Edit tour

Windows Analysis Report
ExamShieldLauncher.exe

Overview

General Information

Sample Name:	ExamShieldLauncher.exe
Analysis ID:	738028
MD5:	befd48dc616713bd9a29659d3bd59934
SHA1:	f5c74daea1635b0c9c2c5bd84916b468cdcfb8cc
SHA256:	cefdc2e2aa84bc5eef7e546ae0e7e2628afa058748e7049af14d5eca2fc96441
Infos:

Detection

Score:	7
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Compliance

Score:	47
Range:	0 - 100

Signatures

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Stores large binary data to the registry

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to launch a program with higher privileges

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

ExamShieldLauncher.exe (PID: 2128 cmdline: C:\Users\user\Desktop\ExamShieldLauncher.exe MD5: BEFD48DC616713BD9A29659D3BD59934)

ExamShieldSetup.exe (PID: 800 cmdline: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD MD5: BEFD48DC616713BD9A29659D3BD59934)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance

Uses 32bit PE files

Source: ExamShieldLauncher.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 45.60.47.233:443 -> 192.168.2.22:49172 version: TLS 1.2

PE / OLE file has a valid certificate

Source: ExamShieldLauncher.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: ExamShieldLauncher.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spreading

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_0006A7E8 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,		1_2_0006A7E8
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_0004A7E8 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,		4_2_0004A7E8

Networking

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443

Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://%I64u%0.1f%0.2f%u%0.0fp
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.peoplecert.org/R
Source: ExamShieldSetup.exe, 00000004.00000002.932500690.0000000002388000.00000004.00000020.00020000.00000000.sdmp, ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	String found in binary or memory: https://download.peoplecert.org/files/examshieldlauncher.exe?id=anonymous&ticks=1647274825234
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.peoplecert.org/files/examshieldlauncher.exe?id=anonymous&ticks=1647274825234%20%20c
Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown

DNS traffic detected: queries for: download.peoplecert.org

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_000552F0 GetFileAttributesW,GetLastError,HttpSendRequestW,GetLastError,_malloc,InternetReadFile,_free,GetTickCount,_free,GetLastError,_free,InternetReadFile,GetTickCount,Sleep,_free,GetLastError,

1_2_000552F0

Source: global traffic

HTTP traffic detected: GET /files/examshieldlauncher.exe?id=anonymous&ticks=1647274825234%20%20current%20categorization:%20education%20last%20time%20rated/ExamShieldSetup.exe?id=ANONYMOUS HTTP/1.1Accept: */*User-Agent: ExamShield LauncherHost: download.peoplecert.orgConnection: Keep-AliveCache-Control: no-cache

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 45.60.47.233:443 -> 192.168.2.22:49172 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_000992A2 GetKeyboardState,_memset,GetKeyboardLayout,MapVirtualKeyW,ToUnicodeEx,

1_2_000992A2

System Summary

Uses 32bit PE files

Source: ExamShieldLauncher.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Detected potential crypto function

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_00058050	1_2_00058050
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_00052150	1_2_00052150
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_00057200	1_2_00057200
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_001562F9	1_2_001562F9
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_000543D0	1_2_000543D0
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_0007F44C	1_2_0007F44C
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_001625DC	1_2_001625DC
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_0005A810	1_2_0005A810
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_00056B10	1_2_00056B10
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_000E9E10	1_2_000E9E10
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_00151F68	1_2_00151F68
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_00038050	4_2_00038050
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_00032150	4_2_00032150
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_00037200	4_2_00037200
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_001362F9	4_2_001362F9
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_000343D0	4_2_000343D0
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_0005F44C	4_2_0005F44C
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_001425DC	4_2_001425DC
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_0003A810	4_2_0003A810
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_00036B10	4_2_00036B10
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_000C9E10	4_2_000C9E10
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_00131F68	4_2_00131F68

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: String function: 00151A82 appears 34 times
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: String function: 00151BC0 appears 45 times
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: String function: 00151A19 appears 133 times
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: String function: 00131BC0 appears 45 times
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: String function: 00131A19 appears 132 times
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: String function: 00131A82 appears 34 times

Sample file is different than original file name gathered from version info

Source: ExamShieldLauncher.exe, 00000001.00000003.925937831.0000000004020000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs ExamShieldLauncher.exe

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

File read: C:\Users\user\Desktop\ExamShieldLauncher.exe

Jump to behavior

Source: ExamShieldLauncher.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ExamShieldLauncher.exe C:\Users\user\Desktop\ExamShieldLauncher.exe
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process created: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process created: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD	Jump to behavior

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

File created: C:\Users\user\AppData\Local\Exam Shield

Jump to behavior

Source: classification engine

Classification label: clean7.winEXE@3/5@1/1

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_0006F43C CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,

1_2_0006F43C

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_00064645 __EH_prolog3_catch,FindResourceW,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,

1_2_00064645

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE file has a big code size

Source: ExamShieldLauncher.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: ExamShieldLauncher.exe

Static file information: File size 1999848 > 1048576

PE / OLE file has a valid certificate

Source: ExamShieldLauncher.exe

Static PE information: certificate valid

PE file has a big raw section

Source: ExamShieldLauncher.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x125800

PE file imports many functions

Source: ExamShieldLauncher.exe

Static PE information: More than 200 imports for USER32.dll

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: ExamShieldLauncher.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a valid data directory to section mapping

Source: ExamShieldLauncher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ExamShieldLauncher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ExamShieldLauncher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ExamShieldLauncher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ExamShieldLauncher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_00151AF1 push ecx; ret	1_2_00151B04
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_00151C05 push ecx; ret	1_2_00151C18
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_00131AF1 push ecx; ret	4_2_00131B04
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_00131C05 push ecx; ret	4_2_00131C18

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_00162FF8 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00162FF8

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	File created: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	File created: C:\Users\user\AppData\Local\Exam Shield\ExamShieldLauncher.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Stores large binary data to the registry

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_00079FFD SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,		1_2_00079FFD
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_00059FFD SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,		4_2_00059FFD

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_00070268 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00070268

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe TID: 1784

Thread sleep time: -60000s >= -30000s

Jump to behavior

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_4-33057
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_1-33381

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe

API coverage: 9.8 %

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_0006A7E8 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,		1_2_0006A7E8
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_0004A7E8 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,		4_2_0004A7E8

Source: ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: ExamShieldLauncher.exe, 00000001.00000003.926076134.000000000402A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Vmcicda.dllOn8S

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_001591CA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_001591CA

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

1_2_00162FF8

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_001591CA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_001591CA
Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: 1_2_00150836 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00150836
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_001391CA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_001391CA
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: 4_2_00130836 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00130836

HIPS / PFW / Operating System Protection Evasion

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_00058050 #17,SHGetFolderPathW,GetFileAttributesW,CreateDirectoryW,GetModuleFileNameW,ShellExecuteW,CopyFileExW,KiUserCallbackDispatcher,ShellExecuteW,CopyFileW,

1_2_00058050

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Process created: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD

Jump to behavior

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_0005B2E0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,

1_2_0005B2E0

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

1_2_0005B2E0

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryExW,		1_2_0006BB41
Source: C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryExW,		4_2_0004BB41

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_00158258 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_00158258

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

Code function: 1_2_0015E48B __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

1_2_0015E48B

Source: C:\Users\user\Desktop\ExamShieldLauncher.exe

1_2_00070268

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	Path Interception	1 Exploitation for Privilege Escalation	1 Masquerading	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Modify Registry	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://%I64u%0.1f%0.2f%u%0.0fp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
yhbk884.x.incapdns.net	45.60.47.233	true	false		unknown
download.peoplecert.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://download.peoplecert.org/files/examshieldlauncher.exe?id=anonymous&ticks=1647274825234%20%20current%20categorization:%20education%20last%20time%20rated/ExamShieldSetup.exe?id=ANONYMOUS	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://download.peoplecert.org/files/examshieldlauncher.exe?id=anonymous&ticks=1647274825234	ExamShieldSetup.exe, 00000004.00000002.932500690.0000000002388000.00000004.00000020.00020000.00000000.sdmp, ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	false		high
http://ocsp.entrust.net03	ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://download.peoplecert.org/files/examshieldlauncher.exe?id=anonymous&ticks=1647274825234%20%20c	ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://%I64u%0.1f%0.2f%u%0.0fp	ExamShieldLauncher.exe, ExamShieldSetup.exe.1.dr, ExamShieldLauncher.exe.1.dr	false	Avira URL Cloud: safe	low
http://ocsp.entrust.net0D	ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://download.peoplecert.org/R	ExamShieldLauncher.exe, 00000001.00000002.926596364.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.60.47.233	yhbk884.x.incapdns.net	United States		19551	INCAPSULAUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	738028
Start date and time:	2022-11-04 13:15:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ExamShieldLauncher.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean7.winEXE@3/5@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 96.1%) Quality average: 81.2% Quality standard deviation: 26.3%
HCA Information:	Successful, ratio: 83% Number of executed functions: 134 Number of non-executed functions: 255
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 173.222.108.210, 173.222.108.226, 8.248.113.254, 8.248.133.254, 8.248.115.254, 8.248.139.254, 8.238.88.254, 93.184.220.29
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, cs9.wac.phicdn.net, ocsp.digicert.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, downloadgeoiprouting.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:16:21	API Interceptor	153x Sleep call for process: ExamShieldLauncher.exe modified
13:16:29	API Interceptor	11x Sleep call for process: ExamShieldSetup.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.60.47.233	examshieldlauncher.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
yhbk884.x.incapdns.net	examshieldlauncher.exe	Get hash	malicious	Browse	45.60.47.233

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
INCAPSULAUS	Invoice-38937.shtml	Get hash	malicious	Browse	45.60.31.34
	https://secure.2checkout.com/affiliate.php?ACCOUNT=LANTECHS&AFFILIATE=120043&PATH=https%3A%2F%2Fiw2zxo.codesandbox.io/?x.o=Y2xpZmYuY2FsaG91bkBzd2dhcy5jb20=	Get hash	malicious	Browse	45.60.14.94
	https://www.spiceworks.com/privacy/	Get hash	malicious	Browse	45.60.13.212
	https://www.spiceworks.com/terms/	Get hash	malicious	Browse	45.60.13.212
	https://email.email.pandadoc.net/c/eJxVT8tOAjEU_Rq6k0xb-phFF0g0xLjwgYArc_saqsyDTscBvt6SaNTkLk5Ozj0PpzDnvOS0YAyNbfzoOzDuLVjlmyNlN7PNeA2batzGw_qDii0KihSE4IJITLGgbKp5QY0vcHbgkpdsMitcDWE_7aCxYFszbVxCO6WxdBwEAaoJpQ4s95zh0nrNJCFFiUL_lmIOB713ahUHh_Zql1LXT-h8Qm7zQdf9upq2zlRGQ-2alKF22FgpGBYCG58bMZFLYS0lliUH670hlBQUtbGCJpwhhba5LB3f6fWcDofX1XLhfEVePg_P-h5F9d6eprWBmHZDzLOgdjEYaPpQNZCG6C4dUFI_Hf7AqwSxcv-Y_qKI7jP037H3EBdjdZo_Jr1eP3G6XNhUa_TzcJFY97B6uBM3j7tatmcmSlHbo0VWaU61l19HUJLQ	Get hash	malicious	Browse	45.223.20.103
	http://www.uncommonegfrmutations.com	Get hash	malicious	Browse	45.60.76.54
	https://docs.transactional.pandadoc.net/c/eJxVT8tOwzAQ_Jr6RuUYJ44PPrSUgqiooEQVPaG1vXnQ1Am2Wx5fTyJRAdIeRqPZeaBKsoxLKjnNyXvn96EHgy-NVTO5_rxe9kYu59XD7vaJiXvnr0ijGGUsoZQneUqpmILMyxKB6QTRCiMnnEYPLoCJTeegnfbgLNjOTB1GUquypAwYXjKpc56lZaIzXqbGplTYVGQpacLLYGAQdIuq8Eckrapj7MPkcjZhy-Gg739dTXcYqAEdD-jiCHNkTJeYCosZGMGAWoMys4ZJi4LnKKzmnJLOV-CaLxh7jouv3lbbQmounzd3_rXYftR6rh3xKvruc1r6Bn3o3LCvBfvej8EkqnPwH3gRwVf4jwmjwuOpCT9ZflHzh9zcFJt99biutk-Z3G3m5PwwSoRbhNQXXyt_Os5Xga9PXe1WxCqZ5DKx7BuFdZNs	Get hash	malicious	Browse	45.223.20.103
	https://onedrive.live.com/?cid=bb4aaf4b9f531701&id=BB4AAF4B9F531701%21122&ithint=file,pdf&authkey=!ANbIdNq63UzmgEM	Get hash	malicious	Browse	45.60.13.207
	https://app.pandadoc.com/document/d18c38ece13c4d970e26ae9e9adc0894a9c0a84b	Get hash	malicious	Browse	45.223.20.103
	https://app.pandadoc.com/document/297c9b88f7d1d58539546728e0c8dceee0f3dd4c	Get hash	malicious	Browse	45.223.20.103
	https://exam101.in/autb/piuorenoctrm	Get hash	malicious	Browse	45.60.22.18
	M09RmKZC3g.elf	Get hash	malicious	Browse	45.60.181.167
	https://commonservices.novartis.com/user-tracking/EnterpriseCookieServlet?usertrack.destination_url=https%3A%2F%2Fcreditscored.top?r=ZGF2aWQucmVlZGVyQGdsb2JhbGZvdW5kcmllcy5jb20=&usertrack.cookie_name=NovaId	Get hash	malicious	Browse	107.154.76.156
	https://commonservices.novartis.com/user-tracking/EnterpriseCookieServlet?usertrack.destination_url=https%3A%2F%2Fdreamonline.top?r=Z2RtQGFyZ2NzLmNvbQ==&usertrack.cookie_name=NovaId&d=DwMFaQ	Get hash	malicious	Browse	107.154.76.156
	https://commonservices.novartis.com/user-tracking/EnterpriseCookieServlet?usertrack.destination_url=https%3A%2F%2Ftech-r.top?r=cGxwYXBwbGljYXRpb25zQG11bHRpc2VydmljZS5jb20=&usertrack.cookie_name=NovaId	Get hash	malicious	Browse	107.154.76.156
	https://commonservices.novartis.com/user-tracking/EnterpriseCookieServlet?usertrack.destination_url=https%3A%2F%2Ftech-r.top?r=cGxwYXBwbGljYXRpb25zQG11bHRpc2VydmljZS5jb20=&usertrack.cookie_name=NovaId	Get hash	malicious	Browse	107.154.76.156
	Myn7eh9vQ6.elf	Get hash	malicious	Browse	107.154.62.123
	PjzRDP3Bzp.elf	Get hash	malicious	Browse	107.154.123.250
	aPTFhkPRDD.exe	Get hash	malicious	Browse	45.60.22.24
	aPTFhkPRDD.exe	Get hash	malicious	Browse	45.60.22.24

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	INVOICE-24 Onvrey.xlsm	Get hash	malicious	Browse	45.60.47.233
	ORDER INQUIRY SPECIFICATION.xls	Get hash	malicious	Browse	45.60.47.233
	22000255.xls	Get hash	malicious	Browse	45.60.47.233
	PF00015722EX2.docx.doc	Get hash	malicious	Browse	45.60.47.233
	Dokumente 2022.02.11_1227.xls	Get hash	malicious	Browse	45.60.47.233
	Rechnung 2022.02.11_1233.xls	Get hash	malicious	Browse	45.60.47.233
	Payment Details.xlsx	Get hash	malicious	Browse	45.60.47.233
	https://cssamares-my.sharepoint.com/:o:/g/personal/barbara_jacques001_csssamares_gouv_qc_ca/EmEkY2pXv8dBmepJcN2zZ-oB_N-SvXJsN0E5rRMIzcWOZQ?e=0pRe0A	Get hash	malicious	Browse	45.60.47.233
	Payment Advice.xlsx	Get hash	malicious	Browse	45.60.47.233
	Ontario Refrigeration statement - 01.11.2022.xlsx	Get hash	malicious	Browse	45.60.47.233
	Excel Statement001.xlsx	Get hash	malicious	Browse	45.60.47.233
	S O Supply INV4322489.xlsx	Get hash	malicious	Browse	45.60.47.233
	file.xlsx	Get hash	malicious	Browse	45.60.47.233
	file.xlsx	Get hash	malicious	Browse	45.60.47.233
	Leeswood_Quo_Upd123.xlsx	Get hash	malicious	Browse	45.60.47.233
	BCN#U00ae.docx	Get hash	malicious	Browse	45.60.47.233
	ACH_WIRE REMITTANCE.xlsx	Get hash	malicious	Browse	45.60.47.233
	ACH_WIRE REMITTANCE.xlsx	Get hash	malicious	Browse	45.60.47.233
	ACH_WIRE REMITTANCE.xlsx	Get hash	malicious	Browse	45.60.47.233
	ZU2XrHhhPl.vbs	Get hash	malicious	Browse	45.60.47.233

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Exam Shield\ExamShieldLauncher.exe

Download File

Process:	C:\Users\user\Desktop\ExamShieldLauncher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1999848
Entropy (8bit):	6.268620243593902
Encrypted:	false
SSDEEP:	49152:pleXbhrNfgqTzEin+caW8qLTWkceK4RVlkuXXGlc3KAMNmIlQJUJe5eXV/0K:pcbpNfgqTzUcyqLTjceTRVlkud3KA5IZ
MD5:	BEFD48DC616713BD9A29659D3BD59934
SHA1:	F5C74DAEA1635B0C9C2C5BD84916B468CDCFB8CC
SHA-256:	CEFDC2E2AA84BC5EEF7E546AE0E7E2628AFA058748E7049AF14D5ECA2FC96441
SHA-512:	6CCA4E868F707938F7115266EAA6574AF8374935D8D866A8299732233C5EBEA7B331E7BF6E2D204F940BA21BB38F9736F2B5984ADEA6B784CF35753CAD1AC202
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'..EF..EF..EF..*0P.@F..L>..DF..L>x.IF..L>h.bF..EF..\|E..^.e.nF..^.Q..F..^.P.=G..^.T.MF..^.a.DF..^.f.DF..RichEF..........................PE..L.....H[.................X..........,........p....@.......................................@.....................................\|....................\...'...`..........................................@............p...............................text...LW.......X.................. ..`.rdata...F...p...F...\..............@..@.data............\..................@....rsrc...............................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Exam Shield\ExamShieldLauncher.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ExamShieldLauncher.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Exam Shield\ExamShieldParams.dat

Download File

Process:	C:\Users\user\Desktop\ExamShieldLauncher.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.725480556997868
Encrypted:	false
SSDEEP:	3:lJ2n:an
MD5:	9BAB2B4C50D8359FC53C582D09CA21DF
SHA1:	9B2473D04FC51348AA20D1FEDF5E629C43A0ADA9
SHA-256:	9DBF8057012E99A692DF37F984B92232C1AEEE59BA9576BE9F440D2AE0BEF774
SHA-512:	C989409CB5C9FD74B66EC0A6C2D2A0F1166C2F7E379794BC7511119C53388BAF60E37EF0B0F8F3B854283F832FC91147B63DA46EB3CEF22BC394946E34943A12
Malicious:	false
Reputation:	low
Preview:	ANONYMOUS

C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe

Download File

Process:	C:\Users\user\Desktop\ExamShieldLauncher.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1999848
Entropy (8bit):	6.268620243593902
Encrypted:	false
SSDEEP:	49152:pleXbhrNfgqTzEin+caW8qLTWkceK4RVlkuXXGlc3KAMNmIlQJUJe5eXV/0K:pcbpNfgqTzUcyqLTjceTRVlkud3KA5IZ
MD5:	BEFD48DC616713BD9A29659D3BD59934
SHA1:	F5C74DAEA1635B0C9C2C5BD84916B468CDCFB8CC
SHA-256:	CEFDC2E2AA84BC5EEF7E546AE0E7E2628AFA058748E7049AF14D5ECA2FC96441
SHA-512:	6CCA4E868F707938F7115266EAA6574AF8374935D8D866A8299732233C5EBEA7B331E7BF6E2D204F940BA21BB38F9736F2B5984ADEA6B784CF35753CAD1AC202
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'..EF..EF..EF..*0P.@F..L>..DF..L>x.IF..L>h.bF..EF..\|E..^.e.nF..^.Q..F..^.P.=G..^.T.MF..^.a.DF..^.f.DF..RichEF..........................PE..L.....H[.................X..........,........p....@.......................................@.....................................\|....................\...'...`..........................................@............p...............................text...LW.......X.................. ..`.rdata...F...p...F...\..............@..@.data............\..................@....rsrc...............................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PFSBE4YK.txt

Download File

Process:	C:\Users\user\Desktop\ExamShieldLauncher.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	148
Entropy (8bit):	5.171418502363177
Encrypted:	false
SSDEEP:	3:z+QFSRVhZ1xsC7mpkt0wUkMTUCcqEPuOGAXRfMfAgYUMdNMX16VS:KQFgLxsC7mKUkMYCcZOABf6gUOMoVS
MD5:	A2F2FE10F71B7B17307F990C260360AB
SHA1:	2655653357FBA6C660FC6743575A1E8CF074AB42
SHA-256:	FA19F81043883C39EEE489324FAECFBF8055092B448AA5DF5EA63EF04F66B81D
SHA-512:	F19F20BD90DB3885CA1F58D24C225E3C67058CA9EAEEBDC72E2493D41A8B1371EA2A0ECE54A3DC8714BD596432A0B22E8CB3FCD4C86F62A97A62723244038E4E
Malicious:	false
Reputation:	low
Preview:	visid_incap_1974829.YIOrlx9OQo64xTTB0cWthGkCZWMAAAAAQUIPAAAAAAD61g9uk+8uckOhcIt4lI0W.peoplecert.org/.9729.1316690944.31067811.1259192026.30994571.*.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.268620243593902
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ExamShieldLauncher.exe
File size:	1999848
MD5:	befd48dc616713bd9a29659d3bd59934
SHA1:	f5c74daea1635b0c9c2c5bd84916b468cdcfb8cc
SHA256:	cefdc2e2aa84bc5eef7e546ae0e7e2628afa058748e7049af14d5eca2fc96441
SHA512:	6cca4e868f707938f7115266eaa6574af8374935d8d866a8299732233c5ebea7b331e7bf6e2d204f940ba21bb38f9736f2b5984adea6b784cf35753cad1ac202
SSDEEP:	49152:pleXbhrNfgqTzEin+caW8qLTWkceK4RVlkuXXGlc3KAMNmIlQJUJe5eXV/0K:pcbpNfgqTzUcyqLTjceTRVlkud3KA5IZ
TLSH:	E4959E3236918077D13B3630C64AA3F9A6BABD318D35824762607E3C7E355629D2C76F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'..EF..EF..EF..*0P.@F..L>..DF..L>x.IF..L>h.bF..EF..\|E..^.e.nF..^.Q..F..^.P.=G..^.T.MF..^.a.DF..^.f.DF..RichEF.................

File Icon


Icon Hash:	0e0f31312b330f0c

Static PE Info

General

Entrypoint:	0x50082c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B48BD1D [Fri Jul 13 14:54:21 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	18b37dcf3ff15bf9d314cf492a746dc7

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	3/16/2022 5:00:00 PM 3/22/2023 4:59:59 PM
Subject Chain	CN=PEOPLECERT INTERNATIONAL LTD, O=PEOPLECERT INTERNATIONAL LTD, L=Nicosia, C=CY
Version:	3
Thumbprint MD5:	539BBE1A7532BAEE444CC8D0641A0AF0
Thumbprint SHA-1:	4A9D1DC7DB1C5405D44792190178060D11F1F0BD
Thumbprint SHA-256:	B8A9E4B19BBB5D63AC433EB98DDA6E3CAA0F6AF57A883EB4E90B45B09D382BC1
Serial:	02751698341A240FA72CD738CD372E21

Entrypoint Preview

Instruction
call 00007F4708CCC02Ch
jmp 00007F4708CC448Eh
cmp ecx, dword ptr [00570454h]
jne 00007F4708CC4604h
rep ret
jmp 00007F4708CCC0B3h
mov edi, edi
push ecx
mov dword ptr [ecx], 0054CD14h
call 00007F4708CCD107h
pop ecx
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
call 00007F4708CC45E8h
test byte ptr [ebp+08h], 00000001h
je 00007F4708CC4609h
push esi
call 00007F4708BD0142h
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
add ecx, 09h
push ecx
add eax, 09h
push eax
call 00007F4708CCD14Ah
neg eax
pop ecx
sbb eax, eax
pop ecx
inc eax
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
push ebx
push edi
xor ebx, ebx
push 00000007h
xor eax, eax
pop ecx
lea edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-20h], ebx
rep stosd
cmp dword ptr [ebp+14h], ebx
jne 00007F4708CC461Ah
call 00007F4708CC5C6Bh
mov dword ptr [eax], 00000016h
call 00007F4708CCD086h
or eax, FFFFFFFFh
jmp 00007F4708CC46C1h
mov edi, dword ptr [ebp+10h]
push esi
mov esi, dword ptr [ebp+0Ch]
cmp edi, ebx
je 00007F4708CC461Eh
cmp esi, ebx
jne 00007F4708CC461Ah
call 00007F4708CC5C44h
mov dword ptr [eax], 00000016h
call 00007F4708CCD05Fh
or eax, FFFFFFFFh
jmp 00007F4708CC4699h

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1681b4	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17a000	0x4bc14	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1e5c00	0x27e8	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c6000	0x1a6a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x151b90	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x127000	0x98c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12574c	0x125800	False	0.555054334806218	data	6.5318919200927255	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x127000	0x44600	0x44600	False	0.26790662134369286	data	5.039739208602094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x16c000	0xd3dc	0x5c00	False	0.2826086956521739	data	4.703069276568397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x17a000	0x4bc14	0x4be00	False	0.3895149042421746	data	4.790791032205263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c6000	0x29ef8	0x2a000	False	0.26264880952380953	data	4.93690967797078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
PNG	0x17b2c0	0x89e	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	Greek	Greece
RT_CURSOR	0x17bb60	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0x17bc94	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States
RT_CURSOR	0x17bd48	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States
RT_CURSOR	0x17be7c	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0x17bfb0	0x134	data	English	United States
RT_CURSOR	0x17c0e4	0x134	data	English	United States
RT_CURSOR	0x17c218	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0x17c34c	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0x17c480	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0x17c5b4	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0x17c6e8	0x134	data	English	United States
RT_CURSOR	0x17c81c	0x134	data	English	United States
RT_CURSOR	0x17c950	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States
RT_CURSOR	0x17ca84	0x134	data	English	United States
RT_CURSOR	0x17cbb8	0x134	data	English	United States
RT_CURSOR	0x17ccec	0x134	data	English	United States
RT_BITMAP	0x17ce20	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States
RT_BITMAP	0x17ced8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States
RT_ICON	0x17d01c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States
RT_ICON	0x17e0c4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States
RT_ICON	0x17e52c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	United States
RT_ICON	0x182754	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States
RT_ICON	0x184cfc	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States
RT_ICON	0x195524	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3072	English	United States
RT_ICON	0x1961cc	0x2868	Device independent bitmap graphic, 128 x 256 x 4, image size 8192	Greek	Greece
RT_ICON	0x198a34	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Greek	Greece
RT_ICON	0x19909c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Greek	Greece
RT_ICON	0x199384	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Greek	Greece
RT_ICON	0x19956c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Greek	Greece
RT_ICON	0x199694	0xa8	Device independent bitmap graphic, 8 x 16 x 4, image size 32	Greek	Greece
RT_ICON	0x19973c	0x4c28	Device independent bitmap graphic, 128 x 256 x 8, image size 16384, 256 important colors	Greek	Greece
RT_ICON	0x19e364	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Greek	Greece
RT_ICON	0x19f20c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Greek	Greece
RT_ICON	0x19fab4	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Greek	Greece
RT_ICON	0x1a017c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Greek	Greece
RT_ICON	0x1a06e4	0x488	Device independent bitmap graphic, 8 x 16 x 8, image size 64, 256 important colors	Greek	Greece
RT_ICON	0x1a0b6c	0xc2c9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Greek	Greece
RT_ICON	0x1ace38	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Greek	Greece
RT_ICON	0x1bd660	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Greek	Greece
RT_ICON	0x1bfc08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Greek	Greece
RT_ICON	0x1c0cb0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Greek	Greece
RT_ICON	0x1c1638	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Greek	Greece
RT_ICON	0x1c1aa0	0x148	Device independent bitmap graphic, 8 x 16 x 32, image size 288	Greek	Greece
RT_DIALOG	0x1c1be8	0x814	data	English	United States
RT_DIALOG	0x1c23fc	0x2d4	data	English	United States
RT_DIALOG	0x1c26d0	0x1be	data	English	United States
RT_DIALOG	0x1c2890	0x23a	data	English	United States
RT_DIALOG	0x1c2acc	0x21e	data	English	United States
RT_DIALOG	0x1c2cec	0xe8	data	English	United States
RT_DIALOG	0x1c2dd4	0x34	data	English	United States
RT_STRING	0x1c2e08	0x242	data	English	United States
RT_STRING	0x1c304c	0x28c	data	English	United States
RT_STRING	0x1c32d8	0x202	data	English	United States
RT_STRING	0x1c34dc	0x32	Matlab v4 mat-file (little endian) N, numeric, rows 0, columns 0
RT_STRING	0x1c3510	0x40	Matlab v4 mat-file (little endian) O, numeric, rows 0, columns 0	English	United States
RT_STRING	0x1c3550	0x142	data
RT_STRING	0x1c3694	0x58	data	English	United States
RT_STRING	0x1c36ec	0x46	data	English	United States
RT_STRING	0x1c3734	0x3e	AmigaOS bitmap font "p", 20224 elements, 2nd, 3rd	English	United States
RT_STRING	0x1c3774	0x46	data	English	United States
RT_STRING	0x1c37bc	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States
RT_STRING	0x1c3840	0x2a	data	English	United States
RT_STRING	0x1c386c	0x184	data	English	United States
RT_STRING	0x1c39f0	0x4e6	data	English	United States
RT_STRING	0x1c3ed8	0x264	data	English	United States
RT_STRING	0x1c413c	0x2da	data	English	United States
RT_STRING	0x1c4418	0x8a	data	English	United States
RT_STRING	0x1c44a4	0xac	data	English	United States
RT_STRING	0x1c4550	0xde	data	English	United States
RT_STRING	0x1c4630	0x4a8	data	English	United States
RT_STRING	0x1c4ad8	0x228	data	English	United States
RT_STRING	0x1c4d00	0x2c	data	English	United States
RT_STRING	0x1c4d2c	0x53c	data	English	United States
RT_GROUP_CURSOR	0x1c5268	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x1c528c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c52a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c52b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c52c8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c52dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c52f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c5304	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c5318	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c532c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c5340	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c5354	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c5368	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c537c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x1c5390	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x1c53a4	0x4c	data	English	United States
RT_GROUP_ICON	0x1c53f0	0x14	data	English	United States
RT_GROUP_ICON	0x1c5404	0x110	data	Greek	Greece
RT_VERSION	0x1c5514	0x330	data	English	United States
RT_MANIFEST	0x1c5844	0x357	ASCII text, with very long lines (855), with no line terminators	English	United States
None	0x1c5b9c	0x78	data	English	United States

Imports

DLL	Import
KERNEL32.dll	WriteConsoleW, GetConsoleMode, GetConsoleCP, GetStringTypeW, GetTimeZoneInformation, IsProcessorFeaturePresent, LCMapStringW, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, IsDebuggerPresent, UnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetLastError, HeapCreate, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, SetUnhandledExceptionFilter, VirtualQuery, GetSystemInfo, VirtualAlloc, GetSystemTimeAsFileTime, HeapSize, HeapQueryInformation, GetFileType, SetStdHandle, CreateThread, ExitThread, HeapReAlloc, RaiseException, RtlUnwind, DecodePointer, EncodePointer, HeapAlloc, HeapFree, GetStartupInfoW, HeapSetInformation, GetCommandLineW, FindResourceExW, VirtualProtect, SearchPathW, GetProfileIntW, GetNumberFormatW, GetWindowsDirectoryW, GetTempPathW, GetTempFileNameW, SetErrorMode, GetCurrentDirectoryW, GlobalGetAtomNameW, GlobalFlags, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, TlsGetValue, lstrcpyW, GetSystemDirectoryW, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileIntW, lstrcmpA, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, GetLocaleInfoW, LoadLibraryExW, ReleaseActCtx, CreateActCtxW, GetFullPathNameW, GetVolumeInformationW, FindFirstFileW, FindClose, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, lstrcmpiW, CreateEventW, SuspendThread, SetEvent, SetThreadPriority, GetFileTime, GetFileSizeEx, FileTimeToLocalFileTime, FileTimeToSystemTime, GetFileAttributesExW, CreateFileW, WideCharToMultiByte, GlobalSize, GlobalAlloc, MulDiv, GetCurrentProcessId, GlobalLock, GlobalUnlock, GlobalFree, FreeResource, GetCurrentThreadId, GlobalAddAtomW, GlobalFindAtomW, GlobalDeleteAtom, GetVersionExW, GetProcAddress, CompareStringW, LoadLibraryW, ActivateActCtx, DeactivateActCtx, SetLastError, FreeLibrary, lstrcmpW, CloseHandle, GetCurrentProcess, GetCurrentThread, VerifyVersionInfoW, VerSetConditionMask, CopyFileW, CopyFileExW, InterlockedIncrement, InterlockedDecrement, GetModuleFileNameW, CreateDirectoryW, GetModuleHandleW, InterlockedExchange, Sleep, GetFileAttributesW, DeleteFileW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, FindResourceW, LoadResource, LockResource, SizeofResource, MultiByteToWideChar, lstrlenA, GetTickCount, WaitForSingleObject, ResumeThread, ExitProcess, LocalFree, lstrlenW, LocalAlloc, FormatMessageW, SetEnvironmentVariableA
USER32.dll	CopyIcon, UnpackDDElParam, ReuseDDElParam, InsertMenuItemW, TranslateAcceleratorW, FrameRect, RegisterClipboardFormatW, EmptyClipboard, CloseClipboard, SetClipboardData, OpenClipboard, GetNextDlgGroupItem, GetIconInfo, HideCaret, InvertRect, LockWindowUpdate, BringWindowToTop, SetCursorPos, SetRect, CreateAcceleratorTableW, LoadAcceleratorsW, GetKeyboardState, GetKeyboardLayout, ToUnicodeEx, CopyAcceleratorTableW, DrawFocusRect, DrawFrameControl, DrawEdge, DrawIconEx, SetClassLongW, DestroyAcceleratorTable, SetParent, DestroyIcon, UnregisterClassW, GetMenuDefaultItem, SetMenuDefaultItem, CreatePopupMenu, IsMenu, MonitorFromPoint, UpdateLayeredWindow, EnableScrollBar, UnionRect, IsRectEmpty, IsZoomed, GetAsyncKeyState, NotifyWinEvent, MessageBeep, ReleaseCapture, WindowFromPoint, SetCapture, KillTimer, SetTimer, SetWindowRgn, GetSystemMenu, DeleteMenu, OffsetRect, IntersectRect, CopyImage, RealChildWindowFromPoint, DestroyMenu, GetMenuItemInfoW, InflateRect, GetSysColorBrush, LoadCursorW, SetLayeredWindowAttributes, EnumDisplayMonitors, SystemParametersInfoW, SetRectEmpty, ShowOwnedPopups, SetCursor, PostQuitMessage, CharUpperW, GetMessageW, TranslateMessage, MapVirtualKeyW, GetKeyNameTextW, GetCursorPos, EndPaint, CharUpperBuffW, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, GetMenuStringW, AppendMenuW, InsertMenuW, RemoveMenu, GetWindowThreadProcessId, GetDesktopWindow, GetActiveWindow, CreateDialogIndirectParamW, GetNextDlgTabItem, EndDialog, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, ModifyMenuW, GetMenuState, EnableMenuItem, CheckMenuItem, IsWindowEnabled, ShowWindow, MoveWindow, SetWindowTextW, IsDialogMessageW, EnableWindow, MessageBoxW, SendMessageW, UpdateWindow, PostMessageW, CheckDlgButton, RegisterWindowMessageW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, SetWindowsHookExW, CallNextHookEx, GetClassLongW, SetPropW, GetPropW, RemovePropW, GetFocus, IsWindow, SetFocus, GetWindowTextLengthW, GetWindowTextW, GetForegroundWindow, GetLastActivePopup, SetActiveWindow, DispatchMessageW, BeginDeferWindowPos, EndDeferWindowPos, GetDlgItem, GetTopWindow, DestroyWindow, UnhookWindowsHookEx, PostThreadMessageW, WaitMessage, DefFrameProcW, DefMDIChildProcW, DrawMenuBar, TranslateMDISysAccel, CreateMenu, IsClipboardFormatAvailable, GetUpdateRect, GetDoubleClickTime, IsCharLowerW, MapVirtualKeyExW, SubtractRect, GetMessageTime, GetMessagePos, PeekMessageW, MonitorFromWindow, GetMonitorInfoW, MapWindowPoints, ScrollWindow, TrackPopupMenu, GetKeyState, SetMenu, DestroyCursor, MapDialogRect, GetWindowRgn, BeginPaint, SetWindowLongW, GetWindowLongW, wsprintfW, LoadIconW, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, LoadImageW, DrawStateW, FillRect, InvalidateRect, LoadBitmapW, GetClassNameW, GetSubMenu, LoadMenuW, GetWindowRect, GetParent, GetWindow, PtInRect, CopyRect, SetWindowPos, GetMenu, CallWindowProcW, DefWindowProcW, GetDlgCtrlID, GetWindowPlacement, SetWindowPlacement, SetScrollInfo, GetScrollInfo, DeferWindowPos, EqualRect, ScreenToClient, AdjustWindowRectEx, GetSysColor, RegisterClassW, GetClassInfoW, GetClassInfoExW, CreateWindowExW, GetMenuItemCount, GetMenuItemID, ValidateRect, IsWindowVisible, RedrawWindow, ShowScrollBar, SetForegroundWindow, GetScrollPos, SetScrollPos, GetScrollRange, SetScrollRange
GDI32.dll	CreateEllipticRgn, Polyline, Ellipse, Polygon, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, GetSystemPaletteEntries, OffsetRgn, GetRgnBox, SetDIBColorTable, StretchBlt, SetPixel, Rectangle, EnumFontFamiliesExW, ExtFloodFill, SetPaletteEntries, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, GetTextFaceW, SetPixelV, GetTextColor, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, GetBkColor, CreatePolygonRgn, CreateDIBSection, CreateRoundRectRgn, DPtoLP, CombineRgn, SetRectRgn, GetTextExtentPoint32W, GetTextCharsetInfo, EnumFontFamiliesW, GetTextMetricsW, CreateCompatibleBitmap, CreateFontIndirectW, CreateDIBitmap, PatBlt, CreateRectRgnIndirect, CreateHatchBrush, CreatePen, GetObjectType, SelectPalette, CreateCompatibleDC, CreatePatternBrush, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, Escape, ExtTextOutW, TextOutW, RectVisible, PtVisible, GetPixel, BitBlt, GetWindowExtEx, GetViewportExtEx, CreateRectRgn, SelectClipRgn, SetLayout, GetLayout, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, CreateDCW, CopyMetaFileW, GetDeviceCaps, ScaleViewportExtEx, CreateBitmap, DeleteObject, CreateSolidBrush, GetObjectW, GetStockObject, SetTextColor, SetBkColor, SetViewportExtEx
MSIMG32.dll	TransparentBlt, AlphaBlend
COMDLG32.dll	GetFileTitleW
WINSPOOL.DRV	OpenPrinterW, DocumentPropertiesW, ClosePrinter
ADVAPI32.dll	RegCreateKeyExW, RegOpenKeyExW, RegEnumKeyExW, RegCloseKey, RegQueryValueExW, OpenThreadToken, OpenProcessToken, DuplicateToken, AllocateAndInitializeSid, InitializeSecurityDescriptor, GetLengthSid, InitializeAcl, AddAccessAllowedAce, RegEnumValueW, RegQueryValueW, RegEnumKeyW, RegDeleteKeyW, RegDeleteValueW, RegSetValueExW, SetSecurityDescriptorDacl, FreeSid, AccessCheck, IsValidSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, IsTextUnicode
SHELL32.dll	DragQueryFileW, ShellExecuteW, SHGetFileInfoW, SHGetDesktopFolder, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFolderPathW, DragFinish, SHAppBarMessage, SHGetSpecialFolderLocation
COMCTL32.dll	ImageList_GetIconSize
SHLWAPI.dll	PathStripToRootW, PathIsUNCW, PathFindExtensionW, PathFindFileNameW, PathRemoveFileSpecW, UrlUnescapeW
ole32.dll	ReleaseStgMedium, CoTaskMemAlloc, OleDuplicateData, CoCreateGuid, CoCreateInstance, CoInitialize, CoUninitialize, CreateStreamOnHGlobal, DoDragDrop, CoInitializeEx, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, OleLockRunning, OleGetClipboard, RegisterDragDrop, CoLockObjectExternal, RevokeDragDrop, CoTaskMemFree
OLEAUT32.dll	SysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysAllocString, VariantTimeToSystemTime, SystemTimeToVariantTime, VarBstrFromDate, SysStringLen, SysAllocStringByteLen, SysFreeString
gdiplus.dll	GdipDrawImageI, GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipFree, GdipAlloc, GdipDeleteGraphics
WININET.dll	InternetCloseHandle, InternetOpenW, InternetSetStatusCallbackW, InternetConnectW, HttpOpenRequestW, InternetSetOptionW, HttpSendRequestW, InternetCanonicalizeUrlW, InternetCrackUrlW, HttpQueryInfoW, InternetReadFile, InternetErrorDlg
CRYPT32.dll	CertFreeCertificateContext
OLEACC.dll	LresultFromObject, AccessibleObjectFromWindow, CreateStdAccessibleObject
IMM32.dll	ImmGetOpenStatus, ImmGetContext, ImmReleaseContext
WINMM.dll	PlaySoundW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Greek	Greece
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2022 13:16:08.271589994 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:08.271637917 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:08.271709919 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:08.385225058 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:08.385268927 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:08.439172983 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:08.439311028 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:08.481101036 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:08.481141090 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:08.481955051 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:08.482048988 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.297152042 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.297185898 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641387939 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641484976 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641536951 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641534090 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.641534090 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.641587019 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641628027 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641635895 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.641661882 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.641680956 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641700029 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641704082 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.641748905 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641750097 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.641763926 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641793013 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.641793013 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.641798973 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641815901 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.641827106 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.641884089 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.642151117 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.642151117 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.658617020 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.658759117 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672435999 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672506094 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672560930 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672563076 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672563076 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672610998 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672638893 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672667980 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672667980 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672687054 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672705889 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672734022 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672734022 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672750950 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672770023 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672771931 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672802925 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672817945 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672846079 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672847986 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672868967 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672883987 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672900915 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672904015 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672930002 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672943115 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672960997 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.672965050 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.672988892 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673002958 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.673018932 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.673022032 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673046112 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673059940 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.673077106 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.673079014 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673099041 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673111916 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.673131943 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673155069 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673161983 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.673171043 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.673211098 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673211098 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673217058 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.673226118 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.673263073 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673263073 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.673284054 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.673327923 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.703632116 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.703718901 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.703743935 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.703794956 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.703854084 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.703871965 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.703871965 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.703871965 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.703900099 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.703913927 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.703917980 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.703953028 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.703953028 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.703965902 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.703975916 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704026937 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704026937 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704057932 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704078913 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704128027 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704128981 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704128981 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704148054 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704173088 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704175949 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704185963 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704197884 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704224110 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704257965 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704257965 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704271078 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704278946 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704279900 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704324007 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704330921 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704339981 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704377890 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704377890 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704386950 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704396963 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704448938 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704463959 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704482079 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704513073 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704525948 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704530001 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704535961 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704575062 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704575062 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704581022 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704591036 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704624891 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704644918 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704644918 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704654932 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704695940 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704695940 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704701900 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704710960 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704750061 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704782963 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704830885 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704833984 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704848051 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704871893 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704879999 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704893112 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704905033 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704929113 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704929113 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704953909 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.704968929 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704984903 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.704988956 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.705009937 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.705022097 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.705050945 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.705054045 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.705075979 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.705086946 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.705107927 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.705131054 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721256971 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721324921 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721332073 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721362114 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721379042 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721390963 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721417904 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721426964 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721441984 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721443892 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721483946 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721484900 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721493959 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721506119 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721533060 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721543074 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721554041 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721554995 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721585035 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721592903 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721606970 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721606970 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721632004 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721641064 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721652031 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721652985 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.721699953 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.721699953 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.734287977 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.734325886 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.734345913 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.734447956 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735050917 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735114098 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735143900 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735171080 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735192060 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735193014 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735219955 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735229015 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735245943 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735246897 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735270023 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735279083 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735294104 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735315084 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735318899 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735327005 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735352039 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735363007 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735363960 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735372066 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735398054 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735414028 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735419989 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735426903 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735454082 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735467911 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735476017 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735517025 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735524893 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735537052 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735562086 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735573053 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735586882 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735586882 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735629082 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735631943 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735641003 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735681057 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735702991 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735713005 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735729933 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735748053 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735760927 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735768080 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735785007 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735785007 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735810995 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735820055 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735832930 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735832930 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735858917 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735866070 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735881090 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735881090 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735908031 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735915899 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735930920 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735930920 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735959053 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.735965967 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735980034 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.735980988 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736008883 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736016035 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736031055 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736032009 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736058950 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736066103 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736083031 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736105919 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736113071 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736126900 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736150026 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736156940 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736171961 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736171961 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736197948 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736205101 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736218929 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736219883 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736241102 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736248016 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736263990 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736274958 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736283064 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736293077 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736310959 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736325979 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736325979 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736335039 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736360073 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736371040 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736377954 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736386061 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736412048 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736434937 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736475945 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736479044 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736489058 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736520052 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736534119 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736574888 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736577988 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736587048 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736617088 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736627102 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736635923 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736644983 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736660957 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736680984 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736687899 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736700058 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736725092 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736735106 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736748934 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736749887 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736774921 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736784935 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.736804962 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.736833096 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.738225937 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.738282919 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.738329887 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.738492966 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.738492966 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.738517046 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.738574028 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.741913080 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.741938114 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.742060900 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743532896 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743597031 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743652105 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743659973 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743684053 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743702888 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743702888 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743702888 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743726969 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743732929 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743747950 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743750095 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743782997 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743788958 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743801117 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743815899 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743825912 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743830919 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743843079 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743844032 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743869066 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743875027 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743885994 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743886948 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743913889 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743920088 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743942022 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743966103 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.743972063 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.743980885 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.744009972 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.744023085 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.744023085 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.744031906 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.744060993 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.744076014 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.744081974 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.744127989 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.745707035 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.748424053 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.754709959 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.754781008 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.754810095 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.754836082 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.754849911 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.754851103 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.754879951 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.754888058 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.754899025 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.754918098 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.754930973 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.754936934 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.754960060 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.754966021 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.754966021 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.754976034 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755006075 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755016088 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755018950 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755028963 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755059004 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755069971 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755072117 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755080938 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755108118 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755121946 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755122900 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755131960 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755162954 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755184889 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755187988 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755197048 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755224943 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755243063 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755249023 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755270004 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755287886 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755294085 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755306005 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755332947 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.755337954 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.755374908 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766338110 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766439915 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766491890 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766541004 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766550064 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766561985 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766576052 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766586065 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766598940 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766607046 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766649008 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766652107 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766659021 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766680002 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766696930 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766701937 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766711950 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766736031 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766752958 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766766071 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766776085 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766789913 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766798019 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766813040 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766818047 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766839981 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766848087 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766853094 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766858101 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766887903 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766895056 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766906977 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766943932 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.766951084 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.766983986 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767000914 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767038107 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767044067 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767052889 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767076969 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767087936 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767112970 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767148018 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767162085 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767200947 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767205954 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767240047 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767249107 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767286062 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767292976 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767329931 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767340899 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767374992 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767386913 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767417908 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767432928 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767469883 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767482042 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767520905 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767528057 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767571926 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767582893 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767618895 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767627954 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767661095 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767677069 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767712116 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767724991 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767766953 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767777920 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767782927 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767802000 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767813921 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767821074 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767826080 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767852068 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767855883 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767868042 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767872095 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767889977 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767908096 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767913103 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767930984 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767951012 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767956972 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767966986 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.767973900 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.767997026 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768002033 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768012047 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768016100 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768040895 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768045902 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768054962 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768063068 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768079996 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768085957 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768099070 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768105984 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768130064 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768135071 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768143892 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768148899 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768170118 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768176079 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768187046 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768208981 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768213987 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768224955 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768250942 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768255949 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768265963 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768269062 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768290997 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768296003 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768306017 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768312931 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768335104 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768340111 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768349886 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768353939 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768374920 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768379927 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768389940 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768414021 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768419027 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768429041 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768456936 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768461943 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768481016 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768482924 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768496037 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768500090 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768518925 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768531084 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768534899 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768542051 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768568993 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768582106 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768590927 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768625975 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768635035 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768673897 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768677950 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768687010 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768714905 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768728018 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768731117 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768738985 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768764019 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768778086 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768780947 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768790007 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768815994 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768826962 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.768831968 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.768868923 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.769486904 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.769498110 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.769510031 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.769579887 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.769599915 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.772929907 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.775516033 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.790919065 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791004896 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791069984 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791100979 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791112900 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791121006 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791121006 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791125059 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791156054 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791166067 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791169882 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791177034 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791208982 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791215897 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791239977 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791251898 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791265011 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791265965 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791292906 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791299105 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791307926 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791328907 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791788101 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791856050 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791865110 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791903973 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791910887 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791944027 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791954994 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.791990042 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.791997910 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792030096 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792040110 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792073011 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792089939 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792124033 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792126894 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792136908 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792157888 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792169094 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792176008 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792212009 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792217016 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792224884 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792263031 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792264938 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792264938 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792272091 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792295933 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792305946 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792337894 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792345047 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792377949 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792382956 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792391062 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792413950 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792424917 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792429924 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792438984 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792459965 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792475939 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792483091 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792515993 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792522907 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792557001 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792560101 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792567968 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792588949 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792602062 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792608976 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792644024 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792653084 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792685032 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792690992 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792726040 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792726040 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792733908 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792756081 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792768002 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792789936 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792794943 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792808056 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792836905 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792838097 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792845964 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792875051 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792893887 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792929888 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792931080 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792938948 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.792963028 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.792974949 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793011904 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793011904 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793020010 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793044090 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793055058 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793057919 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793064117 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793092012 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793102980 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793106079 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793113947 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793138027 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793148994 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793149948 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793159008 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793194056 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793200970 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793200970 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793209076 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793231010 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793237925 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793241024 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793246984 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793272018 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793282986 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793283939 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793292046 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793319941 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793338060 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793343067 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793351889 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793374062 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793379068 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793390036 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793390989 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793410063 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793414116 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793423891 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793431044 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793452978 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793474913 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793488026 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793488979 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793514013 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793519020 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793533087 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793549061 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793566942 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793570995 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793581963 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793606043 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793611050 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793621063 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793793917 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793793917 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793795109 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.793802023 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.793869972 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.817327023 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.817357063 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.817456007 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.818840981 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.818918943 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.818937063 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.818948984 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.818988085 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.818999052 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819037914 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819041967 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819051027 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819075108 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819087029 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819092035 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819101095 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819130898 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819142103 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819180965 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819181919 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819195986 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819216967 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819228888 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819235086 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819268942 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819390059 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819448948 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819448948 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819477081 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819490910 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819502115 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819528103 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819562912 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819574118 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819612980 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819619894 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819628954 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819652081 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819664001 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819673061 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819709063 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819720984 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819760084 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819766998 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819802046 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819812059 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819856882 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819858074 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819866896 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819890022 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819901943 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819909096 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819945097 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819952011 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.819983006 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.819996119 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820034027 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820036888 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820045948 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820070028 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820084095 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820090055 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820123911 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820133924 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820175886 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820178986 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820184946 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820214033 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820225000 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820225954 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820234060 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820261002 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820271969 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820274115 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820281982 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820305109 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820316076 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820321083 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820328951 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820353985 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820367098 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820369959 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820379019 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820403099 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820415020 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820420027 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820446968 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820455074 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820461035 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820477962 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820491076 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820496082 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820501089 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820524931 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820532084 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820535898 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820540905 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820563078 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820574045 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820580959 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820616007 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820621014 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820628881 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820651054 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820662022 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820667982 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820676088 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820698023 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820708036 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.820714951 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.820748091 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.821433067 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.821443081 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.821490049 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.826083899 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.826113939 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.826208115 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.831067085 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.834824085 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.834955931 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835031986 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835051060 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835064888 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835077047 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835078955 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835099936 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835105896 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835117102 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835127115 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835139036 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835144997 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835160017 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835170031 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835175991 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835180044 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835201025 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835210085 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835213900 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835218906 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835242033 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835256100 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835259914 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835268974 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835294008 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835303068 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.835308075 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.835339069 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.837171078 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838566065 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838640928 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838679075 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838679075 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838690996 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838705063 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838727951 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838732958 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838742971 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838756084 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838763952 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838768959 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838787079 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838799953 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838804007 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838813066 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838835001 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838846922 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838854074 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838896036 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838918924 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838954926 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.838963985 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.838993073 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839009047 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839047909 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839056015 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839056015 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839065075 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839085102 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839097023 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839107990 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839142084 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839153051 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839188099 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839198112 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839232922 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839241982 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839277029 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839283943 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839293003 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839315891 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839334011 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839339018 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839348078 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839371920 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839384079 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839390993 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839432001 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839441061 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839447021 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839464903 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839473009 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839477062 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839482069 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839513063 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839524031 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839529037 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839550018 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839560986 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839566946 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839576960 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839591026 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839596033 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839601040 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839628935 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839637041 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839641094 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839660883 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839674950 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839680910 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839693069 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839701891 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839708090 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839713097 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839742899 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839766979 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839766979 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839776993 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839785099 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839787006 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839807034 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839812040 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839822054 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839832067 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839842081 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839847088 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839860916 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839871883 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839874029 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839884043 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839905977 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839916945 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839925051 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839961052 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.839966059 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839973927 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.839998960 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840013981 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840048075 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840054989 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840086937 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840095997 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840131044 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840137005 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840163946 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840163946 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840171099 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840176105 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840195894 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840208054 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840208054 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840217113 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840239048 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840250969 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840255976 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840265036 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840286970 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840297937 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840303898 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840312958 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840333939 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840346098 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840353012 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840385914 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840394974 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840430975 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840435982 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840445995 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840473890 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840481043 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840487003 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840521097 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840528011 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840563059 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.840568066 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.840598106 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.844338894 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.844541073 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.856014967 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.856101990 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.856123924 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.856167078 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.856205940 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.856209040 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.856221914 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.856239080 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.856239080 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.856252909 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.856259108 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.856266022 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.856303930 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.856307983 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.856317043 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.856339931 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.856354952 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.856363058 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.856395960 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863509893 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863600016 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863620996 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863648891 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863648891 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863670111 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863684893 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863686085 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863704920 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863709927 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863722086 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863737106 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863744974 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863749981 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863766909 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863779068 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863780022 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863787889 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863811016 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863822937 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863836050 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863871098 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863881111 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863914013 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863924980 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.863957882 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.863970041 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864005089 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864013910 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864048958 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864069939 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864072084 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864115953 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864172935 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864222050 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864222050 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864233017 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864267111 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864284992 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864314079 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864347935 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864396095 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864398003 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864404917 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864442110 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864449024 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864480972 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864511013 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864550114 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864559889 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864566088 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.864584923 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.864598036 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.866302013 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876317978 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876394987 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876508951 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876518011 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876533031 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876554966 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876575947 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876584053 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876635075 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876646042 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876682043 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876713991 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876764059 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876765966 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876774073 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876807928 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876820087 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876827955 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876863956 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876882076 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876914978 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876915932 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876925945 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.876931906 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876945972 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.876960993 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877115965 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877167940 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877186060 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877192020 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877203941 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877214909 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877227068 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877230883 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877262115 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877360106 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877408981 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877413988 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877418995 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877456903 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877460957 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877491951 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877590895 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877640963 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877655983 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877660990 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.877686977 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.877697945 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881087065 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881234884 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881284952 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881308079 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881360054 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881366014 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881372929 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881402969 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881414890 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881561041 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881608963 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881612062 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881623983 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881656885 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881668091 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881684065 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881719112 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881880999 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881928921 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881930113 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.881937981 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.881974936 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.882180929 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.882230043 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.882236958 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.882241964 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.882277966 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.882302046 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.882350922 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.885525942 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.887132883 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.887209892 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.887288094 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.887300014 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.887326956 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.887336016 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.889122963 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.889233112 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.893224955 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.893301964 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.893368959 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.893384933 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.893410921 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.893419981 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.894129038 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.894486904 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.894548893 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.894690037 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.894711971 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.894732952 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.894783974 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.894785881 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.894798040 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.894830942 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.894844055 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.894850969 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.894902945 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.894922018 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.894958019 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.894970894 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.894978046 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.894998074 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.895009995 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.897840023 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.897897959 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.897924900 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.897933960 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.897945881 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.897968054 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.897975922 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898006916 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.898019075 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898067951 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898067951 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.898077965 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898117065 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.898123026 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898154974 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.898250103 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898299932 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898302078 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.898309946 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898345947 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.898360014 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.898365021 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898380041 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898396969 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.898405075 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.898416042 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.898435116 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.907604933 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.907670975 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.907782078 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.907787085 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.907802105 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.907839060 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.907850981 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.907855988 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.907866001 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.907903910 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.907915115 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.907922029 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.907957077 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.907987118 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.908032894 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.908035040 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.908041954 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.908078909 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.908087969 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.908121109 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.908214092 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.908272982 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923211098 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923245907 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923278093 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923290968 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923377991 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923387051 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923403025 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923409939 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923451900 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923460007 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923476934 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923485994 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923512936 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923528910 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923544884 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923551083 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923572063 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923583031 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923588991 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923618078 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923626900 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923629045 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923638105 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923672915 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923685074 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923688889 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923698902 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923721075 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923728943 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923739910 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923746109 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923759937 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923764944 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923779011 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923794031 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923799038 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923810959 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923829079 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923834085 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923845053 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923856974 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923865080 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923871040 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923876047 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923912048 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923924923 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923927069 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923935890 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.923975945 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.923986912 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924036980 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924042940 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924052954 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924074888 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924081087 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924093008 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924101114 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924105883 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924110889 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924134016 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924148083 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924153090 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924163103 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924182892 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924185991 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924196005 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924233913 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924242020 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924243927 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924252033 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924290895 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924298048 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924307108 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924326897 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924333096 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924351931 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924385071 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924385071 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924393892 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.924405098 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924405098 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.924438953 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936413050 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936445951 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936475039 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936579943 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936600924 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936600924 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936630964 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936640978 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936693907 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936703920 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936719894 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936726093 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936789989 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936794996 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936810017 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936815023 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936825991 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936861038 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936866045 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936882019 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936903000 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936908007 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936927080 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936932087 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936964989 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.936989069 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.936995029 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937011957 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937019110 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937020063 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937041044 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937046051 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937062979 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937067986 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937076092 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937082052 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937108040 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937119961 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937130928 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937133074 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937144041 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937144041 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937186003 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937187910 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937197924 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937243938 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937249899 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937258959 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937293053 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937300920 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937305927 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.937333107 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.937345982 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.939531088 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.939593077 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.939654112 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.939673901 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.939701080 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.939709902 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.939923048 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.939966917 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.939999104 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.940000057 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.940006018 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.940040112 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.940812111 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.940867901 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.940898895 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.940906048 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.940918922 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.940938950 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.940943956 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.940979958 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.942593098 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.942652941 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.942671061 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.942678928 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.942699909 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.942711115 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.942714930 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.942745924 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.942773104 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.942821026 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.942826986 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.942857027 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.948911905 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.949070930 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961119890 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961143017 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961160898 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961285114 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961293936 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961318016 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961323977 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961333036 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961347103 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961384058 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961390018 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961410046 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961415052 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961426973 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961437941 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961441994 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961468935 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961474895 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961507082 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961513042 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961536884 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961541891 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961575985 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961575031 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961602926 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961608887 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961631060 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961642027 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961647987 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961653948 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961679935 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961699009 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961704969 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961719990 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961725950 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961740971 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961745977 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961767912 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961774111 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961798906 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961807013 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961817026 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961827040 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961827993 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961846113 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961850882 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961869955 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961880922 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961889029 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961893082 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961939096 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961941004 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.961949110 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961992025 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.961993933 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.962002039 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962049961 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.962054014 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962065935 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962104082 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962121964 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.962131977 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962137938 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.962143898 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962191105 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962193012 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.962201118 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962244987 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.962249994 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962259054 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962302923 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962305069 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.962311983 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962356091 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.962431908 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.962469101 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966006041 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966072083 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966175079 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966187000 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966202021 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966228008 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966233015 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966243982 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966252089 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966270924 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966274977 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966290951 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966310978 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966497898 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966552019 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966566086 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966573000 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966584921 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966609955 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966614962 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966650009 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966775894 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966826916 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966844082 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966849089 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966870070 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966891050 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.966896057 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.966934919 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.967130899 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.967181921 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.967197895 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.967202902 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.967221975 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.967255116 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.967259884 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.967297077 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.967950106 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968007088 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968019009 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968024969 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968065023 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968075037 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968107939 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968142033 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968192101 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968194008 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968203068 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968255043 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968261003 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968295097 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968343973 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968393087 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968400002 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968405008 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968439102 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968444109 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968477011 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968624115 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968677044 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968692064 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968697071 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968719006 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968739033 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.968743086 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.968784094 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.995959997 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996011972 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.996046066 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.996165037 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996179104 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.996201038 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.996221066 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996232986 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.996257067 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996268034 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996278048 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.996299982 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.996319056 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996319056 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996319056 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996332884 CET	443	49172	45.60.47.233	192.168.2.22
Nov 4, 2022 13:16:09.996361017 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996361017 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996375084 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996407986 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:09.996418953 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:10.061964035 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:10.079735994 CET	49172	443	192.168.2.22	45.60.47.233
Nov 4, 2022 13:16:10.079785109 CET	443	49172	45.60.47.233	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2022 13:16:08.174658060 CET	58836	53	192.168.2.22	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 4, 2022 13:16:08.174658060 CET	192.168.2.22	8.8.8.8	0x702c	Standard query (0)	download.peoplecert.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 4, 2022 13:16:08.197923899 CET	8.8.8.8	192.168.2.22	0x702c	No error (0)	download.peoplecert.org	downloadgeoiprouting.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2022 13:16:08.197923899 CET	8.8.8.8	192.168.2.22	0x702c	No error (0)	incapsula-download.peoplecert.org	yhbk884.x.incapdns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2022 13:16:08.197923899 CET	8.8.8.8	192.168.2.22	0x702c	No error (0)	yhbk884.x.incapdns.net		45.60.47.233	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

download.peoplecert.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49172	45.60.47.233	443	C:\Users\user\Desktop\ExamShieldLauncher.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-04 12:16:09 UTC	0	OUT	GET /files/examshieldlauncher.exe?id=anonymous&ticks=1647274825234%20%20current%20categorization:%20education%20last%20time%20rated/ExamShieldSetup.exe?id=ANONYMOUS HTTP/1.1 Accept: / User-Agent: ExamShield Launcher Host: download.peoplecert.org Connection: Keep-Alive Cache-Control: no-cache
2022-11-04 12:16:09 UTC	0	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 1999848 Content-Type: application/octet-stream Expires: Tue, 1 Jan 1980 00:00:00 GMT Last-Modified: Fri, 04 Nov 2022 11:22:30 GMT Accept-Ranges: bytes ETag: "gHGXxEJ9j8V+L6c2kL72fQ==" Server-Timing: intid;desc=91e82184c7e82aea Set-Cookie: ASP.NET_SessionId=yf20hkgy2kmn4gktukyo5ajt; path=/; secure; HttpOnly; SameSite=Lax Content-Disposition: attachment; filename="examshieldlauncher.exe" Date: Fri, 04 Nov 2022 12:16:09 GMT Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload; X-Frame-Options: SAMEORIGIN Set-Cookie: downck=50e6c337-bbff-44d6-b04e-124f51f82e1f; path=/ Set-Cookie: visid_incap_1974829=YIOrlx9OQo64xTTB0cWthGkCZWMAAAAAQUIPAAAAAAD61g9uk+8uckOhcIt4lI0W; expires=Fri, 03 Nov 2023 22:15:52 GMT; HttpOnly; path=/; Domain=.peoplecert.org; Secure; SameSite=None Set-Cookie: nlbi_1974829=KcvPM634OCr0Ccl2scj7uQAAAAAayk0ZSDW/Xp29o6UBYCQL; path=/; Domain=.peoplecert.org; Secure; SameSite=None Set-Cookie: incap_ses_7228_1974829=xqsdd9Qw2ynxRXq2PQRPZIgCZWMAAAAAXxEAMkXGXhVs7V09eCrCYw==; path=/; Domain=.peoplecert.org; Secure; SameSite=None X-CDN: Imperva X-Iinfo: 5-4455510-4455553 NNNN CT(32 37 0) RT(1667564167531 893) q(0 0 0 0) r(1 3) U5
2022-11-04 12:16:09 UTC	1	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f Data Ascii: MZ@!L!This program cannot be run in DOS mo
2022-11-04 12:16:09 UTC	1	IN	Data Raw: 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 27 95 af 45 46 fb fc 45 46 fb fc 45 46 fb fc 2a 30 50 fc 40 46 fb fc 4c 3e 7f fc 44 46 fb fc 4c 3e 78 fc 49 46 fb fc 4c 3e 68 fc 62 46 fb fc 45 46 fa fc 7c 45 fb fc 5e db 65 fc 6e 46 fb fc 5e db 51 fc fd 46 fb fc 5e db 50 fc 3d 47 fb fc 5e db 54 fc 4d 46 fb fc 5e db 61 fc 44 46 fb fc 5e db 66 fc 44 46 fb fc 52 69 63 68 45 46 fb fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 1d bd 48 5b 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 58 12 00 00 00 0c 00 00 00 00 00 2c 08 10 00 00 10 00 00 00 70 12 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 1f 00 00 04 00 00 bc bf 1e 00 02 00 40 81 00 00 10 00 00 10 00 00 00 Data Ascii: de.$'EFEFEF*0P@FL>DFL>xIFL>hbFEF\|E^enF^QF^P=G^TMF^aDF^fDFRichEFPELH[X,p@@
2022-11-04 12:16:09 UTC	3	IN	Data Raw: 04 56 ff d0 8b 4d 08 8b 55 fc 5f 5e 89 0a 5b 8b e5 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 68 0e 00 07 80 e8 e6 00 00 00 cc cc cc cc cc cc 55 8b ec 8b 55 08 56 8b f1 8b 06 8b 48 f0 83 e8 10 39 50 08 7d 15 85 d2 7e 11 57 8b 39 6a 02 52 50 8b 47 08 ff d0 5f 85 c0 75 05 e8 c0 ff ff ff 83 c0 10 89 06 5e 5d c2 04 00 cc cc cc cc cc cc 55 8b ec 8b 01 8b 50 f4 57 8b 7d 08 3b d7 7e 02 8b fa 83 78 fc 01 7e 0b 57 e8 02 ff ff ff 5f 5d c2 04 00 8b 40 f8 3b c7 7d 27 56 8b f0 81 fe 00 00 00 40 7e 08 81 c6 00 00 10 00 eb 07 99 2b c2 d1 f8 03 f0 3b f7 7d 02 8b f7 56 e8 70 ff ff ff 5e 5f 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 8b 4d 08 85 c9 79 0a 68 57 00 07 80 e8 29 00 00 00 8b 06 ba 01 00 00 00 2b 50 fc 8b 40 f8 2b c1 0b d0 7d 08 51 8b ce Data Ascii: VMU_^[]hUUVH9P}~W9jRPG_u^]UPW};~x~W_]@;}'V@~+;}Vp^_]UVMyhW)+P@+}Q
2022-11-04 12:16:09 UTC	4	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 56 8b f1 56 e8 24 00 00 00 f6 45 08 01 74 09 56 e8 c3 ab 00 00 83 c4 04 8b c6 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 61 3d 52 00 64 a1 00 00 00 00 50 56 a1 54 04 57 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b 75 08 8d 8e 2c 05 00 00 c7 45 fc 0c 00 00 00 e8 6a b0 00 00 8d 8e b8 04 00 00 c6 45 fc 0b e8 5b b0 00 00 8d 8e 44 04 00 00 c6 45 fc 0a e8 4c b0 00 00 c6 45 fc 09 8b 86 20 04 00 00 83 e8 10 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 c6 45 fc 08 8b 86 1c 04 00 00 83 e8 10 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 c6 45 fc 07 8b 86 18 04 00 00 83 e8 10 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8d Data Ascii: UVV$EtV^]Ujha=RdPVTW3PEdu,EjE[DELE HJPBEHJPBEHJPB
2022-11-04 12:16:09 UTC	5	IN	Data Raw: 00 00 83 c4 0c 50 8b cf c6 45 fc 04 e8 d9 24 00 00 c6 45 fc 03 8b 85 c0 fd ff ff 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 3f 8d 8d b0 fd ff ff 51 8d 95 bc fd ff ff 52 8d 85 b8 fd ff ff 50 53 57 e8 48 77 01 00 85 c0 75 0e 6a 02 8b ce e8 b5 21 01 00 e9 a6 01 00 00 8b 8d bc fd ff ff 6a 2f 51 e8 cf ef 0f 00 8b 95 bc fd ff ff 83 c4 08 85 c0 74 0b 2b c2 d1 f8 8b c8 83 f9 ff 75 20 6a 5c 52 e8 af ef 0f 00 83 c4 08 85 c0 74 6a 8b 95 bc fd ff ff 2b c2 d1 f8 8b c8 83 f9 ff 74 59 83 7a f4 01 7e 53 8b 42 f4 2b c1 48 50 8d 95 ac fd ff ff 52 8d 8d bc fd ff ff e8 8e 1c 00 00 8d be 1c 04 00 00 50 8b cf c6 45 fc 05 e8 0c 24 00 00 c6 45 fc 03 8b 85 ac fd ff ff 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 20 8b 08 8b 11 50 Data Ascii: PE$EHJPB?QRPSWHwuj!j/Qt+u j\Rtj+tYz~SB+HPRPE$EHJ P
2022-11-04 12:16:09 UTC	7	IN	Data Raw: 40 00 80 e8 06 f0 ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 28 8b 75 18 8b 7d 14 c6 84 24 80 00 00 00 04 85 f6 0f 87 c6 00 00 00 72 08 81 ff 00 04 00 00 73 52 e8 02 34 01 00 33 c9 85 c0 0f 95 c1 85 c9 75 0a 68 05 40 00 80 e8 bc ef ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 30 56 57 8d 4c 24 38 68 14 0d 55 00 51 c6 84 24 90 00 00 00 05 e8 63 f0 ff ff 8b 74 24 40 83 c4 10 56 6a 79 e9 c4 00 00 00 85 f6 77 66 72 08 81 ff 00 00 10 00 73 5c e8 a2 33 01 00 33 c9 85 c0 0f 95 c1 85 c9 75 0a 68 05 40 00 80 e8 5c ef ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 30 df 6d 14 c6 84 24 80 00 00 00 06 83 ec 08 dc 0d 88 1b 55 00 8d 4c 24 38 dd 1c 24 68 20 0d 55 00 51 e8 f6 ef ff ff 8b 74 24 40 83 c4 10 56 6a 7b eb 5a e8 46 33 01 00 33 c9 85 c0 0f 95 Data Ascii: @BD$(u}$rsR43uh@BD$0VWL$8hUQ$ct$@Vjywfrs\33uh@\BD$0m$UL$8$h UQt$@Vj{ZF33
2022-11-04 12:16:09 UTC	8	IN	Data Raw: c4 05 7a 42 e8 8a 2e 01 00 33 c9 3b c3 0f 95 c1 3b cb 75 0a 68 05 40 00 80 e8 44 ea ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 40 dd 45 08 83 ec 08 c6 84 24 88 00 00 00 02 dd 1c 24 68 2c 0d 55 00 eb 40 e8 48 2e 01 00 33 c9 3b c3 0f 95 c1 3b cb 75 0a 68 05 40 00 80 e8 02 ea ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 40 dd 45 08 83 ec 08 c6 84 24 88 00 00 00 03 dd 1c 24 68 40 0d 55 00 8d 4c 24 4c 51 e8 a2 ea ff ff 8b 74 24 50 83 c4 10 56 68 81 00 00 00 8d 54 24 44 52 e8 53 68 01 00 8d 46 f0 88 9c 24 80 00 00 00 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 6a 05 8d 8f d4 01 00 00 e8 dd 0b 01 00 8b 4c 24 3c 51 8d 8f d4 01 00 00 e8 02 0b 01 00 6a 01 8d 8f b8 04 00 00 e8 c0 0b 01 00 8b 57 20 52 ff 15 e0 76 52 00 c7 Data Ascii: zB.3;;uh@DBD$@E$$h,U@H.3;;uh@BD$@E$$h@UL$LQt$PVhT$DRShF$HJPBjL$<QjW RvR
2022-11-04 12:16:09 UTC	10	IN	Data Raw: c9 dc 35 50 1b 55 00 d9 6c 24 3c df 7c 24 48 8b 4c 24 48 51 8d 8e 68 ff ff ff d9 6c 24 3c ff d2 5f 5e 5b 8b e5 5d c2 14 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 53 3f 52 00 64 a1 00 00 00 00 50 81 ec 34 0a 00 00 a1 54 04 57 00 33 c5 89 45 f0 53 56 57 50 8d 45 f4 64 a3 00 00 00 00 8b 45 0c 8b 75 10 33 ff 83 c0 f6 89 8d c0 f5 ff ff 89 bd c4 f5 ff ff 83 f8 64 0f 87 34 05 00 00 0f b6 80 68 34 40 00 ff 24 85 50 34 40 00 8b 4d 14 57 51 56 ff 15 64 70 52 00 3b c7 74 79 8d 95 e8 fc ff ff 89 95 e4 fc ff ff 3b f7 75 16 89 bd e4 fc ff ff 89 7d fc 8b 85 e4 fc ff ff bb 01 00 00 00 eb 7f 56 ff 15 7c 74 52 00 8d 58 01 68 80 00 00 00 8d 85 e8 fc ff ff 50 8d 8d e4 fc ff ff 53 51 e8 fb 0d 00 00 8b 95 e4 fc ff ff 03 db 53 56 53 52 e8 bc db 0f 00 83 c4 20 Data Ascii: 5PUl$<\|$HL$HQhl$<_^[]UjhS?RdP4TW3ESVWPEdEu3d4h4@$P4@MWQVdpR;ty;u}V\|tRXhPSQSVSR
2022-11-04 12:16:09 UTC	11	IN	Data Raw: ff fd ff ff 3b c1 74 09 50 e8 a4 d8 0f 00 83 c4 04 f7 c6 00 01 00 00 74 19 8b 85 e8 fd ff ff 8d 95 ec fd ff ff 3b c2 74 09 50 e8 83 d8 0f 00 83 c4 04 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d f0 33 cd e8 ec d3 0f 00 8b e5 5d c2 10 00 0c 2f 40 00 12 30 40 00 17 31 40 00 1b 32 40 00 21 33 40 00 32 34 40 00 00 01 05 05 05 05 05 05 05 05 02 03 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 04 8d 49 00 32 2f 40 00 90 2f 40 00 97 30 40 00 97 30 40 00 00 03 03 03 03 03 03 03 03 03 03 03 01 03 03 03 03 03 03 03 03 03 02 03 03 03 03 03 03 03 03 Data Ascii: ;tPt;tPMdY_^[M3]/@0@1@2@!3@24@I2/@/@0@0@
2022-11-04 12:16:09 UTC	13	IN	Data Raw: 89 70 f4 8b 01 33 c9 66 89 0c 70 5f 5e 8b c3 5b 8b e5 5d c2 08 00 e8 e1 1b 01 00 e8 14 1c 01 00 0f 39 40 00 c2 39 40 00 c7 39 40 00 c7 39 40 00 00 03 03 03 03 03 03 03 03 03 03 03 01 03 03 03 03 03 03 03 03 03 02 03 03 03 03 03 03 03 03 03 03 03 02 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 00 8d 49 00 3a 39 40 00 c2 39 40 00 c7 39 40 00 c7 39 40 00 00 03 03 03 03 03 03 03 03 03 03 03 01 03 03 03 03 03 03 03 03 03 02 03 03 03 03 03 03 03 03 03 03 03 02 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 8b 4d 08 8b 06 Data Ascii: p3fp_^[]9@9@9@9@I:9@9@9@9@UVM
2022-11-04 12:16:09 UTC	14	IN	Data Raw: 8b 75 10 57 8d 3c 06 85 ff 79 0a 68 57 00 07 80 e8 c3 d3 ff ff 8b 5d 08 8b 03 8b 50 f8 b9 01 00 00 00 2b 48 fc 2b d7 0b ca 7d 08 57 8b cb e8 05 d3 ff ff 8b 45 0c 8b 1b 03 f6 56 50 56 53 e8 97 cb 0f 00 8b 45 18 8b 4d 14 03 c0 50 51 50 03 f3 56 e8 84 cb 0f 00 8b 4d 08 8b 01 83 c4 20 3b 78 f8 7f a8 89 78 f4 8b 11 33 c0 66 89 04 7a 5f 5e 5b 5d c3 cc cc cc cc cc 55 8b ec 8b 45 08 53 56 8b 30 8b d9 8b 4e f0 8b 11 8b 42 10 57 ff d0 83 7e fc 00 8d 4e fc 7c 1f 3b 46 f0 75 1a 8d 7e f0 ba 01 00 00 00 f0 0f c1 11 83 c7 10 89 3b 5f 5e 8b c3 5b 5d c2 04 00 8b 4e f4 8b 10 8b 12 6a 02 51 8b c8 ff d2 8b f8 85 ff 75 05 e8 18 d2 ff ff 8b 46 f4 89 47 04 8b 46 f4 8d 44 00 02 50 56 50 8d 4f 10 51 e8 f1 ca 0f 00 83 c4 10 83 c7 10 89 3b 5f 5e 8b c3 5b 5d c2 04 00 cc cc cc cc cc Data Ascii: uW<yhW]P+H+}WEVPVSEMPQPVM ;xx3fz_^[]UESV0NBW~N\|;Fu~;_^[]NjQuFGFDPVPOQ;_^[]
2022-11-04 12:16:09 UTC	15	IN	Data Raw: 42 0c ff d0 83 c0 10 89 46 1c c6 45 fc 05 e8 4a 12 01 00 33 c9 3b c7 0f 95 c1 3b cf 75 0a 68 05 40 00 80 e8 04 ce ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 46 20 c6 45 fc 06 e8 1d 12 01 00 33 c9 3b c7 0f 95 c1 3b cf 75 0a 68 05 40 00 80 e8 d7 cd ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 46 24 c6 45 fc 07 e8 f0 11 01 00 33 c9 3b c7 0f 95 c1 3b cf 75 0a 68 05 40 00 80 e8 aa cd ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 46 28 c6 45 fc 08 e8 c3 11 01 00 33 c9 3b c7 0f 95 c1 3b cf 75 0a 68 05 40 00 80 e8 7d cd ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 46 2c c6 45 fc 09 e8 96 11 01 00 33 c9 3b c7 0f 95 c1 3b cf 75 0a 68 05 40 00 80 e8 50 cd ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 46 30 c6 45 fc 0a d9 ee 68 48 0f 55 00 dd 5e 48 8d 4e 68 89 7e 34 Data Ascii: BFEJ3;;uh@BF E3;;uh@BF$E3;;uh@BF(E3;;uh@}BF,E3;;uh@PBF0EhHU^HNh~4
2022-11-04 12:16:09 UTC	17	IN	Data Raw: 8c 00 00 00 ff d0 eb 14 8b 4d e4 e8 18 0a 01 00 b8 c6 4a 40 00 c3 8b 75 08 8b 5d e8 85 db 75 1a 39 5d ec 75 15 8b 46 0c 50 ff 15 38 74 52 00 85 c0 74 07 8b c6 e8 36 ff ff ff 8b c3 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 04 00 55 8b ec 6a ff 68 53 47 52 00 64 a1 00 00 00 00 50 83 ec 20 53 56 57 a1 54 04 57 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f1 6a 01 8d 86 a0 00 00 00 33 ff 50 8d 4d d4 89 7d f0 e8 33 62 01 00 89 7d fc 39 7e 70 0f 85 ac 01 00 00 8b 46 34 2b c7 0f 84 06 01 00 00 48 0f 84 85 00 00 00 48 0f 85 93 01 00 00 8b 4e 24 8b 49 f4 8d 46 24 3b cf 74 15 50 8d 4d ec e8 55 f4 ff ff 8d 45 ec c6 45 fc 03 8d 5f 10 eb 16 e8 9c 6a 01 00 8b 40 10 50 8d 4d e8 e8 88 1a 00 00 bb 20 00 00 00 8b 4e 10 8b 00 57 57 51 6a 03 50 ff 15 94 78 52 00 89 Data Ascii: MJ@u]u9]uFP8tRt6MdY_^[]UjhSGRdP SVWTW3PEdj3PM}3b}9~pF4+HHN$IF$;tPMUEE_j@PM NWWQjPxR
2022-11-04 12:16:09 UTC	18	IN	Data Raw: 04 9f 00 00 00 00 e8 0c 5d 01 00 c6 45 fc 04 8b 4e 28 8b 41 f4 f7 d8 8b 16 1b c0 23 c1 8b 4e 30 8b d8 8b 41 f4 f7 d8 1b c0 23 c1 8b 4e 2c 89 45 e8 8b 41 f4 f7 d8 1b c0 23 c1 8b 8e 80 00 00 00 89 45 dc 8b 42 24 89 4d e0 56 8b ce ff d0 8b 4d e8 8b 55 e0 50 8b 45 dc 57 53 51 8b 4e 74 52 50 51 ff 15 a0 78 52 00 89 46 78 85 c0 75 3a ff 15 58 72 52 00 8b 16 50 8b 42 1c 6a 6f 8b ce ff d0 8d 4d d0 c6 45 fc 03 e8 67 5c 01 00 57 e8 c4 bb 0f 00 8b 4d f0 51 e8 bb bb 0f 00 83 c4 08 e9 09 fe ff ff e8 dc 04 01 00 8d 4d d0 c6 45 fc 03 e8 3f 5c 01 00 57 e8 9c bb 0f 00 8b 55 f0 52 e8 93 bb 0f 00 83 c4 08 8d 4d bc c7 45 fc ff ff ff ff e8 be 67 01 00 b8 01 00 00 00 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc 56 8b f1 8b 46 1c 8b 48 f4 57 85 Data Ascii: ]EN(A#N0A#N,EA#EB$MVMUPEWSQNtRPQxRFxu:XrRPBjoMEg\WMQME?\WURMEgMdY_^[]VFHW
2022-11-04 12:16:09 UTC	20	IN	Data Raw: 02 00 00 50 e8 02 ba 0f 00 8b f8 83 c4 04 89 7d c8 3b fb 0f 84 ff 01 00 00 89 5d d4 8b 56 5c 8b 46 78 8d 4d d4 51 52 57 50 ff 15 b8 78 52 00 39 5d d4 75 e8 57 c6 45 fc 03 e8 6c b6 0f 00 8b 45 e0 83 c4 04 83 cf ff 3d 97 01 00 00 75 68 8b 4e 14 39 59 f4 74 2d 39 5d e8 75 28 8b 16 8b 42 10 8b ce ff d0 8d 4d ec 85 c0 0f 84 83 01 00 00 c7 45 e8 01 00 00 00 89 7d fc e8 ea ba ff ff e9 72 fe ff ff 39 5e 3c 75 73 8b 16 8b 42 20 68 97 01 00 00 6a 71 8b ce ff d0 8d 4d ec e8 c8 ba ff ff 33 c0 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 04 00 3d 91 01 00 00 75 6c 8b 4e 1c 39 59 f4 74 2d 39 5d dc 75 28 8b 16 8b 42 0c 8b ce ff d0 8d 4d ec 85 c0 0f 84 14 01 00 00 c7 45 dc 01 00 00 00 89 7d fc e8 7b ba ff ff e9 03 fe ff ff 39 5e 40 0f 84 35 01 00 00 8b 16 8b 52 Data Ascii: P};]V\FxMQRWPxR9]uWElE=uhN9Yt-9]u(BME}r9^<usB hjqM3MdY_^[]=ulN9Yt-9]u(BME}{9^@5R
2022-11-04 12:16:09 UTC	21	IN	Data Raw: d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8d 46 f0 c7 45 fc ff ff ff ff 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 4d f4 64 89 0d 00 00 00 00 59 5e 5b 8b e5 5d c2 08 00 cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 b8 40 52 00 64 a1 00 00 00 00 50 51 56 57 a1 54 04 57 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f9 e8 35 fb 00 00 33 c9 85 c0 0f 95 c1 85 c9 75 0a 68 05 40 00 80 e8 ef b6 ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 45 f0 8b 75 08 56 c7 45 fc 00 00 00 00 e8 f6 44 01 00 85 c0 74 1b 56 50 8d 4d f0 e8 72 07 00 00 85 c0 74 0d 8b 17 8b 45 f0 8b 52 30 50 8b cf ff d2 c7 45 fc ff ff ff ff 8b 45 f0 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 8b Data Ascii: PBFEHJPBMdY^[]Ujh@RdPQVWTW3PEd53uh@BEuVEDtVPMrtER0PEEHJPBMdY_^
2022-11-04 12:16:09 UTC	22	IN	Data Raw: 04 00 51 e8 ab ae 0f 00 8b 4d 08 83 c4 04 85 c0 89 01 0f 95 c0 5d c2 04 00 cc cc cc cc cc cc cc 55 8b ec 8b 45 0c f7 65 10 85 d2 75 05 83 f8 ff 76 07 b8 16 02 07 80 5d c3 8b 4d 08 89 01 33 c0 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 56 8b f1 83 f8 ff 75 13 8b 06 8b 48 f8 85 c0 74 0e 51 50 e8 ee ad 0f 00 83 c4 08 85 c0 78 17 8b 0e 3b 41 f8 7f 10 89 41 f4 8b 0e 33 d2 66 89 14 41 5e 5d c2 04 00 68 57 00 07 80 e8 3a b1 ff ff cc cc cc cc cc cc cc cc cc cc e9 4a 4b 01 00 cc cc cc cc cc cc cc cc cc cc cc 56 8b f1 8d 46 08 50 c7 06 6c 8f 52 00 ff 15 40 74 52 00 8b ce 5e e9 e4 4a 01 00 cc cc cc cc cc 55 8b ec 56 8b f1 8d 46 08 50 c7 06 6c 8f 52 00 ff 15 40 74 52 00 8b ce e8 c2 4a 01 00 f6 45 08 01 74 09 56 e8 52 61 00 00 83 c4 04 8b c6 5e Data Ascii: QM]UEeuv]M3]UEVuHtQPx;AA3fA^]hW:JKVFPlR@tR^JUVFPlR@tRJEtVRa^
2022-11-04 12:16:09 UTC	24	IN	Data Raw: 8d 45 f4 64 a3 00 00 00 00 8b 75 08 33 db 53 68 85 00 00 00 8b ce e8 c1 5f 00 00 8d be b8 00 00 00 57 89 5d fc e8 9a dc ff ff c6 45 fc 01 8d 8e 80 01 00 00 c7 06 bc 10 55 00 c7 07 5c 12 55 00 e8 39 82 00 00 c7 86 80 01 00 00 0c a6 52 00 8d 8e f4 01 00 00 c6 45 fc 02 e8 20 82 00 00 c7 86 f4 01 00 00 2c 81 52 00 8d 8e 68 02 00 00 c6 45 fc 03 e8 07 82 00 00 c7 86 68 02 00 00 24 a9 52 00 c6 45 fc 04 e8 cb ef 00 00 33 c9 3b c3 0f 95 c1 3b cb 75 0a 68 05 40 00 80 e8 85 ab ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 86 dc 02 00 00 c6 45 fc 05 e8 9b ef 00 00 33 c9 3b c3 0f 95 c1 3b cb 75 0a 68 05 40 00 80 e8 55 ab ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 86 e0 02 00 00 c6 45 fc 06 e8 6b ef 00 00 33 c9 3b c3 0f 95 c1 3b cb 75 0a 68 05 40 00 80 e8 25 ab ff ff Data Ascii: Edu3Sh_W]EU\U9RE ,RhEh$RE3;;uh@BE3;;uh@UBEk3;;uh@%
2022-11-04 12:16:09 UTC	25	IN	Data Raw: 89 be f8 02 00 00 89 9e f0 02 00 00 89 9e f4 02 00 00 89 9d c4 fd ff ff 89 9d c8 fd ff ff 89 9d cc fd ff ff 89 9d d0 fd ff ff 89 9d d4 fd ff ff 89 9d d8 fd ff ff e8 8a 1e 01 00 3b c3 0f 84 c3 00 00 00 8b 96 08 01 00 00 0b 96 0c 01 00 00 0f 85 b1 00 00 00 39 9e f0 00 00 00 0f 84 a5 00 00 00 e8 43 ea 00 00 33 c9 3b c3 0f 95 c1 3b cb 75 0a 68 05 40 00 80 e8 fd a5 ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 85 c0 fd ff ff c7 45 fc 01 00 00 00 8b 86 c4 00 00 00 50 68 82 00 00 00 8d 8d c0 fd ff ff 51 e8 64 24 01 00 8b 95 c0 fd ff ff 53 6a 04 52 e8 3a de 00 00 83 f8 06 74 24 6a 02 8b ce e8 0c d2 00 00 89 7d fc 8b 85 c0 fd ff ff 83 c0 f0 8d 48 0c f0 0f c1 39 4f 85 ff e9 17 03 00 00 89 7d fc 8b 85 c0 fd ff ff 83 c0 f0 8d 48 0c f0 0f c1 39 4f 85 ff 7f 0a 8b 08 8b Data Ascii: ;9C3;;uh@BEPhQd$SjR:t$j}H9O}H9O
2022-11-04 12:16:09 UTC	27	IN	Data Raw: 00 00 85 f6 0f 87 c6 00 00 00 72 08 81 ff 00 04 00 00 73 52 e8 e4 e4 00 00 33 c9 85 c0 0f 95 c1 85 c9 75 0a 68 05 40 00 80 e8 9e a0 ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 34 56 57 8d 4c 24 3c 68 14 0d 55 00 51 c6 84 24 90 00 00 00 01 e8 45 a1 ff ff 8b 74 24 44 83 c4 10 56 6a 79 e9 c4 00 00 00 85 f6 77 66 72 08 81 ff 00 00 10 00 73 5c e8 84 e4 00 00 33 c9 85 c0 0f 95 c1 85 c9 75 0a 68 05 40 00 80 e8 3e a0 ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 34 df 6d 0c c6 84 24 80 00 00 00 02 83 ec 08 dc 0d 88 1b 55 00 8d 4c 24 3c dd 1c 24 68 20 0d 55 00 51 e8 d8 a0 ff ff 8b 74 24 44 83 c4 10 56 6a 7b eb 5a e8 28 e4 00 00 33 c9 85 c0 0f 95 c1 85 c9 75 0a 68 05 40 00 80 e8 e2 9f ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 34 df 6d 0c c6 84 Data Ascii: rsR3uh@BD$4VWL$<hUQ$Et$DVjywfrs\3uh@>BD$4m$UL$<$h UQt$DVj{Z(3uh@BD$4m
2022-11-04 12:16:09 UTC	27	IN	Data Raw: 00 04 00 00 73 52 e8 56 e3 00 00 33 c9 85 c0 0f 95 c1 85 c9 75 0a 68 05 40 00 80 e8 10 9f ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 34 56 57 8d 4c 24 3c 68 14 0d 55 00 51 c6 84 24 90 00 00 00 05 e8 b7 9f ff ff 8b 74 24 44 83 c4 10 56 6a 79 e9 c4 00 00 00 85 f6 77 66 72 08 81 ff 00 00 10 00 73 5c e8 f6 e2 00 00 33 c9 85 c0 0f 95 c1 85 c9 75 0a 68 05 40 00 80 e8 b0 9e ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 34 df 6d 14 c6 84 24 80 00 00 00 06 83 ec 08 dc 0d 88 1b 55 00 8d 4c 24 3c dd 1c 24 68 20 0d 55 00 51 e8 4a 9f ff ff 8b 74 24 44 83 c4 10 56 6a 7b eb 5a e8 9a e2 00 00 33 c9 85 c0 0f 95 c1 85 c9 75 0a 68 05 40 00 80 e8 54 9e ff ff 8b 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 34 df 6d 14 c6 84 24 80 00 00 00 07 83 ec 08 dc 0d 80 1b 55 Data Ascii: sRV3uh@BD$4VWL$<hUQ$t$DVjywfrs\3uh@BD$4m$UL$<$h UQJt$DVj{Z3uh@TBD$4m$U
2022-11-04 12:16:09 UTC	29	IN	Data Raw: 10 8b c8 8b 42 0c ff d0 83 c0 10 89 44 24 40 dd 45 08 83 ec 08 c6 84 24 88 00 00 00 03 dd 1c 24 68 40 0d 55 00 8d 4c 24 4c 51 e8 25 9a ff ff 8b 74 24 50 83 c4 10 56 68 81 00 00 00 8d 54 24 44 52 e8 d6 17 01 00 8d 46 f0 88 9c 24 80 00 00 00 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 c7 84 24 80 00 00 00 ff ff ff ff 8b 44 24 3c 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 4c 24 78 64 89 0d 00 00 00 00 59 5e 5b 8b e5 5d c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc 56 8b f1 8d 86 b8 00 00 00 50 e8 c1 cf ff ff 8b 4e 20 6a 00 6a 00 68 02 04 00 00 51 ff 15 e4 76 52 00 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc 56 8b f1 8b 86 ec 02 00 00 85 c0 74 29 8b 40 2c 6a ff 50 ff 15 6c 74 52 00 8b 8e Data Ascii: BD$@E$$h@UL$LQ%t$PVhT$DRF$HJPB$D$<HJPBL$xdY^[]VPN jjhQvR^Vt)@,jPltR
2022-11-04 12:16:09 UTC	30	IN	Data Raw: 8b 7d 08 89 07 85 c0 75 07 8b c6 e8 28 db ff ff 33 c0 81 3f 00 2f 00 00 5f 0f 94 c0 5e 5d c2 04 00 cc cc cc cc cc cc cc 8b 81 e8 00 00 00 68 00 00 64 00 6a 00 68 01 04 00 00 50 ff 15 dc 76 52 00 c2 08 00 cc cc cc cc e8 e3 77 00 00 40 f7 d8 1b c0 f7 d8 48 c2 04 00 56 6a 00 8b f1 e8 c8 b5 00 00 8b ce 5e e9 ca ac 06 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc e9 fb fa ff ff cc cc cc cc cc cc cc cc cc cc cc e9 0b 00 00 00 cc cc cc cc cc cc cc cc cc cc cc b8 c0 12 55 00 c3 cc cc cc cc cc cc cc cc cc cc 6a 00 b9 c8 81 57 00 e8 ec 44 01 00 c7 05 c8 81 57 00 9c 17 55 00 b8 c8 81 57 00 c3 cc cc cc cc 55 8b ec 56 8b f1 e8 c7 45 01 00 f6 45 08 01 74 09 56 e8 74 43 00 00 83 c4 04 8b c6 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 4e Data Ascii: }u(3?/_^]hdjhPvRw@HVj^UjWDWUWUVEEtVtC^]UjhN
2022-11-04 12:16:09 UTC	31	IN	Data Raw: c7 74 17 68 c8 00 00 00 50 8d 8d c0 fb ff ff e8 cc df ff ff 8b b5 c0 fb ff ff 68 36 01 00 00 e8 32 1d 01 00 3b c7 74 11 68 36 01 00 00 50 8d 8d bc fb ff ff e8 a7 df ff ff 68 40 01 00 00 e8 13 1d 01 00 3b c7 74 11 68 40 01 00 00 50 8d 8d b8 fb ff ff e8 88 df ff ff 68 c8 12 55 00 8d 8d c4 fb ff ff 51 8d 95 d4 fb ff ff 52 e8 30 3c 00 00 83 c4 0c c6 45 fc 10 8b 08 8b bd a8 fb ff ff 8d 41 f0 83 c7 f0 3b c7 74 57 83 7f 0c 00 8d 5f 0c 7c 38 8b 10 3b 17 75 32 50 e8 52 bd ff ff 8b f0 83 c4 04 83 c8 ff f0 0f c1 03 48 85 c0 7f 0a 8b 0f 8b 11 8b 42 04 57 ff d0 83 c6 10 89 b5 a8 fb ff ff 8b b5 c0 fb ff ff eb 10 8b 41 f4 50 51 8d 8d a8 fb ff ff e8 66 bc ff ff 8b 9d c4 fb ff ff c6 45 fc 0f 8b 85 d4 fb ff ff 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b Data Ascii: thPh62;th6Ph@;th@PhUQR0<EA;tW_\|8;u2PRHBWAPQfEHJ
2022-11-04 12:16:09 UTC	33	IN	Data Raw: c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8d 46 f0 c6 45 fc 01 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 c7 45 fc ff ff ff ff 8d 43 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 0f 8f bc 16 00 00 8b 08 8b 11 50 8b 42 04 ff d0 e9 ad 16 00 00 68 05 01 00 00 8d 8d d8 fb ff ff 51 6a 00 ff 15 24 74 52 00 8d 85 d8 fb ff ff 8d 50 02 66 8b 08 83 c0 02 66 85 c9 75 f5 2b c2 d1 f8 50 8d 95 d8 fb ff ff 52 8d 8d 9c fb ff ff e8 ee b6 ff ff 68 a4 13 55 00 8d 85 b0 fb ff ff 50 8d 8d d4 fb ff ff 51 e8 36 36 00 00 83 c4 0c 50 8d 8d 98 fb ff ff c6 45 fc 14 e8 e3 b7 ff ff c6 45 fc 0f 8b 85 d4 fb ff ff 83 c0 f0 8d 50 0c 83 c9 ff f0 0f c1 0a 49 85 c9 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 68 d4 13 55 00 8d 8d b0 Data Ascii: HJPBFEHJPBECHJPBhQj$tRPffu+PRhUPQ66PEEPIPBhU
2022-11-04 12:16:09 UTC	34	IN	Data Raw: 00 8d bd d0 fb ff ff c6 45 fc 1b e8 48 2e 00 00 8b 8d b8 fb ff ff 83 79 f4 00 0f 8e a3 00 00 00 68 bc 14 55 00 8d 9d d0 fb ff ff e8 88 2b 00 00 8b d3 52 8d 85 b4 fb ff ff c6 45 fc 1f 8b 8d d4 fb ff ff 50 e8 5f 2e 00 00 83 c4 08 b3 20 88 5d fc 8b 00 85 c0 74 04 8b 00 eb 02 33 c0 8d 8d b8 fb ff ff 51 50 8d 95 c8 fb ff ff 52 e8 97 b0 ff ff 83 c4 0c 50 8d 8d d4 fb ff ff c6 45 fc 21 e8 84 b2 ff ff 88 5d fc 8b 85 c8 fb ff ff 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8d bd b4 fb ff ff e8 a4 2d 00 00 8d bd d0 fb ff ff c6 45 fc 1b e8 95 2d 00 00 51 8d 95 88 fb ff ff 89 a5 c8 fb ff ff 8b cc 52 e8 a0 af ff ff e8 ab 10 00 00 84 c0 0f 85 81 02 00 00 6a 00 6a 10 68 d0 14 55 00 e8 62 bb 00 00 c6 45 fc 1a 8b 85 d4 fb ff ff 83 c0 Data Ascii: EH.yhU+REP_. ]t3QPRPE!]HJPB-E-QRjjhUbE
2022-11-04 12:16:09 UTC	35	IN	Data Raw: a8 fb ff ff 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 c6 45 fc 01 8b 85 c0 fb ff ff 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 c7 45 fc ff ff ff ff 8b 85 c4 fb ff ff 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 b8 01 00 00 00 e9 45 0b 00 00 8d 8d 88 f4 ff ff 51 e8 37 80 ff ff 8d 95 a8 fb ff ff 52 8d 8d 28 f5 ff ff c6 45 fc 24 e8 c1 ac ff ff 8d 85 ac fb ff ff 50 8d 8d 2c f5 ff ff e8 af ac ff ff 33 c0 68 54 15 55 00 8d 8d a0 f8 ff ff 89 85 54 f5 ff ff 89 85 58 f5 ff ff e8 f1 28 00 00 80 bb b8 00 00 00 00 74 17 68 68 15 55 00 8d 8d a0 f8 ff ff c6 85 28 fa ff ff 01 e8 d1 28 00 00 8d 8d 88 f4 ff ff e8 4b b0 00 00 83 f8 01 0f 84 37 02 00 00 Data Ascii: HJPBEHJPBEHJPBEQ7R(E$P,3hTUTX(thhU((K7
2022-11-04 12:16:09 UTC	37	IN	Data Raw: 45 fc 31 e8 a8 a7 ff ff 8d 8d c8 fb ff ff e8 ad 76 ff ff 8d bd b4 fb ff ff e8 e2 22 00 00 8d bd d0 fb ff ff c6 45 fc 25 e8 d3 22 00 00 b9 90 15 55 00 8d 9d cc fb ff ff e8 33 1a 00 00 b9 9c 15 55 00 8d 9d cc fb ff ff e8 23 1a 00 00 51 8d 85 ac fb ff ff 89 a5 c8 fb ff ff 8b cc 50 e8 be a4 ff ff e8 c9 05 00 00 84 c0 0f 85 5b 02 00 00 6a 00 6a 10 68 d0 14 55 00 e8 80 b0 00 00 c6 45 fc 24 8b 85 cc fb ff ff 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8d 8d 88 f4 ff ff 51 c6 45 fc 0f e8 9d 7c ff ff c6 45 fc 0e 8b 85 a0 fb ff ff 83 c0 f0 8d 50 0c 83 c9 ff f0 0f c1 0a 49 85 c9 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8d 46 f0 c6 45 fc 0d 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 c6 45 fc 0c 8b 85 Data Ascii: E1v"E%"U3U#QP[jjhUE$HJPBQE\|EPIPBFEHJPBE
2022-11-04 12:16:09 UTC	38	IN	Data Raw: ff 8d 8d bc fb ff ff e8 08 71 ff ff 8d 8d 9c fb ff ff e8 fd 70 ff ff 8d 8d 98 fb ff ff e8 f2 70 ff ff 8d 8d 94 fb ff ff e8 e7 70 ff ff 8d 8d 90 fb ff ff e8 dc 70 ff ff 8d 8d a4 fb ff ff e8 d1 70 ff ff 8d 8d a8 fb ff ff e8 c6 70 ff ff 8d 8d c0 fb ff ff e8 bb 70 ff ff 8d 8d c4 fb ff ff e8 b0 70 ff ff 33 c0 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d ec 33 cd e8 5c 67 0f 00 8b e5 5d c3 cc cc 55 8b ec 6a ff 68 27 3b 52 00 64 a1 00 00 00 00 50 83 ec 20 53 56 57 a1 54 04 57 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 89 65 f0 33 ff 8d 4d d4 89 7d fc c6 45 ef 01 89 7d e8 e8 aa b5 00 00 b3 02 6a 14 88 5d fc e8 51 22 00 00 83 c4 04 89 45 e4 c6 45 fc 03 3b c7 74 11 8b 4d 08 6a 40 51 8b c8 e8 45 0b 01 00 8b c8 eb 02 33 c9 88 5d fc 8b 11 8b 42 34 8b f1 89 75 e8 ff d0 Data Ascii: qpppppppp3MdY_^[M3\g]Ujh';RdP SVWTW3PEde3M}E}j]Q"EE;tMj@QE3]B4u
2022-11-04 12:16:09 UTC	40	IN	Data Raw: 85 c0 74 2e 8d 64 24 00 8b 45 f0 50 e8 d9 69 0f 00 83 c4 04 50 8d 45 d4 e8 eb 11 00 00 8b 4d 08 6a 2e 46 56 51 8d 55 f0 52 e8 2b fb 00 00 85 c0 75 d6 b8 04 00 00 00 2b 45 e0 85 c0 7e 17 8b f0 eb 06 8d 9b 00 00 00 00 6a 00 8d 45 d4 e8 b6 11 00 00 4e 75 f3 8b 45 d8 85 c0 74 11 8b 4d 0c 8b 50 08 8b 00 89 11 83 c1 04 85 c0 75 f2 c6 45 fc 01 8b 45 f0 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8d 45 d4 c6 45 fc 00 e8 ac 11 00 00 c7 45 fc ff ff ff ff 8b 45 08 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 4d f4 64 89 0d 00 00 00 00 59 5e 8b e5 5d c2 08 00 cc cc cc cc 55 8b ec 6a ff 68 c0 3f 52 00 64 a1 00 00 00 00 50 83 ec 28 a1 54 04 57 00 33 c5 89 45 f0 50 8d 45 f4 64 a3 00 00 00 Data Ascii: t.d$EPiPEMj.FVQUR+u+E~jENuEtMPuEEHJPBEEEEHJPBMdY^]Ujh?RdP(TW3EPEd
2022-11-04 12:16:09 UTC	41	IN	Data Raw: 00 8b 85 e0 fd ff ff 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 8b 85 c4 fd ff ff e9 b6 05 00 00 68 2c 01 00 00 e8 6a f5 00 00 85 c0 74 11 68 2c 01 00 00 50 8d 8d cc fd ff ff e8 df b7 ff Data Ascii: HJPBh,jth,P
2022-11-04 12:16:09 UTC	41	IN	Data Raw: ff 68 f0 12 55 00 8d 8d cc fd ff ff 51 8d 95 e4 fd ff ff 52 e8 87 14 00 00 83 c4 0c c6 45 fc 0b 8b 08 8b b5 d4 fd ff ff 8d 41 f0 83 c6 f0 3b c6 74 4b 83 7e 0c 00 8d 7e 0c 7c 32 8b 10 3b 16 75 2c 50 e8 a9 95 ff ff 8b d8 83 c4 04 83 c8 ff f0 0f c1 07 48 85 c0 7f 0a 8b 0e 8b 11 8b 42 04 56 ff d0 83 c3 10 89 9d d4 fd ff ff eb 10 8b 41 f4 50 51 8d 8d d4 fd ff ff e8 c3 94 ff ff c6 45 fc 09 8b 85 e4 fd ff ff 83 c0 f0 8d 48 0c 83 ca ff f0 0f c1 11 4a 85 d2 7f 0a 8b 08 8b 11 50 8b 42 04 ff d0 68 94 16 55 00 8d 8d dc fd ff ff 51 8d 95 e4 fd ff ff 52 e8 e5 13 00 00 83 c4 0c c6 45 fc 0c 8b 08 8b b5 d8 fd ff ff 8d 41 f0 83 c6 f0 3b c6 74 4b 83 7e 0c 00 8d 7e 0c 7c 32 8b 10 3b 16 75 2c 50 e8 07 95 ff ff 8b d8 83 c4 04 83 c8 ff f0 0f c1 07 48 85 c0 7f 0a 8b 0e 8b 11 8b Data Ascii: hUQREA;tK~~\|2;u,PHBVAPQEHJPBhUQREA;tK~~\|2;u,PH
2022-11-04 12:16:09 UTC	43	IN	Data Raw: 86 56 0f 00 8b e5 5d c2 08 00 cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 10 8d 45 fc 50 68 19 00 02 00 6a 00 68 30 17 55 00 68 02 00 00 80 c7 45 fc 00 00 00 00 c7 45 f0 04 00 00 00 c7 45 f8 00 00 00 00 c7 45 f4 00 00 00 00 ff 15 04 70 52 00 85 c0 74 06 32 c0 8b e5 5d c3 8d 4d f8 51 8b 4d fc 8d 55 f4 52 8d 45 f0 50 6a 00 68 90 17 55 00 51 c7 45 f8 04 00 00 00 ff 15 10 70 52 00 85 c0 75 d2 8b 55 fc 52 ff 15 0c 70 52 00 b0 01 8b e5 5d c3 cc 55 8b ec 83 e4 f8 81 ec 2c 01 00 00 a1 54 04 57 00 33 c4 89 84 24 28 01 00 00 56 68 1c 01 00 00 8d 44 24 0c 6a 00 50 e8 c4 68 0f 00 8b 35 10 74 52 00 83 c4 0c 6a 03 33 c9 6a 02 51 51 c7 44 24 18 1c 01 00 00 c7 44 24 1c 06 00 00 00 c7 44 24 20 00 00 00 00 89 8c 24 2c 01 00 00 ff d6 6a 03 6a 01 52 50 ff d6 6a 03 6a 20 52 Data Ascii: V]UEPhjh0UhEEEEpRt2]MQMUREPjhUQEpRuURpR]U,TW3$(VhD$jPh5tRj3jQQD$D$D$ $,jjRPjj R
2022-11-04 12:16:09 UTC	44	IN	Data Raw: 8b 01 8b 50 f4 8b 0f 8b 79 f4 52 50 57 51 56 c7 45 f0 01 00 00 00 e8 dd 87 ff ff 83 c4 14 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 8b e5 5d c3 cc cc cc cc cc cc cc 55 8b ec 8b 4d 08 85 c9 75 0a 68 05 40 00 80 e8 8c 5b ff ff 8b 45 0c 8b 00 8d a4 24 00 00 00 00 66 8b 10 66 3b 11 75 25 66 85 d2 74 15 66 8b 50 02 66 3b 51 02 75 16 83 c0 04 83 c1 04 66 85 d2 75 de 33 c0 33 c9 85 c0 0f 94 c0 5d c3 1b c0 83 d8 ff 33 c9 85 c0 0f 94 c0 5d c3 cc cc cc cc cc 33 c9 c7 00 b0 18 55 00 89 48 0c 89 48 10 89 48 08 89 48 04 89 48 14 c7 40 18 0a 00 00 00 c3 cc 55 8b ec 56 8b f0 8b 46 08 50 e8 21 01 00 00 8b 4d 08 89 48 08 8b 4e 08 85 c9 74 0a 89 01 89 46 08 5e 5d c2 04 00 89 46 04 89 46 08 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b f0 c7 06 b0 18 Data Ascii: PyRPWQVEMdY_^]UMuh@[E$ff;u%ftfPf;Qufu33]3]3UHHHHH@UVFP!MHNtF^]FF^]V
2022-11-04 12:16:09 UTC	45	IN	Data Raw: a1 54 04 57 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 6a 0c e8 60 06 00 00 83 c4 04 89 45 f0 c7 45 fc 00 00 00 00 85 c0 74 0f 8b 4d 08 51 57 50 e8 b8 fe ff ff 8b d8 eb 02 33 db c7 45 fc ff ff ff ff 85 db 75 0a 68 0e 00 07 80 e8 2d c6 10 00 8b 37 85 f6 74 3e 8d 56 08 52 ff 15 20 74 52 00 85 c0 75 2a 85 f6 74 26 8b 06 85 c0 74 07 50 ff 15 d4 74 52 00 8b 46 04 85 c0 74 09 50 e8 26 06 00 00 83 c4 04 56 e8 1d 06 00 00 83 c4 04 c7 07 00 00 00 00 89 1f 8b c7 8b 4d f4 64 89 0d 00 00 00 00 59 5e 5b 8b e5 5d c2 04 00 cc cc 56 8b 37 85 f6 74 3e 8d 46 08 50 ff 15 20 74 52 00 85 c0 75 2a 85 f6 74 26 8b 06 85 c0 74 07 50 ff 15 d4 74 52 00 8b 46 04 85 c0 74 09 50 e8 c8 05 00 00 83 c4 04 56 e8 bf 05 00 00 83 c4 04 c7 07 00 00 00 00 5e c3 cc cc cc cc cc cc cc cc cc 55 8b ec Data Ascii: TW3PEdj`EEtMQWP3Euh-7t>VR tRut&tPtRFtP&VMdY^[]V7t>FP tRut&tPtRFtPV^U
2022-11-04 12:16:09 UTC	47	IN	Data Raw: 59 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 81 c1 b8 00 00 00 51 6a 01 50 e8 00 c4 00 00 5d c2 04 00 cc cc cc cc cc cc cc e9 0b 00 00 00 cc cc cc cc cc cc cc cc cc cc cc b8 38 19 55 00 c3 cc cc cc cc cc cc cc cc cc cc 6a 06 e8 86 7c 00 00 c3 cc cc cc cc cc cc cc cc 6a 02 e8 76 7c 00 00 c3 cc cc cc cc cc cc cc cc 56 8b f1 e8 0a 80 00 00 e8 fb f2 00 00 8b 40 08 6a 00 6a 10 6a 10 6a 01 68 93 00 00 00 50 ff 15 e4 77 52 00 50 8b 86 d8 00 00 00 6a 01 68 f7 00 00 00 50 ff 15 dc 76 52 00 b8 01 00 00 00 5e c3 e9 43 92 00 00 8b ff 55 8b ec 8b 4d 08 a1 00 c0 56 00 89 0d 00 c0 56 00 5d c2 04 00 8b ff 55 8b ec 56 eb 13 a1 00 c0 56 00 85 c0 74 19 ff 75 08 ff d0 59 85 c0 74 0f ff 75 08 e8 74 4c 0f 00 8b f0 59 85 f6 74 de 8b c6 5e 5d c3 8b ff 55 8b Data Ascii: Y^]UEQjP]8Uj\|jv\|V@jjjjhPwRPjhPvR^CUMVV]UVVtuYtutLYt^]U
2022-11-04 12:16:09 UTC	48	IN	Data Raw: ec fd ff ff 83 c1 f0 e8 28 49 ff ff 8b c6 eb c3 6a 05 ff 15 f8 71 52 00 8b f0 eb e2 b8 64 7f 52 00 c3 8b ff 55 8b ec 8b 01 6a 00 ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 68 14 81 52 00 ff 50 54 5d c2 14 00 6a 04 b8 fc 8b 51 00 e8 6b 51 0f 00 8b f1 89 75 f0 c7 06 2c 81 52 00 83 65 fc 00 e8 9b 31 00 00 83 4d fc ff 8b ce e8 eb 42 00 00 e8 1f 52 0f 00 c3 8b ff 55 8b ec 8b 01 6a 00 ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 68 94 82 52 00 ff 50 54 5d c2 14 00 6a 04 b8 fc 8b 51 00 e8 16 51 0f 00 8b f1 89 75 f0 c7 06 ac 82 52 00 83 65 fc 00 e8 46 31 00 00 83 4d fc ff 8b ce e8 96 42 00 00 e8 ca 51 0f 00 c3 8b ff 55 8b ec 83 7d 08 2b 74 06 5d e9 34 62 00 00 ff 75 10 8b 01 ff 90 64 01 00 00 33 c0 40 5d c2 10 00 8b ff 55 8b ec 8b 01 6a 00 ff 75 14 ff 75 10 ff Data Ascii: (IjqRdRUjuuuuuhRPT]jQkQu,Re1MBRUjuuuuuhRPT]jQQuReF1MBQU}+t]4bud3@]Ujuu
2022-11-04 12:16:09 UTC	50	IN	Data Raw: 95 b8 89 02 83 c0 10 83 ea 04 49 75 f5 83 7d 28 00 be 03 00 02 80 75 06 8d 45 18 89 45 28 83 7d 20 00 75 06 8d 45 d0 89 45 20 8d 45 f0 50 ff 15 b8 74 52 00 8b 45 0c 05 9a 13 00 00 83 f8 12 0f 87 a7 04 00 00 8a 4d 18 6a 02 5a ff 24 85 09 d3 40 00 83 7f 08 01 0f 85 40 04 00 00 8b 75 bc 8b 03 83 ec 10 8b fc a5 a5 a5 53 a5 ff 50 64 e9 1f 04 00 00 83 7f 08 02 0f 85 1f 04 00 00 8b 45 bc 66 83 38 03 8b 3d b4 74 52 00 74 18 6a 03 6a 00 50 8d 45 f0 50 ff d7 8b f0 85 f6 0f 88 e6 01 00 00 8d 45 f0 8b 40 08 89 45 18 8b 45 c0 66 83 38 03 74 18 6a 03 6a 00 50 8d 45 f0 50 ff d7 8b f0 85 f6 0f 88 a6 03 00 00 8d 45 f0 ff 75 20 8b 40 08 8b 0b 50 ff 75 18 53 ff 51 60 e9 b2 03 00 00 83 7f 08 02 0f 85 b2 03 00 00 8b 45 bc 66 83 38 03 74 1c 6a 03 6a 00 50 8d 45 f0 50 ff 15 b4 Data Ascii: Iu}(uEE(} uEE EPtREMjZ$@@uSPdEf8=tRtjjPEPE@EEf8tjjPEPEu @PuSQ`Ef8tjjPEP
2022-11-04 12:16:09 UTC	51	IN	Data Raw: 5e 5b c9 c2 14 00 b8 06 00 02 80 eb f2 8b ff 55 8b ec 56 8b f1 e8 1c 67 00 00 8b 4d 08 33 c0 c7 06 bc 8d 52 00 c7 46 30 2c 8d 52 00 c7 46 34 a0 8d 52 00 83 ca ff 89 4e 20 88 46 24 89 46 38 89 46 2c 89 46 54 89 46 58 89 46 5c 89 Data Ascii: ^[UVgM3RF0,RF4RN F$F8F,FTFXF\
2022-11-04 12:16:09 UTC	51	IN	Data Raw: 46 60 89 46 64 89 46 68 89 46 6c 89 46 70 8b ca 89 46 44 89 46 48 89 46 4c 89 46 50 89 4e 3c 89 56 40 8b c6 5e 5d c2 04 00 8b ff 55 8b ec ff 75 0c ff 75 08 ff 15 c8 77 52 00 8b 4d 10 f7 d1 23 c8 0b 4d 14 3b c1 75 04 33 c0 eb 2b 51 ff 75 0c ff 75 08 ff 15 c4 77 52 00 8b 45 18 33 c9 3b c1 74 12 83 c8 17 50 51 51 51 51 51 ff 75 08 ff 15 18 78 52 00 33 c0 40 5d c2 14 00 8b ff 55 8b ec ff 75 14 ff 75 10 ff 75 0c 6a f0 ff 75 08 e8 96 ff ff ff 5d c2 10 00 8b ff 55 8b ec ff 75 14 ff 75 10 ff 75 0c 6a ec ff 75 08 e8 7a ff ff ff 5d c2 10 00 ff 71 20 ff 15 1c 78 52 00 50 e8 7c 39 01 00 c3 83 79 20 00 8b 01 74 03 ff 60 60 ff a0 20 01 00 00 8b ff 55 8b ec 56 8b f1 8b 46 5c 85 c0 75 22 8b 06 ff 90 fc 00 00 00 8b 00 85 c0 75 14 ff 75 10 ff 75 0c ff 75 08 ff 76 20 ff 15 Data Ascii: F`FdFhFlFpFDFHFLFPN<V@^]UuuwRM#M;u3+QuuwRE3;tPQQQQQuxR3@]Uuuuju]Uuuujuz]q xRP\|9y t`` UVF\u"uuuuv
2022-11-04 12:16:09 UTC	53	IN	Data Raw: 00 b8 01 40 00 80 c2 10 00 6a 08 b8 3c 87 51 00 e8 58 40 0f 00 8b 75 08 ff 76 ec 8d 4d ec e8 a3 dc 00 00 ff 75 0c 8b 46 d0 83 65 fc 00 8d 4e d0 ff 90 98 00 00 00 83 4d fc ff 8d 4d ec 8b f0 e8 ba d3 00 00 8b c6 e8 fa 40 0f 00 c2 08 00 6a 08 b8 3c 87 51 00 e8 13 40 0f 00 8b 75 08 ff 76 ec 8d 4d ec e8 5e dc 00 00 ff 75 0c 8b 46 d0 83 65 fc 00 8d 4e d0 ff 90 9c 00 00 00 83 4d fc ff 8d 4d ec 8b f0 e8 75 d3 00 00 8b c6 e8 b5 40 0f 00 c2 08 00 6a 08 b8 3c 87 51 00 e8 ce 3f 0f 00 8b 5d 08 ff 73 ec 8d 4d ec e8 19 dc 00 00 ff 75 1c 8b 43 d0 83 65 fc 00 83 ec 10 8b fc 8d 75 0c a5 a5 a5 8d 4b d0 a5 ff 90 a0 00 00 00 83 4d fc ff 8d 4d ec 8b f0 e8 24 d3 00 00 8b c6 e8 64 40 0f 00 c2 18 00 6a 08 b8 3c 87 51 00 e8 7d 3f 0f 00 8b 5d 08 ff 73 ec 8d 4d ec e8 c8 db 00 00 ff Data Ascii: @j<QX@uvMuFeNMM@j<Q@uvM^uFeNMMu@j<Q?]sMuCeuKMM$d@j<Q}?]sM
2022-11-04 12:16:09 UTC	54	IN	Data Raw: 00 00 8b 43 d0 83 65 fc 00 83 ec 10 8b fc 8d 75 0c a5 a5 a5 8d 4b d0 a5 ff 90 e0 00 00 00 83 4d fc ff 8d 4d ec 8b f0 e8 26 ce 00 00 8b c6 e8 66 3b 0f 00 c2 14 00 6a 08 b8 3c 87 51 00 e8 7f 3a 0f 00 8b 5d 08 ff 73 ec 8d 4d ec e8 ca d6 00 00 ff 75 1c 8b 43 d0 83 65 fc 00 83 ec 10 8b fc 8d 75 0c a5 a5 a5 8d 4b d0 a5 ff 90 e4 00 00 00 83 4d fc ff 8d 4d ec 8b f0 e8 d5 cd 00 00 8b c6 e8 15 3b 0f 00 c2 18 00 6a 08 b8 3c 87 51 00 e8 2e 3a 0f 00 8b 5d 08 ff 73 ec 8d 4d ec e8 79 d6 00 00 ff 75 1c 8b 43 d0 83 65 fc 00 83 ec 10 8b fc 8d 75 0c a5 a5 a5 8d 4b d0 a5 ff 90 e8 00 00 00 83 4d fc ff 8d 4d ec 8b f0 e8 84 cd 00 00 8b c6 e8 c4 3a 0f 00 c2 18 00 6a 08 b8 3c 87 51 00 e8 dd 39 0f 00 8b 75 08 ff 76 e8 8d 4d ec e8 28 d6 00 00 83 65 fc 00 8d 4e cc e8 f4 41 01 00 83 Data Ascii: CeuKMM&f;j<Q:]sMuCeuKMM;j<Q.:]sMyuCeuKMM:j<Q9uvM(eNA
2022-11-04 12:16:09 UTC	55	IN	Data Raw: 01 00 00 76 0e 3d 00 02 00 00 72 0f 3d 09 02 00 00 77 08 52 e8 d7 4e 00 00 eb 02 33 c0 5d c2 04 00 8b 41 58 83 e0 10 c3 8b 81 c8 00 00 00 85 c0 74 12 3d 02 e0 00 00 74 0b 3d 01 e0 00 00 74 04 33 c0 40 c3 33 c0 c3 8b ff 55 8b ec 8b 45 08 85 c0 75 05 e8 84 70 00 00 83 20 00 33 c0 40 5d c2 04 00 8b ff 55 8b ec 8b 45 0c 85 c0 75 05 e8 69 70 00 00 83 20 00 33 c0 40 5d c2 10 00 8b 41 68 c3 b8 30 8b 52 00 c3 6a 04 b8 d7 e3 51 00 e8 82 34 0f 00 68 64 01 00 00 e8 a4 30 01 00 8b c8 89 4d f0 33 c0 89 45 fc 3b c8 74 05 e8 3d c9 00 00 e8 38 35 0f 00 c3 6a 10 68 88 a6 55 00 e8 fa 35 0f 00 33 f6 89 75 e0 8d 45 e0 50 e8 54 d0 00 00 ff b0 80 00 00 00 ff 15 ec 73 52 00 89 75 e4 3b c6 75 04 33 c0 eb 22 89 75 fc ff 75 08 ff 15 50 78 52 00 0f b7 c0 89 45 e4 c7 45 fc fe ff ff Data Ascii: v=r=wRN3]AXt=t=t3@3UEup 3@]UEuip 3@]Ah0RjQ4hd0M3E;t=85jhU53uEPTsRu;u3"uuPxREE
2022-11-04 12:16:09 UTC	57	IN	Data Raw: 52 56 0d 00 00 00 40 50 ff 75 0c ff 75 08 6a 00 ff 53 5c 5f 5e 5b 5d c2 1c 00 8b ff 55 8b ec 56 e8 86 cb 00 00 8b f0 8b 46 3c 85 c0 74 17 8b 40 20 85 c0 74 10 6a 00 6a 00 68 01 04 00 00 50 ff 15 dc 76 52 00 83 7d 08 00 8b 76 50 74 1d 85 f6 74 19 6a 01 ff 15 ac 77 52 00 66 85 c0 78 0c 8b 06 6a ff 8b ce ff 90 9c 01 00 00 5e 5d c2 04 00 8b ff 55 8b ec 51 53 56 57 8b f9 e8 29 c5 00 00 8b f0 8b 46 78 8b 5e 74 89 45 fc 8b 45 14 85 c0 74 03 8b 40 20 ff 75 18 89 46 74 8b 4f 04 50 6a 00 ff 75 10 89 4e 78 ff 75 0c ff 75 08 ff 77 04 ff 15 a8 77 52 00 8b 4d fc 5f 89 5e 74 89 4e 78 5e 5b c9 c2 14 00 8b ff 55 8b ec 53 56 8b 75 08 57 85 f6 75 05 e8 56 6a 00 00 ff 76 04 ff 15 60 78 52 00 33 ff 89 45 08 85 c0 7e 3d 8b 5d 0c 57 ff 76 04 ff 15 fc 77 52 00 50 e8 8f 22 01 00 Data Ascii: RV@PuujS\_^[]UVF<t@ tjjhPvR}vPttjwRfxj^]UQSVW)Fx^tEEt@ uFtOPjuNxuuwwRM_^tNx^[USVuWuVjv`xR3E~=]WvwRP"
2022-11-04 12:16:09 UTC	58	IN	Data Raw: dc e8 f7 bf 00 00 8b 88 3c 01 00 00 89 4d ec 8b 4e 20 89 88 3c 01 00 00 8d 4d d4 89 45 e8 8b 06 51 8b ce 89 7d 08 89 7d fc ff 90 00 01 00 00 c7 45 08 01 00 00 00 8b 45 ec 8b 4d e8 89 81 3c 01 00 00 8b 45 08 e8 4b 2a 0f 00 c2 04 00 b8 af f0 40 00 c3 eb e1 8b 75 e4 8b 06 68 08 f1 00 00 6a 30 8b ce ff 50 14 8b ce e8 0f 64 00 00 b8 92 f0 40 00 c3 8b ff 55 8b ec 83 ec 64 a1 54 04 57 00 33 c5 89 45 fc 53 8b 5d 08 56 57 8b f9 89 7d 9c e8 3a 43 00 00 33 f6 89 45 a0 3b de 74 05 8b 5b 20 eb 37 a9 00 00 00 40 74 0b ff 77 20 ff 15 08 78 52 00 eb 0b 6a 04 ff 77 20 ff 15 0c 78 52 00 8b d8 3b de 74 14 56 56 68 6b 03 00 00 53 ff 15 dc 76 52 00 3b c6 74 02 8b d8 8d 45 cc 50 ff 77 20 89 75 cc 89 75 d0 89 75 d4 89 75 d8 ff 15 04 78 52 00 f7 45 a0 00 00 00 40 89 75 ec 89 75 Data Ascii: <MN <MEQ}}EEM<EK*@uhj0Pd@UdTW3ES]VW}:C3E;t[ 7@tw xRjw xR;tVVhkSvR;tEPw uuuuxRE@uu
2022-11-04 12:16:09 UTC	60	IN	Data Raw: fc 8d 45 dc 50 8b ce e8 90 ff ff ff 8b 46 14 33 c9 3b c7 0f 95 c1 3b cf 75 05 e8 b9 5f 00 00 ff 75 08 ff d0 89 45 e4 c7 45 fc fe ff ff ff e8 0b 00 00 00 8b 45 e4 e8 c2 25 0f 00 c2 04 00 33 c0 39 45 e4 0f 94 c0 8b f0 85 f6 74 0a ff 15 58 72 52 00 8b f8 eb 02 33 ff ff 75 e0 6a 00 ff 15 f0 73 52 00 85 f6 74 07 57 ff 15 f4 73 52 00 c3 8b ff 55 8b ec 56 8b f1 83 7e 10 00 75 14 68 f4 8f 52 00 e8 45 fe ff ff 50 ff 15 e0 73 52 00 89 46 10 8b 4e 10 8b 45 08 89 08 5e 5d c2 04 00 6a 14 68 48 a8 55 00 e8 0e 25 0f 00 8b f1 33 ff 89 7d e0 8d 45 e0 50 e8 66 bf 00 00 ff b0 80 00 00 00 ff 15 ec 73 52 00 89 7d e4 3b c7 75 04 33 c0 eb 35 89 7d fc 8d 45 dc 50 8b ce e8 90 ff ff ff 8b 46 10 33 c9 3b c7 0f 95 c1 3b cf 75 05 e8 e6 5e 00 00 ff d0 89 45 e4 c7 45 fc fe ff ff ff e8 Data Ascii: EPF3;;u_uEEE%39EtXrR3ujsRtWsRUV~uhREPsRFNE^]jhHU%3}EPfsR};u35}EPF3;;u^EE
2022-11-04 12:16:09 UTC	61	IN	Data Raw: 33 c9 6a 28 5a 8b c7 f7 e2 0f 90 c1 f7 d9 0b c8 51 e8 b2 c7 ff ff 8b f0 59 85 f6 74 37 6a 28 56 57 ff 75 0c ff 15 38 36 57 00 8b cb 85 c0 74 26 8b 03 56 57 ff 90 28 01 00 00 56 8b f8 e8 b5 c7 ff ff 59 ff 75 0c ff 15 34 36 57 00 85 ff 74 04 33 c0 eb 07 8b cb e8 79 fb ff ff e8 dd 1e 0f 00 c2 08 00 6a 18 b8 f9 87 51 00 e8 f6 1d 0f 00 8b f1 f6 05 50 36 57 00 01 75 1f 83 0d 50 36 57 00 01 83 65 fc 00 68 b0 8f 52 00 e8 50 ec ff ff 83 4d fc ff 59 a3 4c 36 57 00 a1 4c 36 57 00 85 c0 75 05 e8 85 59 00 00 f6 05 50 36 57 00 02 8b 3d e0 73 52 00 75 14 83 0d 50 36 57 00 02 68 78 90 52 00 50 ff d7 a3 48 36 57 00 f6 05 50 36 57 00 04 75 19 83 0d 50 36 57 00 04 68 60 90 52 00 ff 35 4c 36 57 00 ff d7 a3 44 36 57 00 83 3d 48 36 57 00 00 0f 84 cb 01 00 00 83 3d 44 36 57 00 Data Ascii: 3j(ZQYt7j(VWu86Wt&VW(VYu46Wt3yjQP6WuP6WehRPMYL6WL6WuYP6W=sRuP6WhxRPH6WP6WuP6Wh`R5L6WD6W=H6W=D6W
2022-11-04 12:16:09 UTC	62	IN	Data Raw: 90 90 00 00 00 85 c0 75 07 8b ce e8 18 f6 ff ff 5e c2 04 00 8b ff 53 56 57 8b d9 e8 ab 32 00 00 a9 00 00 00 40 75 46 e8 4c c3 ff ff 8b f8 85 ff 74 3b 8b 35 ac 77 52 00 6a 10 ff d6 66 85 c0 78 2c 6a 11 ff d6 66 85 c0 78 23 6a 12 ff d6 66 85 c0 78 1a 6a 00 68 46 e1 00 00 68 11 01 00 00 ff 77 20 ff 15 dc 76 52 00 33 c0 40 eb 0d 8b cb e8 b4 f5 ff ff f7 d8 1b c0 f7 d8 5f 5e 5b c2 04 00 8b ff 55 8b ec 51 56 8b f1 80 7e 24 00 75 07 e8 94 f5 ff ff eb 23 8b 06 83 65 fc 00 8d 4d fc 51 ff 75 0c 8b ce ff 75 08 ff 90 f0 00 00 00 85 c0 79 04 8b ce eb d9 8b 45 fc 5e c9 c2 08 00 8b ff 55 8b ec 56 8b f1 8b 4d 10 85 c9 74 0b 6a 00 e8 e0 fe ff ff 85 c0 75 07 8b ce e8 49 f5 ff ff 5e 5d c2 0c 00 6a 58 b8 ff bd 51 00 e8 32 18 0f 00 8b f1 83 7e 68 00 74 28 56 8d 4d 9c e8 4d 64 Data Ascii: u^SVW2@uFLt;5wRjfx,jfx#jfxjhFhw vR3@_^[UQV~$u#eMQuuyE^UVMtjuI^]jXQ2~ht(VMMd
2022-11-04 12:16:09 UTC	64	IN	Data Raw: 08 50 ff 51 48 5d c2 08 00 8b ff 55 8b ec 8b 45 08 83 78 08 00 75 07 b8 08 01 01 80 eb 19 83 7d 0c 00 75 07 b8 03 40 00 80 eb 0c 8b 40 08 ff 75 0c 8b 08 50 ff 51 4c 5d c2 08 00 8b ff 55 8b ec 8b 45 08 8b 40 08 56 57 85 c0 75 07 b8 08 01 01 80 eb 22 83 7d 1c 00 75 07 b8 03 40 00 80 eb 15 ff 75 1c 8b 08 83 ec 10 8b fc 8d 75 0c a5 a5 a5 50 a5 ff 51 50 5f 5e 5d c2 18 00 8b ff 55 8b ec 8b 45 08 8b 40 08 56 57 85 c0 75 07 b8 08 01 01 80 eb 15 8b 08 83 ec 10 8b fc ff 75 0c 8d 75 10 a5 a5 a5 50 a5 ff 51 54 5f 5e 5d c2 18 00 8b ff 55 8b ec 8b 45 08 8b 40 08 33 c9 56 57 3b c1 75 07 b8 08 01 01 80 eb 39 39 4d 0c 75 07 b8 03 40 00 80 eb 2d 39 4d 10 74 f4 39 4d 14 74 ef 39 4d 18 74 ea 8b 08 83 ec 10 8b fc ff 75 18 8d 75 1c ff 75 14 a5 ff 75 10 a5 ff 75 0c a5 50 a5 ff Data Ascii: PQH]UExu}u@@uPQL]UE@VWu"}u@uuPQP_^]UE@VWuuuPQT_^]UE@3VW;u99Mu@-9Mt9Mt9MtuuuuuP
2022-11-04 12:16:09 UTC	65	IN	Data Raw: e8 9c d7 03 00 8b 4d fc 85 c9 74 07 8b 01 6a 01 ff 50 04 53 ff 15 48 74 52 00 8b ce e8 af ea ff ff 5f 5e 5b c9 c3 8b ff 55 8b ec 56 8b f1 8b 4d 0c 85 c9 74 12 8d 45 0c 50 e8 1e f4 ff ff 85 c0 74 05 8b 45 0c eb 07 8b ce e8 82 ea ff ff 5e 5d c2 0c 00 8b ff 55 8b ec 56 8b 75 0c 83 3e 01 57 8b f9 75 4c 68 8b e5 40 00 b9 10 39 57 00 e8 ad 0e 01 00 85 c0 75 05 e8 ac 48 00 00 8b 48 74 3b 4f 20 75 0a ff 70 78 e8 fa 00 01 00 eb 07 8b 07 8b cf ff 50 6c 85 c0 74 de ff 76 08 50 e8 1c de ff ff 85 c0 74 29 8b 10 56 8b c8 ff 52 10 eb 1f 8b 76 04 6a 01 56 ff 77 20 e8 79 f1 ff ff 85 c0 74 0d 6a 00 8b c8 e8 91 f3 ff ff 85 c0 75 07 8b cf e8 fa e9 ff ff 5f 5e 5d c2 08 00 85 c9 74 07 8b 41 20 85 c0 75 03 33 c0 c3 56 57 8b 3d 08 78 52 00 50 eb 11 8b 06 8b ce ff 90 4c 01 00 00 Data Ascii: MtjPSHtR_^[UVMtEPtE^]UVu>WuLh@9WuHHt;O upxPltvPt)VRvjVw ytju_^]tA u3VW=xRPL
2022-11-04 12:16:09 UTC	67	IN	Data Raw: 15 8b 50 08 3b 51 08 75 0d 8b 40 0c 3b 41 0c 75 05 33 c0 40 5d c3 33 c0 5d c3 b8 01 40 00 80 c2 08 00 83 79 0c 00 75 03 33 c0 c3 8b 41 0c 8b 08 6a 00 50 ff 51 0c c3 8b ff 55 8b ec 8b 45 08 83 38 00 75 1d 83 78 04 00 75 17 81 78 08 c0 00 00 00 75 0e 81 78 0c 00 00 00 46 75 05 33 c0 40 eb 02 33 c0 5d c2 04 00 8b ff 55 8b ec 83 7d 08 00 53 56 57 0f 84 85 00 00 00 8b 75 0c 85 f6 74 7e 8b 5d 14 85 db 75 07 b8 03 40 00 80 eb 75 ff 75 10 83 23 00 e8 9e ff ff ff 85 c0 74 53 8b 76 04 03 75 08 8b 06 56 ff 50 04 89 33 33 c0 eb 54 8b 06 33 c9 85 c0 0f 94 c1 89 4d 0c 85 c9 75 0f ff 75 10 50 e8 20 ff ff ff 59 59 85 c0 74 1f 83 ff 01 74 ca ff 76 04 53 ff 75 10 ff 75 08 ff d7 85 c0 74 20 83 7d 0c 00 75 04 85 c0 78 16 83 c6 0c 8b 7e 08 85 ff 75 b8 b8 02 40 00 80 eb 05 b8 Data Ascii: P;Qu@;Au3@]3]@yu3AjPQUE8uxuxuxFu3@3]U}SVWut~]u@uu#tSvuVP33T3MuuP YYttvSuut }ux~u@
2022-11-04 12:16:09 UTC	67	IN	Data Raw: 5e 5d c2 04 00 83 6c 24 04 10 e9 96 ff ff ff 83 6c 24 04 04 e9 af ff ff ff 83 6c 24 04 10 e9 70 ff ff ff 83 6c 24 04 10 e9 9b ff ff ff 83 6c 24 04 04 e9 6e ff ff ff 83 6c 24 04 04 e9 52 ff ff ff 8b 41 54 85 c0 75 09 ff 71 20 ff 15 08 78 52 00 50 e8 d7 e3 ff ff c3 8b ff 55 8b ec 53 56 57 8b f9 8b 07 8b 70 f4 8d 5e 01 53 e8 80 fe fe ff 66 8b 4d 08 66 89 0c 70 53 8b cf e8 d0 fe fe ff 5f 5e 5b 5d c2 04 00 8b ff 55 8b ec 56 8b f1 e8 24 f7 ff ff f6 45 08 01 74 07 56 e8 0b af ff ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 56 8b f1 83 7e 6c 00 75 2f ff 76 20 ff 15 28 77 52 00 8d 48 01 51 8b 4d 08 50 e8 c4 b7 ff ff 50 ff 76 20 ff 15 2c 77 52 00 8b 4d 08 6a ff e8 d0 4c ff ff 5e 5d c2 04 00 8b 4e 6c 8b 01 5e 5d ff a0 8c 00 00 00 8b ff 55 8b ec 56 8b 75 0c 83 3e 01 57 Data Ascii: ^]l$l$l$pl$l$nl$RATuq xRPUSVWp^SfMfpS_^[]UV$EtVY^]UV~lu/v (wRHQMPPv ,wRMjL^]Nl^]UVu>W
2022-11-04 12:16:09 UTC	69	IN	Data Raw: 51 51 57 8b 7d 08 8b cf e8 72 1a 00 00 a9 00 00 00 40 75 5a 53 8b cf e8 a2 fd ff ff 8b d8 85 db 74 4b 56 8b 75 10 85 f6 74 18 ff 76 20 ff 15 20 77 52 00 85 c0 74 0b 8b ce e8 80 fd ff ff 3b d8 74 2a 8b 47 20 89 45 f8 85 f6 75 05 21 75 fc eb 06 8b 46 20 89 45 fc 8d 45 f8 50 ff 75 0c 68 6e 03 00 00 ff 73 20 ff 15 dc 76 52 00 5e 5b 5f c9 c2 0c 00 8b ff 55 8b ec 83 7d 0c fe 56 75 65 81 7d 10 01 02 00 00 74 12 81 7d 10 07 02 00 00 74 09 81 7d 10 04 02 00 00 75 4a 8b 4d 08 e8 1c fd ff ff 85 c0 74 3e ff 70 20 ff 15 34 77 52 00 50 e8 cd dd ff ff 8b f0 85 f6 74 29 ff 15 30 77 52 00 50 e8 bb dd ff ff 3b f0 74 19 8b ce e8 2b 1b 00 00 85 c0 74 0e ff 76 20 ff 15 78 78 52 00 33 c0 40 eb 02 33 c0 5e 5d c2 0c 00 6a 4c b8 d0 88 51 00 e8 15 00 0f 00 8b 7d 08 8b 5d 14 be 04 Data Ascii: QQW}r@uZStKVutv wRt;t*G Eu!uF EEPuhns vR^[_U}Vue}t}t}uJMt>p 4wRPt)0wRP;t+tv xxR3@3^]jLQ}]
2022-11-04 12:16:09 UTC	70	IN	Data Raw: c0 74 0a 8b 03 8b cb ff 90 ac 01 00 00 8b 35 dc 76 52 00 33 ff 57 57 6a 1f ff 73 20 ff d6 6a 01 6a 01 57 57 6a 1f ff 73 20 e8 8e ee ff ff 8b cb e8 dd f7 ff ff 8b d8 3b df 75 05 e8 48 36 00 00 57 57 6a 1f ff 73 20 ff d6 6a 01 6a 01 57 57 6a 1f ff 73 20 e8 63 ee ff ff ff 15 00 77 52 00 3b c7 74 07 57 57 6a 1f 50 ff d6 5f 5e 5b c3 68 8c 00 00 00 b8 4b 89 51 00 e8 44 fa 0e 00 8b f9 33 c0 89 45 f0 c7 45 ec ff ff ff 7f 8b 5d 08 89 45 fc 81 fb 11 01 00 00 75 22 ff 75 10 8b 07 ff 75 0c ff 90 f4 00 00 00 85 c0 0f 84 41 02 00 00 c7 45 f0 01 00 00 00 e9 d0 05 00 00 83 fb 4e 75 2a 8b 4d 10 39 01 0f 84 25 02 00 00 8b 07 8d 55 f0 52 51 ff 75 0c 8b cf ff 90 f8 00 00 00 85 c0 0f 85 a6 05 00 00 e9 06 02 00 00 8b 75 10 83 fb 06 75 10 56 e8 de d7 ff ff 50 ff 75 0c 57 e8 4d Data Ascii: t5vR3WWjs jjWWjs ;uH6WWjs jjWWjs cwR;tWWjP_^[hKQD3EE]Eu"uuAENu*M9%URQuuuVPuWM
2022-11-04 12:16:09 UTC	71	IN	Data Raw: c1 ee 10 0f bf ce 51 50 8b 45 0c c1 e8 10 50 0f b7 45 0c 50 8b cf ff d3 e9 c2 00 00 00 8b cf ff d3 89 45 f0 85 c0 0f 84 b3 00 00 00 e9 13 fd ff ff 56 e8 03 e9 00 00 e9 54 fd ff ff 56 e8 f8 e8 00 00 50 e9 8d 00 00 00 56 ff 75 0c e8 e9 e8 00 00 e9 6d fe ff ff 0f b7 ce 51 8b c6 c1 e8 10 8b c8 81 e1 00 f0 00 00 51 25 ff 0f 00 00 50 ff 75 0c e8 b4 d2 ff ff 50 8b cf ff d3 e9 83 fa ff ff 0f b6 45 0c 56 e9 39 fe ff ff 0f bf c6 c1 ee 10 0f bf ce 51 50 8b 45 0c c1 e8 10 50 0f b7 45 0c eb d4 0f bf c6 c1 ee 10 0f bf ce 51 50 8b 45 0c c1 e8 10 50 ff 75 0c eb be 56 ff 75 0c 8b cf ff d3 eb 1c 8b 45 e8 8d 4d ec 89 58 04 e8 99 c3 ff ff 8b 5b 14 56 ff 75 0c 8b cf ff d3 89 45 f0 8b 45 14 85 c0 74 05 8b 4d f0 89 08 83 4d fc ff 8d 4d ec e8 73 c3 ff ff 33 c0 40 e9 53 fc ff ff Data Ascii: QPEPEPEVTVPVumQQ%PuPEV9QPEPEQPEPuVuEMX[VuEEtMMMs3@S
2022-11-04 12:16:09 UTC	73	IN	Data Raw: ec ff ff 85 c0 75 05 e8 24 2b 00 00 ff 75 08 ff 75 0c ff 76 68 ff 70 20 ff 15 f8 76 52 00 85 c0 75 0d 6a ff 50 68 07 f1 00 00 e8 1c 21 00 00 83 4d fc ff 8d 4d 0b e8 c0 fe ff ff e8 01 f0 0e 00 c2 08 00 6a 00 b8 c7 89 51 00 e8 1a ef 0e 00 8b f9 e8 22 8b 00 00 8b 70 04 e8 1a 8b 00 00 8b 48 04 e8 13 10 00 00 83 65 fc 00 8b cf e8 27 f4 ff ff 8b cf e8 42 ec ff ff 85 c0 75 05 e8 af 2a 00 00 ff 75 08 ff 75 0c ff 76 68 ff 70 20 e8 43 ea ff ff 85 c0 75 0d 6a ff 50 68 07 f1 00 00 e8 a8 20 00 00 83 4d fc ff 8d 4d 0b e8 4c fe ff ff e8 8d ef 0e 00 c2 08 00 b8 2c 92 52 00 c3 8b ff 55 8b ec 83 79 6c 00 74 3c 56 ff 75 10 8b 75 08 ff 75 0c 8d 86 00 20 00 00 50 ff 71 20 ff 15 dc 76 52 00 81 c6 ce fe ff ff 83 fe 06 5e 77 08 85 c0 75 04 5d c2 10 00 8b 4d 14 85 c9 74 02 89 01 Data Ascii: u$+uuvhp vRujPh!MMjQ"pHe'Bu*uuvhp CujPh MML,RUylt<Vuuu Pq vR^wu]Mt
2022-11-04 12:16:09 UTC	74	IN	Data Raw: 08 04 74 20 68 01 7a 00 00 68 90 8a 52 00 8d 45 cc 50 89 5d cc 89 7d e8 e8 d7 fe ff ff 85 c0 74 03 83 ce 04 84 5d 08 74 27 68 02 7a 00 00 68 b4 8a 52 00 8d 45 cc 50 c7 45 cc 0b 00 00 00 c7 45 e8 06 00 00 00 e8 aa fe ff ff 85 c0 74 02 0b f3 f6 45 08 10 74 1e 68 c0 3f 00 00 8d 45 f4 50 c7 45 f8 ff 00 00 00 e8 31 d2 ff ff 0b f0 81 65 08 3f c0 ff ff f6 45 08 40 74 14 6a 40 8d 45 f4 50 c7 45 f8 10 00 00 00 e8 10 d2 ff ff 0b f0 f6 45 08 80 74 17 68 80 00 00 00 8d 45 f4 50 c7 45 f8 02 00 00 00 e8 f3 d1 ff ff 0b f0 b8 00 01 00 00 85 45 08 74 0f 50 8d 45 f4 50 89 5d f8 e8 da d1 ff ff 0b f0 b8 00 02 00 00 85 45 08 74 13 50 8d 45 f4 50 c7 45 f8 20 00 00 00 e8 bd d1 ff ff 0b f0 bb 00 04 00 00 85 5d 08 74 13 53 8d 45 f4 50 c7 45 f8 01 00 00 00 e8 a0 d1 ff ff 0b f0 bf Data Ascii: t hzhREP]}t]t'hzhREPEEtEth?EPE1e?E@tj@EPEEthEPEEtPEP]EtPEPE ]tSEPE
2022-11-04 12:16:09 UTC	76	IN	Data Raw: 8b c8 ff 92 9c 00 00 00 5d c2 08 00 8b ff 55 8b ec 83 79 6c 00 75 27 8b 45 08 85 c0 74 03 8b 40 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c 50 ff 71 20 ff 15 18 78 52 00 5d c2 18 00 8b 49 6c 8b 01 5d ff a0 9c 00 00 00 8b ff 56 8b f1 83 7e 6c 00 75 54 57 ff 76 20 8b 3d 08 78 52 00 ff d7 50 e8 bf c1 ff ff 85 c0 74 2c ff 76 20 ff d7 50 e8 b0 c1 ff ff 8b c8 e8 fc ae ff ff 85 c0 74 16 ff 76 20 ff d7 50 e8 9a c1 ff ff 8b c8 e8 e6 ae ff ff 83 60 70 00 ff 76 20 ff 15 24 77 52 00 50 e8 80 c1 ff ff 5f 5e c3 8b 4e 6c 8b 01 5e ff a0 b0 00 00 00 8b ff 55 8b ec 56 8b f1 85 f6 74 33 83 7e 6c 00 75 2d ff 76 20 ff 15 08 78 52 00 8b 4d 08 50 83 c1 1c e8 95 ee 00 00 85 c0 74 14 83 78 68 00 74 0e 8b 48 68 8b 01 6a 00 56 ff 90 9c 00 00 00 5e 5d c2 04 00 6a 04 b8 77 f1 51 Data Ascii: ]Uylu'Et@ uuuuuPq xR]Il]V~luTWv =xRPt,v Ptv P`pv $wRP_^Nl^UVt3~lu-v xRMPtxhtHhjV^]jwQ
2022-11-04 12:16:09 UTC	77	IN	Data Raw: 15 08 78 52 00 50 e8 6f bc ff ff 53 53 6a 28 ff 70 20 ff 15 dc 76 52 00 5f ff 75 08 8b 4e 14 e8 ec f9 ff ff c7 46 18 01 00 00 00 5e 5b 5d c2 04 00 8b ff 55 8b ec 56 8b f1 8b 4e 0c 85 c9 74 30 83 7e 10 00 75 60 8b 46 08 3b 46 20 72 05 e8 d9 19 00 00 8b 55 08 f7 da 1b d2 83 e2 08 81 ca 00 04 00 00 52 50 ff 71 04 ff 15 bc 76 52 00 eb 36 8b 46 14 85 c0 74 d7 57 8b 3d dc 76 52 00 6a 00 6a 00 68 87 00 00 00 ff 70 20 ff d7 a9 00 20 00 00 74 12 8b 46 14 6a 00 ff 75 08 68 f1 00 00 00 ff 70 20 ff d7 5f 5e 5d c2 04 00 8b ff 55 8b ec 83 7d 08 00 56 8b f1 75 05 e8 6e 19 00 00 8b 46 0c 85 c0 74 40 83 7e 10 00 75 4c 8b 4e 08 57 bf 00 04 00 00 57 51 ff 70 04 ff 15 b4 76 52 00 8b 4e 08 25 fb f6 ff ff 3b 4e 20 73 cd ff 75 08 0b c7 ff 76 04 50 8b 46 0c 51 ff 70 04 ff 15 b0 Data Ascii: xRPoSSj(p vR_uNF^[]UVNt0~u`F;F rURPqvR6FtW=vRjjhp tFjuhp _^]U}VunFt@~uLNWWQpvRN%;N suvPFQp
2022-11-04 12:16:09 UTC	78	IN	Data Raw: 75 22 e8 f2 6e 00 00 f6 40 64 01 74 17 8b 06 8b ce ff 90 fc 00 00 00 85 c0 74 09 8b 10 6a 01 8b c8 ff 52 34 5e 5f 5d c2 04 00 8b ff 56 57 8b f1 e8 93 74 00 00 8b 40 04 85 c0 74 09 6a 00 8b c8 e8 91 08 00 00 8b 86 88 00 00 00 85 c0 74 03 8b 40 20 8d 8e 8c 00 00 00 51 50 e8 d7 07 00 00 56 8b f8 e8 48 dc ff ff 8b c7 5f 5e c3 8b ff 56 8b f1 e8 13 b7 ff ff 8b ce e8 dc b6 ff ff ff b6 8c 00 00 00 ff 15 20 77 52 00 85 c0 74 0e 6a 01 ff b6 8c 00 00 00 ff 15 d4 76 52 00 83 a6 8c 00 00 00 00 e8 21 74 00 00 8b 40 04 5e 85 c0 74 09 6a 01 8b c8 e8 1e 08 00 00 c3 8b ff 55 8b ec 56 ff 75 08 8b f1 e8 8d 25 00 00 8b 16 50 8b ce ff 92 78 01 00 00 8b ce e8 4d b5 ff ff 5e 5d c2 08 00 8b ff 56 8b f1 8b 06 57 ff 90 84 01 00 00 e8 d5 73 00 00 8b 48 3c 85 c9 74 38 8b 86 90 00 00 Data Ascii: u"n@dttjR4^_]VWt@tjt@ QPVH_^V wRtjvR!t@^tjUVu%PxM^]VWsH<t8
2022-11-04 12:16:09 UTC	80	IN	Data Raw: 4c 01 00 00 85 c0 74 1b 8b cb e8 8e ee ff ff 85 c0 74 10 6a 00 8b cb e8 9c ee ff ff c7 45 d8 01 00 00 00 83 65 fc 00 56 e8 d6 d6 ff ff ff 75 ec e8 ed b0 ff ff 57 50 ff 75 e4 8b ce e8 34 fd ff ff 33 ff 3b c7 74 3a f6 46 58 10 74 1e 6a 04 5f 8b ce e8 c8 ec ff ff a9 00 01 00 00 74 03 6a 05 5f 57 8b ce e8 52 ab ff ff 33 ff 39 7e 20 74 11 68 97 00 00 00 57 57 57 57 57 8b ce e8 87 ee ff ff 83 4d fc ff eb 25 8b 4d d0 85 c9 74 05 e8 39 0d 00 00 8b 45 e0 83 48 60 ff 83 4d fc ff b8 b0 47 41 00 c3 8b 75 e0 8b 5d dc 33 ff 39 7d d8 74 09 6a 01 8b cb e8 fe ed ff ff 39 7d d4 74 0b 6a 01 ff 75 ec ff 15 d4 76 52 00 39 7d ec 74 14 ff 15 98 76 52 00 3b 46 20 75 09 ff 75 ec ff 15 38 77 52 00 8b 06 8b ce ff 50 60 8b ce e8 cf f9 ff ff 39 7e 78 74 09 ff 75 e8 ff 15 c8 73 52 00 Data Ascii: LttjEeVuWPu43;t:FXtj_tj_WR39~ thWWWWWM%Mt9EH`MGAu]39}tj9}tjuvR9}tvR;F uu8wRP`9~xtusR
2022-11-04 12:16:09 UTC	81	IN	Data Raw: 10 57 ff 75 0c 8b 3d 60 78 52 00 ff d7 ff 75 08 89 45 f4 ff d7 48 89 45 f8 0f 88 98 00 00 00 53 56 8b 35 fc 77 52 00 eb 03 8b 45 f8 50 ff 75 08 ff d6 8b d8 33 c0 3b d8 74 72 39 45 10 74 3b 53 ff d7 83 65 fc 00 89 45 f0 85 c0 7e 5f ff 75 fc 53 ff d6 3b 45 10 74 0d ff 45 fc 8b 45 fc 3b 45 f0 7c ea eb 47 68 00 04 00 00 ff 75 fc 53 ff 15 8c 76 52 00 83 65 10 00 eb 32 89 45 fc 39 45 f4 7e 2a ff 75 fc ff 75 0c ff d6 3b c3 74 0d ff 45 fc 8b 45 fc 3b 45 f4 7c e9 eb 11 68 00 04 00 00 ff 75 f8 ff 75 08 ff 15 8c 76 52 00 ff 4d f8 0f 89 74 ff ff ff 5e 5b 5f c9 c2 0c 00 8b ff 55 8b ec 8b 45 10 85 c0 75 05 e8 5b 08 00 00 83 7d 08 00 75 22 66 8b 4d 0c 66 85 c9 74 19 83 60 04 00 83 48 0c ff 83 48 10 ff 89 45 08 66 89 08 c7 40 08 01 00 00 00 8b 45 08 5d c2 0c 00 b8 c0 99 Data Ascii: Wu=`xRuEHESV5wREPu3;tr9Et;SeE~_uS;EtEE;E\|GhuSvRe2E9E~*uu;tEE;E\|huuvRMt^[_UEu[}u"fMft`HHEf@E]
2022-11-04 12:16:09 UTC	83	IN	Data Raw: 0f b7 55 08 8b 7d 10 33 db 39 1e 75 37 8b 0f 8b c1 48 74 2b 48 0f 84 0b 01 00 00 48 48 0f 84 ec 00 00 00 83 e8 04 0f 84 cc 00 00 00 83 e8 08 0f 84 b8 00 00 00 83 e8 10 74 56 83 e8 20 75 61 89 0e 89 5e 04 8b 07 48 0f 84 06 02 00 00 48 0f 84 ad 01 00 00 48 48 0f 84 2f 01 00 00 83 e8 04 0f 84 0d 01 00 00 83 e8 08 74 05 83 e8 30 75 31 39 5e 04 75 2c 53 52 ff 77 04 ff 15 40 79 52 00 33 c9 3b c3 0f 95 c1 89 46 04 8b c1 e9 dc 01 00 00 ff 77 04 53 e8 c1 fb ff ff 89 45 a4 3b c3 75 07 33 c0 e9 c5 01 00 00 50 ff 15 bc 73 52 00 8b f8 53 ff 77 0c ff 15 dc 71 52 00 89 47 0c 3b c3 75 14 ff 75 a4 ff 15 c0 73 52 00 ff 75 a4 ff 15 c4 73 52 00 eb cb 8b 7d a4 57 ff 15 c0 73 52 00 89 7e 04 c7 06 20 00 00 00 e9 7c 01 00 00 c7 06 10 00 00 00 e9 49 ff ff ff 8b 7f 04 89 7e 04 8b Data Ascii: U}39u7Ht+HHHtV ua^HHHH/t0u19^u,SRw@yR3;FwSE;u3PsRSwqRG;uusRusR}WsR~ \|I~
2022-11-04 12:16:09 UTC	83	IN	Data Raw: 0f 85 fe fe ff ff 8b 46 04 8b 10 53 53 53 33 c9 51 50 89 5d 9c ff 52 14 8b 47 04 8b 10 53 53 33 c9 51 51 50 ff 52 14 8b 47 04 8b 08 53 53 ff 75 b4 ff 75 b0 ff 76 04 50 ff 51 1c 85 c0 0f 85 c1 fe ff ff 8b 46 04 8b 10 53 53 33 c9 51 33 f6 56 50 ff 52 14 8b 7f 04 8b 0f 53 53 33 c0 50 56 57 ff 51 14 eb 68 ff 77 04 8d 4d a0 e8 b0 11 ff ff ff 76 04 8d 4d a4 89 5d fc e8 a2 11 ff ff 8b 76 04 8b 7f 04 f7 de 1b f6 23 75 a4 f7 df 1b ff 23 7d a0 53 56 57 ff 15 14 74 52 00 8b 4d a4 83 c1 f0 8b f0 e8 e8 bc fe ff 8b 4d a0 83 c1 f0 e8 dd bc fe ff 8b c6 eb 19 ff 77 04 ff 76 04 e8 fc f9 ff ff 3b c3 0f 84 3a fe ff ff 89 46 04 33 c0 40 e8 30 c6 0e 00 c2 0c 00 83 79 04 00 7e 07 8b 01 6a 01 ff 50 04 c3 8b ff 55 8b ec 8b 01 5d ff 60 10 8b ff 55 8b ec 81 ec 08 04 00 00 a1 54 04 Data Ascii: FSSS3QP]RGSS3QQPRGSSuuvPQFSS3Q3VPRSS3PVWQhwMvM]v#u#}SVWtRMMwv;:F3@0y~jPU]`UT
2022-11-04 12:16:09 UTC	85	IN	Data Raw: ff ff 83 65 fc 00 56 ff b5 6c ff ff ff e8 99 77 00 00 3b c6 74 09 6a 00 6a 03 e8 df 81 00 00 56 ff b5 6c ff ff ff 8d 8d e4 fe ff ff e8 0d ff ff ff 50 8b cf c6 45 fc 01 e8 77 e8 fe ff 8b 8d e4 fe ff ff 83 c1 f0 e8 99 b7 fe ff 8d 85 70 ff ff ff 39 85 6c ff ff ff 0f 84 9a 00 00 00 8d 8d 6c ff ff ff e8 14 fe ff ff e9 8a 00 00 00 83 a5 e8 fe ff ff 00 8d 8d e8 fe ff ff e8 8e fe ff ff 8b 8d e0 fe ff ff 8d 3c 36 57 ff b5 e8 fe ff ff c7 45 fc 02 00 00 00 e8 10 77 00 00 3b c7 0f 85 73 ff ff ff 68 f4 c8 56 00 56 ff b5 e8 fe ff ff 8d 8d e4 fe ff ff e8 ba e1 fe ff 8b 8d d8 fe ff ff 8d 85 e4 fe ff ff 50 c6 45 fc 03 e8 e4 e7 fe ff 8b 8d e4 fe ff ff 83 c1 f0 e8 06 b7 fe ff 8d 85 ec fe ff ff 39 85 e8 fe ff ff 74 0b 8d 8d e8 fe ff ff e8 85 fd ff ff 8b 85 e0 fe ff ff e8 57 Data Ascii: eVlw;tjjVlPEwp9ll<6WEw;shVVPE9tW
2022-11-04 12:16:09 UTC	86	IN	Data Raw: ff 75 14 ff 75 10 ff 75 0c ff 71 04 ff 15 7c 76 52 00 8b 4d 08 0f bf d0 c1 e8 10 98 89 41 04 89 11 8b c1 5d c2 20 00 8b ff 55 8b ec ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff 71 04 ff 15 78 76 52 00 5d c2 10 00 8b ff 55 8b ec ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff 71 04 ff 15 74 76 52 00 5d c2 14 00 8b ff 55 8b ec 8b 45 08 85 c0 74 03 8b 40 04 ff 75 24 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c 50 ff 71 04 ff 15 70 76 52 00 5d c2 20 00 8b ff 55 8b ec ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff 71 04 ff 15 74 71 52 00 5d c2 10 00 8b ff 55 8b ec 53 8b 5d 08 56 8b f1 8b 4e 04 83 c8 ff 57 8b 3d 00 71 52 00 3b 4e 08 74 0f 85 db 75 04 33 c0 eb 03 8b 43 04 50 51 ff d7 8b 76 08 85 f6 74 0f 85 db 75 04 33 c0 eb 03 8b 43 04 50 56 ff d7 5f 5e 5b 5d c2 04 Data Ascii: uuuq\|vRMA] UuuuuqxvR]UuuuuuqtvR]UEt@u$u uuuuuPqpvR] UuuuuqtqR]US]VNW=qR;Ntu3CPQvtu3CPV_^[]
2022-11-04 12:16:09 UTC	87	IN	Data Raw: 24 6a 01 89 46 04 e8 5f ff ff ff ff 76 04 8d 48 1c e8 d2 c0 00 00 89 30 ff 76 04 8b 06 8b ce ff 50 0c 33 c0 40 5e 5d c2 04 00 8b ff 56 8b f1 57 8b 7e 04 85 ff 74 16 6a 00 e8 2c ff ff ff 85 c0 74 0b ff 76 04 8d 48 1c e8 ef c0 00 00 8b 06 8b ce ff 50 14 83 66 04 00 8b c7 5f 5e c3 83 79 04 00 75 03 33 c0 c3 e8 bf ff ff ff 50 ff 15 5c 71 52 00 c3 83 79 04 00 c7 01 a4 9d 52 00 74 0c e8 a6 ff ff ff 50 ff 15 5c 71 52 00 c3 6a 04 b8 23 8b 51 00 e8 7d b4 0e 00 8b f1 89 75 f0 33 c0 89 46 04 89 46 08 89 46 0c 8b 4d 08 89 45 fc c7 06 24 9e 52 00 3b c8 74 03 8b 41 20 50 89 46 10 ff 15 68 76 52 00 50 8b ce e8 25 ff ff ff 85 c0 75 05 e8 6a f8 ff ff 8b c6 e8 10 b5 0e 00 c2 04 00 6a 04 b8 23 8b 51 00 e8 29 b4 0e 00 8b f1 89 75 f0 c7 06 24 9e 52 00 83 65 fc 00 e8 2a ff ff Data Ascii: $jF_vH0vP3@^]VW~tj,tvHPf_^yu3P\qRyRtP\qRj#Q}u3FFFME$R;tA PFhvRP%ujj#Q)u$Re*
2022-11-04 12:16:09 UTC	89	IN	Data Raw: 45 fc 04 ff d6 50 8d 4d c4 e8 38 fa ff ff 85 c0 0f 84 ad 01 00 00 53 ff d6 50 8d 4d b4 e8 24 fa ff ff 85 c0 0f 84 99 01 00 00 8b 7d 08 8d 45 9c 50 6a 18 ff 77 04 ff 15 f4 71 52 00 8b 4d 0c e8 30 fd ff ff 0f b7 45 ae 0f b7 4d ac 8b 35 e8 71 52 00 53 50 51 ff 75 a4 ff 75 a0 ff d6 8b 4d 0c 50 e8 b4 fc ff ff 85 c0 0f 84 55 01 00 00 53 6a 01 6a 01 ff 75 a4 ff 75 a0 ff d6 50 8d 4d e4 e8 96 fc ff ff 85 c0 0f 84 37 01 00 00 ff 77 04 ff 75 c8 e8 3a fd ff ff ff 75 e8 89 45 08 ff 75 b8 e8 2c fd ff ff 89 45 ec 39 5d 08 0f 84 12 01 00 00 3b c3 0f 84 0a 01 00 00 53 53 ff 75 c8 ff 15 88 71 52 00 50 8d 4d c4 e8 19 f0 ff ff 8b 35 8c 71 52 00 68 20 00 cc 00 53 53 ff 75 c8 89 45 f0 ff 75 a4 ff 75 a0 53 53 ff 75 b8 ff d6 bf ff ff ff 00 57 8d 4d c4 e8 eb ef ff ff 68 a6 00 11 Data Ascii: EPM8SPM$}EPjwqRM0EM5qRSPQuuMPUSjjuuPM7wu:uEu,E9];SSuqRPM5qRh SSuEuuSSuWMh
2022-11-04 12:16:09 UTC	90	IN	Data Raw: 33 db 8b f1 57 89 75 fc 39 1d 04 3f 57 00 0f 85 77 01 00 00 a1 bc 48 57 00 3b c3 0f 84 6a 01 00 00 ff 70 20 ff 15 20 77 52 00 85 c0 0f 84 59 01 00 00 8b 45 08 8b 0d bc 48 57 00 89 45 f4 8b 45 0c 89 45 f8 8d 45 f4 50 e8 4b a2 01 00 83 f8 04 0f 85 55 01 00 00 a1 bc 48 57 00 8b b8 48 01 00 00 3b fb 0f 84 d3 00 00 00 8b 5f 6c 85 db 0f 84 c8 00 00 00 53 68 8c d0 56 00 e8 4a 79 00 00 8b f0 8b 45 08 89 45 f4 8b 45 0c 59 59 89 45 f8 8d 45 f4 50 ff 73 20 ff 15 44 78 52 00 ff 75 f8 83 c7 54 ff 75 f4 57 ff 15 10 78 52 00 85 c0 74 30 85 f6 75 24 8b 0d bc 48 57 00 8b 01 ff 90 c4 01 00 00 85 c0 75 12 50 50 a1 bc 48 57 00 6a 10 ff 70 20 ff 15 dc 76 52 00 33 c0 40 e9 ad 00 00 00 85 f6 74 58 8b 06 8b ce ff 90 3c 04 00 00 ff 76 20 ff 15 08 78 52 00 50 e8 d5 86 ff ff 50 68 Data Ascii: 3Wu9?WwHW;jp wRYEHWEEEEPKUHWH;_lShVJyEEEYYEEPs DxRuTuWxRt0u$HWuPPHWjp vR3@tX<v xRPPh
2022-11-04 12:16:09 UTC	91	IN	Data Raw: b8 f0 0e 00 00 00 74 9d ff 76 0c ff 76 08 57 ff 70 20 ff 15 dc 76 52 00 eb 8b 0f bf 46 0c 89 45 f4 0f bf 46 0e 53 ff 36 89 45 f8 e8 fe 83 ff ff 8b 3d 20 77 52 00 8b d8 85 db 74 15 ff 36 ff d7 85 c0 74 0d 8d 45 f4 50 ff 73 20 ff 15 6c 76 52 00 ff 75 f8 8b 4d fc ff 75 f4 e8 f3 fb ff ff 5b 85 c0 0f 85 04 ff ff ff ff 36 ff d7 85 c0 0f 85 31 ff ff ff e9 f3 fe ff ff 0f bf 46 0c ff 36 89 45 f4 0f bf 46 0e 89 45 f8 e8 a0 83 ff ff 85 c0 74 0d 8d 4d f4 51 ff 70 20 ff 15 6c 76 52 00 ff 75 f8 8b 4d fc ff 75 f4 e8 83 fd ff ff e9 ef fe ff ff 8b ff 55 8b ec 83 ec 1c a1 54 04 57 00 33 c5 89 45 fc 56 8b 75 10 57 33 ff 39 3d c8 38 57 00 74 7a 8b 45 0c 2d a1 00 00 00 74 1a 6a 03 59 2b c1 74 13 2b c1 74 0f 2d 5a 01 00 00 74 08 2b c1 74 04 2b c1 75 56 8d 45 e4 50 89 7d e4 89 Data Ascii: tvvWp vRFEFS6E= wRt6tEPs lvRuMu[61F6EFEtMQp lvRuMuUTW3EVuW39=8WtzE-tjY+t+t-Zt+t+uVEP}
2022-11-04 12:16:09 UTC	93	IN	Data Raw: 65 fc 00 e8 a9 80 ff ff 83 4d fc ff 8b ce e8 f9 91 ff ff e8 2d a1 0e 00 c3 8b ff 55 8b ec 56 68 00 02 00 00 8b f1 e8 bd b5 ff ff 8b 06 6a 00 ff 75 14 8b ce ff 75 10 ff 75 0c ff 75 08 6a 00 68 e4 a5 52 00 ff 50 54 5e 5d c2 10 00 6a 04 b8 fc 8b 51 00 e8 15 a0 0e 00 8b f1 89 75 f0 c7 06 0c a6 52 00 83 65 fc 00 e8 45 80 ff ff 83 4d fc ff 8b ce e8 95 91 ff ff e8 c9 a0 0e 00 c3 8b ff 55 8b ec 56 68 00 04 00 00 8b f1 e8 59 b5 ff ff 8b 06 6a 00 ff 75 14 8b ce ff 75 10 ff 75 0c ff 75 08 6a 00 68 74 a7 52 00 ff 50 54 5e 5d c2 10 00 8b ff 55 8b ec 56 ff 75 18 8b f1 ff 75 14 8b 06 ff 75 10 ff 75 0c ff 90 60 01 00 00 33 c9 3b c1 74 11 39 4d 08 74 0c 51 ff 75 08 51 8b ce e8 fc b9 ff ff 5e 5d c2 14 00 6a 04 b8 fc 8b 51 00 e8 79 9f 0e 00 8b f1 89 75 f0 c7 06 94 a7 52 00 Data Ascii: eM-UVhjuuuujhRPT^]jQuReEMUVhYjuuuujhtRPT^]UVuuuu`3;t9MtQuQ^]jQyuR
2022-11-04 12:16:09 UTC	94	IN	Data Raw: cc cc 6a 14 68 b8 b0 55 00 e8 5a 9c 0e 00 8b f1 33 ff 89 7d e0 8d 45 e0 50 e8 b2 36 00 00 ff b0 80 00 00 00 ff 15 ec 73 52 00 89 7d e4 3b c7 75 04 33 c0 eb 4a 89 7d fc 8d 45 dc 50 8b ce e8 8e ff ff ff 8b 46 5c 33 c9 3b c7 0f 95 c1 3b cf 75 05 e8 32 d6 ff ff ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff d0 89 45 e4 c7 45 fc fe ff ff ff e8 0b 00 00 00 8b 45 e4 e8 29 9c 0e 00 c2 1c 00 33 c0 39 45 e4 0f 94 c0 8b f0 85 f6 74 0a ff 15 58 72 52 00 8b f8 eb 02 33 ff ff 75 e0 6a 00 ff 15 f0 73 52 00 85 f6 74 07 57 ff 15 f4 73 52 00 c3 8b ff 55 8b ec ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 ff 35 00 00 8b 40 78 8b 08 e8 73 fd ff ff 5d c2 14 00 6a 00 b8 0e 97 51 00 e8 d6 99 0e 00 e8 13 36 00 00 8b f0 83 7e 24 00 75 50 83 7d 08 00 74 4a 68 Data Ascii: jhUZ3}EP6sR};u3J}EPF\3;;u2u uuuuuuEEE)39EtXrR3ujsRtWsRUuuuuu5@xs]jQ6~$uP}tJh
2022-11-04 12:16:09 UTC	95	IN	Data Raw: 8b 4d 10 89 01 eb 21 8b 45 10 8b 08 3b ca 7c 05 83 f9 02 7e 02 89 10 52 ff 30 68 f1 00 00 00 ff 75 08 ff 15 dc 76 52 00 5d c2 0c 00 8b ff 55 8b ec 56 8b 75 08 ff 75 0c 8b ce e8 f6 fe ff ff 8b 4e 04 8d 45 08 50 ff 75 0c e8 79 ae ff ff 33 c0 39 06 5e 50 74 16 50 68 47 01 00 00 ff 75 08 ff 15 dc 76 52 00 8b 4d 10 89 01 eb 13 8b 45 10 ff 30 68 4e 01 00 00 ff 75 08 ff 15 dc 76 52 00 5d c2 0c 00 8b ff 55 8b ec 81 ec 88 00 00 00 a1 54 04 57 00 33 c5 89 45 fc 8b 45 0c 56 8b 75 08 57 8b 7d 10 50 8b ce e8 8a fe ff ff 83 3e 00 89 85 78 ff ff ff c7 46 0c 01 00 00 00 74 4b 8b 4d 18 89 8d 78 ff ff ff 6a 40 8d 8d 7c ff ff ff 51 50 ff 15 2c 77 52 00 ff b5 78 ff ff ff 8d 85 7c ff ff ff 57 6a 40 50 e8 78 b0 0e 00 83 c4 10 83 f8 01 74 6e 6a ff 6a 00 ff 75 14 e8 f8 c5 ff ff Data Ascii: M!E;\|~R0huvR]UVuuNEPuy39^PtPhGuvRME0hNuvR]UTW3EEVuW}P>xFtKMxj@\|QP,wRx\|Wj@Pxtnjju
2022-11-04 12:16:09 UTC	97	IN	Data Raw: 00 8b ff 55 8b ec 83 ec 24 a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 56 8b f1 8d 4d dc 51 50 ff 15 98 73 52 00 85 c0 75 11 83 26 00 83 66 04 00 68 57 00 07 80 e8 47 88 fe ff 8d 45 ec 50 8d 45 dc 50 ff 15 9c 73 52 00 85 c0 74 dd ff 75 0c 8d 45 ec 50 8d 4d e4 e8 4d ff ff ff 8b 45 e4 8b 4d fc 89 06 8b 45 e8 89 46 04 8b c6 33 cd 5e e8 14 7d 0e 00 c9 c2 08 00 8b ff 55 8b ec 83 ec 28 a1 54 04 57 00 33 c5 89 45 fc 53 8b 5d 08 85 db 75 0a 68 05 40 00 80 e8 e6 87 fe ff 51 8d 45 d8 50 e8 f9 ad 0e 00 59 59 85 c0 74 04 33 c0 eb 10 56 57 6a 09 59 8d 75 d8 8b fb f3 a5 5f 8b c3 5e 8b 4d fc 33 cd 5b e8 bd 7c 0e 00 c9 c2 04 00 8b ff 55 8b ec 83 ec 30 a1 54 04 57 00 33 c5 89 45 fc 8b 45 10 56 8b 75 0c 57 8b 7d 08 89 45 d4 85 ff 75 07 33 c0 e9 26 01 00 00 57 ff 15 7c 74 52 00 Data Ascii: U$TW3EEVMQPsRu&fhWGEPEPsRtuEPMMEMEF3^}U(TW3ES]uh@QEPYYt3VWjYu_^M3[\|U0TW3EEVuW}Eu3&W\|tR
2022-11-04 12:16:09 UTC	98	IN	Data Raw: f7 74 52 66 83 3e 25 75 40 0f b7 46 02 83 f8 31 72 05 83 f8 39 76 14 83 f8 41 72 2d 83 f8 5a 77 28 83 f8 39 76 05 83 c0 c8 eb 03 83 c0 cf 83 c6 04 3b 45 14 7d 16 8b 04 83 85 c0 74 12 50 ff 15 7c 74 52 00 01 45 0c eb 06 83 c6 02 ff 45 0c 66 83 3e 00 75 ae ff 75 0c 8b 4d 08 8b df e8 32 82 fe ff 66 83 3f 00 8b f0 0f 84 86 00 00 00 0f b7 0b 83 f9 25 75 68 0f b7 43 02 83 f8 31 72 05 83 f8 39 76 14 83 f8 41 72 55 83 f8 5a 77 50 83 f8 39 76 05 83 c0 c8 eb 03 83 c0 cf 83 c3 04 89 5d fc 3b 45 14 7c 08 6a 3f 58 66 89 06 eb 36 8b 4d 10 8d 3c 81 8b 07 85 c0 74 30 50 ff 15 7c 74 52 00 ff 37 8b d8 8b 45 0c 40 50 56 e8 ed fe ff ff 83 c4 0c 29 5d 0c 8d 34 5e 8b 5d fc eb 0c 66 89 0e 83 c3 02 83 c6 02 ff 4d 0c 66 83 3b 00 0f 85 7a ff ff ff 8b 4d 08 2b 31 d1 fe 56 e8 53 d0 Data Ascii: tRf>%u@F1r9vAr-Zw(9v;E}tP\|tREEf>uuM2f?%uhC1r9vArUZwP9v];E\|j?Xf6M<t0P\|tR7E@PV)]4^]fMf;zM+1VS
2022-11-04 12:16:09 UTC	100	IN	Data Raw: 74 06 8b 01 5d ff 60 6c 5d e9 b9 ff ff ff 6a 10 b8 eb 8c 51 00 e8 2a 84 0e 00 83 65 fc 00 e8 0c 91 00 00 6a ff e8 1a 93 00 00 83 7d 08 00 c7 45 fc 02 00 00 00 75 29 e8 17 20 00 00 8b f0 85 f6 74 1e 8b 4e 3c 85 c9 74 17 8b 01 ff 50 60 8b 4e 3c 85 c9 74 07 8b 01 6a 01 ff 50 04 83 66 3c 00 8b 0d 08 3c 57 00 c7 45 fc 04 00 00 00 85 c9 74 0a 6a 00 ff 75 08 e8 f9 84 00 00 e8 69 84 0e 00 c2 04 00 8b 4d ec e8 45 be ff ff b8 32 96 41 00 c3 8b 4d e8 e8 37 be ff ff b8 68 96 41 00 c3 8b 4d e4 e8 29 be ff ff b8 83 96 41 00 c3 8b ff 56 8b f1 57 33 ff 89 7e 20 89 7e 24 89 7e 2c 89 7e 30 e8 8b 19 00 00 89 78 34 89 78 54 83 c0 4c 50 ff 15 54 76 52 00 89 7e 40 89 7e 3c 5f c7 46 28 01 00 00 00 5e c3 6a 04 b8 41 88 51 00 e8 1f 83 0e 00 8b f1 89 75 f0 c7 06 4c ae 52 00 8b 46 Data Ascii: t]`l]jQ*ej}Eu) tN<tP`N<tjPf<<WEtjuiME2AM7hAM)AVW3~ ~$~,~0x4xTLPTvR~@~<_F(^jAQuLRF
2022-11-04 12:16:09 UTC	101	IN	Data Raw: c0 75 05 e8 24 ba ff ff ff 75 10 ff 75 0c 56 ff 70 2c ff 15 08 77 52 00 5e 5d c2 0c Data Ascii: u$uuVp,wR^]
2022-11-04 12:16:09 UTC	101	IN	Data Raw: 00 8b ff 55 8b ec 83 ec 20 53 8b 5d 0c 56 33 f6 89 4d fc 3b de 75 07 33 c0 e9 0f 01 00 00 8b 45 08 2b c6 57 74 75 48 48 74 0a 2d ff 7f 00 00 e9 Data Ascii: U S]V3M;u3E+WtuHHt-
2022-11-04 12:16:09 UTC	101	IN	Data Raw: f6 00 00 00 ff 33 e8 23 5c ff ff 3b c6 74 5c 8b c8 e8 bd 71 ff ff 8b f8 3b fe 74 4f 8b cf e8 09 49 ff ff 85 c0 74 44 39 b7 88 00 00 00 74 3c e8 a4 28 ff ff 8b f8 8b 45 fc 39 70 20 74 2d 53 e8 26 fc ff ff 59 85 c0 75 09 81 7b 04 02 02 00 00 75 19 56 68 46 e1 00 00 68 11 01 00 00 ff 77 20 ff 15 dc 76 52 00 e9 83 00 00 00 e8 68 28 ff ff 39 75 08 0f 85 81 00 00 00 8b 45 fc 39 70 24 74 79 8b 43 04 3d 00 01 00 00 72 6f 3d 09 01 00 00 77 68 68 8b e5 40 00 b9 10 39 57 00 e8 37 7f 00 00 8b d8 3b de 75 05 e8 34 b9 ff ff 39 b3 40 01 00 00 75 46 8b 75 0c 6a 07 c7 83 40 01 00 00 01 00 00 00 59 8d 7d e0 f3 a5 8b 75 fc 8b 4e 24 e8 d5 98 ff ff 85 c0 74 1b 8b 06 8d 4d e0 51 8b ce ff 50 58 85 c0 74 0c 83 a3 40 01 00 00 00 33 c0 40 eb 09 83 a3 40 01 00 00 00 33 c0 5f 5e 5b Data Ascii: 3#\;t\q;tOItD9t<(E9p t-S&Yu{uVhFhw vRh(9uE9p$tyC=ro=whh@9W7;u49@uFuj@Y}uN$tMQPXt@3@@3_^[
2022-11-04 12:16:09 UTC	103	IN	Data Raw: a1 fe ff eb bd 2b c6 d1 f8 8d 0c 00 51 56 51 8b 4d 08 50 e8 cc 2a ff ff 50 e8 b6 9c fe ff 8b 4d 08 83 c4 10 6a ff e8 d9 bf fe ff 33 c0 40 5e 5d c2 10 00 8b ff 56 8b f0 33 c0 8b ca 85 d2 74 0f 66 39 06 74 06 83 c6 02 4a 75 f5 85 d2 75 05 b8 57 00 07 80 5e 85 ff 74 0c 85 c0 78 05 2b ca 89 0f c3 83 27 00 c3 b8 d4 ae 52 00 c3 8b ff 55 8b ec 83 7d 0c 00 56 8b f1 75 04 33 c0 eb 2b 6a 00 8d 45 0c 50 ff 75 0c ff 75 08 ff 76 04 ff 15 78 73 52 00 85 c0 75 0f ff 76 0c ff 15 58 72 52 00 50 e8 72 d4 01 00 8b 45 0c 5e 5d c2 08 00 8b ff 55 8b ec 56 57 8b 7d 0c 8b f1 85 ff 74 37 6a 00 8d 45 0c 50 57 ff 75 08 ff 76 04 ff 15 74 73 52 00 85 c0 75 0f ff 76 0c ff 15 58 72 52 00 50 e8 34 d4 01 00 39 7d 0c 74 0c ff 76 0c 6a ff 6a 0d e8 dd d3 01 00 5f 5e 5d c2 08 00 8b ff 55 8b Data Ascii: +QVQMP*PMj3@^]V3tf9tJuuW^tx+'RU}Vu3+jEPuuvxsRuvXrRPrE^]UVW}t7jEPWuvtsRuvXrRP49}tvjj_^]U
2022-11-04 12:16:09 UTC	104	IN	Data Raw: 57 57 8b bd e8 fb ff ff 57 e8 47 a4 ff ff 8d 4f f0 c6 45 fc 02 e8 1e 6a fe ff 8b 06 6a 01 8b ce ff 50 04 b8 81 a7 41 00 c3 8b b5 e4 fb ff ff 8b 4e 0c 83 e9 10 e8 fe 69 fe ff e8 7d 73 0e 00 c3 8b ff 55 8b ec 56 8b f1 e8 ec fe ff ff f6 45 08 01 74 07 56 e8 fa 1b ff ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 56 8b 75 08 85 f6 74 1d ff 15 58 72 52 00 50 89 46 0c e8 3e cb 01 00 ff 75 0c 8d 4e 10 89 46 08 e8 ad bd fe ff 5e 5d c2 08 00 68 68 02 00 00 b8 9f 8d 51 00 e8 8b 72 0e 00 8b 7d 08 8b 45 0c 8b 5d 10 33 c9 85 ff 0f 95 c1 89 85 98 fd ff ff 85 c9 75 05 e8 ca ad ff ff 33 c9 85 c0 0f 95 c1 85 c9 74 f0 8d 8d 94 fd ff ff 51 57 be 04 01 00 00 56 50 ff 15 48 73 52 00 85 c0 75 2b 6a ff ff b5 98 fd ff ff 56 57 e8 a6 66 0e 00 50 e8 a1 95 fe ff 83 c4 14 ff b5 98 fd ff Data Ascii: WWWGOEjjPANi}sUVEtVY^]UVutXrRPF>uNF^]hhQr}E]3u3tQWVPHsRu+jVWfP
2022-11-04 12:16:09 UTC	105	IN	Data Raw: 04 00 c7 00 34 b0 52 00 c2 04 00 8b ff 56 8b f1 8b 46 04 c7 06 34 b0 52 00 85 c0 74 0b 50 ff 15 00 74 52 00 83 66 04 00 5e c3 8b ff 55 8b ec 56 8b f1 e8 d4 ff ff ff f6 45 08 01 74 07 56 e8 64 16 ff ff 59 8b c6 5e 5d c2 04 00 8b ff 56 8b f1 83 7e 08 00 74 0f 8b 0e 8b 01 ff 50 14 f7 d8 1b c0 40 89 46 08 33 c0 39 46 08 5e 0f 94 c0 c3 8b ff 55 8b ec 56 8b f1 8b 4d 08 85 c9 75 05 e8 59 a8 ff ff 89 0e 8b 41 04 83 66 08 00 83 7d 0c 00 89 46 04 74 0a 8b 01 6a ff ff 50 0c 89 46 08 8b c6 5e 5d c2 08 00 83 79 04 00 74 0a ff 31 6a 00 ff 15 f0 73 52 00 c3 e9 a2 6e 00 00 8b ff 55 8b ec 81 ec 30 02 00 00 a1 54 04 57 00 33 c5 89 45 fc 56 57 33 c0 66 89 45 fa 66 89 45 f8 68 05 01 00 00 8b f1 8b 7e 08 8d 85 f0 fd ff ff 50 57 ff 15 24 74 52 00 85 c0 0f 84 a5 00 00 00 66 83 Data Ascii: 4RVF4RtPtRf^UVEtVdY^]V~tP@F39F^UVMuYAf}FtjPF^]yt1jsRnU0TW3EVW3fEfEh~PW$tRf
2022-11-04 12:16:09 UTC	107	IN	Data Raw: 00 00 00 89 be d8 00 00 00 89 be dc 00 00 00 89 be e0 00 00 00 89 be e4 00 00 00 89 be e8 00 00 00 89 be ec 00 00 00 89 be f0 00 00 00 89 be f4 00 00 00 89 be f8 00 00 00 89 be fc 00 00 00 89 be 00 01 00 00 89 be 04 01 00 00 89 be 08 01 00 00 89 be 0c 01 00 00 89 be 10 01 00 00 89 be 14 01 00 00 89 be 18 01 00 00 89 be 1c 01 00 00 89 be 20 01 00 00 89 be 24 01 00 00 89 be 28 01 00 00 89 be 2c 01 00 00 89 be 30 01 00 00 89 be 34 01 00 00 89 be 38 01 00 00 89 be 3c 01 00 00 89 be 40 01 00 00 89 be 44 01 00 00 89 be 48 01 00 00 89 be 4c 01 00 00 89 be 50 01 00 00 89 be 54 01 00 00 89 be 58 01 00 00 89 be 5c 01 00 00 89 be 60 01 00 00 89 be 64 01 00 00 89 be 68 01 00 00 89 be 6c 01 00 00 89 be 70 01 00 00 89 be 74 01 00 00 89 be 78 01 00 00 89 be 7c 01 00 00 Data Ascii: $(,048<@DHLPTX\`dhlptx\|
2022-11-04 12:16:09 UTC	108	IN	Data Raw: ff ff ff 76 04 e8 45 0b ff ff 8b 45 08 83 c4 20 89 7e 08 89 46 0c 89 5e 04 5f 5e 5b 5d c2 08 00 8b ff 55 8b ec 8b 55 0c 53 56 8b f1 8b 4d 08 57 8d 1c 11 85 c9 78 56 85 d2 78 52 8b 46 08 3b d8 7f 4b 3b d9 7c 47 3b da 7c 43 2b c3 89 45 08 8b 46 04 8b f9 c1 e7 02 52 03 c7 e8 60 fe ff ff 8b 45 08 59 85 c0 74 19 8b c8 8b 46 04 c1 e1 02 51 8d 14 98 52 51 03 c7 50 e8 c7 83 fe ff 83 c4 10 8b 45 0c 29 46 08 5f 5e 5b 5d c2 08 00 e8 f2 9c ff ff cc 68 10 04 00 00 b8 9b 8e 51 00 e8 ba 61 0e 00 83 65 fc 00 8b f1 ff 76 08 8b 46 04 c7 06 f0 b0 52 00 e8 06 fe ff ff 59 ff 76 04 e8 8d 0a ff ff 59 e8 f0 61 0e 00 c3 e8 37 9e ff ff 50 8d 8d e8 fb ff ff e8 da 57 fe ff 8b b5 e4 fb ff ff 8b 06 33 ff 57 68 00 02 00 00 8d 8d ec fb ff ff 51 8b ce c6 45 fc 02 ff 50 0c 85 c0 74 29 8d Data Ascii: vEE ~F^_^[]UUSVMWxVxRF;K;\|G;\|C+EFR`EYtFQRQPE)F_^[]hQaevFRYvYa7PW3WhQEPt)
2022-11-04 12:16:09 UTC	110	IN	Data Raw: 8b c6 5e c3 8b ff 55 8b ec e8 a7 d7 ff ff 85 c0 74 0d 8b 40 3c 85 c0 74 06 6a 01 6a 01 ff d0 5d ff 25 3c 76 52 00 8b ff 55 8b ec 53 56 57 68 e0 b4 52 00 ff 15 2c 74 52 00 8b f8 85 ff 75 05 e8 94 97 ff ff 8b 35 e0 73 52 00 68 c4 b4 52 00 57 ff d6 68 a0 b4 52 00 57 8b d8 ff d6 8b f0 85 db 74 27 85 f6 74 23 ff 75 0c ff 75 08 ff d3 85 c0 75 19 39 45 10 74 12 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff d6 85 c0 75 02 33 c0 5f 5e 5b 5d c2 18 00 8b ff 55 8b ec 51 51 53 56 57 68 e0 b4 52 00 89 4d f8 ff 15 2c 74 52 00 8b f8 85 ff 75 05 e8 23 97 ff ff 8b 35 e0 73 52 00 68 18 b5 52 00 57 ff d6 68 fc b4 52 00 57 8b d8 ff d6 8b f8 85 db 74 32 85 ff 74 2e 83 65 fc 00 8d 45 fc 50 ff d3 83 7d fc 00 75 1e 8b 4d f8 8b 01 33 f6 46 ff 90 fc 00 00 00 85 c0 74 09 8b 10 8b c8 ff 52 Data Ascii: ^Ut@<tjj]%<vRUSVWhR,tRu5sRhRWhRWt't#uuu9Etuuuuu3_^[]UQQSVWhRM,tRu#5sRhRWhRWt2t.eEP}uM3FtR
2022-11-04 12:16:09 UTC	111	IN	Data Raw: ff 50 50 68 6a 03 00 00 89 47 60 ff 76 20 ff 15 e4 76 52 00 ff 75 0c 8b 06 ff 75 08 8b ce ff 90 84 00 00 00 5f 5e 5d c2 08 00 8b ff 55 8b ec 56 33 f6 e8 3d f2 ff ff 8b 40 04 85 c0 74 0f ff 75 08 8b 10 8b c8 ff 92 d4 00 00 00 8b f0 8b c6 5e 5d c2 04 00 6a 04 b8 a2 a0 51 00 e8 05 56 0e 00 8b f1 33 ff 39 3d 0c 3b 57 00 0f 84 82 00 00 00 8b 06 ff 90 d8 00 00 00 85 c0 75 0e 8b 06 8b ce ff 90 dc 00 00 00 85 c0 74 68 39 3d 24 39 57 00 75 60 39 be 90 00 00 00 75 58 68 cc 00 00 00 e8 24 ff fe ff 59 8b c8 89 4d f0 89 7d fc 3b cf 74 13 ff b6 b0 00 00 00 ff b6 ac 00 00 00 e8 22 c9 01 00 eb 02 33 c0 83 4d fc ff 89 86 90 00 00 00 8b 10 8b c8 ff 52 0c 85 c0 75 17 8b 8e 90 00 00 00 3b cf 74 07 8b 01 6a 01 ff 50 04 89 be 90 00 00 00 c7 05 24 39 57 00 01 00 00 00 8b 86 90 Data Ascii: PPhjG`v vRuu_^]UV3=@tu^]jQV39=;Wuth9=$9Wu`9uXh$YM};t"3MRu;tjP$9W
2022-11-04 12:16:09 UTC	112	IN	Data Raw: ff 73 48 8d 4d d4 e8 25 9c fe ff be 00 b7 52 00 56 e8 a4 4c 0e 00 59 50 56 8d 4d d8 e8 5f f6 fe ff be fc b6 52 00 56 e8 8e 4c 0e 00 59 50 56 8d 4d d8 e8 49 f6 fe ff 8b 45 d0 ff 70 f4 8d 4d d8 50 e8 3a f6 fe ff 57 ff 75 d8 8d 4d d4 e8 0a fb ff ff 83 f8 ff 75 25 be f4 b6 52 00 56 e8 58 4c 0e 00 59 50 56 8d 4d d4 e8 13 f6 fe ff 8b 45 d8 ff 70 f4 8d 4d d4 50 e8 04 f6 fe ff 8b 03 8b cb ff 90 fc 00 00 00 3b c7 74 0b 8b 10 8d 4d d0 51 8b c8 ff 52 24 8b 75 d4 39 7d 08 74 54 3b f7 75 38 89 7d dc 8b 03 57 8b d0 8b cb c6 45 fc 04 89 45 cc ff 92 f8 00 00 00 50 8b 03 8b cb ff 90 f4 00 00 00 50 8b 03 68 de c3 41 00 8b cb ff 90 f0 00 00 00 50 8b 45 cc eb 4a 56 ff 15 bc 74 52 00 89 45 dc 3b c7 75 bd 68 0e 00 07 80 e8 df 48 fe ff 3b f7 75 05 89 7d dc eb 0e 56 ff 15 bc 74 Data Ascii: sHM%RVLYPVM_RVLYPVMIEpMP:WuMu%RVXLYPVMEpMP;tMQR$u9}tT;u8}WEEPPhAPEJVtRE;uhH;u}Vt
2022-11-04 12:16:09 UTC	114	IN	Data Raw: 7e 14 0f 84 c0 00 00 00 39 7e 08 0f 84 b7 00 00 00 e8 85 ff ff ff e9 ad 00 00 00 e8 35 88 ff ff 50 8d 8d e8 fb ff ff e8 d8 41 fe ff 8b b5 e0 fb ff ff 8b 06 33 ff 57 68 00 02 00 00 8d 8d ec fb ff ff 51 8b ce c6 45 fc 03 ff 50 0c 85 c0 74 29 8d 85 ec fb ff ff 50 6a 5e 68 28 b8 52 00 68 7c 0b 55 00 8d 85 e8 fb ff ff 68 bc 0b 55 00 50 e8 80 44 fe ff 83 c4 18 eb 20 6a 5e 68 28 b8 52 00 68 7c 0b 55 00 8d 85 e8 fb ff ff 68 d8 0b 55 00 50 e8 5e 44 fe ff 83 c4 14 57 57 8b bd e8 fb ff ff 57 e8 fa 7b ff ff 8d 4f f0 c6 45 fc 02 e8 d1 41 fe ff 8b 06 6a 01 8b ce ff 50 04 b8 ce cf 41 00 c3 8b b5 e4 fb ff ff 83 4d fc ff 8b ce e8 b2 d6 ff ff e8 30 4b 0e 00 c3 8b ff 55 8b ec 56 8b f1 e8 f3 fe ff ff f6 45 08 01 74 07 56 e8 ad f3 fe ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec Data Ascii: ~9~5PA3WhQEPt)Pj^h(Rh\|UhUPD j^h(Rh\|UhUP^DWWW{OEAjPAM0KUVEtVY^]U
2022-11-04 12:16:09 UTC	115	IN	Data Raw: 83 46 28 02 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 56 8b f1 f6 46 18 01 75 0a ff 76 14 6a 04 e8 cf 06 00 00 8b 46 28 8b 4e 2c 8d 50 01 3b d1 76 0b 2b c1 40 50 8b ce e8 0d fe ff ff 8b 46 28 8a 00 8b 4d 08 88 01 ff 46 28 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 56 8b f1 f6 46 18 01 75 0a ff 76 14 6a 04 e8 8b 06 00 00 8b 46 28 8b 4e 2c 8d 50 08 3b d1 76 0d 2b c1 83 c0 08 50 8b ce e8 c7 fd ff ff 8b 46 28 8b 10 8b 4d 08 89 11 8b 40 04 89 41 04 83 46 28 08 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 56 8b f1 f6 46 18 01 75 0a ff 76 14 6a 04 e8 3e 06 00 00 8b 46 28 8b 4e 2c 8d 50 02 3b d1 76 0d 2b c1 83 c0 02 50 8b ce e8 7a fd ff ff 8b 46 28 66 8b 00 8b 4d 08 66 89 01 83 46 28 02 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 51 51 56 8b 75 0c 57 8b 7d 08 8d 45 0f 50 8b cf c7 06 01 00 00 Data Ascii: F(^]UVFuvjF(N,P;v+@PF(MF(^]UVFuvjF(N,P;v+PF(M@AF(^]UVFuvj>F(N,P;v+PzF(fMfF(^]UQQVuW}EP
2022-11-04 12:16:09 UTC	117	IN	Data Raw: b8 52 00 c3 6a 0c b8 1b 90 51 00 e8 d8 3f 0e 00 8b f9 33 db 39 5d 08 0f 84 a9 00 00 00 8b 45 10 3b c3 74 0b 8b 4f 08 81 c1 b0 f1 00 00 89 08 89 5d fc e8 c6 7c ff ff 50 8d 4d 10 e8 6c 36 fe ff 8b 47 0c 83 e8 10 50 c6 45 fc 01 e8 3c 67 fe ff 8d 70 10 59 89 75 ec c6 45 fc 02 39 5e f4 75 1c bb 06 f0 00 00 53 e8 87 c6 ff ff 85 c0 74 0d 53 50 8d 4d ec e8 03 89 fe ff 8b 75 ec 8b 47 08 56 05 b0 f1 00 00 50 8d 45 10 50 e8 d5 b6 ff ff 6a ff ff 75 10 ff 75 0c ff 75 08 e8 ec 33 0e 00 50 e8 e7 62 fe ff 83 c4 14 8d 4e f0 e8 7c 36 fe ff 8b 4d 10 83 c1 f0 e8 71 36 fe ff 33 c0 40 eb 08 b8 2a db 41 00 c3 33 c0 e8 c0 3f 0e 00 c2 0c 00 6a 04 b8 f8 8d 51 00 e8 d9 3e 0e 00 8b f1 89 75 f0 e8 b2 7a ff ff c7 06 c8 b8 52 00 e8 0c 7c ff ff 50 8d 4e 0c e8 b2 35 fe ff 8b 45 08 ff 75 Data Ascii: RjQ?39]E;tO]\|PMl6GPE<gpYuE9^uStSPMuGVPEPjuuu3PbN\|6Mq63@*A3?jQ>uzR\|PN5Eu
2022-11-04 12:16:09 UTC	117	IN	Data Raw: af 45 10 83 c0 04 50 e8 70 e7 fe ff 59 8b 4d 08 8b 11 89 10 89 01 5d c2 0c 00 e8 c1 79 ff ff cc 85 c9 74 11 56 8b 31 51 e8 7e e7 fe ff 59 8b ce 85 f6 75 f1 5e c3 33 c0 39 05 10 3b 57 00 74 09 39 81 b4 00 00 00 74 01 40 c3 8b ff 55 8b ec 56 8b f1 83 3e 00 74 36 68 f8 b8 52 00 ff 15 2c 74 52 00 85 c0 74 35 68 e0 b8 52 00 50 ff 15 e0 73 52 00 85 c0 74 25 6a 00 ff 36 ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff d0 eb 11 83 7e 04 00 74 08 5e 5d ff 25 04 70 52 00 33 c0 40 5e 5d c2 14 00 8b ff 55 8b ec 56 8b f1 83 3e 00 74 42 68 f8 b8 52 00 ff 15 2c 74 52 00 85 c0 74 41 68 14 b9 52 00 50 ff 15 e0 73 52 00 85 c0 74 31 6a 00 ff 36 ff 75 28 ff 75 24 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff d0 eb 11 83 7e 04 00 74 08 5e 5d ff 25 00 70 52 Data Ascii: EPpYM]ytV1Q~Yu^39;Wt9t@UV>t6hR,tRt5hRPsRt%j6uuuuu~t^]%pR3@^]UV>tBhR,tRtAhRPsRt1j6u(u$u uuuuuu~t^]%pR
2022-11-04 12:16:09 UTC	119	IN	Data Raw: 8b c1 99 2b c2 8b 17 80 eb 41 d1 f8 83 c1 02 88 1c 10 3b 4d 14 7c c4 8b 4d 0c 83 c1 f0 e8 c2 2f fe ff 33 c0 40 e8 1b 39 0e 00 c2 10 00 68 57 00 07 80 e8 4d 31 fe ff cc 8b ff 55 8b ec 6a ff 68 6c 90 51 00 64 a1 00 00 00 00 50 b8 20 20 00 00 e8 ff 59 0e 00 a1 54 04 57 00 33 c5 89 45 f0 53 56 57 50 8d 45 f4 64 a3 00 00 00 00 8b 7d 10 8b 55 14 8b 5d 08 8b 45 0c 33 f6 89 bd d4 df ff ff 89 95 ec df ff ff 89 b5 e0 df ff ff 39 71 58 0f 84 f4 00 00 00 56 50 e8 98 fb ff ff 89 85 e4 df ff ff 3b c6 75 0b ff b5 ec df ff ff e9 0a 01 00 00 e8 ff 74 ff ff 50 8d 8d e8 df ff ff e8 a2 2e fe ff 8d 85 dc df ff ff 50 56 8d 85 d8 df ff ff 50 56 57 ff b5 e4 df ff ff 8b 3d 10 70 52 00 89 75 fc 89 b5 d8 df ff ff 89 b5 dc df ff ff ff d7 89 85 e0 df ff ff 3b c6 75 45 8b 85 dc df ff Data Ascii: +A;M\|M/3@9hWM1UjhlQdP YTW3ESVWPEd}U]E39qXVP;utP.PVPVW=pRu;uE
2022-11-04 12:16:09 UTC	120	IN	Data Raw: 8b f1 85 ff 74 0f 83 ff 01 74 0a 83 ff ff 74 05 e8 73 6e ff ff 83 3d 7c 3e 57 00 00 74 f2 6a 02 e8 1c 3c 00 00 01 be 84 00 00 00 83 be 84 00 00 00 00 7e 21 ff 35 7c 3e 57 00 ff 15 38 76 52 00 85 ff 7e 24 83 be 84 00 00 00 01 75 1b 89 86 88 00 00 00 eb 13 ff b6 88 00 00 00 83 a6 84 00 00 00 00 ff 15 38 76 52 00 6a 02 e8 44 3c 00 00 5f 5e 5d c2 04 00 83 79 5c 00 74 08 8b 49 5c 8b 01 ff 60 24 33 c0 40 c3 8b ff 55 8b ec 83 7d 08 00 75 05 e8 f1 6d ff ff 83 b9 8c 00 00 00 00 74 13 ff 71 54 8b 81 8c 00 00 00 ff 75 08 8b 10 8b c8 ff 52 04 5d c2 04 00 8b ff 55 8b ec 83 79 5c 00 75 05 e8 c1 6d ff ff 8b 49 5c 8b 01 5d ff 60 20 8b ff 55 8b ec 83 79 5c 00 75 05 e8 a8 6d ff ff 8b 49 5c 8b 01 5d ff 60 1c 8b ff 55 8b ec 83 79 5c 00 74 09 8b 49 5c 8b 01 5d ff 60 28 5d c2 Data Ascii: tttsn=\|>Wtj<~!5\|>W8vR~$u8vRjD<_^]y\tI\`$3@U}umtqTuR]Uy\umI\]` Uy\umI\]`Uy\tI\]`(]
2022-11-04 12:16:09 UTC	121	IN	Data Raw: 41 14 eb 67 8b 41 18 eb 62 8b 41 28 eb 5d 8b 41 2c eb 58 8b 41 1c eb 53 8b 41 20 eb 4e 8b 41 30 eb 49 8b 41 24 eb 44 8b 41 34 eb 3f 8b 41 38 eb 3a 8b 41 64 eb 35 8b 41 68 eb 30 8b 41 6c eb 2b 8b 41 70 eb 26 8b 41 74 eb 21 8b 41 78 eb 1c 8b 81 88 00 00 00 eb 14 8b 81 8c 00 00 00 eb 0c 8b 41 7c eb 07 52 ff 15 4c 78 52 00 5d c2 04 00 90 49 ed 41 00 4e ed 41 00 68 ed 41 00 35 ed 41 00 26 ed 41 00 44 ed 41 00 3a ed 41 00 3f ed 41 00 53 ed 41 00 5b ed 41 00 68 ed 41 00 2b ed 41 00 30 ed 41 00 03 ed 41 00 08 ed 41 00 21 ed 41 00 1c ed 41 00 63 ed 41 00 17 ed 41 00 0d ed 41 00 12 ed 41 00 8b ff 55 8b ec 5d ff 25 24 76 52 00 8b ff 55 8b ec 51 8b 81 10 02 00 00 85 c0 75 05 83 c8 ff eb 19 83 65 fc 00 8d 4d fc 51 ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff d0 8b 45 fc c9 Data Ascii: AgAbA(]A,XASA NA0IA$DA4?A8:Ad5Ah0Al+Ap&At!AxA\|RLxR]IANAhA5A&ADA:A?ASA[AhA+A0AAA!AAcAAAAU]%$vRUQueMQuuuuE
2022-11-04 12:16:09 UTC	123	IN	Data Raw: 14 8b 06 8b ce ff 90 4c 01 00 00 85 c0 74 bb 8b c6 5f 5e 5d c3 33 c0 eb f8 8b ff 53 56 57 68 a4 ba 52 00 8b f1 e8 b9 f5 fe ff 8b 3d e0 73 52 00 33 db 59 89 86 ec 01 00 00 3b c3 74 49 68 88 ba 52 00 50 ff d7 68 78 ba 52 00 ff b6 ec 01 00 00 89 86 f4 01 00 00 ff d7 68 64 ba 52 00 ff b6 ec 01 00 00 89 86 f8 01 00 00 ff d7 68 50 ba 52 00 ff b6 ec 01 00 00 89 86 04 02 00 00 ff d7 89 86 08 02 00 00 eb 18 89 9e f4 01 00 00 89 9e f8 01 00 00 89 9e 04 02 00 00 89 9e 08 02 00 00 39 9e f0 01 00 00 74 4e 68 38 ba 52 00 e8 28 fc ff ff 59 89 86 f0 01 00 00 3b c3 75 05 e8 70 62 ff ff 68 18 ba 52 00 50 ff d7 68 04 ba 52 00 ff b6 f0 01 00 00 89 86 0c 02 00 00 ff d7 68 ec b9 52 00 ff b6 f0 01 00 00 89 86 10 02 00 00 ff d7 89 86 14 02 00 00 8d 86 9c 01 00 00 33 f6 46 39 18 Data Ascii: Lt_^]3SVWhR=sR3Y;tIhRPhxRhdRhPR9tNh8R(Y;upbhRPhRhR3F9
2022-11-04 12:16:09 UTC	124	IN	Data Raw: 15 20 76 52 00 89 45 f0 e8 f8 5e ff ff 8b 75 08 50 8b ce e8 9c 18 fe ff 6a 10 ff 75 f0 89 5d fc 6a 08 57 ff 75 0c c7 45 ec 01 00 00 00 68 7c bb 52 00 56 e8 6c 1b fe ff 8b 06 83 c4 1c 8d 4d c4 51 50 57 ff 15 54 78 52 00 85 c0 75 42 a1 24 78 52 00 89 45 c8 8b 45 f0 89 45 dc 8b 06 89 45 e8 8d 45 c4 50 c7 45 c4 08 00 00 00 89 5d d0 89 5d cc 89 7d d4 89 5d d8 c7 45 e0 10 00 00 00 89 5d e4 e8 4c 33 ff ff 85 c0 75 05 e8 59 65 ff ff 8b c6 e8 ff 21 0e 00 c2 08 00 8b ff 53 56 8b d9 8b 33 0f b7 06 57 33 ff 66 85 c0 74 3b 0f b7 c0 50 e8 d2 5f 0e 00 59 85 c0 74 08 85 ff 75 06 8b fe eb 02 33 ff 83 c6 02 0f b7 06 66 85 c0 75 dd 85 ff 74 14 2b 3b 8b cb d1 ff 57 e8 b5 19 fe ff 57 8b cb e8 0d 1a fe ff 5f 5e 8b c3 5b c3 c7 01 a0 bb 52 00 e9 cc 1a fe ff 6a 04 b8 0c 92 51 00 Data Ascii: vRE^uPju]jWuEh\|RVlMQPWTxRuB$xREEEEEPE]]}]E]L3uYe!SV3W3ft;P_Ytu3fut+;WW_^[RjQ
2022-11-04 12:16:09 UTC	126	IN	Data Raw: 6a 1c 89 86 80 00 00 00 ff d7 6a 0a 89 86 84 00 00 00 ff d7 6a 0b 89 86 88 00 00 00 ff d7 6a 13 89 86 8c 00 00 00 ff d7 89 46 7c 39 9e 84 01 00 00 74 0b 8b 46 68 89 46 40 89 46 44 eb 12 6a 1a ff d7 c7 46 40 00 00 ff 00 c7 46 44 80 00 80 00 8b 3d 1c 76 52 00 6a 10 89 46 3c ff d7 33 c9 3b c3 0f 95 c1 89 46 0c 3b cb 75 05 e8 68 57 ff ff 6a 14 ff d7 33 c9 3b c3 0f 95 c1 89 46 08 3b cb 74 e9 6a 05 ff d7 33 c9 3b c3 0f 95 c1 89 46 10 3b cb 74 d7 8d 8e 90 00 00 00 e8 7d 69 ff ff ff 76 14 8b 3d f0 71 52 00 ff d7 50 8d 8e 90 00 00 00 e8 0c 69 ff ff 8d 8e c8 00 00 00 e8 5b 69 ff ff ff 76 4c ff d7 50 8d 8e c8 00 00 00 e8 f0 68 ff ff 8d 8e b0 00 00 00 e8 3f 69 ff ff ff 76 74 ff d7 50 8d 8e b0 00 00 00 e8 d4 68 ff ff 8d 8e b8 00 00 00 e8 23 69 ff ff ff 76 78 ff d7 50 Data Ascii: jjjjF\|9tFhF@FDjF@FD=vRjF<3;F;uhWj3;F;tj3;F;t}iv=qRPi[ivLPh?ivtPh#ivxP
2022-11-04 12:16:09 UTC	127	IN	Data Raw: 89 8d 80 fb ff ff 3b ce 74 0d 39 71 04 74 08 e8 30 64 ff ff 50 ff d7 8d 8b 54 01 00 00 3b ce 74 0d 39 71 04 74 08 e8 19 64 ff ff 50 ff d7 8d 85 9c fd ff ff 50 8b cb c7 85 9c fd ff ff f8 01 00 00 e8 59 ea ff ff 6a 5c 8d 45 94 56 50 e8 2a 17 0e 00 83 c4 0c 56 56 ff b5 70 fb ff ff ff 15 24 71 52 00 88 45 ab 8b 85 8c fe ff ff 89 45 a4 8a 85 90 fe ff ff 88 45 a8 8b 85 7c fe ff ff 99 33 c2 2b c2 83 f8 0c 7f 05 6a 0b 58 eb 01 48 39 b5 7c fe ff ff 7d 02 f7 d8 8b 3d 14 73 52 00 89 45 94 8d 85 98 fe ff ff 50 8d 45 b0 50 ff d7 39 33 75 66 80 bd 93 fe ff ff 02 77 5d ff 35 88 39 57 00 68 1f 02 42 00 56 ff b5 70 fb ff ff 8b 35 28 71 52 00 ff d6 85 c0 75 12 ff 35 88 39 57 00 8d 45 b0 50 ff d7 c6 45 ae 05 eb 2d ff 35 84 39 57 00 68 1f 02 42 00 6a 00 ff b5 70 fb ff ff ff Data Ascii: ;t9qt0dPT;t9qtdPPYj\EVP*VVp$qREEE\|3+jXH9\|}=sREPEP93ufw]59WhBVp5(qRu59WEPE-59WhBjp
2022-11-04 12:16:09 UTC	128	IN	Data Raw: ba 52 00 ff b6 ec 01 00 00 89 86 f4 01 00 00 ff d3 68 40 bc 52 00 ff b6 ec 01 00 00 89 86 f8 01 00 00 ff d3 68 2c bc 52 00 ff b6 ec 01 00 00 89 86 fc 01 00 00 ff d3 68 64 ba 52 00 ff b6 ec 01 00 00 89 86 00 02 00 00 ff d3 68 50 ba 52 00 ff b6 ec 01 00 00 89 86 04 02 00 00 ff d3 89 86 08 02 00 00 eb 24 89 be f4 01 00 00 89 be f8 01 00 00 89 be fc 01 00 00 89 be 00 02 00 00 89 be 04 02 00 00 89 be 08 02 00 00 68 38 ba 52 00 e8 95 e5 ff ff 59 89 86 f0 01 00 00 3b c7 74 36 68 18 ba 52 00 50 ff d3 68 04 ba 52 00 ff b6 f0 01 00 00 89 86 0c 02 00 00 ff d3 68 ec b9 52 00 ff b6 f0 01 00 00 89 86 10 02 00 00 ff d3 89 86 14 02 00 00 eb 12 89 be 0c 02 00 00 89 be 10 02 00 00 89 be 14 02 00 00 8b ce 89 be e8 00 00 00 89 be ec 00 00 00 89 be f0 00 00 00 89 be f4 00 00 Data Ascii: Rh@Rh,RhdRhPR$h8RY;t6hRPhRhR
2022-11-04 12:16:09 UTC	130	IN	Data Raw: 48 04 c9 c2 08 00 8b ff 55 8b ec 51 56 8b 35 80 76 52 00 57 ff 75 10 8b f9 6a 00 6a 00 ff 75 08 ff 77 04 ff d6 8b 4d 0c 89 45 fc 85 c0 7e 24 53 8d 58 01 53 e8 4b bd fe ff ff 75 10 53 50 ff 75 08 ff 77 04 ff d6 8b 4d 0c 6a ff e8 54 52 fe ff 5b eb 05 e8 6c 33 fe ff 8b 45 fc 5f 5e c9 c2 0c 00 6a 54 b8 39 97 51 00 e8 a0 0a 0e 00 89 4d f0 8b 7d 08 8b 47 14 85 c0 74 20 8d 4d d0 51 6a 18 ff 70 04 ff 15 f4 71 52 00 8b 45 d8 8b 75 d4 83 c0 02 89 45 e8 83 c6 02 eb 17 8b 35 d8 77 52 00 6a 32 ff d6 83 c0 02 6a 31 89 45 e8 ff d6 8d 70 02 e8 9f 47 ff ff 50 8d 4d 08 e8 45 01 fe ff 83 65 fc 00 6a 30 5b 53 8d 45 a0 6a 00 50 e8 52 0b 0e 00 8b 47 08 83 c4 0c 8d 4d a0 51 6a 00 50 8b 45 f0 ff 70 04 89 5d a0 8b 1d 14 76 52 00 c7 45 a4 40 00 00 00 ff d3 85 c0 74 7e ff 75 c8 8d Data Ascii: HUQV5vRWujjuwME~$SXSKuSPuwMjTR[l3E_^jT9QM}Gt MQjpqREuE5wRj2j1EpGPMEej0[SEjPRGMQjPEp]vRE@t~u
2022-11-04 12:16:09 UTC	131	IN	Data Raw: 00 00 00 39 5d 94 74 37 a8 08 74 33 8b 45 ec 2b 45 e4 6a 14 89 45 b4 8b 45 e8 2b 45 e0 89 45 a0 ff d7 50 6a 10 ff d7 50 8b 45 b4 40 50 8b 45 a0 40 50 ff 75 e4 8b ce ff 75 e0 e8 90 2d 00 00 39 5d a4 74 53 ff 75 a8 8b 06 8b ce ff 50 2c 8b 06 6a 07 89 45 b4 ff d7 50 8b 45 b4 8b ce ff 50 30 8b 45 ec 2b 45 e4 53 99 2b c2 8b c8 8b 45 90 99 2b c2 8b 55 ac 8b 7a f4 57 52 d1 f8 d1 f9 53 2b c8 03 4d e4 8b 45 e8 6a 02 51 83 c0 03 50 ff 76 04 ff 15 78 71 52 00 39 5d 94 0f 84 c2 00 00 00 bf a0 9f 52 00 89 5d b4 89 7d b0 8b 45 98 8b 40 10 c6 45 fc 02 a8 02 74 11 ff 75 a8 8d 45 b0 50 ff 75 9c e8 c8 54 ff ff eb 18 a8 08 74 1a 68 ff ff ff 00 ff 75 a8 8d 45 b0 50 ff 75 9c e8 2e 57 ff ff 8d 45 b0 89 45 9c 8d 4d 84 e8 19 49 ff ff 53 c6 45 fc 03 ff 15 54 71 52 00 50 8d 4d 84 Data Ascii: 9]t7t3E+EjEE+EEPjPE@PE@Puu-9]tSuP,jEPEP0E+ES+E+UzWRS+MEjQPvxqR9]R]}E@EtuEPuTthuEPu.WEEMISETqRPM
2022-11-04 12:16:09 UTC	133	IN	Data Raw: 3b c3 75 0e ff 75 ec ff 15 48 74 52 00 e8 32 3b ff ff 8b 4e 08 89 46 0c 8b 57 0c 2b d1 c1 e2 02 52 8d 04 88 53 50 e8 a1 00 0e 00 8b 47 0c 83 c4 0c 56 89 46 08 ff 37 ff 15 fc 72 52 00 8b 4d 08 8b 46 0c 3b c3 74 0b 3b 4e 08 7d 06 8b 55 0c 89 14 88 ff 75 ec eb 01 56 ff 15 48 74 52 00 e8 2a 00 0e 00 c2 08 00 8b ff 55 8b ec f6 45 08 01 56 8b f1 74 06 56 e8 84 fb ff ff 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 51 53 33 db 56 8b 75 08 43 57 8b f9 89 5d fc 39 5e 08 7e 42 8b 45 0c 85 c0 74 18 8b 4f 10 39 44 d9 04 74 0f 8b 46 0c 83 3c 98 00 74 1d 83 65 fc 00 eb 17 8b 46 0c 8b 0c 98 85 c9 74 06 8b 01 6a 01 ff 10 8b 46 0c 83 24 98 00 43 3b 5e 08 7c c4 83 7d fc 00 74 35 8d 5f 1c 53 ff 15 44 74 52 00 56 8d 4f 14 e8 2b fc ff ff 53 ff 15 48 74 52 00 ff 76 0c ff 15 78 74 52 00 Data Ascii: ;uuHtR2;NFW+RSPGVF7rRMF;t;N}UuVHtR*UEVtV^]UQS3VuCW]9^~BEtO9DtF<teFtjF$C;^\|}t5_SDtRVO+SHtRvxtR
2022-11-04 12:16:09 UTC	133	IN	Data Raw: 57 00 85 c9 75 21 b9 0c 3c 57 00 89 4d f0 83 65 fc 00 e8 d7 fc ff ff 83 4d fc ff 8b c8 89 0d 08 3c 57 00 85 c0 74 cb e8 aa fb ff ff 89 06 85 c0 74 c0 ff 36 8b 0d 08 3c 57 00 e8 39 fa ff ff 8b f8 85 ff 75 13 ff 55 08 8b 0d 08 3c 57 00 8b f8 57 ff 36 e8 3d fd ff ff 8b c7 e8 92 fe 0d 00 c2 04 00 8b ff 56 8b f1 8b 06 85 c0 74 10 8b 0d 08 3c 57 00 85 c9 74 06 50 e8 b0 fc ff ff 83 26 00 5e c3 8b ff 55 8b ec 8b 0d 08 3c 57 00 85 c9 74 06 5d e9 e5 fe ff ff 5d c2 08 00 8b ff 56 8b f1 8b 46 14 57 85 c0 74 13 8b 78 04 6a 00 50 8b ce e8 30 fe ff ff 8b c7 85 ff 75 ed 8b 06 83 f8 ff 74 07 50 ff 15 f4 72 52 00 8b 46 10 85 c0 74 17 50 ff 15 08 73 52 00 8b f8 57 ff 15 c0 73 52 00 57 ff 15 c4 73 52 00 83 c6 1c 56 ff 15 40 74 52 00 5f 5e c3 83 3d 40 3c 57 00 00 74 08 ff 0d Data Ascii: Wu!<WMeM<Wtt6<W9uU<WW6=Vt<WtP&^U<Wt]]VFWtxjP0utPrRFtPsRWsRWsRV@tR_^=@<Wt
2022-11-04 12:16:09 UTC	135	IN	Data Raw: 75 22 8b 41 04 3b 46 04 75 1a 8b 41 08 3b 46 08 75 12 8b 41 0c 3b 46 0c 75 0a 8b 42 04 03 c3 83 38 00 75 11 83 c2 08 8b 0a 85 c9 75 cf 8b 3f 85 ff 75 c4 33 c0 5f 5e 5b 5d c2 04 00 8b ff 55 8b ec 51 51 8b 01 56 57 89 4d f8 ff 50 38 8b f8 8b 47 04 eb 03 83 c0 08 83 38 00 75 f8 8d 70 04 eb 2a 8b 06 8b 4d f8 8b 04 01 85 c0 74 1b 8b 08 83 65 fc 00 8d 55 fc 52 ff 75 08 50 ff 11 85 c0 75 07 8b 45 fc 85 c0 75 10 83 c6 08 83 3e ff 75 d1 8b 3f 85 ff 75 b9 33 c0 5f 5e c9 c2 04 00 83 79 08 00 74 0a 8b 41 08 8b 08 50 ff 51 04 c3 83 c1 04 51 ff 15 1c 74 52 00 c3 6a 08 b8 3c 87 51 00 e8 a8 f7 0d 00 8b f1 8d 46 04 83 38 00 75 04 33 c0 eb 30 50 ff 15 20 74 52 00 8b f8 85 ff 75 21 ff 76 1c 8d 4d ec e8 db 93 ff ff 8b 06 21 7d fc 8b ce ff 50 10 83 4d fc ff 8d 4d ec e8 fd 8a Data Ascii: u"A;FuA;FuA;FuB8uu?u3_^[]UQQVWMP8G8up*MteURuPuEu>u?u3_^ytAPQQtRj<QF8u30P tRu!vM!}PMM
2022-11-04 12:16:09 UTC	136	IN	Data Raw: c4 bd 52 00 ff 77 04 8d 4e 04 e8 a2 24 03 00 83 65 fc 00 6a 0a 8d 4e 1c e8 3b fd ff ff 6a 04 8d 4e 38 c6 45 fc 01 e8 2d fd ff ff 33 c0 c6 45 fc 02 39 45 0c 75 05 e8 4d 2e ff ff 39 45 10 74 f6 50 6a 07 8d 4e 38 e8 f9 27 03 00 8b 45 0c 89 46 14 8b 45 10 89 46 18 8b 45 14 89 46 58 8b 45 18 89 46 5c 89 7e 54 8b c6 e8 2c f3 0d 00 c2 14 00 6a 08 b8 64 98 51 00 e8 78 f2 0d 00 8b f1 8b 7d 08 85 ff 75 0a 33 c0 e8 0d f3 0d 00 c2 04 00 57 8d 4e 1c e8 89 fd ff ff 85 c0 75 eb 8d 4e 38 57 e8 7c fd ff ff 85 c0 74 12 8b 4e 58 89 3c 01 83 7e 5c 02 75 d2 89 7c 01 04 eb cc 68 12 1e 42 00 e8 48 9b fe ff 83 65 fc 00 8d 4e 04 89 45 08 e8 27 24 03 00 8b d8 85 db 75 05 e8 71 2d ff ff 53 ff 56 14 57 8d 4e 38 e8 a8 fd ff ff ff 75 08 83 4d fc ff 89 18 e8 13 9b fe ff 8b 46 58 89 3c Data Ascii: RwN$ejN;jN8E-3E9EuM.9EtPjN8'EFEFEFXEF\~T,jdQx}u3WNuN8W\|tNX<~\u\|hBHeNE'$uq-SVWN8uMFX<
2022-11-04 12:16:09 UTC	137	IN	Data Raw: 8b 36 68 d8 bd 52 00 e8 15 bd ff ff 8b 10 59 59 57 8b c8 ff 52 0c 85 f6 75 dd 33 c0 40 5e 5f 5d c2 04 00 e8 b4 28 ff ff cc 8b ff 56 57 8b 3d 4c 78 52 00 6a 0f 8b f1 ff d7 6a 10 89 46 28 ff d7 6a 14 89 46 2c ff d7 6a 12 89 46 30 ff d7 6a 06 89 46 34 ff d7 8b 3d 1c 76 52 00 6a 0f 89 46 38 ff d7 6a 06 89 46 24 ff d7 5f 89 46 20 5e c3 8b ff 53 56 8b 35 d8 77 52 00 57 6a 0b 8b f9 ff d6 6a 0c 89 47 08 ff d6 6a 02 89 47 0c ff d6 40 6a 03 a3 40 3e 57 00 ff d6 40 6a 00 a3 44 3e 57 00 ff 15 68 76 52 00 8b 35 e0 71 52 00 8b d8 6a 58 53 ff d6 6a 5a 53 89 47 18 ff d6 53 6a 00 89 47 1c ff 15 64 76 52 00 5f 5e 5b c3 8b ff 53 56 57 8b f1 e8 98 ff ff ff 33 db 8b ce 89 5e 24 e8 46 ff ff ff 8b 3d 20 76 52 00 68 02 7f 00 00 53 ff d7 68 00 7f 00 00 53 89 46 3c ff d7 6a 02 89 Data Ascii: 6hRYYWRu3@^_](VW=LxRjjF(jF,jF0jF4=vRjF8jF$_F ^SV5wRWjjGjG@j@>W@jD>WhvR5qRjXSjZSGSjGdvR_^[SVW3^$F= vRhShSF<j
2022-11-04 12:16:09 UTC	139	IN	Data Raw: 7d f2 8b 46 0c 8b cb c1 e1 02 ff 34 08 89 4d f4 68 30 8b 52 00 e8 5b b7 ff ff 8b f8 33 c0 59 59 3b f8 74 c7 39 47 20 74 c2 89 45 fc 89 45 f8 8d 45 f8 50 8d 45 fc 50 ff 75 0c 8b ce e8 10 fd ff ff 3b 5e 10 7d ae 8b 46 0c 8b 4d f4 83 24 01 00 57 8b ce e8 0f ff ff ff 8b cf e8 e8 d0 fe ff 8b 07 6a 01 8b cf ff 50 04 8b 75 10 ff 75 08 8b ce e8 74 dd fe ff 85 c0 75 05 e8 96 22 ff ff 83 7d fc 00 76 14 ff 75 f8 ff 75 fc 68 7c 03 00 00 ff 76 20 ff 15 dc 76 52 00 33 c0 40 e9 4d ff ff ff 8b ff 55 8b ec 83 7d 08 00 75 0a 68 05 40 00 80 e8 cb df fd ff 8b 01 ff 75 08 50 e8 f4 29 0e 00 59 59 5d c2 04 00 8b ff 55 8b ec 56 8b f1 e8 07 fe ff ff f6 45 08 01 74 07 56 e8 1c 90 fe ff 59 8b c6 5e 5d c2 04 00 6a 04 b8 77 f1 51 00 e8 76 e6 0d 00 33 f6 39 75 0c 75 0a 33 c0 e8 40 e7 Data Ascii: }F4Mh0R[3YY;t9G tEEEPEPu;^}FM$WjPuutu"}vuuh\|v vR3@MU}uh@uP)YY]UVEtVY^]jwQv39uu3@
2022-11-04 12:16:09 UTC	140	IN	Data Raw: 08 75 08 8b 50 04 89 51 08 eb 08 8b 10 8b 70 04 89 72 04 50 e8 68 ff ff ff 5e 5d c2 04 00 b8 e4 bf 52 00 c3 8b ff 55 8b ec 8b c1 33 c9 89 48 0c 89 48 10 89 48 08 89 48 04 89 48 14 8b 4d 08 c7 00 04 c0 52 00 89 48 18 5d c2 04 00 c7 01 04 c0 52 00 e9 e2 13 03 00 8b ff 55 8b ec 56 8b f1 83 7e 10 00 75 2b 6a 0c ff 76 18 8d 46 14 50 e8 1e a3 ff ff 8b 4e 18 8b d1 6b d2 0c 49 8d 44 10 f8 78 0e 8b 56 10 89 10 89 46 10 83 e8 0c 49 79 f2 8b 46 10 8b 08 89 4e 10 8b 4d 08 89 48 04 8b 4d 0c 89 08 ff 46 0c 83 60 08 00 5e 5d c2 08 00 8b ff 55 8b ec 56 8b f1 6a 00 ff 76 08 e8 96 ff ff ff 8b 4d 08 89 48 08 8b 4e 08 85 c9 74 04 89 01 eb 03 89 46 04 89 46 08 5e 5d c2 04 00 8b ff 55 8b ec 56 8b f1 c7 06 04 c0 52 00 e8 49 13 03 00 f6 45 08 01 74 07 56 e8 53 8a fe ff 59 8b c6 Data Ascii: uPQprPh^]RU3HHHHHMRH]RUV~u+jvFPNkIDxVFIyFNMHMF`^]UVjvMHNtFF^]UVRIEtVSY
2022-11-04 12:16:09 UTC	141	IN	Data Raw: 8b 45 0c 8b 4d ec 66 89 03 8b 45 f4 2b c1 50 ff 75 08 03 d9 50 53 e8 85 00 fe ff 2b 75 f0 83 c4 10 ff 37 01 77 04 ff 15 c0 73 52 00 83 67 08 00 33 c0 40 5e 5b 5f c9 c2 08 00 8b ff 55 8b ec 83 ec 64 a1 54 04 57 00 33 c5 89 45 fc 53 56 8b 35 f8 71 52 00 57 6a 0a 5f 6a 11 89 4d 9c bb 10 c0 52 00 ff d6 85 c0 75 08 6a 0d ff d6 85 c0 74 48 8d 4d a0 51 6a 5c 50 ff 15 f4 71 52 00 85 c0 74 37 6a 00 8d 5d bc ff 15 68 76 52 00 83 7d a0 00 8b f0 7d 03 f7 5d a0 6a 5a 56 ff 15 e0 71 52 00 50 6a 48 ff 75 a0 ff 15 b4 73 52 00 56 6a 00 0f b7 f8 ff 15 64 76 52 00 8b 45 08 66 85 c0 75 03 0f b7 c7 8b 4d 9c 50 53 e8 49 fe ff ff 8b 4d fc 5f 5e 33 cd 5b e8 5c cb 0d 00 c9 c2 04 00 8b ff 55 8b ec 33 c0 56 8b f1 39 45 08 75 0f 89 06 89 46 04 89 46 08 8b c6 5e 5d c2 04 00 ff 75 08 Data Ascii: EMfE+PuPS+u7wsRg3@^[_UdTW3ESV5qRWj_jMRujtHMQj\PqRt7j]hvR}}]jZVqRPjHusRVjdvREfuMPSIM_^3[\U3V9EuFF^]u
2022-11-04 12:16:09 UTC	143	IN	Data Raw: ba 55 55 00 00 66 d3 e2 40 66 89 54 45 ea 83 f8 08 7c e8 56 8d 45 ec 50 6a 01 6a 01 6a 08 6a 08 ff 15 e8 71 52 00 8b f0 85 f6 74 13 56 ff 15 58 71 52 00 56 a3 c8 3e 57 00 ff 15 ec 71 52 00 5e 80 3d cc 3e 57 00 00 75 16 68 06 41 42 00 e8 cb cf 0d 00 f7 d8 1a c0 fe c0 59 a2 cc 3e 57 00 6a 08 e8 f9 e1 ff ff ff 35 c8 3e 57 00 e8 99 25 ff ff 8b 4d fc 33 cd e8 0f c6 0d 00 c9 c3 8b ff 55 8b ec 83 ec 14 a1 54 04 57 00 33 c5 89 45 fc 56 ff 75 18 8b f1 ff 76 04 ff 15 00 72 52 00 8b 45 08 8b 4d 0c 89 45 ec 03 45 10 89 4d f0 03 4d 14 89 45 f4 33 c0 50 50 50 89 4d f8 8d 4d ec 51 6a 02 50 50 ff 76 04 ff 15 78 71 52 00 8b 4d fc 33 cd 5e e8 b3 c5 0d 00 c9 c2 14 00 8b ff 55 8b ec 51 53 8b 5d 0c 56 8b 75 10 57 ff 75 18 8d 46 ff 6a 01 50 53 ff 75 08 89 4d fc e8 7e ff ff ff Data Ascii: UUf@fTE\|VEPjjjjqRtVXqRV>WqR^=>WuhABY>Wj5>W%M3UTW3EVuvrREMEEMME3PPPMMQjPPvxqRM3^UQS]VuWuFjPSuM~
2022-11-04 12:16:09 UTC	144	IN	Data Raw: 4a 57 00 c7 80 d0 00 00 00 01 00 00 00 8b 0d e0 4a 57 00 8b 01 ff 50 30 a1 e0 4a 57 00 e8 77 d3 0d 00 c3 8b ff 55 8b ec 8b 45 08 89 81 8c 00 00 00 5d c2 04 00 8b ff 55 8b ec 8b 45 08 56 33 f6 89 30 89 70 04 ba ff 7f 00 00 39 75 0c 74 09 39 75 10 74 04 8b ca eb 02 33 c9 89 08 39 75 0c 74 09 39 75 10 75 04 8b ca eb 02 33 c9 89 48 04 5e 5d c2 0c 00 8b ff 55 8b ec 83 b9 80 00 00 00 00 8b 4d 08 8b 01 74 07 6a 11 ff 50 24 eb 08 68 ac 3a 57 00 ff 50 28 5d c2 04 00 8b ff 55 8b ec 51 51 33 c0 39 81 04 0b 00 00 74 16 39 81 08 0b 00 00 8d 81 ac 0b 00 00 75 1a 8d 81 9c 0b 00 00 eb 12 39 81 08 0b 00 00 b8 64 ce 56 00 75 05 b8 54 ce 56 00 8b 10 8b 40 04 56 8b 75 08 89 46 04 8b 01 89 16 ff 90 5c 03 00 00 85 c0 74 1d e8 bf fe ff ff 8b 10 8d 4d f8 51 8b c8 ff 92 3c 01 00 Data Ascii: JWJWP0JWwUE]UEV30p9ut9ut39ut9uu3H^]UMtjP$h:WP(]UQQ39t9u9dVuTV@VuF\tMQ<
2022-11-04 12:16:09 UTC	145	IN	Data Raw: 06 53 8b ce ff 50 14 ff 75 0c 8b 07 56 8b cf ff 90 40 03 00 00 8b f8 85 ff 79 09 8b 06 6a 01 8b ce ff 50 04 8b c7 5f 5e 5b 5d c2 08 00 6a 04 b8 a2 a0 51 00 e8 dc cc 0d 00 8b f9 33 f6 39 b7 d4 0b 00 00 74 4d 39 75 08 74 48 6a 70 e8 27 76 fe ff 59 8b c8 89 4d f0 89 75 fc 3b ce 74 07 e8 bc 82 04 00 8b f0 ff 75 08 83 4d fc ff c7 46 24 01 00 00 00 8b 07 56 8b cf ff 90 40 03 00 00 8b f8 83 ff ff 75 09 8b 06 6a 01 8b ce ff 50 04 8b c7 eb 03 83 c8 ff e8 53 cd 0d 00 c2 04 00 8b ff 56 8b f1 83 8e 78 0b 00 00 ff 83 8e 7c 0b 00 00 ff 83 8e 80 0b 00 00 ff 83 be d4 0b 00 00 00 74 2e 53 57 8d 8e c8 0b 00 00 e8 33 ea ff ff 8b f8 85 ff 74 10 8b 07 8b cf ff 50 58 8b 07 6a 01 8b cf ff 50 04 83 be d4 0b 00 00 00 75 d6 5f 5b 83 a6 a0 0c 00 00 00 5e c3 8b ff 55 8b ec 8b 89 cc Data Ascii: SPuV@yjP_^[]jQ39tM9utHjp'vYMu;tuMF$V@ujPSVx\|t.SW3tPXjPu_[^U
2022-11-04 12:16:09 UTC	147	IN	Data Raw: 03 c1 8b 4d 08 8d 44 38 ff 50 8d 45 f4 50 e8 22 10 ff ff 8b 8e 58 0c 00 00 8b 86 60 0c 00 00 ff b6 64 0c 00 00 2b c1 99 2b c2 d1 f8 03 c1 8b 4d 08 8d 44 38 ff 50 e8 7c 0a ff ff 8b 86 5c 0c 00 00 8b 4d 08 03 c7 50 8b 86 58 0c 00 00 03 c7 50 8d 45 ec 50 e8 dc 0f ff ff 8b 86 5c 0c 00 00 8b 4d 08 03 c7 50 8b 86 60 0c 00 00 2b c7 50 e8 44 0a ff ff 8b 86 64 0c 00 00 8b 4d 08 2b c7 48 50 8b 86 58 0c 00 00 03 c7 50 8d 45 e4 50 e8 a3 0f ff ff 8b 86 64 0c 00 00 2b c7 48 50 8b 86 60 0c 00 00 2b c7 e9 c1 00 00 00 8b 86 64 0c 00 00 2b 86 5c 0c 00 00 8b 4d 08 99 2b c2 d1 f8 03 86 5c 0c 00 00 8d 44 38 ff 50 ff b6 58 0c 00 00 8d 45 dc 50 e8 5e 0f ff ff 8b 86 64 0c 00 00 2b 86 5c 0c 00 00 8b 4d 08 99 2b c2 d1 f8 03 86 5c 0c 00 00 8d 44 38 ff 50 ff b6 60 0c 00 00 e8 b6 09 Data Ascii: MD8PEP"X`d++MD8P\|\MPXPEP\MP`+PDdM+HPXPEPd+HP`+d+\M+\D8PXEP^d+\M+\D8P`
2022-11-04 12:16:09 UTC	148	IN	Data Raw: 80 50 8b ce e8 8d ef ff ff 8b 40 04 eb 03 8b 45 c4 8b 4d 90 ff 75 b8 89 4d ac 8d 4d ac 51 8d 4d 98 51 8d 4d 88 89 45 b0 8b 07 51 8b cf ff 50 1c 8b 08 8b 40 04 39 9e 18 0b 00 00 74 06 8b 86 74 0b 00 00 39 5d b4 75 48 8b 55 c8 33 db 39 55 d8 74 05 39 5f 10 74 0a f6 47 24 01 74 04 33 c9 33 c0 03 4d d8 3b 4d d0 7e 03 89 4d d0 8b 55 dc 03 c2 3b 45 d4 7e 03 89 45 d4 89 4d d8 39 5f 10 74 2e 8b 45 c8 89 45 d8 8b 45 c4 8d 44 02 05 eb 1c 03 4d d8 3b 4d d0 7e 03 89 4d d0 03 45 dc 3b 45 d4 7e 03 89 45 d4 8b 4d c8 89 4d d8 89 45 dc 39 5d c0 0f 85 03 ff ff ff ff 75 cc 8d 4d 98 e8 be 0f ff ff 8b 45 d0 8b 75 bc 83 4d fc ff 89 06 8b 45 d4 8d 4d 98 89 46 04 e8 ab 0c ff ff 8b c6 e8 c5 c1 0d 00 c2 08 00 8b ff 55 8b ec 53 56 57 8b d9 e8 b7 ed ff ff ff 75 10 8b 75 0c 8b 10 83 Data Ascii: P@EMuMMQMQMEQP@9tt9]uHU39Ut9_tG$t33M;M~MU;E~EM9_t.EEEDM;M~ME;E~EMME9]uMEuMEMFUSVWuu
2022-11-04 12:16:09 UTC	150	IN	Data Raw: 89 81 8c 00 00 00 5d c2 04 00 8b ff 55 8b ec 8b c1 83 b8 f0 0b 00 00 00 74 13 8b 4d 08 8b 11 05 e4 0b 00 00 50 68 50 c0 52 00 ff 52 24 5d c2 04 00 6a 1c b8 05 f6 51 00 e8 d4 bb 0d 00 8b f1 6a 0a 8d 4d d8 33 db e8 d4 ee 02 00 8b 4d 08 8b 01 21 5d fc 8d 55 d8 52 68 50 c0 52 00 ff 50 40 85 c0 74 24 8b 06 8d 4d d8 51 8b ce ff 90 2c 04 00 00 8b d8 eb 12 e8 82 d9 ff ff 85 c0 74 09 8b 10 6a 01 8b c8 ff 52 04 83 7d e4 00 8d 4d d8 75 e5 83 4d fc ff e8 ae ee 02 00 8b c3 e8 49 bc 0d 00 c2 04 00 8b ff 55 8b ec b9 ec 40 57 00 5d e9 1e f6 04 00 8b ff 55 8b ec 33 c0 39 81 04 0b 00 00 74 1f 39 81 38 0b 00 00 75 12 39 05 0c 3f 57 00 74 0a 8b 4d 14 39 41 04 8b c1 7f 22 8b 45 0c eb 1d 39 81 38 0b 00 00 75 12 39 05 0c 3f 57 00 74 0a 8b 4d 10 39 41 04 8b c1 7f 03 8b 45 08 5d Data Ascii: ]UtMPhPRR$]jQjM3M!]URhPRP@t$MQ,tjR}MuMIU@W]U39t98u9?WtM9A"E98u9?WtM9AE]
2022-11-04 12:16:09 UTC	151	IN	Data Raw: c7 06 a0 c0 52 00 e8 d8 a3 05 00 f6 45 08 01 74 07 56 e8 e0 5f fe ff 59 8b c6 5e 5d Data Ascii: REtV_Y^]
2022-11-04 12:16:09 UTC	151	IN	Data Raw: c2 04 00 8b ff 55 8b ec 56 8b f1 c7 06 b0 c0 52 00 e8 b1 a3 05 00 f6 45 08 01 74 07 56 e8 b9 5f fe ff 59 8b c6 5e 5d c2 04 00 e8 89 93 fe ff c2 0c 00 8b ff 55 8b ec ff 75 08 e8 7f eb ff ff 85 c0 74 03 8b 40 20 5d c2 04 00 8b ff 55 8b ec 83 ec 10 56 57 8b 7d 0c 33 f6 3b fe 75 05 e8 ae f1 fe ff ff 75 08 e8 54 eb ff ff 3b c6 75 11 89 75 f0 89 75 f4 89 75 f8 89 75 fc 8d 75 f0 eb 03 8d 70 54 a5 a5 a5 a5 5f 5e c9 c2 08 00 8b ff 55 8b ec 83 ec 14 a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 56 57 8b 7d 0c 33 f6 3b fe 75 05 e8 5f f1 fe ff 50 e8 07 eb ff ff 3b c6 75 11 89 75 ec 89 75 f0 89 75 f4 89 75 f8 8d 75 ec eb 10 8b 10 8d 4d ec 51 8b c8 ff 92 88 00 00 00 8b f0 8b 4d fc a5 a5 a5 a5 5f 33 cd 5e e8 7a a3 0d 00 c9 c2 08 00 8b ff 55 8b ec ff 75 08 e8 c1 ea ff ff 85 c0 Data Ascii: UVREtV_Y^]Uut@ ]UVW}3;uuT;uuuuuupT_^UTW3EEVW}3;u_P;uuuuuuMQM_3^zUu
2022-11-04 12:16:09 UTC	152	IN	Data Raw: 50 8d 45 a0 50 ff 15 04 76 52 00 85 c0 0f 84 26 02 00 00 39 77 40 0f 85 1d 02 00 00 ff b5 5c ff ff ff 8b 03 8d 4d d0 51 ff b5 60 ff ff ff 8b cb ff 90 f4 03 00 00 e9 fe 01 00 00 8d 45 c0 50 8d 45 e0 50 8d 45 a0 50 ff 15 04 76 52 00 85 c0 0f 84 e4 01 00 00 ff b5 28 ff ff ff 8b cb e8 bf e4 ff ff 89 85 18 ff ff ff 8b 85 58 ff ff ff f7 40 24 00 00 04 00 74 0e 83 3d 04 3f 57 00 00 75 05 33 ff 47 eb 02 33 ff 8b 8d 60 ff ff ff 8b 01 8d 55 e0 52 ff 50 58 85 c0 0f 84 9b 01 00 00 33 c0 89 85 5c ff ff ff 39 85 44 ff ff ff 0f 84 54 01 00 00 8b 8d 58 ff ff ff 33 f6 39 41 04 74 14 39 41 38 0f 8c b7 00 00 00 8b 35 1c 3f 57 00 e9 ac 00 00 00 39 83 38 0b 00 00 74 46 3b f8 74 1a 8b b5 14 ff ff ff 39 46 04 7e 0f c7 85 5c ff ff ff 01 00 00 00 e9 86 00 00 00 8b b5 20 ff ff ff Data Ascii: PEPvR&9w@\MQ`EPEPEPvR(X@$t=?Wu3G3`URPX3\9DTX39At9A85?W98tF;t9F~\
2022-11-04 12:16:09 UTC	154	IN	Data Raw: e3 e0 ff ff 68 05 05 00 00 6a 00 6a 00 ff 76 20 ff 15 70 78 52 00 5e c3 8b ff 55 8b ec 56 8b f1 57 8b 7e 14 c7 46 18 01 00 00 00 85 ff 75 05 e8 84 e6 fe ff ff 76 08 8b cf e8 5a f5 ff ff 25 ff ff fb ff 83 7d 08 00 75 05 0d 00 00 04 00 8b 17 50 ff 76 08 8b cf ff 92 74 03 00 00 5f 5e 5d c2 04 00 8b ff 55 8b ec 53 8b 5d 08 56 57 8b f1 83 fb 02 7e 03 33 db 43 8b 7e 14 85 ff 75 05 e8 35 e6 fe ff ff 76 08 8b cf e8 0b f5 ff ff 25 ff ff ee ff 83 fb 01 75 07 0d 00 00 01 00 eb 0a 83 fb 02 75 05 0d 00 00 10 00 8b 17 83 c8 02 50 ff 76 08 8b cf ff 92 74 03 00 00 5f 5e 5b 5d c2 04 00 8b ff 55 8b ec 83 ec 28 56 8b f1 8d 4d d8 e8 53 ca fe ff 8b 86 d4 0b 00 00 83 65 e0 00 c7 45 d8 40 c0 52 00 89 75 ec 89 45 f8 85 c0 74 6a ff 75 e0 8b ce e8 6e df ff ff 85 c0 74 7d 8b 0d 48 Data Ascii: hjjv pxR^UVW~FuvZ%}uPvt_^]US]VW~3C~u5v%uuPvt_^[]U(VMSeE@RuEtjunt}H
2022-11-04 12:16:09 UTC	155	IN	Data Raw: 8b 06 8b ce ff 90 00 04 00 00 a1 78 3f 57 00 3b 45 fc 74 01 43 85 ff 75 c5 85 db 75 ad 8b 45 08 8b 35 70 3f 57 00 a3 04 3f 57 00 eb 33 e8 da e0 fe ff 8b c6 85 f6 74 f5 8b 78 08 8b 36 85 ff 74 ec ff 77 20 e8 3d 83 fe ff 85 c0 74 13 83 bf 04 0b 00 00 00 75 0a 8b 07 8b cf ff 90 08 02 00 00 85 f6 75 ce 8b 3d 70 3f 57 00 33 db eb 66 8b c7 85 ff 74 b9 8b 70 08 8b 3f 85 f6 74 b0 8b ce e8 d3 be fe ff a9 00 00 00 10 74 49 8b 06 8b ce ff 90 98 01 00 00 50 68 9c 68 53 00 e8 b1 74 ff ff 59 59 85 c0 74 10 85 db 75 0c 8b 10 43 53 8b c8 ff 92 74 01 00 00 ff 76 20 e8 c8 82 fe ff 85 c0 74 12 68 85 05 00 00 6a 00 6a 00 ff 76 20 ff 15 70 78 52 00 85 ff 75 96 83 7d 08 00 5f 5e 5b 75 07 83 25 34 3f 57 00 00 33 c0 40 c9 c2 04 00 8b ff 55 8b ec 83 ec 40 a1 54 04 57 00 33 c5 89 Data Ascii: x?W;EtCuuE5p?W?W3tx6tw =tuu=p?W3ftp?ttIPhhStYYtuCStv thjjv pxRu}_^[u%4?W3@U@TW3
2022-11-04 12:16:09 UTC	157	IN	Data Raw: 8b 01 ff 50 50 85 c0 0f 84 fa 00 00 00 83 7d 0c ff 75 3f 83 7d 10 ff 75 39 8d 45 e0 50 ff 76 20 89 5d e0 89 5d e4 89 5d e8 89 5d ec ff 15 dc 77 52 00 8d 45 e0 50 8b ce e8 af e8 fe ff 8b 45 e0 8b 4d e4 89 45 0c 83 c0 05 83 c1 05 89 45 0c 89 4d 10 bf 2c 8a 52 00 89 7d d8 89 5d dc 68 e6 3e 00 00 8d 4d d8 89 5d fc e8 cf 50 fe ff 53 ff 75 dc ff 15 fc 77 52 00 50 e8 41 93 ff ff 8b d8 33 c0 85 db 0f 95 c0 85 c0 75 05 e8 d1 da fe ff 8b 45 d4 8b 40 3c 85 c0 74 10 6a 01 68 0e 42 00 00 ff 73 04 ff 15 b8 76 52 00 8b 06 53 ff 75 d4 8b ce ff 90 04 04 00 00 85 c0 74 3d 8b 86 80 0b 00 00 48 78 22 50 8b ce e8 42 d4 ff ff 85 c0 74 16 83 78 50 00 75 10 6a 01 68 15 42 00 00 ff 73 04 ff 15 b8 76 52 00 6a 00 56 ff 75 10 8b cb ff 75 0c 6a 02 e8 a8 6f fe ff 83 4d fc ff 8d 4d d8 Data Ascii: PP}u?}u9EPv ]]]]wREPEMEEM,R}]h>M]PSuwRPA3uE@<tjhBsvRSut=Hx"PBtxPujhBsvRjVuujoMM
2022-11-04 12:16:09 UTC	157	IN	Data Raw: 50 48 85 c0 75 03 8b 45 0c 5f 5e 5b 5d c2 0c 00 8b ff 55 8b ec 83 ec 24 a1 54 04 57 00 33 c5 89 45 fc 53 56 57 8d 45 e4 8b f1 8b be 30 0b 00 00 33 db 50 89 5d e4 89 5d e8 ff 15 54 76 52 00 3b fb 75 69 8b 3d 44 78 52 00 39 1d 04 3f 57 00 74 6e 83 be 80 0b 00 00 ff 74 63 39 9e 04 0b 00 00 75 5b 8d 45 e4 50 ff 76 20 ff d7 ff 75 e8 8b 06 ff 75 e4 8b 9e 80 0b 00 00 8b ce ff 90 90 03 00 00 3b c3 75 38 53 8b ce e8 01 d3 ff ff 8b d8 8b 03 8b cb ff 50 3c 85 c0 74 23 8b 45 e4 2b 43 5c 50 e8 7a e2 0d 00 59 83 f8 06 7f 11 ff 35 80 3a 57 00 ff 15 38 76 52 00 33 c0 40 eb 5f 33 db 8b 45 e4 89 45 dc 8b 45 e8 89 45 e0 8d 45 dc 50 ff 76 20 ff d7 6a 01 8d 45 ec 50 8d 8e 6c 0b 00 00 89 5d ec 89 5d f0 89 5d f4 89 5d f8 e8 8b e6 03 00 ff 75 e0 8d 45 ec ff 75 dc 50 ff 15 10 78 Data Ascii: PHuE_^[]U$TW3ESVWE03P]]TvR;ui=DxR9?Wtntc9u[EPv uu;u8SP<t#E+C\PzY5:W8vR3@_3EEEEEPv jEPl]]]]uEuPx
2022-11-04 12:16:09 UTC	159	IN	Data Raw: c2 0c 00 8b ff 55 8b ec 83 ec 20 a1 54 04 57 00 33 c5 89 45 fc 56 8b f1 8b 86 a4 0c 00 00 57 33 ff 3b c7 75 07 33 c0 e9 dd 00 00 00 8b 16 57 57 57 57 57 57 50 ff 92 30 03 00 00 89 45 e0 8b 06 8b ce ff 90 08 02 00 00 8b 06 8b ce ff 90 6c 01 00 00 85 c0 74 0f 8b 06 8b ce ff 90 0c 02 00 00 e9 91 00 00 00 39 be ac 00 00 00 0f 84 85 00 00 00 53 8b 1e 8b ce ff 93 60 01 00 00 50 57 8d 45 e4 50 8b ce ff 93 5c 02 00 00 8d 45 ec 50 ff 76 20 89 7d ec 89 7d f0 89 7d f4 89 7d f8 ff 15 04 78 52 00 8b 45 f4 2b 45 ec 8b 4d f8 2b 4d f0 5b 3b 45 e4 75 05 3b 4d e8 74 1d 8b 06 57 6a 16 ff 75 e8 8b ce ff 75 e4 57 57 57 ff 90 34 02 00 00 8b ce e8 7f 7e 04 00 8b 8e b0 00 00 00 8b 01 56 ff 50 28 56 e8 c8 6f ff ff 8b 10 59 6a 01 8b c8 ff 92 74 01 00 00 68 05 05 00 00 57 57 ff 76 Data Ascii: U TW3EVW3;u3WWWWWWP0Elt9S`PWEP\EPv }}}}xRE+EM+M[;Eu;MtWjuuWWW4~VP(VoYjthWWv
2022-11-04 12:16:09 UTC	160	IN	Data Raw: 45 f8 3b 7d fc 74 3b bb fc dd 56 00 3b 7d f8 7c 02 33 ff 57 8b ce e8 1b c8 ff ff 50 53 89 45 f4 e8 a8 62 ff ff 59 59 85 c0 74 0c 8b 45 f4 f7 40 24 00 00 04 00 74 06 47 3b 7d fc 75 cf 3b 7d fc 75 05 33 c0 40 eb 6c 6a 00 e8 1b c1 ff ff 83 25 b8 48 57 00 00 89 45 f4 8b 06 57 8b ce ff 90 b0 03 00 00 8b 86 84 0b 00 00 85 c0 78 3a 50 8b ce e8 c1 c7 ff ff 50 53 e8 51 62 ff ff 8b f0 59 59 85 f6 74 23 8b 06 8b ce ff 50 70 85 c0 74 18 8b 86 8c 00 00 00 6a 00 6a 24 68 00 01 00 00 ff 70 20 ff 15 dc 76 52 00 8b 45 f4 a3 b8 48 57 00 eb 91 33 c0 5f 5e 5b c9 c3 8b ff 55 8b ec 56 6a 00 8b f1 e8 d2 d2 ff ff 85 c0 74 13 8b 10 8b c8 ff 92 e8 00 00 00 85 c0 74 05 33 c0 40 eb 2e 57 8b 7d 08 85 ff 75 09 83 8e 84 0b 00 00 ff eb 3a 8b 86 cc 0b 00 00 33 d2 eb 0e 8b c8 85 c0 74 12 Data Ascii: E;}t;V;}\|3WPSEbYYtE@$tG;}u;}u3@lj%HWEWx:PPSQbYYt#Pptjj$hp vREHW3_^[UVjtt3@.W}u:3t
2022-11-04 12:16:09 UTC	161	IN	Data Raw: 3d 04 3f 57 00 00 75 28 ff 75 08 68 fc cf 56 00 e8 0c 5d ff ff 59 59 85 c0 74 0b 8b c8 e8 74 60 00 00 3b c6 74 0a 8b 06 8b ce ff 90 60 03 00 00 5e 5d c2 04 00 b9 e0 3f 57 00 e8 30 03 04 00 b9 10 41 57 00 e8 26 03 04 00 b9 20 42 57 00 e8 1c 03 04 00 b9 30 43 57 00 e8 12 03 04 00 b9 40 44 57 00 e8 08 03 04 00 b9 50 45 57 00 e8 fe 02 04 00 b9 60 46 57 00 e8 f4 02 04 00 b9 70 47 57 00 e8 ea 02 04 00 b9 84 ce 56 00 e8 04 7a 05 00 b9 ec 40 57 00 e8 7b c6 04 00 e9 31 de 03 00 8b ff 55 8b ec 56 57 ff 75 08 8b f9 e8 0d d7 ff ff 8b 75 0c ff 75 08 88 46 09 c1 e8 10 8b cf 88 46 08 e8 39 d6 ff ff 89 46 04 33 c0 89 06 89 46 0c 89 46 10 5f 40 5e 5d c2 08 00 8b ff 55 8b ec 83 ec 14 a1 54 04 57 00 33 c5 89 45 fc 53 56 8b f1 57 ff 76 20 33 db 89 9e 24 0b 00 00 ff 15 08 78 Data Ascii: =?Wu(uhV]YYtt`;t`^]?W0AW& BW0CW@DWPEW`FWpGWVz@W{1UVWuuuFF9F3FF_@^]UTW3ESVWv 3$x
2022-11-04 12:16:09 UTC	163	IN	Data Raw: 17 89 3d 34 3f 57 00 83 8e 80 0b 00 00 ff eb 08 6a 01 56 e8 39 37 06 00 5f 5e 5d c2 08 00 8b ff 57 8b f9 e8 b0 64 fe ff 83 3d 04 3f 57 00 00 75 36 56 ff 77 20 8b 35 08 78 52 00 ff d6 50 e8 3b 65 fe ff 50 68 c0 45 53 00 e8 27 57 ff ff 59 59 85 c0 74 12 ff 77 20 ff d6 50 e8 1f 65 fe ff 8b c8 e8 3c a3 fe ff 5e 5f c2 0c 00 8b ff 55 8b ec 83 ec 1c a1 54 04 57 00 33 c5 89 45 fc 56 8b f1 85 f6 74 5c 83 7e 20 00 74 56 83 be a0 0c 00 00 00 74 4d 8b 8e a0 0c 00 00 8b 01 8d 55 ec 52 ff 90 88 00 00 00 8b 8e a0 0c 00 00 8d 45 e4 50 e8 8f b5 ff ff ff 70 04 8b 08 51 8d 45 ec 50 ff 15 18 76 52 00 83 45 f4 0a 83 45 f8 0a 68 05 05 00 00 6a 00 8d 45 ec 50 ff 76 20 ff 15 70 78 52 00 8b 4d fc 33 cd 5e e8 9b 74 0d 00 c9 c3 8b ff 55 8b ec 8b 45 0c 56 85 c0 75 05 8b 71 04 eb 17 Data Ascii: =4?WjV97_^]Wd=?Wu6Vw 5xRP;ePhES'WYYtw Pe<^_UTW3EVt\~ tVtMUREPpQEPvREEhjEPv pxRM3^tUEVuq
2022-11-04 12:16:09 UTC	164	IN	Data Raw: 01 ff 50 50 85 c0 0f 84 67 02 00 00 8b 8b 98 0c 00 00 8b 01 ff 50 74 85 c0 0f 84 54 02 00 00 8d 4d 9c e8 33 56 06 00 8b 8b 98 0c 00 00 8b 01 8d 55 9c 52 89 75 fc ff 50 0c ff 77 20 8b 03 8b cb ff 90 14 04 00 00 8b 45 0c 89 35 d0 3f 57 00 8b 7b 20 89 83 80 0c 00 00 8b 45 10 89 83 84 0c 00 00 39 35 08 3f 57 00 74 0a c7 05 04 3f 57 00 01 00 00 00 68 88 3f 57 00 8d 45 e0 50 6a 03 8d 4d 9c e8 33 59 06 00 57 89 45 d8 ff 15 20 77 52 00 85 c0 75 2b 39 35 08 3f 57 00 74 12 89 35 04 3f 57 00 89 35 08 3f 57 00 89 35 34 3f 57 00 83 4d fc ff 8d 4d 9c e8 cd 55 06 00 e9 af 02 00 00 8d 45 d0 50 89 75 d0 89 75 d4 ff 15 54 76 52 00 8d 45 d0 50 ff 73 20 ff 15 44 78 52 00 39 35 d0 3f 57 00 0f 84 50 01 00 00 ff 75 d4 8d 45 e0 ff 75 d0 50 ff 15 10 78 52 00 85 c0 0f 85 38 01 00 Data Ascii: PPgPtTM3VURuPw E5?W{ E95?Wt?Wh?WEPjM3YWE wRu+95?Wt5?W5?W54?WMMUEPuuTvREPs DxR95?WPuEuPxR8
2022-11-04 12:16:09 UTC	166	IN	Data Raw: 7c 55 06 00 59 39 7d dc 74 6b 83 c9 ff 3b f9 74 2a 83 bb 38 0b 00 00 00 75 0e 8b 83 78 0b 00 00 3b f8 74 04 3b c1 75 13 85 f6 74 49 ff 76 20 8b 03 8b cb ff 90 14 04 00 00 eb 3a 39 8b 78 0b 00 00 74 0d 83 bb 38 0b 00 00 00 74 29 3b f9 75 25 83 3d 28 3f 57 00 00 75 1c 8b cb e8 d9 75 fe ff 6a 00 68 01 e0 00 00 68 62 03 00 00 ff 70 20 ff 15 dc 76 52 00 8b 45 dc 3b 83 7c 0b 00 00 0f 84 59 01 00 00 8b 83 78 0b 00 00 83 65 d8 00 83 f8 ff 74 45 50 8b cb e8 eb b0 ff ff 85 c0 75 05 e8 34 b7 fe ff 8b 50 24 8b 8b 78 0b 00 00 8b c2 25 ff ff fd ff 39 8b 7c 0b 00 00 75 05 0d 00 00 02 00 3b c2 74 13 8b 13 50 51 8b cb ff 92 74 03 00 00 c7 45 d8 01 00 00 00 83 bb 38 0b 00 00 00 75 10 8b 83 78 0b 00 00 83 f8 ff 74 05 39 45 dc 75 17 83 7d dc ff 74 11 ff 75 dc 8b cb e8 f0 cd Data Ascii: \|UY9}tk;t*8ux;t;utIv :9xt8t);u%=(?Wuujhhbp vRE;\|YxetEPu4P$x%9\|u;tPQtE8uxt9Eu}tu
2022-11-04 12:16:09 UTC	167	IN	Data Raw: 78 52 00 50 e8 71 54 fe ff 85 ff 75 14 85 c0 74 22 68 d0 76 53 00 8b c8 e8 36 46 ff ff 85 c0 74 12 68 85 05 00 00 6a 00 6a 00 ff 76 20 ff 15 70 78 52 00 8b ce e8 2d ef ff ff 5f 5e 5d c2 04 00 8b ff 55 8b ec 83 7d 0c 00 53 57 8b 7d 08 8b d9 75 0e ff 75 10 8b 07 8b cf ff 50 40 85 c0 74 2b 0f b7 47 20 56 0f b7 75 10 c1 e6 10 8b cb 0b f0 e8 18 70 fe ff ff 75 18 56 68 11 01 00 00 ff 70 20 ff 15 e4 76 52 00 33 c0 40 5e 5f 5b 5d c2 14 00 8b ff 55 8b ec 83 ec 1c a1 54 04 57 00 33 c5 89 45 fc 53 56 8b f1 8b 86 a0 0c 00 00 33 db 57 8b 7d 08 3b c3 74 06 89 98 fc 00 00 00 8b 06 ff 90 18 04 00 00 89 86 74 0b 00 00 8d 45 ec 50 89 1f 89 5f 04 89 5d ec 89 5d f0 89 5d f4 89 5d f8 ff 15 30 76 52 00 8b 06 8b ce ff 90 60 01 00 00 85 c0 74 08 8b 45 f8 2b 45 f0 eb 06 8b 45 f4 Data Ascii: xRPqTut"hvS6Fthjjv pxR-_^]U}SW}uuP@t+G VupuVhp vR3@^_[]UTW3ESV3W};ttEP_]]]]0vR`tE+EE
2022-11-04 12:16:09 UTC	168	IN	Data Raw: 5d c2 04 00 8b ff 55 8b ec 81 ec 84 00 00 00 a1 54 04 57 00 33 c5 89 45 fc 56 8b f1 85 f6 0f 84 b5 01 00 00 83 7e 20 00 0f 84 ab 01 00 00 8b 06 53 57 ff 90 90 01 00 00 8b 8e cc 0b 00 00 25 00 a0 00 00 f7 d8 1b c0 f7 d8 eb 2b 33 ff 8b d1 3b cf 0f 84 58 01 00 00 8b 52 08 8b 09 3b d7 74 1a f6 42 24 01 75 0d 39 be 14 0b 00 00 74 05 3b c7 74 01 47 89 7a 18 85 c9 75 d1 ff 76 20 ff 15 08 78 52 00 50 e8 45 4e fe ff 50 68 d0 76 53 00 e8 31 40 ff ff 59 59 8b c8 89 4d 84 85 c9 0f 84 11 01 00 00 e8 f0 1f 06 00 8b 3d dc 76 52 00 6a 00 6a 00 8b d8 68 0c 04 00 00 ff 73 20 ff d7 8b 4d 84 8b 89 ac 02 00 00 83 65 84 00 89 45 80 89 4d 88 c7 45 8c 30 02 00 00 85 c0 74 24 8d 45 88 50 ff 75 84 68 1c 04 00 00 ff 73 20 ff d7 8b 46 20 39 45 a8 74 0b ff 45 84 8b 45 84 3b 45 80 72 Data Ascii: ]UTW3EV~ SW%+3;XR;tB$u9t;tGzuv xRPENPhvS1@YYM=vRjjhs MeEME0t$EPuhs F 9EtEE;Er
2022-11-04 12:16:09 UTC	169	IN	Data Raw: 8b 8e 7c 0b 00 00 85 c9 78 43 3b 8e d4 0b 00 00 7d 3b 83 8e 84 0b 00 00 ff 83 8e 7c 0b 00 00 ff 51 8b ce e8 31 c1 ff ff ff 76 20 ff 15 e0 76 52 00 8b ce e8 69 68 fe ff 6a 00 68 01 e0 00 00 68 62 03 00 00 ff 70 20 ff 15 dc 76 52 00 8b 06 8b ce 5e ff a0 64 03 00 00 8b ff 55 8b ec 83 3d 04 3f 57 00 00 56 75 53 8b 75 08 85 f6 74 4c 83 fe ff 74 47 56 e8 cc 99 ff ff 59 85 c0 75 3c 39 05 c8 ce 56 00 74 34 81 fe 7c 42 00 00 74 2c 81 fe 7d 42 00 00 74 24 81 fe 80 42 00 00 74 1c 56 e8 1f e8 ff ff 85 c0 75 12 56 b9 ec 40 57 00 e8 4f a8 04 00 85 c0 75 03 40 eb 02 33 c0 5e 5d c2 04 00 8b ff 55 8b ec 51 51 8b 45 08 53 56 8b f1 0f b7 c8 c1 e8 10 89 45 fc 8d 45 f8 50 ff 76 20 89 4d f8 ff 15 44 78 52 00 ff 75 fc 8b 06 ff 75 f8 8b ce ff 90 90 03 00 00 8b d8 85 db 79 04 33 Data Ascii: \|xC;};\|Q1v vRihjhhbp vR^dU=?WVuSutLtGVYu<9Vt4\|Bt,}Bt$BtVuV@WOu@3^]UQQESVEEPv MDxRuuy3
2022-11-04 12:16:09 UTC	170	IN	Data Raw: e8 f4 94 fe ff 83 f8 01 75 26 8b 06 8b ce ff 90 08 02 00 00 8b 06 6a 01 8b ce ff 90 d4 02 00 00 68 05 05 00 00 53 53 ff 76 20 ff 15 70 78 52 00 83 4d fc ff 8d 8d 20 fb ff ff e8 3c 69 04 00 e8 75 69 0d 00 c3 68 dc 04 00 00 b8 81 9a 51 00 e8 e2 68 0d 00 8b d9 ff b3 80 0b 00 00 e8 e1 9d ff ff 8b f0 85 f6 0f 84 bf 00 00 00 8b 46 08 33 ff 47 83 7e 04 00 89 85 18 fb ff ff 8b 46 0c 89 85 1c fb ff ff 89 7e 08 89 7e 0c 74 05 8b 46 38 eb 03 8b 46 34 85 c0 79 5c 8b 03 56 8b cb ff 90 08 04 00 00 50 6a 00 53 ff 35 1c 3f 57 00 8d 8d 20 fb ff ff 56 e8 c6 6f 04 00 83 65 fc 00 8d 8d 20 fb ff ff e8 31 94 fe ff 83 4d fc ff 8d 8d 20 fb ff ff 3b c7 74 19 8b 85 18 fb ff ff 89 46 08 8b 85 1c fb ff ff 89 46 0c e8 8e 68 04 00 eb 3b e8 87 68 04 00 8b 46 2c 83 78 f4 00 75 0b 8b 03 Data Ascii: u&jhSSv pxRM <iuihQhF3G~F~~tF8F4y\VPjS5?W Voe 1M ;tFFh;hF,xu
2022-11-04 12:16:09 UTC	172	IN	Data Raw: c1 85 c9 74 ef ff 70 08 8b 09 68 6c dd 56 00 89 8d 04 ff ff ff e8 13 33 ff ff 33 db 59 59 89 85 08 ff ff ff 3b c3 0f 84 1f 01 00 00 8b 85 00 ff ff ff 8b 78 04 eb 32 8b c7 3b fb 74 b7 ff 70 08 8b 3f 68 6c dd 56 00 e8 e1 32 ff ff 59 59 3b c3 74 17 8b 8d 08 ff ff ff 8b 11 50 ff 92 94 00 00 00 85 c0 0f 85 e2 00 00 00 3b fb 75 ca 8b 85 08 ff ff ff 8b 8d fc fe ff ff c7 86 1c 0b 00 00 01 00 00 00 8b 78 20 8b 86 d4 0b 00 00 89 85 0c ff ff ff 3b c1 7c 06 89 8d 0c ff ff ff 3b fb 75 15 ff b5 0c ff ff ff 8b 06 8b ce ff 90 48 03 00 00 e9 96 00 00 00 83 8d 08 ff ff ff ff 8d 85 08 ff ff ff 50 57 b9 84 ce 56 00 e8 c8 c5 02 00 ff b6 04 0b 00 00 8d 4d 80 53 53 ff b5 08 ff ff ff 57 e8 05 2f 04 00 ff b5 0c ff ff ff 8b 16 50 8b ce 89 5d fc ff 92 44 03 00 00 83 4d fc ff 8d 4d Data Ascii: tphlV33YY;x2;tp?hlV2YY;tP;ux ;\|;uHPWVMSSW/P]DMM
2022-11-04 12:16:09 UTC	173	IN	Data Raw: e4 3b fe 74 06 8b 4d e0 41 eb 03 8d 48 01 89 4d bc 8b f1 89 45 90 8b 03 8b cb ff 90 54 03 00 00 89 45 c0 8b 03 8b cb ff 90 58 03 00 00 89 45 84 8b 45 c0 89 45 88 33 c0 89 45 98 89 45 9c 39 83 a0 0c 00 00 0f 84 a7 00 00 00 8b 03 8b cb ff 90 6c 01 00 00 85 c0 0f 85 95 00 00 00 39 05 04 3f 57 00 0f 85 89 00 00 00 8b 8b a0 0c 00 00 81 c1 10 01 00 00 e8 1c 90 02 00 8b 83 a0 0c 00 00 8b 88 fc 00 00 00 83 a0 fc 00 00 00 00 89 4d c0 85 ff 74 08 8b 4d ec 2b 4d e4 eb 03 8b 4d 88 85 ff 74 05 8b 45 84 eb 06 8b 45 e8 2b 45 e0 57 8d 95 7c ff ff ff 52 8d 95 60 ff ff ff 89 4d 80 8b 8b a0 0c 00 00 52 8d 95 74 ff ff ff 89 85 7c ff ff ff 8b 01 52 ff 50 1c 8b 08 8b 40 04 89 4d 98 8b 4d c0 89 45 9c 8b 83 a0 0c 00 00 89 88 fc 00 00 00 8b 83 cc 0b 00 00 83 65 8c 00 83 65 cc 00 Data Ascii: ;tMAHMETEXEEE3EE9l9?WMtM+MMtEE+EW\|R`MRt\|RP@MMEee
2022-11-04 12:16:09 UTC	175	IN	Data Raw: 30 75 d0 5f 5e 5b c9 c2 04 00 68 00 01 00 00 b8 23 9d 51 00 e8 bd 58 0d 00 8b 7d 08 33 db 8b f1 89 bd fc fe ff ff 89 9d 04 ff ff ff 3b fb 74 17 8b 45 0c 53 c1 e0 02 50 57 e8 0a 6d ff ff 85 c0 75 05 e8 ed 93 fe ff 8b 8e a0 0c 00 00 89 9d 00 ff ff ff 3b cb 74 2b 8b 01 ff 10 8b c8 e8 84 27 ff ff 50 68 28 e4 56 00 e8 0c 28 ff ff 8b 10 59 59 ff b6 a0 0c 00 00 8b c8 89 85 00 ff ff ff ff 52 14 8b 06 8b ce ff 90 50 03 00 00 eb 18 8d 8e e4 0b 00 00 e8 bf 75 ff ff 3b c3 74 09 8b 10 6a 01 8b c8 ff 52 04 39 9e f0 0b 00 00 75 e0 3b fb 74 2e 8b 86 90 0b 00 00 89 85 08 ff ff ff 8b 45 0c 3b c3 0f 8e 6d 01 00 00 89 85 f8 fe ff ff eb 1f 8b 06 ff 4d 0c 6a ff 8b ce ff 90 48 03 00 00 39 5d 0c 7f ec e9 36 02 00 00 8b bd fc fe ff ff 8b 3f 83 85 fc fe ff ff 04 6a 70 e8 d0 00 fe Data Ascii: 0u_^[h#QX}3;tESPWmu;t+'Ph(V(YYRPu;tjR9u;t.E;mMjH9]6?jp
2022-11-04 12:16:09 UTC	176	IN	Data Raw: 83 c4 14 68 00 04 00 00 8d 4d a4 c6 45 fc 02 e8 0d 4a 06 00 53 68 00 10 00 00 53 8d 45 a4 50 8d 8d 5c ff ff ff c6 45 fc 03 e8 cd 11 ff ff 8b 06 8d 8d 5c ff ff ff 51 8b ce c6 45 fc 04 ff 50 08 8d 8d 5c ff ff ff e8 e5 0a ff ff 8d 8d 5c ff ff ff c6 45 fc 03 e8 5f 11 ff ff 8d 4d a4 e8 d9 4a 06 00 8d 4d a4 8b f8 89 55 d8 e8 43 4a 06 00 89 45 dc 3b c3 0f 84 da 00 00 00 89 5d d4 89 5d d8 53 53 8d 4d d4 c6 45 fc 05 e8 d8 54 06 00 ff 75 e8 8b f0 8b 06 8b ce ff 50 0c 3b c3 0f 84 97 00 00 00 8b 45 ec ff 70 20 ff 15 20 77 52 00 85 c0 74 3c e8 52 8f fe ff 50 8d 4d e4 e8 f8 48 fd ff 8b 4d ec 8d 45 e4 50 c6 45 fc 06 e8 80 4c fe ff ff 75 e4 8b 06 68 e4 c0 52 00 8b ce ff 50 30 8b 4d e4 83 c1 f0 c6 45 fc 05 e8 4a 49 fd ff 8b 06 57 ff 75 dc 8b ce 68 d4 c0 52 00 ff 50 28 8b Data Ascii: hMEJShSEP\E\QEP\\E_MJMUCJE;]]SSMETuP;Ep wRt<RPMHMEPELuhRP0MEJIWuhRP(
2022-11-04 12:16:09 UTC	177	IN	Data Raw: 8d 45 fc 50 ff 15 40 76 52 00 0f b7 45 fc 8b 4d f4 89 45 f8 8d 45 f8 50 e8 50 d4 01 00 89 30 85 db 75 8e 5f 5e 5b c9 c3 e8 af 88 fe ff 68 57 00 07 80 e8 f5 45 fd ff cc 6a 0c b8 b4 9d 51 00 e8 d1 4c 0d 00 ff 75 08 8d 45 f0 ff 35 3c 3f 57 00 50 e8 41 52 06 00 83 c4 0c 33 ff 89 7d fc e8 fa 89 fe ff 50 8d 4d 08 e8 a0 43 fd ff ff 75 f0 8d 45 08 68 4c c1 52 00 50 c6 45 fc 01 e8 7b 46 fd ff 83 c4 0c 89 7d e8 89 7d ec 6a 01 57 8d 4d e8 c6 45 fc 02 e8 21 4f 06 00 8b 5d 08 8b f0 8b 06 53 8b ce ff 50 10 85 c0 75 2f 8b 4d e8 c6 45 fc 01 3b cf 74 07 8b 01 6a 01 ff 50 04 8d 4b f0 e8 c8 43 fd ff 8b 4d f0 83 c1 f0 e8 bd 43 fd ff 8b c7 e8 17 4d 0d 00 c2 04 00 8b 06 68 0c 3f 57 00 68 34 c1 52 00 8b ce ff 50 54 8b 4d e8 8b f0 c6 45 fc 01 3b cf 74 07 8b 01 6a 01 ff 50 04 8b Data Ascii: EP@vREMEEPP0u_^[hWEjQLuE5<?WPAR3}PMCuEhLRPE{F}}jWME!O]SPu/ME;tjPKCMCMh?Wh4RPTME;tjP
2022-11-04 12:16:09 UTC	179	IN	Data Raw: 8b 01 ff 90 60 01 00 00 85 c0 8b 45 08 74 0f c7 00 28 00 00 00 c7 40 04 10 00 00 00 eb 0d c7 40 04 28 00 00 00 c7 00 10 00 00 00 5d c2 04 00 8b 81 1c 0b 00 00 c3 8b 81 24 0b 00 00 c3 33 c0 39 81 10 0b 00 00 0f 94 c0 c3 8b 81 38 0b 00 00 c2 04 00 8b ff 55 8b ec 6a 00 ff 75 08 6a 7f ff 71 20 ff 15 dc 76 52 00 5d c2 04 00 8b ff 55 8b ec 83 ec 10 56 8b f1 83 be 18 0b 00 00 00 74 0b 8b 86 74 0b 00 00 e9 85 00 00 00 83 be 38 0b 00 00 00 53 57 74 16 8b 0d 80 ce 56 00 85 c9 7e 04 8b f9 eb 1a 8b 3d 58 ce 56 00 eb 12 8d 45 f8 50 e8 8e 74 ff ff 8b 78 04 8b 0d 80 ce 56 00 8b 96 90 00 00 00 81 e2 00 a0 00 00 a1 68 3b 57 00 8b 1d 64 3b 57 00 75 02 8b d8 3b df 5f 5b 7e 0b 85 d2 74 2d a1 64 3b 57 00 eb 26 83 be 38 0b 00 00 00 74 0f 85 c9 7e 04 8b c1 eb 15 a1 58 ce 56 00 Data Ascii: `Et(@@(]$398Ujujq vR]UVtt8SWtV~=XVEPtxVh;Wd;Wu;_[~t-d;W&8t~XV
2022-11-04 12:16:09 UTC	180	IN	Data Raw: 50 89 4d ec 89 4d f0 89 4d f4 89 4d f8 ff 15 30 76 52 00 89 5d e8 83 65 e8 02 ff 75 e8 8d 45 ec 50 8b cf e8 c7 16 04 00 8b 45 f0 2b 45 f8 ff 75 e8 01 46 04 8b 45 ec 2b 45 f4 83 e3 01 01 06 53 8d 45 e4 50 8b cf e8 e6 6e ff ff 8b 06 3b 45 e4 7f 03 8b 45 e4 89 06 8b 46 04 3b 45 e8 7f 03 8b 45 e8 8b cf 89 46 04 e8 c8 f3 ff ff 8b 4d fc 5f 8b c6 5e 33 cd 5b e8 5f 2f 0d 00 c9 c2 0c 00 68 dc 04 00 00 b8 ee 9f 51 00 e8 98 41 0d 00 8b 45 08 50 89 8d 1c fb ff ff e8 38 fd 03 00 8b f0 33 c0 85 f6 0f 95 c0 85 c0 75 05 e8 d5 7c fe ff 6a 00 6a 09 8d 4e 2c e8 bb d3 ff ff 85 c0 78 2f 50 8d 85 18 fb ff ff 50 8d 4e 2c e8 9f bb fe ff 83 65 fc 00 50 8d 4e 2c e8 28 69 fd ff 8b 8d 18 fb ff ff 83 4d fc ff 83 c1 f0 e8 46 38 fd ff 8b 46 1c 33 db 33 c9 43 3b c1 0f 84 85 00 00 00 89 Data Ascii: PMMMM0vR]euEPE+EuFE+ESEPn;EEF;EEFM_^3[_/hQAEP83u\|jjN,x/PPN,ePN,(iMF8F33C;
2022-11-04 12:16:09 UTC	182	IN	Data Raw: ff 83 f8 ff 75 07 0b c0 e9 2d 01 00 00 53 33 db 57 8b 3d 20 76 52 00 39 1d 80 3a 57 00 75 1a e8 fc d7 fe ff e8 f7 d7 fe ff 8b 40 0c 68 04 79 00 00 50 ff d7 a3 80 3a 57 00 39 1d 84 3a 57 00 75 1a e8 da d7 fe ff e8 d5 d7 fe ff 8b 40 0c 68 05 79 00 00 50 ff d7 a3 84 3a 57 00 39 1d 8c 3a 57 00 75 12 e8 b8 d7 fe ff 68 86 7f 00 00 53 ff d7 a3 8c 3a 57 00 56 e8 da 13 ff ff 59 85 c0 74 32 56 e8 cf 13 ff ff 8b 15 4c 56 57 00 59 3b d3 75 09 8b c8 e8 33 2f fe ff eb 02 8b c2 3b c3 74 12 8b c8 e8 96 55 fe ff 25 00 00 40 00 50 e8 d8 90 03 00 39 9e 28 0b 00 00 75 19 e8 92 d1 fe ff 39 98 60 01 00 00 74 0c 56 8d 8e 1c 0c 00 00 e8 06 6a 06 00 ff 35 b8 39 57 00 6a 01 53 ff 15 48 71 52 00 50 8d 8e 78 0c 00 00 e8 d4 88 fe ff 6a 02 56 8d 86 94 0c 00 00 50 e8 b8 37 04 00 e8 ff Data Ascii: u-S3W= vR9:Wu@hyP:W9:Wu@hyP:W9:WuhS:WVYt2VLVWY;u3/;tU%@P9(u9`tVj59WjSHqRPxjVP7
2022-11-04 12:16:09 UTC	183	IN	Data Raw: 3c a1 54 04 57 00 33 c5 89 45 fc f6 05 80 48 57 00 01 53 56 57 8b 7d 0c 8b f1 bb 7c 48 57 00 75 1f 83 0d 80 48 57 00 01 e8 80 73 fe ff 50 8b cb e8 27 2d fd ff 68 37 61 52 00 e8 d7 2d 0d 00 59 8b 86 94 0c 00 00 33 c9 3b c1 0f 84 ab 00 00 00 39 48 20 0f 84 a2 00 00 00 3b c1 75 04 33 c0 eb 03 8b 40 20 39 07 0f 85 8f 00 00 00 8d 45 c4 50 89 4d c4 89 4d c8 ff 15 54 76 52 00 8d 45 c4 50 ff 76 20 ff 15 44 78 52 00 6a 30 8d 45 cc 6a 00 50 e8 e6 36 0d 00 8b 06 83 c4 0c 8d 4d cc 51 ff 75 c8 8b ce ff 75 c4 c7 45 cc 2c 00 00 00 ff 50 74 85 c0 78 46 83 7d f0 00 74 40 83 7d f0 ff 74 3a ff 75 f0 8b cb e8 11 81 fd ff ff 75 f0 e8 2b 28 0d 00 a1 7c 48 57 00 59 89 47 0c 8b 0d b0 3a 57 00 8b 86 94 0c 00 00 6a 00 51 6a 30 ff 70 20 ff 15 dc 76 52 00 33 c0 40 eb 02 33 c0 8b 4d Data Ascii: <TW3EHWSVW}\|HWuHWsP'-h7aR-Y3;9H ;u3@ 9EPMMTvREPv DxRj0EjP6MQuuE,PtxF}t@}t:uu+(\|HWYG:WjQj0p vR3@3M
2022-11-04 12:16:09 UTC	184	IN	Data Raw: 31 0d 00 c2 04 00 8b ff 55 8b ec 56 6a 00 ff 75 08 8b f1 e8 83 64 ff ff 50 8d 45 08 50 8b ce e8 9e fb ff ff 83 7d 0c 00 74 0c ff 75 08 ff 75 0c ff 15 14 73 52 00 8b 45 08 8b 70 f4 8d 48 f0 e8 ec 27 fd ff 8b c6 5e 5d c2 08 00 b8 bc c5 52 00 c3 83 3d 7c 5b 57 00 00 75 1a 83 3d d8 e4 56 00 00 74 11 b9 ec 40 57 00 e8 0d 6a 04 00 85 c0 74 03 33 c0 c3 33 c0 40 c3 8b ff 55 8b ec 8b 55 08 39 91 d4 0c 00 00 74 0e 8b 01 89 91 d4 0c 00 00 ff 90 e0 03 00 00 5d c2 04 00 6a 04 b8 39 a1 51 00 e8 13 30 0d 00 8b f1 89 75 f0 e8 25 69 06 00 83 65 fc 00 8d 8e 28 01 00 00 c7 06 a4 cb 52 00 e8 65 7b 06 00 8b 45 08 83 a6 90 02 00 00 00 89 86 20 01 00 00 8b 45 0c 89 86 24 01 00 00 8b c6 e8 ac 30 0d 00 c2 08 00 6a 04 b8 39 a1 51 00 e8 c5 2f 0d 00 8b f1 89 75 f0 c7 06 a4 cb 52 00 Data Ascii: 1UVjudPEP}tuusREpH'^]R=\|[Wu=Vt@Wjt33@UU9t]j9Q0u%ie(Re{E E$0j9Q/uR
2022-11-04 12:16:09 UTC	186	IN	Data Raw: c9 74 e3 8b 01 ff 50 58 85 f6 75 e8 5e c3 33 c0 39 81 48 01 00 00 0f 95 c0 c3 8b ff 55 8b ec 56 ff 75 14 8b f1 ff 75 10 ff 75 0c ff 75 08 e8 d6 71 05 00 85 c0 75 19 39 86 24 01 00 00 74 0d 8b 8e 24 01 00 00 8b 01 5e 5d ff 60 0c 33 c0 eb 03 33 c0 40 5e 5d c2 10 00 8b ff 55 8b ec 51 53 56 57 8b f9 ff b7 24 01 00 00 68 7c 7d 52 00 e8 a6 fa fe ff ff b7 24 01 00 00 8b d8 68 c8 8c 53 00 e8 94 fa fe ff 83 c4 10 89 45 fc 85 db 75 08 85 c0 75 04 33 c0 eb 39 8b 75 08 85 f6 75 08 39 3d bc 48 57 00 75 ed 85 db 74 10 8b c6 f7 d8 1b c0 23 c7 50 8b cb e8 cd d4 fd ff 8b 4d fc 85 c9 74 0c f7 de 1b f6 23 f7 56 e8 d2 76 06 00 33 c0 40 5f 5e 5b c9 c2 04 00 a1 d8 e4 56 00 56 6a 00 8b f1 a3 64 5c 57 00 e8 e2 32 06 00 c7 86 b0 10 00 00 01 00 00 00 5e c3 8b ff 55 8b ec 8b 45 08 Data Ascii: tPXu^39HUVuuuuqu9$t$^]`33@^]UQSVW$h\|}R$hSEuu39uu9=HWut#PMt#Vv3@_^[VVjd\W2^UE
2022-11-04 12:16:09 UTC	187	IN	Data Raw: 00 8b 80 c0 00 00 00 89 87 04 0d 00 00 8b 07 52 83 cb 30 53 56 8b cf ff 90 20 03 00 00 85 c0 0f 84 af 00 00 00 8b ce e8 ad f9 ff ff 33 db 3b c3 74 0c 8b 80 c8 0e 00 00 89 86 c8 0e 00 00 8b 86 c8 0e 00 00 89 87 e0 0c 00 00 a1 c8 48 57 00 89 87 e4 0c 00 00 ff 76 20 ff 15 08 78 52 00 50 e8 5a 04 fe ff 3b c3 74 05 8b 40 20 eb 02 33 c0 89 47 54 39 9e c0 0f 00 00 7e 49 39 9e bc 10 00 00 74 41 68 94 02 00 00 e8 80 cf fd ff 59 89 45 08 89 5d fc 3b c3 74 10 ff b6 c0 0f 00 00 8b c8 56 e8 e5 f5 ff ff eb 02 33 c0 83 4d fc ff 89 86 d4 0f 00 00 89 9e c0 0f 00 00 8b 10 8b c8 ff 92 c0 01 00 00 8b 06 8b ce ff 90 ec 01 00 00 f7 d8 1b c0 f7 d8 48 e8 a8 26 0d 00 c2 04 00 8b ff 55 8b ec 81 ec ac 00 00 00 a1 54 04 57 00 33 c5 89 45 fc 53 56 8b d9 8b 03 57 ff 90 c0 01 00 00 ff Data Ascii: R0SV 3;tHWv xRPZ;t@ 3GT9~I9tAhYE];tV3MH&UTW3ESVW
2022-11-04 12:16:09 UTC	188	IN	Data Raw: 00 eb 10 2b 45 f4 8b 4d dc 89 83 28 01 00 00 3b c1 7d 7b 89 8b 28 01 00 00 89 bb a4 0e 00 00 eb 6d 8b 83 48 01 00 00 8b 8b 30 01 00 00 83 c0 54 39 bd 70 ff ff ff 74 07 2b 48 08 03 08 eb 05 03 48 08 2b 08 89 8b 28 01 00 00 8b 8b 34 01 00 00 2b 48 0c 8b 40 04 8d 44 01 01 89 83 2c 01 00 00 c7 83 a4 0e 00 00 03 00 00 00 eb 22 8b 83 48 01 00 00 8b 93 34 01 00 00 2b 50 60 03 50 58 89 8b a4 0e 00 00 2b 55 f8 42 89 93 2c 01 00 00 8d 45 ac 50 89 7d ac 89 7d b0 89 7d b4 89 7d b8 ff 15 30 76 52 00 89 bd 60 ff ff ff e8 3e 4d ff ff 8b 10 8b c8 ff 92 e4 02 00 00 85 c0 0f 84 c4 00 00 00 8b cb e8 65 f3 ff ff 8b f0 85 f6 0f 84 b3 00 00 00 8b 83 48 01 00 00 89 85 58 ff ff ff 85 c0 0f 84 9f 00 00 00 83 b8 b4 00 00 00 00 0f 84 92 00 00 00 33 ff 39 bd 70 ff ff ff 75 10 68 05 Data Ascii: +EM(;}{(mH0T9pt+HH+(4+H@D,"H4+P`PX+UB,EP}}}}0vR`>MeHX39puh
2022-11-04 12:16:09 UTC	189	IN	Data Raw: 8b 4d dc 39 bd 70 ff ff ff 74 06 8d 44 0e 01 eb 13 39 bb b8 0e 00 00 74 05 8d 41 01 eb 06 8b 45 e4 2b c6 48 89 83 28 01 00 00 89 bb a4 0e 00 00 33 f6 39 b5 70 ff ff ff 75 10 39 8b 28 01 00 00 7d 1f 89 8b 28 01 00 00 eb 11 8b 45 e4 39 83 28 01 00 00 7e 0c 89 83 28 01 00 00 89 b3 a4 0e 00 00 39 b3 ec 0e 00 00 75 1c 56 e8 52 4c ff ff 83 f8 01 74 0b 83 f8 03 75 0c 89 b3 e4 0e 00 00 89 b3 e0 0e 00 00 8b 83 2c 01 00 00 8b 75 f8 8d 0c 30 3b 4d e8 0f 8e 31 02 00 00 8b 83 ac 10 00 00 2b 83 a4 10 00 00 83 bb 8c 10 00 00 00 89 85 58 ff ff ff 74 3e 8b 85 68 ff ff ff 8b 4d f4 8d 14 00 2b ca 03 c8 89 4d d4 8b 8d 58 ff ff ff 89 45 cc 89 45 d0 03 c8 89 4d d8 8d 75 cc 8d bb a0 10 00 00 a5 a5 a5 a5 8b 75 f8 c7 83 88 10 00 00 01 00 00 00 8b 03 33 ff 8d 4d 9c 51 8b cb 89 bb Data Ascii: M9ptD9tAE+H(39pu9(}(E9(~(9uVRLtu,u0;M1+Xt>hM+MXEEMuu3MQ
2022-11-04 12:16:09 UTC	191	IN	Data Raw: 83 c0 54 50 8d 45 ec 50 8d 45 cc 50 ff d7 85 c0 74 1e 8b 83 48 01 00 00 6a 01 83 c0 54 50 ff 76 20 ff 15 f0 77 52 00 ff 76 20 ff 15 e0 76 52 00 8b 85 60 ff ff ff 89 83 bc 0e 00 00 33 ff 39 bb f0 0e 00 00 74 28 39 bb f4 0e 00 00 74 20 39 bb 80 10 00 00 75 18 39 bb 84 10 00 00 75 10 68 05 01 00 00 57 57 ff 73 20 ff 15 70 78 52 00 8b 4d fc 5f 5e 33 cd 5b e8 0f 06 0d 00 c9 c2 04 00 83 3d 04 3f 57 00 00 56 8b f1 74 5e 8b 86 48 01 00 00 85 c0 74 54 83 b8 b0 00 00 00 00 75 4b 8b 06 57 ff 90 c0 01 00 00 8b 10 8b c8 ff 92 38 04 00 00 8b f8 85 ff 75 05 e8 78 53 fe ff 8b 8e 48 01 00 00 8b 01 57 ff 90 cc 00 00 00 57 ff 15 10 76 52 00 8b ce e8 c4 ea ff ff 5f 85 c0 74 0b 8b 10 8b c8 5e ff a2 d8 01 00 00 5e c3 8b ff 55 8b ec 51 56 57 8b f1 33 ff 3b f7 74 7d 39 7e 20 74 Data Ascii: TPEPEPtHjTPv wRv vR`39t(9t 9u9uhWWs pxRM_^3[=?WVt^HtTuKW8uxSHWWvR_t^^UQVW3;t}9~ t
2022-11-04 12:16:09 UTC	192	IN	Data Raw: 45 e0 eb 03 29 45 e8 29 45 ec 8d 45 c0 50 89 75 c0 89 75 c4 89 75 c8 89 75 cc ff 15 30 76 52 00 39 b3 48 01 00 00 74 42 8b cb e8 c2 e5 ff ff 85 c0 75 37 8b 8b 48 01 00 00 8b 41 6c 3b c6 74 2a 39 70 20 74 25 8d 71 54 8b 4b 20 8d 7d c0 a5 a5 a5 6a 02 8d 55 c0 a5 ff 4d c8 ff 4d cc 52 51 ff 70 20 ff 15 a0 77 52 00 33 f6 e8 42 3f ff ff 8b 10 8b c8 ff 92 e4 02 00 00 85 c0 74 65 8b cb e8 6d e5 ff ff 3b c6 74 5a 8b 8b 48 01 00 00 3b ce 74 50 39 b1 b4 00 00 00 74 48 39 b0 b0 10 00 00 74 40 39 b3 b0 10 00 00 75 38 83 bb a4 0e 00 00 04 75 2f 8b 41 6c 3b c6 74 28 39 70 20 74 23 8d 71 54 8b 4b 20 8d 7d c0 a5 a5 a5 6a 02 8d 55 c0 52 a5 83 45 cc 02 51 ff 70 20 ff 15 a0 77 52 00 33 f6 39 35 0c 3b 57 00 0f 84 a9 00 00 00 56 8d 4d 8c e8 41 5d fe ff 8d 45 d0 50 ff 73 20 89 Data Ascii: E)E)EEPuuuu0vR9HtBu7HAl;t*9p t%qTK }jUMMRQp wR3B?tem;tZH;tP9tH9t@9u8u/Al;t(9p t#qTK }jUREQp wR395;WVMA]EPs
2022-11-04 12:16:09 UTC	193	IN	Data Raw: cd 02 00 00 39 be b4 0f 00 00 0f 84 c1 02 00 00 8d 8e 9c 0f 00 00 50 e8 aa 5a fe ff 57 57 8d 86 b8 0f 00 00 50 57 8d 45 a8 50 ff 75 98 ff d3 3b c7 0f 84 9a 02 00 00 39 be b8 0f 00 00 0f 84 8e 02 00 00 50 8d 8e a4 0f 00 00 e8 77 5a fe ff 57 57 8d 86 bc 0f 00 00 50 57 8d 45 a8 50 ff 75 98 ff d3 3b c7 0f 84 67 02 00 00 39 be bc 0f 00 00 0f 84 5b 02 00 00 8d 8e ac 0f 00 00 50 e8 44 5a fe ff 8d 86 9c 0f 00 00 3b c7 75 04 33 c0 eb 03 8b 40 04 50 ff 75 98 e8 e1 5a fe ff 89 45 a4 8b 45 88 3b c7 75 04 33 c0 eb 03 8b 40 04 68 20 00 cc 00 ff 75 e4 ff 75 e0 50 ff 75 8c ff 75 84 57 57 ff 75 98 ff 15 8c 71 52 00 8b 45 90 c1 e0 02 50 ff b6 b4 0f 00 00 ff b6 b8 0f 00 00 e8 4a 51 0d 00 8d 86 a4 0f 00 00 83 c4 0c 3b c7 75 04 33 c0 eb 03 8b 40 04 50 ff 75 98 e8 7e 5a fe ff Data Ascii: 9PZWWPWEPu;9PwZWWPWEPu;g9[PDZ;u3@PuZEE;u3@h uuPuuWWuqREPJQ;u3@Pu~Z
2022-11-04 12:16:09 UTC	195	IN	Data Raw: 78 52 00 85 c0 75 1a 6a 01 8d 45 dc 50 ff 73 20 ff d6 6a 01 57 ff 73 20 ff d6 c7 45 c8 01 00 00 00 83 7d c8 00 5f 74 09 ff 73 20 ff 15 e0 76 52 00 8b 4d fc 8b 45 c8 5e 33 cd 5b e8 46 f5 0c 00 c9 c2 04 00 8b ff 55 8b ec 83 ec 38 a1 54 04 57 00 33 c5 89 45 fc 33 c0 53 8b 5d 08 56 89 45 ec 89 45 f0 89 45 f4 89 45 f8 8d 45 ec 8b f1 50 ff 76 20 89 75 c8 ff 15 dc 77 52 00 8d 45 ec 50 8b ce e8 36 50 fe ff ff 73 04 8d 45 ec ff 33 50 ff 15 10 78 52 00 85 c0 75 08 6a 04 58 e9 d0 00 00 00 57 8d 75 ec 8d 7d dc a5 a5 a5 a5 8b 75 c8 8b 86 d4 0e 00 00 83 e8 00 74 33 48 74 22 48 74 11 48 75 36 8b 45 f8 2b 86 cc 0e 00 00 89 45 e0 eb 28 8b 86 cc 0e 00 00 03 45 f0 89 45 e8 eb 1a 8b 45 f4 2b 86 cc 0e 00 00 89 45 dc eb 0c 8b 86 cc 0e 00 00 03 45 ec 89 45 e4 ff 73 04 8d 45 dc Data Ascii: xRujEPs jWs E}_ts vRME^3[FU8TW3E3S]VEEEEEPv uwREP6PsE3PxRujXWu}ut3Ht"HtHu6E+E(EEE+EEEsE
2022-11-04 12:16:09 UTC	196	IN	Data Raw: ff 74 31 8d 45 9c 50 ff 73 20 ff 15 04 78 52 00 8b 4d f8 2b 4d f0 8b 85 60 ff ff ff 2b c8 57 51 8b 4d f4 2b 4d ec 2b c8 51 8b 4d 9c ff 75 a0 03 c8 51 eb 2a b8 1e 04 00 00 50 89 85 68 ff ff ff 8b 45 f8 2b 45 f0 2b 85 60 ff ff ff 50 8b 45 f4 2b 45 ec 2b 85 60 ff ff ff 50 6a ff 6a ff 56 8b cb e8 52 1d fe ff 8d 75 cc 8d 7d 8c a5 a5 a5 8d 45 cc 50 a5 ff 15 cc 75 52 00 85 c0 75 2d 8b b5 64 ff ff ff 8b 46 20 6a 02 8d 4d 8c 51 50 ff 73 20 ff 15 a0 77 52 00 68 85 01 00 00 6a 00 8d 45 8c 50 ff 76 20 ff 15 70 78 52 00 8d 75 ac 8d 7d 8c a5 a5 a5 8d 45 ac a5 8b 3d cc 75 52 00 50 ff d7 85 c0 75 3f 8d 45 ac 50 8d 45 cc 50 ff 15 40 78 52 00 85 c0 75 2d 8b b5 64 ff ff ff 8b 46 20 6a 02 8d 4d 8c 51 50 ff 73 20 ff 15 a0 77 52 00 68 85 01 00 00 6a 00 8d 45 8c 50 ff 76 20 ff Data Ascii: t1EPs xRM+M`+WQM+M+QMuQ*PhE+E+`PE+E+`PjjVRu}EPuRu-dF jMQPs wRhjEPv pxRu}E=uRPu?EPEP@xRu-dF jMQPs wRhjEPv
2022-11-04 12:16:09 UTC	198	IN	Data Raw: 8b cf e8 1e f2 ff ff 5e 5b 8b 4d fc 33 cd 5f e8 1a ea 0c 00 c9 c2 0c 00 a5 1d 43 00 a8 1d 43 00 c1 1d 43 00 c6 1d 43 00 cb 1d 43 00 cb 1d 43 00 ab 1d 43 00 bc 1d 43 00 8b ff 55 8b ec 56 8b f1 39 35 bc 48 57 00 75 46 83 be f0 0e 00 00 00 74 3d 0f bf 45 0c 50 e8 bd 40 0d 00 59 6a 78 99 59 f7 f9 85 c0 7e 28 33 c9 66 39 4d 0c 53 0f 9c c1 57 8d be 28 0f 00 00 8b d8 89 4d 0c 57 6a 00 ff 75 0c 8b ce e8 7b fe ff ff 4b 75 f0 5f 5b 33 c0 40 5e 5d c2 10 00 8b ff 55 8b ec 83 ec 60 a1 54 04 57 00 33 c5 89 45 fc 53 56 8b f1 33 c0 57 3b f0 75 05 89 45 e0 eb 06 8b 4e 20 89 4d e0 8b 3d 94 77 52 00 50 6a 0f 5b 53 53 50 eb 26 53 53 6a 00 8d 45 a0 50 ff 15 44 76 52 00 85 c0 0f 84 a0 00 00 00 8d 45 a0 50 ff 15 3c 77 52 00 6a 00 53 53 6a 00 8d 45 a0 50 ff d7 85 c0 75 d0 ff 15 Data Ascii: ^[M3_CCCCCCCCUV95HWuFt=EP@YjxY~(3f9MSW(MWju{Ku_[3@^]U`TW3ESV3W;uEN M=wRPj[SSP&SSjEPDvREP<wRjSSjEPu
2022-11-04 12:16:09 UTC	199	IN	Data Raw: 0c 00 c9 c2 0c 00 8b ff 55 8b ec 83 ec 1c a1 54 04 57 00 33 c5 89 45 fc 53 56 57 8b f1 33 ff 39 be b0 10 00 00 74 4e ff 35 64 5c 57 00 e8 f3 fe 05 00 8b ce e8 54 f0 fd ff 8b c8 89 4d e8 3b cf 74 33 bb 08 d6 56 00 53 e8 06 c6 fe ff 85 c0 74 24 ff 75 e8 53 e8 17 c6 fe ff 59 59 8b d8 6a 19 8b cb e8 6e 83 01 00 3b c7 74 0a 8b cb 89 78 04 e8 e1 c9 01 00 8b 06 8b ce ff 90 c0 01 00 00 8b d8 8b 83 98 0c 00 00 3b c7 74 27 39 bb 2c 0b 00 00 75 1f 8b 0b 89 4d e8 50 8b cb e8 e4 29 ff ff 50 8b 45 e8 8b cb ff 90 4c 03 00 00 89 bb 98 0c 00 00 8b 86 bc 10 00 00 3b c7 0f 84 af 00 00 00 8b ce 89 78 40 e8 cb c8 ff ff 8b d8 3b df 0f 84 9b 00 00 00 8b 03 8b cb ff 90 00 02 00 00 85 c0 74 1f 53 68 c0 95 53 00 e8 84 c5 fe ff 59 59 3b c7 74 0e 39 b8 00 1f 00 00 75 06 89 be 20 01 Data Ascii: UTW3ESVW39tN5d\WTM;t3VSt$uSYYjn;tx;t'9,uMP)PEL;x@;tShSYY;t9u
2022-11-04 12:16:09 UTC	200	IN	Data Raw: cb 05 00 59 57 8b ce e8 16 0c fe ff 8d 8e c4 0f 00 00 89 be bc 0e 00 00 3b cf 74 0a 39 79 04 74 05 e8 9e 3e fe ff 8d 8e cc 0f 00 00 3b cf 74 0a 39 79 04 74 05 e8 8a 3e fe ff 8b 86 30 01 00 00 89 86 28 01 00 00 8b 86 34 01 00 00 89 86 2c 01 00 00 8b 06 8b ce ff 90 ec 01 00 00 39 be f0 0e 00 00 74 0f 57 8b ce e8 61 e6 ff ff 8b ce e8 1c f1 ff ff 57 8b ce e8 f1 db ff ff 6a 04 8b ce e8 9e 0b fe ff 8b 43 6c 3b c7 74 2b ff 70 20 ff 15 20 77 52 00 85 c0 74 1e 6a 01 8d 43 54 50 8b 43 6c ff 70 20 ff 15 f0 77 52 00 8b 43 6c ff 70 20 ff 15 e0 76 52 00 5f 5e 5b c3 8b ff 55 8b ec 83 b9 88 10 00 00 00 74 1b 83 7d 08 0d 74 0c 83 7d 08 0e 74 06 83 7d 08 0c 75 1b e8 5f f4 ff ff 5d c2 0c 00 83 7d 08 10 74 f1 83 7d 08 11 74 eb 83 7d 08 0f 74 e5 e8 2e cd fd ff eb e3 8b ff 55 Data Ascii: YW;t9yt>;t9yt>0(4,9tWaWjCl;t+p wRtjCTPClp wRClp vR_^[Ut}t}t}u_]}t}t}t.U
2022-11-04 12:16:09 UTC	202	IN	Data Raw: 0f 84 3b ff ff ff 8b 38 8b 58 08 33 c0 85 db 0f 95 c0 89 bd f4 fc ff ff 85 c0 0f 84 21 ff ff ff 81 7b 20 10 e1 00 00 75 11 68 60 cf 52 00 8d 4b 2c e8 4e 90 fd ff 85 c0 74 1b 8b 5b 24 83 e3 01 ff 85 f8 fc ff ff 89 9d f0 fc ff ff 85 ff 75 a2 e9 9e 01 00 00 ff b5 e8 fc ff ff 8d 8e c8 0b 00 00 e8 c3 08 ff ff 8b 03 6a 01 8b cb ff 50 04 8d 85 e8 fd ff ff 50 68 04 01 00 00 ff 15 e8 72 52 00 8d 85 e8 fd ff ff 50 ff 15 7c 74 52 00 8b d8 6a 5c 58 66 89 84 5d e8 fd ff ff 33 c0 43 66 89 84 5d e8 fd ff ff 8b 85 e0 fc ff ff 33 ff 89 bd fc fc ff ff 39 78 04 0f 8e f6 00 00 00 e8 93 27 fe ff 50 8d 8d e8 fc ff ff e8 36 e1 fc ff 8b 8d e0 fc ff ff 8b 01 83 65 fc 00 6a 01 53 8d 95 e8 fd ff ff 52 57 8d 95 e8 fc ff ff 52 ff 50 0c 85 c0 0f 84 91 00 00 00 e8 59 27 fe ff 50 8d 8d Data Ascii: ;8X3!{ uh`RK,Nt[$ujPPhrRP\|tRj\Xf]3Cf]39x'P6ejSRWRPY'P
2022-11-04 12:16:09 UTC	203	IN	Data Raw: c8 8b 03 89 4d ec 8b cb ff 90 64 01 00 00 85 c0 8b 03 74 1d 6a 01 6a 03 83 ec 10 8b fc 8d 75 e0 a5 a5 a5 8b cb a5 ff 90 f8 01 00 00 8b 7d cc eb 7d 56 6a 01 8d 4d e0 51 8b cb ff 90 30 02 00 00 eb 6c 8b 87 48 01 00 00 8b 40 2c 83 e8 10 50 e8 e4 0c fd ff 83 c0 10 59 89 45 d8 83 65 fc 00 6a 26 8d 4d d8 e8 6d 8b ff ff ff 75 d8 8b 07 ff 75 c8 8b cf ff 75 dc ff 90 f4 01 00 00 8b d8 85 db 75 15 8b 4d d8 83 c1 f0 e8 4b dc fc ff 33 c0 e8 b9 e5 0c 00 c2 08 00 53 8b ce e8 7e 56 04 00 8b 4d d8 83 4d fc ff 83 c1 f0 e8 2a dc fc ff 8b 4d c4 85 c9 74 0c 8b 01 53 57 ff 90 00 02 00 00 eb 53 ff 75 dc 68 7c ef 52 00 e8 9f b4 fe ff 59 59 85 c0 74 0e 8b 10 53 57 8b c8 ff 92 e4 01 00 00 eb 32 ff 75 dc 68 ac e5 52 00 e8 7e b4 fe ff 59 59 85 c0 75 13 ff 75 dc 68 f8 e1 52 00 e8 6b Data Ascii: Mdtjju}}VjMQ0lH@,PYEej&MmuuuuMK3S~VMM*MtSWSuh\|RYYtSW2uhR~YYuuhRk
2022-11-04 12:16:09 UTC	205	IN	Data Raw: ff 83 4d fc ff 8b ce e8 f1 18 06 00 e8 7c e0 0c 00 c3 68 78 01 00 00 b8 76 a3 51 00 e8 fd df 0c 00 8b 7d 10 8b 5d 08 33 c0 33 f6 3b fe 0f 95 c0 89 8d 80 fe ff ff 3b c6 75 05 e8 3d 1b fe ff 8b 81 a8 0e 00 00 3b c6 75 07 33 c0 e9 ee 02 00 00 50 e8 84 d3 fe ff 89 85 8c fe ff ff 3b c6 74 e9 68 c8 0c 00 00 e8 ae 88 fd ff 59 89 85 84 fe ff ff 89 75 fc 3b c6 74 09 8b c8 e8 87 93 ff ff 8b f0 ff 75 0c 8b 06 83 4d fc ff 68 08 28 40 50 53 8b ce ff 90 20 03 00 00 8b ce 85 c0 75 09 8b 06 6a 01 ff 50 04 eb a2 57 e8 a6 f9 fd ff 8b 9d 8c fe ff ff ff 73 04 ff 15 60 78 52 00 83 a5 90 fe ff ff 00 89 85 88 fe ff ff 85 c0 0f 8e fa 01 00 00 ff b5 90 fe ff ff ff 73 04 ff 15 Data Ascii: M\|hxvQ}]33;;u=;u3P;thYu;tuMh(@PS ujPWs`xRs
2022-11-04 12:16:09 UTC	205	IN	Data Raw: 64 78 52 00 8b f8 e8 16 1c fe ff 50 8d 8d 94 fe ff ff e8 b9 d5 fc ff 68 00 04 00 00 8d 85 94 fe ff ff 50 ff b5 90 fe ff ff 8b cb c7 45 fc 01 00 00 00 e8 9b d3 fe ff 85 ff 0f 84 6b 01 00 00 83 ff ff 74 63 57 e8 5b 0a ff ff 59 85 c0 0f 85 72 01 00 00 50 50 ff b5 94 fe ff ff 8d 4d 80 6a ff 57 e8 3c ab 03 00 83 7d 84 00 8b 45 b8 c6 45 fc 04 75 03 8b 45 b4 83 f8 ff 75 0b 83 65 8c 00 c7 45 88 01 00 00 00 8b 06 6a ff 8d 4d 80 51 8b ce ff 90 44 03 00 00 8d 4d 80 c6 45 fc 01 e8 aa 95 03 00 e9 1e 01 00 00 8b 0d 78 5d 57 00 83 a5 8c fe ff ff 00 85 c9 74 12 8d 85 94 fe ff ff 50 e8 Data Ascii: dxRPhPEktcW[YrPPMjW<}EEuEueEjMQDMEx]WtP
2022-11-04 12:16:09 UTC	205	IN	Data Raw: 6e 9f 06 00 89 85 8c fe ff ff 6a 00 6a 09 8d 8d 94 fe ff ff e8 b9 70 ff ff 85 c0 78 35 50 8d 85 84 fe ff ff 50 8d 8d 94 fe ff ff e8 9a 58 fe ff 50 8d 8d 94 fe ff ff c6 45 fc 02 e8 20 06 fd ff 8b 8d 84 fe ff ff 83 c1 f0 c6 45 fc 01 e8 3e d5 fc ff ff b5 90 fe ff ff 8b bd 94 fe ff ff ff 73 04 ff 15 fc 77 52 00 50 e8 d1 d1 fe ff 85 c0 74 03 8b 40 04 6a 00 57 83 cf ff 57 50 57 8d 8d 98 fe ff ff e8 22 02 04 00 83 bd 9c fe ff ff 00 8b 85 d0 fe ff ff c6 45 fc 03 75 06 8b 85 cc fe ff ff 3b c7 75 11 83 a5 a4 fe ff ff 00 c7 85 a0 fe ff ff 01 00 00 00 ff b5 8c fe ff ff 8d 8d 98 fe ff ff e8 5b f2 03 00 8b 06 57 8d 8d 98 fe ff ff 51 8b ce ff 90 44 03 00 00 8d 8d 98 fe ff ff c6 45 fc 01 e8 15 ef 03 00 eb 1b 8b 85 88 fe ff ff 48 39 85 90 fe ff ff 74 0c 8b 06 6a ff 8b ce Data Ascii: njjpx5PPXPE E>swRPt@jWWPW"Eu;u[WQDEH9tj
2022-11-04 12:16:09 UTC	207	IN	Data Raw: 24 01 00 00 eb 10 3b c3 74 0c 8b 80 24 01 00 00 89 86 24 01 00 00 8b 4d c4 8b 45 10 89 4d e0 89 4d e8 8b cf 89 45 e4 89 45 ec e8 66 d2 fd ff 85 c0 75 04 8b c7 eb 07 8b cf e8 57 d2 fd ff 8b 8e 40 01 00 00 53 50 8d 45 e0 50 ff 75 c0 51 ff 75 cc 8b cf e8 41 f2 fd ff 25 00 00 40 00 50 8b ce e8 e3 11 06 00 85 c0 75 12 8b 4d cc 83 c1 f0 e8 70 cf fc ff 33 c0 e9 5e 01 00 00 39 9e b8 0e 00 00 74 33 33 c0 40 2b 86 38 01 00 00 6a 01 01 86 28 01 00 00 8b 86 28 01 00 00 89 86 30 01 00 00 8b 86 2c 01 00 00 89 86 34 01 00 00 8b 06 8b ce ff 90 74 01 00 00 8b 06 8b ce ff 90 c0 01 00 00 8b f8 8b 45 18 89 87 04 0b 00 00 8b 86 f4 0e 00 00 89 87 08 0d 00 00 39 5d c8 0f 84 81 00 00 00 8b 96 c0 0f 00 00 8b 86 38 01 00 00 8b 8e 3c 01 00 00 03 c2 03 ca 53 89 86 d8 0e 00 00 89 8e Data Ascii: $;t$$MEMMEEfuW@SPEPuQuA%@PuMp3^9t33@+8j((0,4tE9]8<S
2022-11-04 12:16:09 UTC	208	IN	Data Raw: 00 00 89 be 14 0d 00 00 89 be 0c 0d 00 00 89 8e 1c 0d 00 00 8b c6 e8 7e d3 0c 00 c3 8b ff 55 8b ec 8b 45 08 33 d2 39 91 04 0b 00 00 75 05 89 50 04 eb 0f 8b 91 a4 0b 00 00 8b 89 a8 0b 00 00 89 48 04 89 10 5d c2 04 00 8b ff 55 8b ec 8b 89 cc 0c 00 00 85 c9 74 13 83 b9 04 0b 00 00 00 74 0a ff 75 08 e8 b4 ff ff ff eb 08 ff 75 08 e8 63 12 ff ff 8b 45 08 5d c2 04 00 a1 80 5b 57 00 c3 6a 04 b8 04 a4 51 00 e8 36 d2 0c 00 8b f1 89 75 f0 c7 06 04 d2 52 00 8d 8e 3c 0d 00 00 c7 45 fc 01 00 00 00 c7 01 f0 d1 52 00 e8 91 bf 04 00 8d 8e 20 0d 00 00 c6 45 fc 00 e8 8f 96 06 00 83 4d fc ff 8b ce e8 05 8c ff ff e8 cc d2 0c 00 c3 6a 74 b8 27 a4 51 00 e8 50 d2 0c 00 8b d9 33 ff 3b df 0f 84 61 02 00 00 8b 43 20 3b c7 0f 84 56 02 00 00 50 ff 15 20 77 52 00 85 c0 0f 84 47 02 00 Data Ascii: ~UE39uPH]UttuucE][WjQ6uR<ER EMjt'QP3;aC ;VP wRG
2022-11-04 12:16:09 UTC	209	IN	Data Raw: a6 38 0d 00 00 00 8b 03 8b cb ff 50 58 83 7d f8 00 74 19 a1 4c 56 57 00 85 c0 75 07 8b ce e8 ac c0 fd ff ff 75 f8 50 e8 fa b5 ff ff 8b 4d fc 85 c9 74 17 83 79 20 ff 74 09 83 b9 90 00 00 00 00 74 08 8b 01 6a 01 56 ff 50 20 8b 4d f8 85 c9 74 64 e8 ef 9f ff ff 85 c0 74 5b 8b 5d f8 8b cb e8 e1 9f ff ff 8b 10 8b c8 ff 92 c0 01 00 00 85 c0 74 43 8b 88 38 0d 00 00 3b 8b 48 01 00 00 75 35 8b 10 8b c8 ff 92 40 04 00 00 eb 29 33 d2 39 55 fc 74 22 8b 8e 38 0d 00 00 39 4d fc 75 17 89 91 a4 00 00 00 6a 02 ff 76 20 89 96 38 0d 00 00 ff 15 ec 75 52 00 83 be 08 0d 00 00 00 8b 45 08 89 86 84 0b 00 00 74 2c ff 76 20 ff d7 50 e8 58 aa fd ff 50 68 fc cf 56 00 e8 44 9c fe ff 59 59 85 c0 74 10 ff b6 84 0b 00 00 8b 10 8b c8 ff 92 fc 01 00 00 83 3d c4 48 57 00 00 0f 84 a2 00 00 Data Ascii: 8PX}tLVWuuPMty ttjVP Mtdt[]tC8;Hu5@)39Ut"89Mujv 8uREt,v PXPhVDYYt=HW
2022-11-04 12:16:09 UTC	211	IN	Data Raw: 00 8b 76 20 6a 02 8d 45 ec 50 56 ff 77 20 ff 15 a0 77 52 00 ff 75 0c 8d 45 ec ff 75 08 50 ff 15 10 78 52 00 85 c0 74 08 8b c7 eb 06 8b c3 eb 02 33 c0 5b 8b 4d fc 5f 33 cd 5e e8 47 b5 0c 00 c9 c2 08 00 8b ff 55 8b ec f6 45 0c 08 56 57 8b f9 75 43 ff 77 20 ff 15 08 78 52 00 50 e8 1d a5 fd ff 50 68 fc cf 56 00 e8 09 97 fe ff 8b f0 59 59 85 f6 74 21 8b ce e8 6f 9a ff ff 8b b6 48 01 00 00 85 c0 74 10 85 f6 74 0c 3b b0 98 0c 00 00 75 04 33 c0 eb 13 ff 75 14 8b cf ff 75 10 ff 75 0c ff 75 08 e8 d3 1d ff ff 5f 5e 5d c2 10 00 8b ff 55 8b ec 83 ec 18 53 56 57 33 ff 8b f1 39 3d 04 3f 57 00 75 58 39 3d d8 e4 56 00 74 50 39 be 00 0d 00 00 75 48 ff 76 20 ff 15 08 78 52 00 50 e8 9a a4 fd ff 50 68 fc cf 56 00 e8 86 96 fe ff 59 59 3b c7 74 28 8b c8 e8 6e 9b ff ff 85 c0 74 Data Ascii: v jEPVw wRuEuPxRt3[M_3^GUEVWuCw xRPPhVYYt!oHtt;u3uuuu_^]USVW39=?WuX9=VtP9uHv xRPPhVYY;t(nt
2022-11-04 12:16:09 UTC	211	IN	Data Raw: f4 57 ff ff 85 c0 75 68 ff 73 20 33 f6 e8 e6 57 ff ff 85 c0 74 21 39 7d fc 74 0f 89 7d fc 8d 73 54 8d 7d e8 a5 a5 a5 a5 33 ff 39 7d f8 75 a5 8b 43 60 89 45 f4 eb 19 39 7d fc 75 09 8b 43 58 33 f6 89 45 f4 46 c7 45 fc 01 00 00 00 3b f7 74 20 e8 b4 f2 fe ff 8b 10 83 ec 10 8b fc ff 75 08 8d 75 e8 a5 a5 a5 8b c8 a5 ff 92 a0 00 00 00 33 ff 39 7d f8 0f 85 5b ff ff ff e9 4f ff ff ff e8 5d 01 fe ff cc 8b ff 55 8b ec 83 ec 14 a1 54 04 57 00 33 c5 89 45 fc 53 8b 5d 08 56 57 53 8b f1 e8 ea fa fe ff 85 c0 75 05 e8 33 01 fe ff 8b 78 24 8b 4d 0c 3b f9 0f 84 95 00 00 00 89 48 24 8b c7 23 c1 a9 00 00 02 00 0f 85 83 00 00 00 53 8b ce e8 b9 fa fe ff 50 68 fc dd 56 00 e8 45 95 fe ff 59 59 85 c0 74 5a 8b cf 33 4d 0c f7 c1 00 00 01 00 74 4d 33 c9 89 4d ec 89 4d f0 89 4d f4 89 Data Ascii: Wuhs 3Wt!9}t}sT}39}uC`E9}uCX3EFE;t uu39}[O]UTW3ES]VWSu3x$M;H$#SPhVEYYtZ3MtM3MMM
2022-11-04 12:16:09 UTC	213	IN	Data Raw: ff 74 24 6a 00 8b cf e8 c5 1f 06 00 ff 75 08 83 26 00 8b cf e8 dd 21 06 00 eb 0c a1 b0 5d 57 00 85 c0 74 03 89 70 58 83 7d e8 00 75 09 83 0d 88 d0 56 00 ff eb 0f ff 75 e8 8b cb e8 4c f4 fe ff a3 88 d0 56 00 83 bb 00 0d 00 00 00 0f 84 87 00 00 00 ff 73 20 ff 15 08 78 52 00 50 e8 21 9e fd ff 50 68 fc cf 56 00 e8 0d 90 fe ff 59 59 85 c0 74 67 8b b0 48 01 00 00 85 f6 74 5d 83 7e 6c 00 74 57 8b 45 08 8b 3e 6a 00 50 89 46 20 e8 13 3e 01 00 8b c8 e8 58 3f 01 00 50 8b ce ff 97 bc 00 00 00 33 c0 89 45 ec 89 45 f0 89 45 f4 89 45 f8 8d 45 ec 50 8b ce e8 6a d4 03 00 6a 01 8d 45 ec 50 8b 46 6c ff 70 20 ff 15 f0 77 52 00 8b 46 6c ff 70 20 ff 15 e0 76 52 00 53 e8 d2 97 fe ff 59 6a 00 8b cb 8b f0 e8 66 fb ff ff 8b 06 8b ce ff 50 60 8b 4d fc 5f 5e 33 cd 5b e8 8b ad 0c 00 Data Ascii: t$ju&!]WtpX}uVuLVs xRP!PhVYYtgHt]~ltWE>jPF >X?P3EEEEEPjjEPFlp wRFlp vRSYjfP`M_^3[
2022-11-04 12:16:09 UTC	214	IN	Data Raw: f8 ff 15 54 76 52 00 8d 45 f4 50 8b 45 fc ff 70 20 ff 15 44 78 52 00 ff 75 f8 8d 86 d8 00 00 00 ff 75 f4 50 ff 15 10 78 52 00 85 c0 75 5f 8b 86 8c 00 00 00 3b c3 74 16 53 53 6a 10 ff 70 20 ff 15 e4 76 52 00 33 c0 5b 5f 5e c9 c2 04 00 39 9e 8c 00 00 00 75 ef 8b 06 8b ce ff 90 e4 00 00 00 85 c0 75 29 68 2c 94 53 00 8b ce e8 3f 8a fe ff 85 c0 74 0d 8b 06 53 ff 75 fc 8b ce ff 50 20 eb 0c 8b 4d fc 57 ff 77 20 e8 20 f8 ff ff 33 c0 40 eb b5 6a 48 b8 57 a4 51 00 e8 23 ba 0c 00 8b f9 33 f6 39 b7 00 0d 00 00 74 11 56 ff 75 08 e8 26 f7 fe ff 8b 45 08 e9 1b 02 00 00 57 8d 4d ac 89 75 e0 89 75 e4 e8 6e 05 fe ff 68 ac 3a 57 00 8d 4d ac 89 75 fc e8 ab 08 fe ff 33 c9 3b c6 0f 95 c1 89 45 e8 3b ce 75 05 e8 9b f5 fd ff 39 b7 d4 0b 00 00 75 11 6a 32 58 6a 14 59 89 45 e0 89 Data Ascii: TvREPEp DxRuuPxRu_;tSSjp vR3[_^9uu)h,S?tSuP MWw 3@jHWQ#39tVu&EWMuunh:WMu3;E;u9uj2XjYE
2022-11-04 12:16:09 UTC	215	IN	Data Raw: 00 83 ff 24 74 78 83 ff 26 0f 84 1c 01 00 00 83 ff 28 74 6f 83 3d 04 3f 57 00 00 0f 85 41 04 00 00 6a 11 ff 15 d4 75 52 00 b9 00 80 00 00 66 85 c1 0f 85 2b 04 00 00 57 e8 61 2d 01 00 85 c0 0f 84 bf 02 00 00 57 e8 de 2d 01 00 8b f8 8d 45 d4 50 8d 45 d0 50 8d 8b ac 0c 00 00 89 7d d0 e8 b3 3a 01 00 85 c0 0f 84 99 02 00 00 8b 7d d4 8b 83 cc 0b 00 00 89 7d d0 33 d2 e9 00 02 00 00 33 d2 89 55 d4 83 bb 08 0d 00 00 00 74 15 3b 8b d0 0b 00 00 75 0d 83 ff 24 74 08 33 c0 40 e9 c4 03 00 00 83 bb d4 0b 00 00 00 89 45 c4 0f 84 b1 03 00 00 85 d2 74 06 8b 32 85 f6 75 0c 8b b3 cc 0b 00 00 83 65 d8 00 eb 03 ff 45 d8 3b f2 0f 84 90 03 00 00 89 75 c8 8b c6 85 f6 74 46 8b 78 08 f6 47 24 01 8b 36 75 18 8d 47 54 50 ff 15 cc 75 52 00 85 c0 75 0a 83 7f 20 fe 0f 85 cb 00 00 00 ff Data Ascii: $tx&(to=?WAjuRf+Wa-W-EPEP}:}}33Ut;u$t3@Et2ueE;utFxG$6uGTPuRu
2022-11-04 12:16:09 UTC	217	IN	Data Raw: 85 88 fe ff ff 3b c3 74 e4 a1 4c 56 57 00 3b c3 75 07 8b ce e8 0a a3 fd ff 89 85 94 fe ff ff 3b c3 75 0b e8 00 5a fd ff 89 85 94 fe ff ff 8b 46 20 3b c3 74 48 50 ff 15 08 78 52 00 50 e8 3c 8d fd ff 50 68 fc cf 56 00 e8 28 7f fe ff 59 59 3b c3 74 10 8b 88 24 01 00 00 3b cb 74 06 89 8d 94 fe ff ff 39 1d 28 3f 57 00 74 12 3b c3 74 0e 8b c8 e8 23 82 ff ff 85 c0 74 03 89 7d 0c 8b 8d 94 fe ff ff 3b cb 74 1c 0f b7 86 d4 0c 00 00 50 ff b5 80 fe ff ff 68 17 01 00 00 ff 71 20 ff 15 dc 76 52 00 8b 85 88 fe ff ff ff 70 04 ff 15 60 78 52 00 89 85 84 fe ff ff 89 9d 8c fe ff ff 89 bd 7c fe ff ff 89 bd 74 fe ff ff 39 9e 00 0d 00 00 74 27 db 85 84 fe ff ff da b6 04 0d 00 00 dc 05 f8 bd 52 00 e8 f7 ee 0c 00 89 bd 74 fe ff ff 3b c7 7c 06 89 85 74 fe ff ff 89 9d 90 fe ff ff Data Ascii: ;tLVW;u;uZF ;tHPxRP<PhV(YY;t$;t9(?Wt;t#t};tPhq vRp`xR\|t9t'Rt;\|t
2022-11-04 12:16:09 UTC	218	IN	Data Raw: 8b 75 ec 8b 10 53 56 8b c8 ff 52 7c 85 c0 75 0e 8b 45 f0 8b 40 20 89 45 e8 e9 c6 00 00 00 85 db 0f 84 be 00 00 00 83 7b 24 00 0f 84 b4 00 00 00 e8 d0 e6 fd ff 50 8d 4d ec e8 76 a0 fc ff 8b 43 24 83 65 fc 00 85 c0 74 12 50 8d 4d ec e8 e2 f4 fc ff ff 73 24 e8 fc 9b 0c 00 59 e8 a5 e6 fd ff 50 8d 4d 10 e8 4b a0 fc ff 8b ce c6 45 fc 01 e8 c4 9c fd ff 8b f8 85 ff 74 2b 83 7f 20 00 74 25 8b 4d f0 68 2c 94 53 00 e8 1e 79 fe ff 85 c0 75 14 8b 07 8d 4d 10 51 8b 4d f0 ff 71 20 8b cf ff 90 70 01 00 00 ff 75 10 8b 7d ec 51 89 65 f0 83 c7 f0 89 65 f0 57 e8 d9 d0 fc ff 59 8b 4d f0 83 c0 10 6a 02 89 01 ff b6 94 0c 00 00 53 e8 a3 a6 03 00 8b 4d 10 83 c1 f0 e8 57 a0 fc ff 8b cf e8 50 a0 fc ff 8b 45 e8 e8 a9 a9 0c 00 c2 0c 00 8b ff 56 8b f1 8b 46 2c 85 c0 75 02 5e c3 53 8b Data Ascii: uSVR\|uE@ E{$PMvC$etPMs$YPMKEt+ t%Mh,SyuMQMq pu}QeeWYMjSMWPEVF,u^S
2022-11-04 12:16:09 UTC	220	IN	Data Raw: 75 f0 83 7e f4 00 c6 45 fc 01 75 1f 68 06 f0 00 00 e8 38 2b fe ff 85 c0 74 11 68 06 f0 00 00 50 8d 4d f0 e8 b0 ed fc ff 8b 75 f0 8b 47 08 56 03 c3 50 8d 45 10 50 e8 85 1b fe ff 6a ff ff 75 10 ff 75 0c ff 75 08 e8 9c 98 0c 00 50 e8 97 c7 fc ff 83 c4 14 8d 4e f0 e8 2c 9b fc ff 8b 4d 10 83 c1 f0 e8 21 9b fc ff 33 c0 40 eb 02 33 c0 e8 76 a4 0c 00 c2 0c 00 6a 08 b8 38 8d 51 00 e8 8f a3 0c 00 6a 14 e8 eb 4c fd ff 59 8b c8 89 4d ec 33 c0 89 45 fc 3b c8 74 0e ff 75 10 ff 75 0c ff 75 08 e8 23 33 fe ff 83 4d fc ff 89 45 f0 68 cc cc 55 00 8d 45 f0 50 e8 8f a7 0c 00 cc 8b ff 55 8b ec 83 7d 08 00 74 14 ff 75 0c ff 75 08 ff 75 08 e8 36 fc ff ff 50 e8 9b ff ff ff 5d c2 08 00 8b ff 55 8b ec 83 7d 08 00 75 05 e8 e9 de fd ff ff 75 08 ff 15 14 75 52 00 83 7d 0c 00 75 0a 50 Data Ascii: u~Euh8+thPMuGVPEPjuuuPN,M!3@3vj8QjLYM3E;tuuu#3MEhUEPU}tuuu6P]U}uuuR}uP
2022-11-04 12:16:09 UTC	221	IN	Data Raw: 02 50 8b 47 04 03 c6 6a 00 50 e8 6d 9f 0c 00 8b 75 08 83 c4 1c 8b c6 c1 e0 02 8b 55 0c 8b 4f 04 8b 12 89 14 08 83 c0 04 4b 75 ef 5f 5e 5b 5d c2 0c 00 e8 f5 d9 fd ff cc c7 01 5c d8 52 00 8b 49 04 85 c9 74 07 51 e8 ac 47 fd ff 59 c3 8b ff 55 8b ec 56 8b f1 e8 de ff ff ff f6 45 08 01 74 07 56 e8 91 47 fd ff 59 8b c6 5e 5d c2 04 00 6a 1c b8 bc a5 51 00 e8 1e 9e 0c 00 8b d9 89 5d dc 8b 73 3c 33 ff 89 75 e0 89 7d e8 3b f7 75 28 6a 1c e8 33 47 fd ff 59 89 45 e0 89 7d fc 3b c7 74 0b 6a 0a 8b c8 e8 53 a8 fe ff eb 02 33 c0 83 4d fc ff 8b f0 89 45 e0 8d 45 e8 50 6a 01 8b ce e8 4c a9 fe ff 85 c0 74 08 8b 45 e8 89 45 ec eb 67 6a 14 e8 f2 46 fd ff 59 3b c7 74 19 89 78 04 89 78 10 89 78 0c 89 78 08 c7 00 5c d8 52 00 8b f8 89 45 e4 eb 03 89 7d e4 ff 73 40 33 c0 40 50 8b Data Ascii: PGjPmuUOKu_^[]\RItQGYUVEtVGY^]jQ]s<3u};u(j3GYE};tjS3MEEPjLtEEgjFY;txxxx\RE}s@3@P
2022-11-04 12:16:09 UTC	222	IN	Data Raw: 8b ce e8 d9 fc ff ff 8b ce e8 cc f9 ff ff 8b 4e 38 57 e8 75 a4 fe ff 8b 4e 34 89 08 ff 46 34 8b 07 56 8b cf ff 50 08 5b 5f 5e 5d c2 04 00 6a 14 b8 04 a6 51 00 e8 b2 98 0c 00 8b f1 f6 46 18 01 75 0a ff 76 14 6a 04 e8 fe 59 fe ff 8d 45 e8 50 8d 45 e4 50 ff 75 08 e8 33 fd ff ff 33 db 89 5d ec 3b c3 0f 85 92 00 00 00 8b 46 38 8b 40 08 8b 7d e8 48 3b f8 76 07 ff 76 14 6a 05 eb c9 8b 4e 3c 8d 45 ec 50 6a 01 89 5d ec e8 d4 a3 fe ff 85 c0 74 29 8b 4d ec 3b cb 75 05 e8 e1 d3 fd ff 8b 41 08 8d 50 ff 3b fa 77 13 3b fb 7c ed 3b f8 7d e9 8b 41 04 8b 04 b8 83 f8 01 74 bb 8b 46 38 3b fb 7c d7 3b 78 08 7d d2 8b 40 04 8b 3c b8 3b fb 0f 84 a1 00 00 00 39 5d 08 0f 84 98 00 00 00 ff 75 08 8b cf e8 be 67 fe ff 85 c0 0f 85 86 00 00 00 ff 76 14 6a 06 e9 4c ff ff ff 8b c8 89 5d Data Ascii: N8WuN4F4VP[_^]jQFuvjYEPEPu33];F8@}H;vvjN<EPj]t)M;uAP;w;\|;}AtF8;\|;x}@<;9]ugvjL]
2022-11-04 12:16:09 UTC	223	IN	Data Raw: fe ff eb 52 80 3d 58 49 57 00 00 75 27 68 f8 b8 52 00 ff 15 2c 74 52 00 85 c0 74 11 68 68 d8 52 00 50 ff 15 e0 73 52 00 a3 54 49 57 00 c6 05 58 49 57 00 01 a1 54 49 57 00 85 c0 74 0e 6a 00 ff 76 04 ff 75 08 ff 36 ff d0 eb 0b ff 75 08 ff 36 ff 15 40 70 52 00 5e 5d c2 04 00 8b ff 55 8b ec 51 83 65 fc 00 56 8b 75 10 57 8d 45 fc 50 56 6a 00 ff 75 0c 8b f9 8b 4f 08 ff 75 08 85 c9 74 07 e8 b5 58 fe ff eb 06 ff 15 04 70 52 00 85 c0 75 15 8b cf e8 60 59 fe ff 8b 4d fc 81 e6 00 03 00 00 89 0f 89 77 04 5f 5e c9 c2 0c 00 8b ff 55 8b ec 51 56 8b 75 10 8b 06 83 26 00 57 8b 7d 0c 03 c0 89 45 fc 8d 45 fc 50 57 8d 45 10 50 6a 00 ff 75 08 ff 31 ff 15 10 70 52 00 85 c0 75 39 83 7d 10 01 74 0b 83 7d 10 02 74 05 6a 0d 58 eb 28 8b 45 fc 85 ff 74 1b 85 c0 74 12 a8 01 75 ec 8b Data Ascii: R=XIWu'hR,tRthhRPsRTIWXIWTIWtjvu6u6@pR^]UQeVuWEPVjuOutXpRu`YMw_^UQVu&W}EEPWEPju1pRu9}t}tjX(Ettu
2022-11-04 12:16:09 UTC	224	IN	Data Raw: ff 75 ef 43 3b 5e 08 72 e1 33 db 5f ff 76 04 e8 db 3a fd ff 59 89 5e 04 8b 4e 14 89 5e 0c 89 5e 10 e8 3e 53 fe ff 89 5e 14 5e 5b c3 c7 01 9c d8 52 00 e9 a0 ff ff ff 8b ff 55 8b ec 56 8b f1 c7 06 8c d8 52 00 e8 8d ff ff ff f6 45 08 01 74 07 56 e8 99 3a fd ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 56 8b f1 c7 06 9c d8 52 00 e8 66 ff ff ff f6 45 08 01 74 07 56 e8 72 3a fd ff 59 8b c6 5e 5d c2 04 00 8b ff 53 56 8b f1 33 db 39 5e 04 74 31 39 5e 08 76 20 57 8b 46 04 8b 3c 98 eb 0a 8b cf e8 68 fe ff ff 8b 7f 08 85 ff 75 f2 43 3b 5e 08 72 e4 33 db 5f ff 76 04 e8 30 3a fd ff 59 89 5e 04 8b 4e 14 89 5e 0c 89 5e 10 e8 93 52 fe ff 89 5e 14 5e 5b c3 8b ff 55 8b ec 56 57 8b 7d 08 8b f1 8b cf e8 25 fe ff ff 8b 46 10 89 47 08 ff 4e 0c 89 7e 10 75 07 8b ce e8 86 ff ff ff Data Ascii: uC;^r3_v:Y^N^^>S^^[RUVREtV:Y^]UVRfEtVr:Y^]SV39^t19^v WF<huC;^r3_v0:Y^N^^R^^[UVW}%FGN~u
2022-11-04 12:16:09 UTC	226	IN	Data Raw: 04 00 8b 81 c0 00 00 00 c3 8b ff 55 8b ec 8b 45 08 89 81 c0 00 00 00 5d c2 04 00 8b ff 55 8b ec 51 8b 81 ac 00 00 00 83 65 fc 00 83 e8 10 50 e8 54 b3 fc ff 59 8d 48 10 8b 45 08 89 08 c9 c2 04 00 8b ff 55 8b ec 51 8b 81 b0 00 00 00 83 65 fc 00 83 e8 10 50 e8 2e b3 fc ff 59 8d 48 10 8b 45 08 89 08 c9 c2 04 00 8b ff 55 8b ec 81 c1 ac 00 00 00 5d e9 80 b3 fc ff 8b ff 55 8b ec 81 c1 b0 00 00 00 5d e9 6f b3 fc ff 6a 08 b8 0e a7 51 00 e8 1c 8b 0c 00 8b f1 89 75 ec c7 06 bc d8 52 00 c7 45 fc 07 00 00 00 eb 23 8d 45 f0 50 8d 8e 90 00 00 00 e8 d4 54 06 00 ff 75 f0 ff 15 3c 74 52 00 8b 4d f0 83 c1 f0 e8 5c 82 fc ff 83 be 9c 00 00 00 00 75 d4 ff b6 c8 00 00 00 6a 00 ff 15 ec 75 52 00 8b 8e b0 00 00 00 83 e9 10 e8 37 82 fc ff 8b 8e ac 00 00 00 83 e9 10 e8 29 82 fc ff Data Ascii: UE]UQePTYHEUQeP.YHEU]U]ojQuRE#EPTu<tRM\ujuR7)
2022-11-04 12:16:09 UTC	227	IN	Data Raw: ec 56 ff 75 08 8b f1 e8 14 d2 fc ff e8 50 c3 fd ff 50 8d 4e 04 e8 f6 7c fc ff 8b c6 5e 5d c2 04 00 6a 0c b8 e3 a7 51 00 e8 ec 85 0c 00 33 ff 89 7d f0 8b 75 0c 8b 46 24 83 e8 10 50 89 7d fc e8 ac ad fc ff 8b 5d 08 83 c0 10 59 89 03 89 7d fc 47 83 78 f4 00 89 7d f0 75 7d 8d 46 20 50 8b cb e8 fb ad fc ff e8 f7 c2 fd ff 50 8d 4d 0c e8 9d 7c fc ff 8b 76 28 89 7d fc 85 f6 74 4f 8b 06 6a 04 8d 4d 0c 51 8b ce ff 50 64 85 c0 74 3e 8b 45 0c 83 78 f4 00 74 35 83 65 ec 00 8d 45 ec 50 68 c4 d9 52 00 8d 45 e8 50 8d 4d 0c e8 c0 e4 ff ff 8b 00 ff 70 f4 8b cb 50 c6 45 fc 02 e8 1f 2b fd ff 8b 4d e8 83 c1 f0 e8 c4 7c fc ff 8b 4d 0c 83 c1 f0 e8 b9 7c fc ff 8b c3 e8 13 86 0c 00 c2 08 00 6a 08 b8 0c a8 51 00 e8 2c 85 0c 00 8b f1 83 7e 10 00 75 2b 6a 10 ff 76 18 8d 46 14 50 e8 Data Ascii: VuPPN\|^]jQ3}uF$P}]Y}Gx}u}F PPM\|v(}tOjMQPdt>Ext5eEPhREPMpPE+M\|M\|jQ,~u+jvFP
2022-11-04 12:16:09 UTC	229	IN	Data Raw: 8b ce ff 50 6c 50 8d 4d ec c6 45 fc 04 e8 a2 a8 fc ff 8b 4d e8 83 c1 f0 c6 45 fc 03 e8 c3 77 fc ff 8b 07 33 db 53 ff 75 ec 8b cf ff 90 e0 00 00 00 85 c0 74 70 ff 75 08 8d 4e 04 e8 13 fc ff ff 8d 4d ec 51 8b c8 e8 69 a8 fc ff ff 75 ec 8d 4d f0 e8 4e 99 fe ff 85 c0 74 0b 8b 06 8d 4d f0 51 8b ce ff 50 54 8b 07 8b cf 39 5d 0c 74 04 6a 01 eb 01 53 ff 50 64 eb 2d e8 93 f0 ff ff ff 75 08 8d 4e 04 8b d8 e8 c9 fb ff ff 68 c0 18 55 00 8b c8 e8 4e cb fc ff 85 db 74 0b 8b 06 8d 4d f0 51 8b ce ff 50 54 8b 4d ec 83 c1 f0 e8 34 77 fc ff 8b 4d f0 83 c1 f0 e8 29 77 fc ff 8b 4d 08 83 c1 f0 e8 1e 77 fc ff 33 c0 40 eb 02 33 c0 e8 73 80 0c 00 c2 08 00 6a 04 b8 c0 a8 51 00 e8 8c 7f 0c 00 8b f1 f6 86 b4 00 00 00 10 0f 84 f2 00 00 00 83 be c4 00 00 00 00 0f 85 e5 00 00 00 e8 b3 Data Ascii: PlPMEMEw3SutpuNMQiuMNtMQPT9]tjSPd-uNhUNtMQPTM4wM)wMw3@3sjQ
2022-11-04 12:16:09 UTC	230	IN	Data Raw: ff 70 50 8d 4d e0 e8 bd c6 fc ff 8d 45 f0 50 6a 10 6a 00 68 e9 f2 00 00 be e8 f2 00 00 56 8d 45 e0 50 8d 45 ec 50 8d 45 e8 50 c6 45 fc 04 e8 70 54 06 00 8b 4d e0 83 c4 20 83 c1 f0 8b d8 e8 f5 71 fc ff 8b 4d f0 33 c0 3b de 0f 95 c0 83 c1 f0 83 c0 06 89 45 dc e8 dd 71 fc ff 8b 4d e8 83 c1 f0 e8 d2 71 fc ff 8d 4f f0 e8 ca 71 fc ff 8b 4d ec 83 c1 f0 e9 10 01 00 00 e8 8b b7 fd ff 50 8d 4d f0 e8 31 71 fc ff c7 45 fc 05 00 00 00 e8 76 b7 fd ff 50 8d 4d ec e8 1c 71 fc ff be e4 f2 00 00 56 c6 45 fc 06 e8 53 01 fe ff 85 c0 74 0a 56 50 8d 4d f0 e8 cf c3 fc ff be dc d9 52 00 56 e8 fe 75 0c 00 59 50 56 8d 4d f0 e8 b9 1f fd ff be e5 f2 00 00 56 e8 24 01 fe ff 85 c0 74 0a 56 50 8d 4d ec e8 a0 c3 fc ff 8b 75 ec ff 76 f4 8d 4d f0 56 e8 91 1f fd ff bf d0 d9 52 00 57 e8 c0 Data Ascii: pPMEPjjhVEPEPEPEpTM qM3;EqMqOqMPM1qEvPMqVEStVPMRVuYPVMV$tVPMuvMVRW
2022-11-04 12:16:09 UTC	231	IN	Data Raw: c3 7e 35 50 8d 85 a0 fd ff ff 50 8d 8d c0 fd ff ff e8 b4 f0 fd ff 50 8d 8d b8 fd ff ff c6 45 fc 05 e8 3a 9e fc ff 8b 8d a0 fd ff ff 83 c1 f0 c6 45 fc 04 e8 58 6d fc ff ff b5 b8 fd ff ff 8b 07 8b cf ff 50 54 8b 06 57 8d 8d ac fd ff ff 51 8b ce ff 50 68 57 8d 4e 58 c6 45 fc 06 e8 13 e8 ff ff 8d 8d ac fd ff ff 51 8b c8 e8 f1 9d fc ff 8d 85 a8 fd ff ff 50 ff b5 c0 fd ff ff 8d 4e 20 89 9d a8 fd ff ff e8 20 28 05 00 8b 8d a8 fd ff ff 3b cb 74 0c 3b cf 74 08 8b 01 ff 90 84 00 00 00 8b 07 6a 01 8b cf ff 50 64 e8 7a 11 fe ff 8b 40 04 8b 10 8b c8 ff 52 74 53 6a 01 6a 0b ff 70 20 ff 15 dc 76 52 00 e8 5d 11 fe ff 8b 40 04 8b 10 8b c8 ff 52 74 6a 01 53 ff 70 20 ff 15 f0 77 52 00 e8 42 11 fe ff 8b 40 04 8b 10 8b c8 ff 52 74 ff 70 20 ff 15 e0 76 52 00 57 8d 4e 74 e8 72 Data Ascii: ~5PPPE:EXmPTWQPhWNXEQPN (;t;tjPdz@RtSjjp vR]@RtjSp wRB@Rtp vRWNtr
2022-11-04 12:16:09 UTC	233	IN	Data Raw: 1e 75 25 8d 45 f4 50 8d 45 e4 50 56 c7 45 e4 01 00 00 00 89 5d e8 89 5d ec 89 5d f0 e8 45 d9 0d 00 85 c0 74 03 88 5d ff 57 ff 15 48 74 52 00 8a 45 ff 5f 5e 5b c9 c3 8b ff 56 57 8b f1 8d 7e 04 57 ff 15 44 74 52 00 8b 06 85 c0 74 06 50 e8 19 d9 0d 00 83 26 00 57 ff 15 48 74 52 00 5f 5e c3 8b ff 56 57 8b f1 8d 7e 04 57 ff 15 44 74 52 00 ff 46 1c 57 ff 15 48 74 52 00 5f 5e c3 8b ff 56 57 8b f1 8d 7e 04 57 ff 15 44 74 52 00 ff 4e 1c 75 07 8b ce e8 9e ff ff ff 57 ff 15 48 74 52 00 5f 5e c3 8b ff 56 57 33 ff 8b f1 6a 00 56 ff 15 30 74 52 00 85 c0 75 10 47 83 c6 04 83 ff 04 7c ea 50 ff 15 54 71 52 00 5f 5e c3 8b ff 55 8b ec 56 57 33 ff 8b f1 ff 75 08 56 ff 15 30 74 52 00 85 c0 74 13 47 83 c6 04 89 45 08 83 ff 04 7c e6 50 ff 15 5c 71 52 00 5f 5e 5d c2 04 00 33 c0 Data Ascii: u%EPEPVE]]]Et]WHtRE_^[VW~WDtRtP&WHtR_^VW~WDtRFWHtR_^VW~WDtRNuWHtR_^VW3jV0tRuG\|PTqR_^UVW3uV0tRtGE\|P\qR_^]3
2022-11-04 12:16:09 UTC	234	IN	Data Raw: 00 8b ff 55 8b ec 83 79 74 00 75 06 33 c0 5d c2 0c 00 8b 49 74 8b 01 5d ff a0 04 02 00 00 83 79 74 00 74 0b 8b 49 74 8b 01 ff a0 fc 01 00 00 c3 8b ff 55 8b ec 8b c1 33 c9 89 48 0c 89 48 10 89 48 08 89 48 04 89 48 14 8b 4d 08 c7 00 00 dc 52 00 89 48 18 5d c2 04 00 8b ff 55 8b ec 8b 45 08 85 c0 74 03 8b 40 20 50 ff 71 20 ff 15 a0 75 52 00 50 e8 5f 48 fd ff 5d c2 04 00 8b ff 55 8b ec 8b 45 0c 8b 4d 10 83 ca ff 2b d0 3b d1 73 07 b8 16 02 07 80 5d c3 03 c1 8b 4d 08 89 01 33 c0 5d c3 8b ff 55 8b ec 51 ff 75 0c 8d 45 fc ff 75 08 50 e8 c5 ff ff ff 83 c4 0c 85 c0 79 06 50 e8 15 63 fc ff 8b 45 fc c9 c3 8b ff 55 8b ec 56 8b f1 ff 76 04 c7 06 78 da 52 00 e8 d0 d2 0d 00 f6 45 08 01 74 06 56 e8 b2 d2 0d 00 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 8b 45 08 56 8b f1 85 c0 74 Data Ascii: Uytu3]It]yttItU3HHHHHMRH]UEt@ Pq uRP_H]UEM+;s]M3]UQuEuPyPcEUVvxREtV^]UEVt
2022-11-04 12:16:09 UTC	235	IN	Data Raw: 50 68 58 e9 52 00 e8 16 35 fe ff 59 59 85 c0 74 44 e8 0e 01 fe ff 8b 40 04 85 c0 74 38 8b 10 8b c8 ff 92 00 01 00 00 85 c0 74 2a 8b 06 8b ce ff 90 e8 01 00 00 85 c0 74 1c 83 3d 10 3b 57 00 00 74 13 8b ce e8 de 7e fd ff a9 00 00 08 00 75 05 33 c0 40 5e c3 33 c0 5e c3 8b ff 55 8b ec 83 ec 24 a1 54 04 57 00 33 c5 89 45 fc 53 56 57 8b d9 e8 81 ff ff ff 85 c0 0f 84 80 00 00 00 8b cb e8 5b ff ff ff 85 c0 74 75 33 c0 89 45 dc 89 45 e0 89 45 e4 89 45 e8 39 83 b8 04 00 00 74 17 8b 03 8d 4d ec 51 8b cb ff 90 08 02 00 00 8b f0 8d 7d dc a5 a5 a5 a5 8b 03 83 ec 10 8b fc 8d 75 dc a5 a5 a5 8b cb a5 ff 90 10 02 00 00 68 4c de 52 00 ff 15 2c 74 52 00 85 c0 74 1e 68 30 de 52 00 50 ff 15 e0 73 52 00 85 c0 74 0e 81 c3 3c 04 00 00 74 03 8b 5b 20 53 ff d0 33 c0 40 eb 02 33 c0 Data Ascii: PhXR5YYtD@t8t*t=;Wt~u3@^3^U$TW3ESVW[tu3EEEE9tMQ}uhLR,tRth0RPsRt<t[ S3@3
2022-11-04 12:16:09 UTC	237	IN	Data Raw: 8b 4d fc 5f 33 cd 5e e8 7a 4d 0c 00 c9 c2 0c 00 8b ff 55 8b ec 53 56 57 8b f1 e8 09 0a fd ff 50 68 58 e9 52 00 e8 4b 2f fe ff 59 59 85 c0 74 0f 8b 4d 08 f7 d9 1b c9 23 ce 89 88 48 01 00 00 8b 7d 0c 57 ff 75 08 8d 8e 44 02 00 00 e8 40 65 01 00 8b 5f 08 57 ff 75 08 8b ce e8 85 b1 04 00 89 5f 08 8b 06 6a 00 8b ce ff 90 c0 01 00 00 8b 06 6a 01 8b ce ff 90 74 01 00 00 5f 5e 5b 5d c2 08 00 8b ff 55 8b ec 83 ec 14 53 56 57 8b d9 33 ff 39 bb 34 04 00 00 74 36 8b 8b 34 04 00 00 8b 01 ff 90 70 01 00 00 85 c0 74 24 8b 83 34 04 00 00 ff 70 20 ff 15 08 78 52 00 50 e8 bf 3c fd ff 3b c3 75 0b 8b b3 34 04 00 00 89 75 fc eb 11 68 00 e9 00 00 8b cb e8 17 78 fd ff 89 45 fc 8b f0 3b f7 0f 84 8e 00 00 00 68 00 ac 53 00 8b ce e8 64 2e fe ff 85 c0 75 18 68 d4 ab 53 00 8b ce e8 Data Ascii: M_3^zMUSVWPhXRK/YYtM#H}WuD@e_Wu_jjt_^[]USVW394t64pt$4p xRP<;u4uhxE;hSd.uhS
2022-11-04 12:16:09 UTC	238	IN	Data Raw: 89 83 60 01 00 00 eb 12 6a 01 56 ff 73 20 89 b3 60 01 00 00 ff 15 f4 75 52 00 8b 3d dc 77 52 00 8d 45 dc 50 8b 83 38 04 00 00 89 75 dc 89 75 e0 89 75 e4 89 75 e8 ff b0 60 04 00 00 ff d7 8d 45 cc 50 ff 73 20 89 75 cc 89 75 d0 89 75 d4 89 75 d8 ff d7 8d 45 cc 50 8b cb e8 b2 a2 fd ff 8d 45 ec 50 ff 73 20 89 75 ec 89 75 f0 89 75 f4 89 75 f8 ff 15 04 78 52 00 8b 45 ec 2b 45 cc 8b 7d e4 01 45 dc 8b 45 f0 2b 45 d0 8d 4d dc 01 45 e0 8b 45 f4 2b 45 d4 03 f8 8b 45 f8 2b 45 d8 89 7d e4 01 45 e8 e8 6a e8 ff ff 85 c0 0f 85 2f 01 00 00 8b 45 e8 2b 45 e0 2b 7d dc 6a 14 50 57 ff 75 e0 ff 75 dc e9 0f 01 00 00 39 75 c8 0f 85 0e 01 00 00 3b c6 74 29 8d 88 40 04 00 00 e8 09 73 fd ff b9 00 02 00 00 85 c1 75 15 6a 20 51 8b 8b 38 04 00 00 56 81 c1 40 04 00 00 e8 31 73 fd ff ff Data Ascii: `jVs `uR=wREP8uuuu`EPs uuuuEPEPs uuuuxRE+E}EE+EMEE+EE+E}Ej/E+E+}jPWuu9u;t)@suj Q8V@1s
2022-11-04 12:16:09 UTC	240	IN	Data Raw: 8b f1 e8 c4 47 fd ff 50 68 58 e9 52 00 e8 0b 24 fe ff 59 59 85 c0 74 3d 8b c8 e8 82 6f fd ff 85 c0 74 32 8b 06 8b ce ff 90 68 01 00 00 85 c0 74 15 8b 10 8b c8 ff 52 60 85 c0 74 0a 8b 06 8b ce ff 90 14 02 00 00 6a 00 6a 00 6a 10 ff 76 20 ff 15 e4 76 52 00 5e c3 8b ff 55 8b ec 56 8b 75 08 33 c0 56 89 06 89 46 04 89 46 08 89 46 0c ff 71 20 ff 15 04 78 52 00 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 83 3d 10 3b 57 00 00 56 8b f1 75 07 33 c0 e9 87 00 00 00 57 e8 2f 47 fd ff 50 68 58 e9 52 00 e8 76 23 fe ff 8b f8 59 59 85 ff 74 6b 6a 00 8b cf e8 71 5e 06 00 3b c6 75 5e 8d 4d 08 e8 a2 e2 ff ff 85 c0 75 0b 8d 45 08 50 8b cf e8 50 9c fd ff b9 98 39 57 00 e8 02 2a fe ff 8b f0 85 f6 74 37 8d 4d 08 e8 7b e2 ff ff 85 c0 75 13 8d 45 08 50 ff 15 cc 75 52 00 85 c0 75 05 8d 45 Data Ascii: GPhXR$YYt=ot2htR`tjjjv vR^UVu3VFFFq xR^]U=;WVu3W/GPhXRv#YYtkjq^;u^MuEPP9W*t7M{uEPuRuE
2022-11-04 12:16:09 UTC	241	IN	Data Raw: 86 38 04 00 00 33 db 3b c3 74 22 8d 88 3c 03 00 00 e8 e3 c3 03 00 85 c0 74 13 8b 86 38 04 00 00 53 53 6a 10 ff 70 20 ff 15 dc 76 52 00 8b 86 34 04 00 00 3b c3 74 78 ff 70 20 e8 3b 2d fd ff 85 c0 74 6c 8b 86 34 04 00 00 ff 70 20 ff 15 08 78 52 00 50 e8 f6 2c fd ff 3b c6 75 4d 8b 86 38 04 00 00 3b c3 74 43 39 98 40 01 00 00 75 3b 8b 8e 34 04 00 00 53 e8 28 6a fd ff 8b be 34 04 00 00 8b 07 8b cf ff 90 98 01 00 00 50 8b cf e8 3e e4 ff ff 8b 8e 38 04 00 00 ff b6 34 04 00 00 81 c1 4c 01 00 00 e8 7b 65 01 00 89 9e 34 04 00 00 56 e8 6b e0 03 00 8b be 10 03 00 00 eb 22 8b c7 3b fb 74 4b ff 70 08 8b 3f 68 08 d6 56 00 e8 73 1e fe ff 59 59 3b c3 74 07 8b 10 8b c8 ff 52 60 3b fb 75 da c7 45 d4 00 dc 52 00 89 5d e0 89 5d e4 89 5d dc 89 5d d8 89 5d e8 c7 45 ec 0a 00 00 Data Ascii: 83;t"<t8SSjp vR4;txp ;-tl4p xRP,;uM8;tC9@u;4S(j4P>84L{e4Vk";tKp?hVsYY;tR`;uER]]]]]E
2022-11-04 12:16:09 UTC	242	IN	Data Raw: 8d 8d 24 ff ff ff 8b f0 e8 7e f8 ff ff 8d 4d a0 c6 45 fc 01 e8 d2 94 fd ff 8d 8d 58 ff ff ff 88 5d fc e8 31 95 fd ff 8d 8d 6c ff ff ff e8 59 f8 ff ff 8b c6 eb 02 33 c0 e8 3c 4a 0c 00 c2 0c 00 8b ff 55 8b ec 51 57 8b f9 83 7f 74 00 75 07 e8 a8 26 fd ff eb 6d 53 0f b7 5d 0c 56 8b 75 0c 68 4c de 52 00 c1 ee 10 89 5d 0c ff 15 2c 74 52 00 85 c0 74 46 68 5c de 52 00 50 ff 15 e0 73 52 00 89 45 fc 85 c0 74 33 8b 4f 74 8b 01 53 56 ff 90 ec 01 00 00 8b d8 85 db 75 0f 6a 01 ff 75 0c 8b cf 56 e8 91 fc ff ff 8b d8 8b 47 20 6a 00 53 50 ff 55 fc 53 ff 15 ec 71 52 00 8b cf e8 3b 26 fd ff 5e 5b 5f c9 c2 08 00 8b ff 55 8b ec 83 ec 1c a1 54 04 57 00 33 c5 89 45 fc 56 57 8b f1 33 ff 39 7e 74 0f 84 bd 00 00 00 53 e8 53 f6 ff ff 8b 4e 74 8d 5d e4 53 89 7d e4 89 7d e8 8b 11 50 Data Ascii: $~MEX]1lY3<JUQWtu&mS]VuhLR],tRtFh\RPsREt3OtSVujuVG jSPUSqR;&^[_UTW3EVW39~tSSNt]S}}P
2022-11-04 12:16:09 UTC	244	IN	Data Raw: 54 3b fc ff e8 c4 44 0c 00 c2 04 00 b8 f0 e0 52 00 c3 6a 10 b8 1c ac 51 00 e8 c3 43 0c 00 8b d9 e8 9d de ff ff 85 c0 0f 84 2d 01 00 00 8b cb e8 77 de ff ff 85 c0 0f 84 1e 01 00 00 8b cb e8 58 37 fd ff 50 68 58 e9 52 00 e8 9f 13 fe ff 8b f0 59 59 85 f6 0f 84 00 01 00 00 8b ce e8 92 5d fd ff 8b f8 f7 c7 00 80 00 00 0f 84 dd 00 00 00 8d 45 e8 50 8b ce e8 5b fd ff ff 83 65 fc 00 e8 a6 80 fd ff 50 8d 4d f0 e8 4c 3a fc ff ff 75 08 8d 4d ec c6 45 fc 01 e8 4d 8f fc ff c6 45 fc 02 68 dc e1 52 00 f7 c7 00 40 00 00 74 28 8d 45 ec 50 8d 45 e4 50 e8 af e9 fc ff 8d 4d e8 51 50 8d 45 08 50 c6 45 fc 03 e8 cd df fc ff 83 c4 18 c6 45 fc 04 eb 26 8d 45 e8 50 8d 45 e4 50 e8 87 e9 fc ff 8d 4d ec 51 50 8d 45 08 50 c6 45 fc 05 e8 a5 df fc ff 83 c4 18 c6 45 fc 06 50 8d 4d f0 e8 Data Ascii: T;DRjQC-wX7PhXRYY]EP[ePML:uMEMEhR@t(EPEPMQPEPEE&EPEPMQPEPEEPM
2022-11-04 12:16:09 UTC	245	IN	Data Raw: 00 00 8d 7d f0 a5 a5 a5 8b 4d 08 a5 8b 45 fc 2b 45 f4 6a 14 50 8b 45 f8 2b 45 f0 50 ff 75 f4 ff 75 f0 6a 00 e8 07 5a fd ff 5f 5e 83 a3 e8 00 00 00 00 5b c9 c2 04 00 8b ff 56 8b f1 e8 91 c4 06 00 6a 00 6a 00 68 63 03 00 00 8d 8e 98 02 00 00 e8 b1 45 01 00 ff b6 30 01 00 00 68 3c bd 53 00 e8 dc 0d fe ff 59 59 5e 85 c0 74 07 8b c8 e8 20 d3 06 00 33 c0 c2 08 00 8b ff 55 8b ec 56 8b f1 57 ff 75 08 8d 8e 98 02 00 00 8b 01 ff 50 50 8b f8 8b 06 6a 00 8b ce ff 90 dc 01 00 00 8b c7 5f 5e 5d c2 04 00 8b ff 55 8b ec 56 ff 75 14 8b f1 ff 75 10 ff 75 0c ff 75 08 e8 73 84 04 00 85 c0 74 05 33 c0 40 eb 17 ff 75 14 8d 8e 98 02 00 00 ff 75 10 ff 75 0c ff 75 08 e8 7f 58 01 00 5e 5d c2 10 00 6a 04 b8 a2 a0 51 00 e8 46 3d 0c 00 68 88 04 00 00 e8 9f e6 fc ff 59 8b c8 89 4d f0 Data Ascii: }ME+EjPE+EPuujZ_^[VjjhcE0h<SYY^t 3UVWuPPj_^]UVuuuust3@uuuuX^]jQF=hYM
2022-11-04 12:16:09 UTC	246	IN	Data Raw: e8 e5 cc 03 00 83 4d fc ff 8b ce e8 ba ba 06 00 e8 4c 39 0c 00 c3 8b ff 55 8b ec 56 ff 75 08 8b f1 8d 8e 98 01 00 00 e8 4d aa 03 00 85 c0 74 07 b8 02 00 ff ff eb 10 ff 75 10 8b ce ff 75 0c ff 75 08 e8 b2 8f 04 00 5e 5d c2 0c 00 8b ff 55 8b ec 56 57 8b 7d 08 8b f1 56 57 8d 8e 98 01 00 00 e8 97 d6 03 00 85 c0 74 1d 85 ff 74 0e 83 bf bc 0e 00 00 00 74 05 33 c0 40 eb 0b 8b 06 57 8b ce ff 90 e4 01 00 00 5f 5e 5d c2 04 00 8b ff 55 8b ec a1 bc 48 57 00 3b 45 08 75 07 83 25 bc 48 57 00 00 81 c1 9c 02 00 00 e8 4b 21 01 00 5d c2 04 00 8b ff 55 8b ec 8b 45 08 56 c1 e8 10 57 8b f9 66 83 f8 01 75 36 0f b7 75 08 56 e8 4b 7c fe ff 6a 00 6a 1b 8d 8f 98 01 00 00 e8 7c b0 03 00 85 c0 74 05 33 c0 40 eb 2e 8b 0d 48 49 57 00 85 c9 74 0a 56 e8 6f 90 ff ff 85 c0 75 e7 83 3d 04 Data Ascii: ML9UVuMtuuu^]UVW}VWttt3@W_^]UHW;Eu%HWK!]UEVWfu6uVK\|jj\|t3@.HIWtVou=
2022-11-04 12:16:09 UTC	247	IN	Data Raw: 00 8b 01 ff 50 24 5d c2 04 00 8b ff 55 8b ec 56 ff 75 08 e8 d9 ff ff ff 8b f0 85 f6 74 23 8b ce e8 06 50 fd ff 8b 16 c1 e8 1c 6a 00 f7 d0 83 e0 01 6a 00 50 8b ce ff 92 20 02 00 00 33 c0 40 eb 02 33 c0 5e 5d c2 04 00 8b ff 55 8b ec 53 56 57 8b 7d 0c 57 ff 75 08 8b f1 8d 8e 9c 02 00 00 e8 dd 3b 01 00 8b 5f 08 57 ff 75 08 8b ce e8 22 88 04 00 89 5f 08 8b 06 6a 01 8b ce ff 90 74 01 00 00 5f 5e 5b 5d c2 08 00 8b ff 55 8b ec 83 ec 10 53 57 ff 75 08 8b d9 e8 ca bd 06 00 33 ff 39 bb e8 00 00 00 0f 85 88 00 00 00 8b 83 9c 02 00 00 56 57 8d 8b 9c 02 00 00 c7 83 e8 00 00 00 01 00 00 00 ff 50 38 ff 75 08 8b 83 9c 02 00 00 8d 8b 9c 02 00 00 ff 50 34 8b cb e8 8b 73 04 00 8b c8 89 4d 08 3b cf 74 43 68 88 ae 53 00 e8 16 05 fe ff 85 c0 74 35 39 bb cc 03 00 00 74 2d 8d b3 Data Ascii: P$]UVut#PjjP 3@3^]USVW}Wu;_Wu"_jt_^[]USWu39VWP8uP4sM;tChSt59t-
2022-11-04 12:16:09 UTC	249	IN	Data Raw: e8 89 5d e0 89 5d dc 89 5d ec c7 45 f0 0a 00 00 00 ff 77 20 89 5d fc ff 15 4c 77 52 00 eb 17 ff 76 20 8d 4d d8 e8 b1 a1 02 00 8b 76 20 6a 02 56 ff 15 0c 78 52 00 50 e8 46 0e fd ff 8b f0 3b f3 75 dd 8b 75 dc 3b f3 74 27 8b 5e 08 8b 36 53 ff 15 20 77 52 00 85 c0 74 13 53 ff 15 08 78 52 00 3b 47 20 75 07 53 ff 15 50 77 52 00 85 f6 75 d9 8b cf e8 f7 b2 06 00 83 4d fc ff 8d 4d d8 c7 45 d8 00 dc 52 00 e8 f5 50 06 00 e8 b6 30 0c 00 c3 b8 d8 e7 52 00 c3 b8 58 e9 52 00 c3 e9 6d 8f 04 00 8b ff 55 8b ec 56 8b f1 8b 06 57 ff 90 24 02 00 00 33 ff 3b c7 74 0b 8b c8 e8 46 e3 06 00 85 c0 75 67 8b 8e 38 04 00 00 3b cf 74 2d e8 ad 49 fd ff a9 00 00 00 10 74 21 8b 06 57 8b ce ff 50 70 57 8b ce e8 9c 3a 06 00 8b 8e 38 04 00 00 50 e8 8b d2 06 00 33 c0 40 eb 32 39 be e8 03 00 Data Ascii: ]]]Ew ]LwRv Mv jVxRPF;uu;t'^6S wRtSxR;G uSPwRuMMERP0RXRmUVW$3;tFug8;t-It!WPpW:8P3@29
2022-11-04 12:16:09 UTC	250	IN	Data Raw: c0 40 5e c9 c2 08 00 8b ff 56 8b f1 8b 06 6a 01 ff 90 74 01 00 00 8d 8e 4c 01 00 00 8b 01 ff 50 30 33 c0 5e c2 08 00 6a 00 6a 00 68 63 03 00 00 81 c1 4c 01 00 00 e8 57 32 01 00 33 c0 c2 08 00 8b ff 55 8b ec ff b1 44 01 00 00 81 c1 40 04 00 00 ff 75 08 e8 bb 73 06 00 5d c2 04 00 8b ff 55 8b ec ff b1 44 01 00 00 81 c1 40 04 00 00 ff 75 08 e8 31 72 06 00 5d c2 04 00 8b ff 55 8b ec 56 ff 75 14 8b f1 ff 75 10 ff 75 0c ff 75 08 e8 de 39 06 00 85 c0 74 05 33 c0 40 eb 17 ff 75 14 8d 8e 4c 01 00 00 ff 75 10 ff 75 0c ff 75 08 e8 36 45 01 00 5e 5d c2 10 00 8b ff 56 8b f1 8d 8e 3c 03 00 00 e8 9b a7 03 00 85 c0 75 08 8b ce 5e e9 5c 07 fd ff 5e c3 8b ff 55 8b ec 56 57 8b f1 e8 4c 07 fd ff ff 75 0c 8d 8e 3c 03 00 00 8b f8 e8 9e ab 03 00 8b c7 5f 5e 5d c2 08 00 8b ff 55 Data Ascii: @^VjtLP03^jjhcLW23UD@us]UD@u1r]UVuuuu9t3@uLuuu6E^]V<u^\^UVWLu<_^]U
2022-11-04 12:16:09 UTC	251	IN	Data Raw: ff 56 8b f1 8b 86 48 01 00 00 57 85 c0 74 19 6a 00 6a 00 6a 10 ff 70 20 ff 15 dc 76 52 00 83 a6 48 01 00 00 00 5f 5e c3 8d 8e 3c 03 00 00 e8 a2 99 03 00 85 c0 75 2a 8b 06 8b ce c7 86 40 01 00 00 01 00 00 00 ff 90 24 02 00 00 85 c0 74 07 8b c8 e8 14 d8 06 00 8d 8e 3c 03 00 00 e8 37 b0 03 00 5f 8b ce 5e e9 57 6a 04 00 8b ff 55 8b ec 53 56 8b 75 08 57 33 ff 8b d9 39 3d 34 3b 57 00 74 37 3b f7 74 33 8b ce e8 b9 f7 fe ff 39 be b4 10 00 00 75 16 3b c7 75 12 39 be 48 01 00 00 74 0a 8b 46 20 57 57 50 6a 05 eb 08 8b 46 20 57 57 50 6a 07 ff 15 d8 75 52 00 39 35 bc 48 57 00 75 06 89 3d bc 48 57 00 8d 8b 4c 01 00 00 e8 b3 0d 01 00 5f 5e 5b 5d c2 04 00 8b ff 55 8b ec 83 7d 08 00 77 12 83 b9 24 01 00 00 00 74 09 e8 ca f6 ff ff 5d c2 08 00 5d e9 f4 34 fd ff 8b ff 55 8b Data Ascii: VHWtjjjp vRH_^<u*@$t<7_^WjUSVuW39=4;Wt7;t39u;u9HtF WWPjF WWPjuR95HWu=HWL_^[]U}w$t]]4U
2022-11-04 12:16:09 UTC	253	IN	Data Raw: 2a 06 00 8b f0 85 f6 74 50 53 ff 76 20 33 db ff 15 d0 75 52 00 85 c0 74 0a 6a 09 8b ce e8 b0 3a fd ff 43 8b 4d fc e8 56 39 06 00 68 01 04 00 00 6a 00 6a 00 ff 76 20 ff 15 70 78 52 00 85 db 5b 74 17 8b 4d fc 6a 00 e8 35 2a 06 00 85 c0 74 09 6a 03 8b c8 e8 79 3a fd ff 5e c9 c3 8b ff 55 8b ec 56 ff 75 08 8b f1 83 be 0c 04 00 00 00 74 0d 8d 8e f4 03 00 00 e8 4b 3b 06 00 eb 12 8d 8e 3c 03 00 00 e8 20 9d 03 00 8b ce e8 49 fc fc ff 5e 5d c2 04 00 8b ff 55 8b ec 51 56 6a 00 8b f1 e8 fd b0 ff ff 85 c0 74 12 8b ce e8 43 ff ff ff 6a 00 8b ce e8 c9 29 06 00 eb 3f e8 b9 ba fd ff 8b 40 04 ff 75 08 8b 10 8b c8 ff 92 a4 00 00 00 8b f0 85 f6 75 04 33 c0 eb 2d 8b 06 8b ce ff 50 68 89 45 fc 85 c0 74 ee 8b 06 8d 4d fc 51 8b ce ff 50 6c 8b c8 e8 eb 11 fd ff 50 68 3c da 52 00 Data Ascii: tPSv 3uRtj:CMV9hjjv pxR[tMj5tjy:^UVutK;< I^]UQVjtCj)?@uu3-PhEtMQPlPh<R
2022-11-04 12:16:09 UTC	254	IN	Data Raw: 70 60 74 24 83 78 50 04 75 1e 8b cb 89 bb 68 03 00 00 e8 b8 33 fd ff 25 00 00 c0 00 f7 d8 1b c0 f7 d8 89 83 6c 03 00 00 39 b3 3c 01 00 00 0f 85 c3 00 00 00 8b cb e8 d2 57 04 00 89 45 fc 39 b3 7c 02 00 00 75 26 8d 8b 4c 01 00 00 e8 8c b0 ff ff 85 c0 75 17 ff 75 08 8b 83 4c 01 00 00 8d 8b 4c 01 00 00 ff 50 34 e9 81 00 00 00 8b 4d fc 3b ce 74 4d 68 88 ae 53 00 e8 2e e9 fd ff 85 c0 74 3f ff 75 08 8d 8b 4c 01 00 00 8b 01 ff 50 34 8d b3 44 02 00 00 8d 7d e8 a5 a5 a5 8b 4d fc a5 8b 45 f4 2b 45 ec 6a 14 50 8b 45 f0 2b 45 e8 50 ff 75 ec ff 75 e8 6a 00 e8 fc 34 fd ff 33 f6 eb 37 39 75 08 74 18 8d 8b 4c 01 00 00 e8 0d b0 ff ff 85 c0 74 09 8b cb e8 e1 f6 ff ff eb 1a ff 75 08 8b cb 89 b3 e8 00 00 00 e8 37 6e 04 00 8b 03 8b cb ff 90 08 02 00 00 8b 83 68 03 00 00 89 b3 Data Ascii: p`t$xPuh3%l9<WE9\|u&LuuLLP4M;tMhS.t?uLP4D}ME+EjPE+EPuuj4379utLtu7nh
2022-11-04 12:16:09 UTC	256	IN	Data Raw: 00 c2 04 00 6a 04 b8 a2 a0 51 00 e8 01 14 0c 00 68 ac 2d 00 00 e8 5a bd fc ff 59 8b c8 89 4d f0 33 c0 89 45 fc 3b c8 74 05 e8 73 fb ff ff e8 b6 14 0c 00 c3 8b ff 55 8b ec 56 8b f1 e8 7b fc ff ff f6 45 08 01 74 07 56 e8 56 bd fc ff 59 8b c6 5e 5d c2 04 00 b8 d4 eb 52 00 c3 6a 0c b8 1f ae 51 00 e8 aa 13 0c 00 8b d9 f6 45 10 10 75 07 33 c0 e9 fb 00 00 00 33 ff 39 3d b0 5d 57 00 74 ef c7 45 e8 2c 8a 52 00 89 7d ec 89 7d fc ff 15 b4 75 52 00 50 8d 4d e8 e8 cf 07 fe ff e8 b8 50 fd ff 50 8d 4d 10 e8 5e 0a fc ff be c0 42 00 00 56 c6 45 fc 01 e8 95 9a fd ff 3b c7 75 04 33 c0 eb 0a 56 50 8d 4d 10 e8 0d 5d fc ff 33 c9 3b c7 0f 95 c1 3b cf 75 05 e8 fd 4e fd ff ff 75 10 6a 96 57 ff 75 ec ff 15 84 76 52 00 6a 08 6a 96 ff 75 ec ff 15 bc 76 52 00 3b df 75 04 33 f6 eb 03 Data Ascii: jQh-ZYM3E;tsUV{EtVVY^]RjQEu339=]WtE,R}}uRPMPPM^BVE;u3VPM]3;;uNujWuvRjjuvR;u3
2022-11-04 12:16:09 UTC	257	IN	Data Raw: 75 03 89 5d fc 8b 8e 20 02 00 00 85 c9 74 0c e8 63 28 fd ff 85 c7 74 03 33 db 43 83 7d fc 00 75 04 85 db 74 34 8b 06 8b ce ff 90 c4 01 00 00 85 c0 74 1d 8b c8 e8 c3 c1 06 00 85 c0 74 12 ff 75 08 8b 3e e8 42 02 fe ff 50 8b ce ff 57 70 eb 09 8b 06 6a 00 8b ce ff 50 70 5f 5e 5b c9 c2 04 00 8b ff 55 8b ec 56 57 ff 75 08 8b f1 68 cc bf 53 00 e8 fb dd fd ff 8b f8 59 59 85 ff 74 14 8b 07 8b cf ff 90 40 03 00 00 85 c0 74 06 89 be 20 02 00 00 ff 75 08 68 64 c3 53 00 e8 d2 dd fd ff 59 59 85 c0 74 06 89 86 24 02 00 00 6a 00 6a 00 ff 75 0c 8d 8e 28 02 00 00 ff 75 08 e8 a1 ec 00 00 5f 5e 5d c2 08 00 8b ff 55 8b ec 81 c1 28 02 00 00 5d e9 44 ed 00 00 8b ff 55 8b ec 81 c1 28 02 00 00 5d e9 80 ed 00 00 8b ff 55 8b ec 81 c1 28 02 00 00 5d e9 dd fb 00 00 8b ff 55 8b ec 6a Data Ascii: u] tc(t3C}ut4ttu>BPWpjPp_^[UVWuhSYYt@t uhdSYYt$jju(u_^]U(]DU(]U(]Uj
2022-11-04 12:16:09 UTC	258	IN	Data Raw: ff 70 20 ff 15 20 77 52 00 85 c0 74 1a 83 7e 08 12 75 14 a1 bc 48 57 00 53 53 6a 10 ff 70 20 ff 15 dc 76 52 00 eb aa 53 ff 76 08 8d 8f 24 01 00 00 e8 55 81 03 00 85 c0 0f 84 58 ff ff ff eb 91 56 e8 7a 7b 03 00 85 c0 75 1a 8d 45 fc 50 ff 76 08 8d 8f 24 01 00 00 e8 2f 81 03 00 85 c0 0f 85 88 00 00 00 33 db 83 7e 08 1b 75 56 39 9f f4 01 00 00 74 0c 57 8d 8f dc 01 00 00 e8 c0 24 06 00 8b 8f e0 03 00 00 3b cb 74 0f 39 59 08 74 0a 39 59 04 74 05 e8 54 d4 06 00 ff 15 00 77 52 00 50 e8 29 e6 fc ff 50 68 90 c3 53 00 e8 15 d8 fd ff 59 59 3b c3 74 0c 53 53 6a 1f ff 70 20 e9 5d ff ff ff 39 5d fc 0f 85 cb fe ff ff 33 c0 e9 cc fe ff ff 8b 8f 20 02 00 00 85 c9 74 17 ff 76 0c ff 76 08 57 e8 ba a3 06 00 85 c0 74 07 8b c3 e9 ab fe ff ff 8b 1d ac 77 52 00 6a 11 ff d3 6a 10 Data Ascii: p wRt~uHWSSjp vRSv$UXVz{uEPv$/3~uV9tW$;t9Yt9YtTwRP)PhSYY;tSSjp ]9]3 tvvWtwRjj
2022-11-04 12:16:09 UTC	259	IN	Data Raw: 00 00 74 4c 8b 46 08 83 f8 12 74 13 83 f8 79 75 3f 39 4d f4 75 3a 3b d9 75 36 39 4d f8 75 31 ff 15 1c 77 52 00 50 e8 53 e5 fc ff 8b 8f d0 01 00 00 3b c8 75 04 8b cf eb 0d f7 46 0c 00 00 00 20 0f 85 3b fe ff ff e8 57 23 fd ff e9 31 fe ff ff a1 bc 48 57 00 3b c1 0f 84 e9 fd ff ff ff 70 20 ff 15 20 77 52 00 e9 7b fe ff ff 3d 00 02 00 00 0f 84 b5 00 00 00 3d 01 02 00 00 74 45 3d 03 02 00 00 0f 86 be fd ff ff 3d 05 02 00 00 76 33 3d 06 02 00 00 0f 86 ac fd ff ff 3d 08 02 00 00 76 21 3d 0a 02 00 00 0f 85 9a fd ff ff ff 76 0c 8d 8f 24 01 00 00 ff 76 08 e8 07 83 03 00 e9 7c fd ff ff 0f bf 46 0c ff 36 89 45 f0 0f bf 46 0e 89 45 f4 e8 a7 e4 fc ff 8b 1d 20 77 52 00 89 45 08 85 c0 74 18 ff 36 ff d3 85 c0 74 10 8d 45 f0 50 8b 45 08 ff 70 20 ff 15 6c 76 52 00 ff 36 8d Data Ascii: tLFtyu?9Mu:;u69Mu1wRPS;uF ;W#1HW;p wR{==tE==v3==v!=v$v\|F6EFE wREt6tEPEp lvR6
2022-11-04 12:16:09 UTC	260	IN	Data Raw: ff ff 85 c0 74 4d 8d 45 ec 50 ff 76 20 89 7d ec 89 7d f0 89 7d f4 89 7d f8 ff 15 04 78 52 00 8b 45 ec 8b 55 f4 8b 4d f0 2b d0 89 45 d8 8b 45 f8 2b c1 89 45 e4 8d 45 d0 89 4d dc 8d 9e 24 01 00 00 50 8b cb c7 45 e8 20 00 00 00 89 55 e0 e8 62 75 03 00 8b cb e8 e5 85 03 00 33 d2 39 be 1c 01 00 00 8d 8e 28 02 00 00 8b 01 0f 94 c2 52 ff 50 58 39 be 1c 01 00 00 75 3b 83 7d 08 02 74 35 39 be 18 01 00 00 75 2d ff 75 10 8b ce ff 75 0c c7 86 34 02 00 00 01 00 00 00 ff 75 08 e8 fc 57 04 00 8b 06 57 8b ce ff 90 b8 01 00 00 89 be 34 02 00 00 eb 3c ff 75 10 8b 5d 08 ff 75 0c 8b ce 53 e8 d8 57 04 00 83 fb 02 74 0c 3b df 75 14 39 be 18 01 00 00 74 0c 8b 06 6a 01 8b ce ff 90 74 01 00 00 33 c0 83 fb 02 0f 94 c0 89 86 18 01 00 00 8b 4d fc 5f 5e 33 cd 5b e8 dd ee 0b 00 c9 c2 Data Ascii: tMEPv }}}}xREUM+EE+EEM$PE Ubu39(RPX9u;}t59u-uu4uWW4<u]uSWt;u9tjt3M_^3[
2022-11-04 12:16:09 UTC	261	IN	Data Raw: 74 0b ff 76 20 8d 4d d4 e8 7a 6f 02 00 8b 76 20 6a 02 56 ff 15 0c 78 52 00 50 e8 0f dc fc ff 8b f0 3b f7 75 be 8b 75 d8 3b f7 74 29 8b 7e 08 8b 36 57 ff 15 20 77 52 00 85 c0 74 13 57 ff 15 08 78 52 00 3b 43 20 75 07 57 ff 15 50 77 52 00 85 f6 75 d9 33 ff ff 45 f0 83 7d f0 02 0f 8c 76 ff ff ff 53 e8 98 8f 03 00 8b cb e8 78 5c 04 00 83 4d fc ff 8d 4d d4 c7 45 d4 00 dc 52 00 e8 a9 1e 06 00 e8 6a fe 0b 00 c3 6a 08 b8 a7 ae 51 00 e8 85 fd 0b 00 8b f1 8b 86 20 02 00 00 8b 3d 6c 78 52 00 33 db 85 c0 74 23 ff 70 20 ff d7 85 c0 75 09 ff 76 20 ff d7 85 c0 75 11 8b 86 20 02 00 00 39 98 14 03 00 00 74 03 33 db 43 8d 8e 24 01 00 00 e8 54 8f ff ff 85 c0 0f 84 8d 00 00 00 ff 76 20 ff d7 85 c0 0f 84 80 00 00 00 33 ff 3b df 75 7a e8 6b 3a fd ff 50 8d 4d ec e8 11 f4 fb ff Data Ascii: tv Mzov jVxRP;uu;t)~6W wRtWxR;C uWPwRu3E}vSx\MMERjjQ =lxR3t#p uv u 9t3C$Tv 3;uzk:PM
2022-11-04 12:16:09 UTC	263	IN	Data Raw: 45 e0 50 53 e8 a8 53 02 00 e8 4b f9 0b 00 c2 1c 00 a1 e4 39 57 00 c3 a1 c8 39 57 00 c3 8b ff 55 8b ec 8b 45 08 f7 40 24 00 00 04 00 a1 c8 39 57 00 75 05 a1 d0 39 57 00 5d c2 04 00 6a 08 b8 ca ae 51 00 e8 25 f8 0b 00 8b 5d 08 53 8d 4d ec e8 dd 6e 05 00 83 65 fc 00 6a ff 6a 00 6a ff 6a ff 83 ec 10 8b fc 8d 75 0c a5 a5 a5 8d 4d ec a5 e8 f0 7b 05 00 ff 35 ec 39 57 00 8d 45 0c ff 35 e8 39 57 00 8b cb 50 e8 bc 20 fe ff 83 4d fc ff 8d 4d ec e8 b1 6e 05 00 e8 a9 f8 0b 00 c2 14 00 8b ff 55 8b ec 51 51 8b 45 0c 8b 40 24 83 65 f8 00 83 65 fc 00 8b 4d 08 c1 e8 12 83 e0 01 8d 55 f8 52 50 8d 45 10 50 8b 45 24 f7 d8 1b c0 83 e0 0a 83 c0 02 50 51 e8 25 7b 00 00 c9 c2 20 00 8b ff 55 8b ec 83 ec 14 a1 54 04 57 00 33 c5 89 45 fc 8b 45 10 53 56 57 8d 75 10 8d 7d ec a5 a5 8b Data Ascii: EPSSK9W9WUE@$9Wu9W]jQ%]SMnejjjjuM{59WE59WP MMnUQQE@$eeMURPEPE$PQ%{ UTW3EESVWu}
2022-11-04 12:16:09 UTC	264	IN	Data Raw: 50 e8 95 1b fe ff 8b 4d fc 33 cd 5b e8 cd e0 0b 00 c9 c2 24 00 8b ff 55 8b ec f7 45 24 00 01 00 00 8b 4d 08 75 2c f7 45 24 00 02 00 00 74 0d a1 e8 39 57 00 8b 15 ec 39 57 00 eb 0b a1 ec 39 57 00 8b 15 e8 39 57 00 50 52 8d 45 10 50 e8 49 1b fe ff 5d c2 20 00 8b ff 55 8b ec 8b 45 0c 8b 80 7c 01 00 00 56 57 8b 7d 08 8b cf 83 f8 01 75 25 ff 35 f0 39 57 00 8d 45 10 6a 7f 50 e8 1a 1b fe ff 8b 35 18 76 52 00 6a ff 6a ff 8d 45 10 50 ff d6 6a 7f eb 68 83 f8 02 8d 45 10 75 38 53 ff 35 f0 39 57 00 bb 00 00 7f 00 53 50 e8 eb 1a fe ff 8b 35 18 76 52 00 6a ff 6a ff 8d 45 10 50 ff d6 53 ff 35 ec 39 57 00 8d 45 10 50 8b cf e8 c9 1a fe ff 5b eb 39 ff 35 f0 39 57 00 ff 35 e4 39 57 00 50 e8 b4 1a fe ff 8b 35 18 76 52 00 6a ff 6a ff 8d 45 10 50 ff d6 ff 35 e8 39 57 00 ff 35 Data Ascii: PM3[$UE$Mu,E$t9W9W9W9WPREPI] UE\|VW}u%59WEjP5vRjjEPjhEu8S59WSP5vRjjEPS59WEP[959W59WP5vRjjEP59W5
2022-11-04 12:16:09 UTC	265	IN	Data Raw: 39 57 00 8b 4d 08 ff 35 e4 39 57 00 ff 75 10 e8 db 15 fe ff 5d c2 0c 00 8b ff 55 8b ec ff 35 e4 39 57 00 8b 4d 08 8d 45 10 50 e8 de 13 fe ff 5d c2 18 00 8b ff 55 8b ec 56 57 ff 75 24 33 d2 39 55 20 8b 01 0f 95 c2 6a 00 ff 75 1c 8d 75 0c 52 83 ec 10 8b fc ff 75 08 a5 a5 a5 a5 ff 90 a0 01 00 00 5f 5e 5d c2 20 00 8b ff 55 8b ec 51 51 8b 45 08 33 c9 8d 55 f8 52 51 89 4d f8 89 4d fc 8d 4d 0c 51 6a 08 50 e8 1c 70 00 00 c9 c2 18 00 8b ff 55 8b ec 51 51 8d 45 f8 50 e8 f5 6e 00 00 8b 40 04 83 c0 06 c9 c2 08 00 8b ff 55 8b ec 56 8b 75 08 57 8b 3e 8b ce ff 97 08 02 00 00 50 8b ce ff 97 d8 01 00 00 8b f8 8b 06 8b ce ff 90 84 02 00 00 85 c0 74 0c 83 ff ff 74 07 8b 45 18 89 38 eb 1a 83 be 14 01 00 00 00 8b 45 18 8b 0d ac 39 57 00 75 06 8b 0d e4 39 57 00 89 08 83 be 14 Data Ascii: 9WM59Wu]U59WMEP]UVWu$39U juuRu_^] UQQE3URQMMMQjPpUQQEPn@UVuW>PttE8E9Wu9W
2022-11-04 12:16:09 UTC	267	IN	Data Raw: 58 74 08 00 5f 5e 5b c9 c2 08 00 8b ff 55 8b ec 8b 01 5d ff a0 30 02 00 00 8b ff 55 8b ec 8b 01 5d ff a0 38 02 00 00 6a 3c b8 4f af 51 00 e8 9f e7 0b 00 8b 45 08 8b 5d 0c 68 68 f0 53 00 8b cb 89 45 cc e8 0f b7 fd ff 85 c0 0f 85 af 01 00 00 8d 73 18 8d 7d d0 a5 a5 a5 8b cb a5 e8 02 44 05 00 85 c0 74 1a 8b 03 8b cb ff 50 3c 85 c0 74 0f 8b 03 8b cb ff 50 2c 85 c0 0f 84 80 01 00 00 8b 03 8b cb ff 50 2c 85 c0 75 25 8b 03 8b cb ff 50 3c 85 c0 75 1a 8b 03 8b cb ff 50 40 85 c0 75 0f 8b 03 8b cb ff 50 30 85 c0 0f 84 50 01 00 00 83 3d 8c 56 57 00 00 74 31 ff 75 cc 8d 4d c0 e8 6a 5d 05 00 ff 35 e8 39 57 00 83 65 fc 00 6a ff 8d 45 d0 50 8d 4d c0 e8 65 8d 05 00 83 4d fc ff 8d 4d c0 e8 5d 5d 05 00 eb 47 8b 03 8b cb ff 50 34 85 c0 75 24 8b 03 8b cb ff 50 3c 85 c0 75 19 Data Ascii: Xt_^[U]0U]8j<OQE]hhSEs}DtP<tP,P,u%P<uP@uP0P=VWt1uMj]59WejEPMeMM]]GP4u$P<u
2022-11-04 12:16:09 UTC	268	IN	Data Raw: 00 74 05 a1 e4 39 57 00 5d c2 10 00 8b ff 55 8b ec 83 ec 34 8d 4d cc e8 1a e5 ff ff 8b 4d 08 8d 45 cc 50 e8 43 e5 ff ff 33 c0 40 c9 c2 08 00 8b ff 56 8b f1 8b 4e 54 85 c9 0f 84 c5 00 00 00 8b 46 04 85 c0 74 03 50 ff d1 8b 46 08 85 c0 74 04 50 ff 56 54 8b 46 0c 85 c0 74 04 50 ff 56 54 8b 46 14 85 c0 74 04 50 ff 56 54 8b 46 10 85 c0 74 04 50 ff 56 54 8b 46 18 85 c0 74 04 50 ff 56 54 8b 46 1c 85 c0 74 04 50 ff 56 54 8b 46 20 85 c0 74 04 50 ff 56 54 8b 46 24 85 c0 74 04 50 ff 56 54 8b 46 28 85 c0 74 04 50 ff 56 54 8b 46 2c 85 c0 74 04 50 ff 56 54 8b 46 30 85 c0 74 04 50 ff 56 54 8b 46 34 85 c0 74 04 50 ff 56 54 8b 46 38 85 c0 74 04 50 ff 56 54 8b 46 3c 85 c0 74 04 50 ff 56 54 8b 46 40 85 c0 74 04 50 ff 56 54 8b 46 44 85 c0 74 04 50 ff 56 54 8b 46 48 85 c0 74 Data Ascii: t9W]U4MMEPC3@VNTFtPFtPVTFtPVTFtPVTFtPVTFtPVTFtPVTF tPVTF$tPVTF(tPVTF,tPVTF0tPVTF4tPVTF8tPVTF<tPVTF@tPVTFDtPVTFHt
2022-11-04 12:16:09 UTC	270	IN	Data Raw: 00 00 8b 06 8b ce ff 90 bc 01 00 00 89 45 fc a9 00 0f 00 00 0f 84 2e 01 00 00 53 8b 5d 08 57 ff 73 08 ff 15 04 71 52 00 8b b6 80 00 00 00 33 ff 89 45 ec a1 b4 39 57 00 3b f7 75 05 a1 ec 39 57 00 89 45 f8 a1 b0 39 57 00 3b f7 75 05 a1 e8 39 57 00 8b 75 10 89 45 08 8b 45 fc 25 00 01 00 00 89 45 f4 74 16 8b 46 0c ff 75 f8 2b 46 04 8b cb 48 50 6a 01 57 57 e8 a6 03 fe ff 8b 45 fc 25 00 02 00 00 89 45 10 74 15 ff 75 f8 8b 46 08 2b 06 6a 01 48 50 57 57 8b cb e8 84 03 fe ff 8b 45 fc 25 00 04 00 00 89 45 f0 74 17 ff 75 08 8b 46 0c 2b 46 04 8b cb 50 6a ff 57 ff 76 08 e8 60 03 fe ff 8b 45 fc 25 00 08 00 00 89 45 fc 74 17 ff 75 08 8b 46 08 2b 06 6a ff 48 50 ff 76 0c 8b cb 57 e8 3c 03 fe ff 8b 4d 0c 8b 01 ff 90 c8 01 00 00 85 c0 75 29 ff 75 08 8b 46 08 2b 06 6a 01 50 Data Ascii: E.S]WsqR3E9W;u9WE9W;u9WuEE%EtFu+FHPjWWE%EtuF+jHPWWE%EtuF+FPjWv`E%EtuF+jHPvW<Mu)uF+jP
2022-11-04 12:16:09 UTC	271	IN	Data Raw: 8d 4d ec 50 89 7d fc e8 30 7d 05 00 39 7d 20 74 10 6a 01 6a 01 8d 45 0c 50 ff 15 00 76 52 00 eb 05 39 7d 24 74 14 ff 35 e8 39 57 00 8d 45 0c 6a ff 50 8d 4d ec e8 02 7d 05 00 83 4d fc ff 8d 4d ec e8 fa 4c 05 00 eb 62 ff 35 64 3a 57 00 8d 45 0c 50 ff 76 04 ff 15 ec 77 52 00 a1 ec 39 57 00 50 50 8d 45 0c 50 8b ce e8 d2 fe fd ff 39 7d 20 74 1c 6a 01 6a 01 8d 45 0c 50 ff 15 00 76 52 00 ff 35 ec 39 57 00 ff 35 e8 39 57 00 eb 11 39 7d 24 74 17 ff 35 e8 39 57 00 ff 35 ec 39 57 00 8d 45 0c 50 8b ce e8 95 fe fd ff 8d 45 e4 50 33 c0 39 7d 1c 89 7d e4 0f 95 c0 89 7d e8 50 8d 45 0c 50 57 56 e8 2f 59 00 00 8b 06 53 8b ce ff 50 30 e8 68 d6 0b 00 c2 24 00 8b ff 55 8b ec ff 35 64 3a 57 00 8b 45 08 ff 75 0c ff 70 04 ff 15 ec 77 52 00 8b 45 18 8b 0d f8 39 57 00 89 08 5d c2 Data Ascii: MP}0}9} tjjEPvR9}$t59WEjPM}MMLb5d:WEPvwR9WPPEP9} tjjEPvR59W59W9}$t59W59WEPEP39}}}PEPWV/YSP0h$U5d:WEupwRE9W]
2022-11-04 12:16:09 UTC	272	IN	Data Raw: e8 39 57 00 50 50 eb 0c ff 35 ec 39 57 00 ff 35 f0 39 57 00 8d 45 e0 50 e8 76 f9 fd ff 6a ff 6a ff 8d 45 e0 50 ff 15 18 76 52 00 a1 fc 39 57 00 50 50 8d 45 e0 50 8d 4d cc e8 55 f9 fd ff 83 4d fc ff 8d 4d cc e8 c9 1c fd ff e8 56 d1 0b 00 c2 04 00 8b ff 55 8b ec 53 56 8b 75 08 57 ff 76 08 8b 3d e8 39 57 00 ff 15 f4 70 52 00 8b d8 8b 45 1c 85 c0 7e 15 8b 4d 0c 57 ff 75 18 03 c1 50 ff 75 10 51 8b ce e8 3f f8 fd ff 8b 4d 20 85 c9 7e 15 8b 45 10 57 03 c8 51 ff 75 14 8b ce 50 ff 75 0c e8 23 f8 fd ff 83 7d 24 00 7e 16 8b 45 14 57 ff 75 18 8b ce 50 ff 75 10 2b 45 24 50 e8 07 f8 fd ff 83 7d 28 00 7e 16 8b 45 18 57 50 ff 75 14 2b 45 28 8b ce 50 ff 75 0c e8 eb f7 fd ff 8b 06 53 8b ce ff 50 30 5f 5e 5b 5d c2 28 00 8b ff 55 8b ec 56 ff 35 64 3a 57 00 8b 75 08 8d 45 0c Data Ascii: 9WPP59W59WEPvjjEPvR9WPPEPMUMMVUSVuWv=9WpRE~MWuPuQ?M ~EWQuPu#}$~EWuPu+E$P}(~EWPu+E(PuSP0_^[](UV5d:WuE
2022-11-04 12:16:09 UTC	274	IN	Data Raw: 50 8b 45 bc ff 70 04 ff 15 ec 77 52 00 ff 75 b4 8b 4d bc ff 75 b4 8d 45 e0 50 e8 c8 f3 fd ff e9 bf 00 00 00 8b cb e8 dc 27 05 00 85 c0 74 44 8b 03 8b cb ff 90 64 01 00 00 85 c0 75 36 8b 03 8b cb ff 50 2c 85 c0 0f 84 97 00 00 00 ff 35 34 3a 57 00 8d 73 18 8d 7d e0 a5 a5 8d 45 e0 50 8b 45 bc ff 70 04 a5 a5 ff 15 ec 77 52 00 a1 d0 39 57 00 eb 73 8b 03 8b cb ff 50 3c 85 c0 74 65 8b 03 8b cb ff 50 2c 85 c0 75 5a 39 05 8c 56 57 00 74 3c 56 8d 4d ac e8 37 41 05 00 8d 73 18 8d 7d e0 a5 a5 6a ff ff 35 fc 39 57 00 a5 8d 45 e0 50 8d 4d ac c7 45 fc 02 00 00 00 a5 e8 25 71 05 00 8d 4d ac 83 4d fc ff e8 1d 41 05 00 eb 16 8d 73 18 8d 7d c0 a5 a5 8d 45 c0 a5 50 ff 75 bc a5 e8 6e 25 02 00 83 c8 ff e8 0e cb 0b 00 c2 08 00 cc cc cc 6a 10 b8 69 b0 51 00 e8 10 ca 0b 00 8b 75 Data Ascii: PEpwRuMuEP'tDdu6P,54:Ws}EPEpwR9WsP<teP,uZ9VWt<VM7As}j59WEPME%qMMAs}EPun%jiQu
2022-11-04 12:16:09 UTC	275	IN	Data Raw: 08 e8 45 e6 ff ff 5d c2 18 00 8b ff 55 8b ec 83 ec 0c 53 8b 5d 1c 56 8b c1 8b 4d 08 33 f6 57 89 45 f4 89 4d f8 39 70 10 75 07 33 c0 e9 ae 00 00 00 8b cb c7 45 fc 01 00 00 00 e8 b2 e0 fc ff 85 c0 75 09 c7 45 fc 04 00 00 00 eb 50 8b cb e8 16 c9 ff ff 85 c0 75 3e 56 56 68 f0 00 00 00 ff 73 20 ff 15 dc 76 52 00 85 c0 75 2a 39 b3 a8 00 00 00 74 09 c7 45 fc 02 00 00 00 eb 20 ff 15 1c 77 52 00 50 e8 ee a2 fc ff 3b c3 75 10 c7 45 fc 05 00 00 00 eb 07 c7 45 fc 03 00 00 00 8b 03 83 ec 10 8b fc 8d 75 0c a5 a5 a5 a5 8b 75 f8 56 8b cb ff 90 70 01 00 00 8b 45 f4 8b 48 58 85 c9 74 1c 85 f6 75 04 33 d2 eb 03 8b 56 04 6a 00 8d 75 0c 56 ff 75 fc 6a 01 52 ff 70 10 ff d1 33 c0 40 5f 5e 5b c9 c2 1c 00 8b ff 55 8b ec 56 8b c1 8b 70 18 8b 4d 08 57 33 ff 3b f7 75 04 33 c0 eb 3d Data Ascii: E]US]VM3WEM9pu3EuEPu>VVhs vRu*9tE wRP;uEEuuVpEHXtu3VjuVujRp3@_^[UVpMW3;u3=
2022-11-04 12:16:09 UTC	277	IN	Data Raw: ff 75 10 50 ff 75 0c ff 71 04 e8 25 fa ff ff 5d c2 14 00 83 b9 84 00 00 00 00 c7 01 Data Ascii: uPuq%]
2022-11-04 12:16:09 UTC	277	IN	Data Raw: 24 f7 52 00 75 07 83 25 e0 4a 57 00 00 e9 01 f8 ff ff 83 c8 ff c3 33 c0 c2 04 00 33 c0 c2 1c 00 33 c0 c2 20 00 8b ff 55 8b ec 83 7d 08 00 74 0a 8b 01 ff 90 c4 00 00 00 eb 03 83 c8 ff 5d c2 04 00 6a 02 58 c3 8b ff 55 8b ec 56 8b 75 08 85 f6 74 10 68 10 f6 52 00 8b ce e8 fe 8e fd ff 85 c0 74 54 8b 0d e0 4a 57 00 89 35 e4 4a 57 00 85 c9 74 0e 8b 01 6a 01 ff 50 04 83 25 e0 4a 57 00 00 b9 98 39 57 00 e8 05 a2 fd ff 6a 00 6a 02 e8 4b a8 00 00 e8 50 94 08 00 e8 58 e1 ff ff e8 18 c4 ff ff e8 8f e0 ff ff 8b 0d 58 57 57 00 85 c9 74 05 e8 d2 ba 02 00 5e 5d c2 04 00 8b ff 56 8b f1 57 33 ff 68 a4 ba 52 00 c7 06 50 f6 52 00 89 7e 04 89 7e 08 89 7e 10 89 7e 14 89 7e 0c 89 7e 18 89 7e 1c 89 7e 20 89 7e 24 89 7e 28 89 7e 2c 89 7e 30 89 7e 34 89 7e 38 89 7e 3c 89 7e 40 89 Data Ascii: $Ru%JW333 U}t]jXUVuthRtTJW5JWtjP%JW9WjjKPXXWWt^]VW3hRPR~~~~~~~~ ~$~(~,~0~4~8~<~@
2022-11-04 12:16:09 UTC	277	IN	Data Raw: 7e 58 89 7e 5c 89 7e 60 89 7e 64 89 7e 68 5f 8b c6 5e c3 8b ff 55 8b ec 56 8b f1 e8 73 f6 ff ff f6 45 08 01 74 07 56 e8 7f 67 fc ff 59 8b c6 5e 5d c2 04 00 6a 04 b8 8c b0 51 00 e8 d9 bd 0b 00 8b f1 89 75 f0 e8 f1 fe ff ff 8b 7d 08 33 d2 c7 06 24 f7 52 00 89 96 c8 00 00 00 89 96 cc 00 00 00 89 55 fc 89 96 d0 00 00 00 89 be 84 00 00 00 3b fa 75 0e 39 15 e0 4a 57 00 75 06 89 35 e0 4a 57 00 83 8e c4 00 00 00 ff 6a 0c 59 33 c0 40 89 8e 9c 00 00 00 89 8e a0 00 00 00 89 8e b4 00 00 00 33 c9 89 56 6c c7 86 98 00 00 00 06 00 00 00 89 56 70 89 46 74 89 56 78 89 46 7c c7 86 a4 00 00 00 0f 00 00 00 c7 86 a8 00 00 00 19 00 00 00 c7 86 ac 00 00 00 0d 00 00 00 c7 86 b0 00 00 00 07 00 00 00 c7 86 b8 00 00 00 05 00 00 00 c7 86 bc 00 00 00 04 00 00 00 89 86 88 00 00 00 89 Data Ascii: ~X~\~`~d~h_^UVsEtVgY^]jQu}3$RU;u9JWu5JWjY3@3VlVpFtVxF\|
2022-11-04 12:16:09 UTC	279	IN	Data Raw: 0f 84 e7 00 00 00 8d 45 a8 50 e8 dd 3a 00 00 8b 45 f8 2b 45 f0 8d 75 ec 8d 7d dc a5 40 a5 99 2b c2 a5 8b c8 a5 8b 75 a8 8d 46 01 99 2b c2 d1 f8 f7 d8 d1 f9 2b c1 03 45 f4 39 45 ec 7f 03 89 45 dc 8b 45 e8 2b 45 e0 8b 4d ac 40 99 2b c2 8b f8 8d 41 01 99 2b c2 d1 f8 f7 d8 d1 ff 2b c7 03 45 e8 39 45 e0 7f 03 89 45 e0 8b 45 dc 03 4d e0 03 c6 89 45 e4 89 4d e8 3b 45 f4 7f 71 3b 4d f8 7f 6c 33 f6 39 75 10 74 43 68 60 3a 57 00 8b cb e8 9d 06 fd ff ff 73 08 8b f8 ff 15 04 71 52 00 ff 35 e8 39 57 00 89 45 c8 ff 35 fc 39 57 00 8d 45 dc 50 8b cb e8 8e e0 fd ff ff 75 c8 8b 03 8b cb ff 50 2c 57 8b cb e8 66 06 fd ff 8b 45 bc 39 70 30 8d 45 c4 50 56 8d 45 dc 89 75 c4 89 75 c8 50 75 04 6a 07 eb 01 56 53 e8 74 3a 00 00 8b 4d fc 5f 5e 33 cd 5b e8 90 a5 0b 00 c9 c2 14 00 6a Data Ascii: EP:E+Eu}@+uF++E9EEE+EM@+A++E9EEEMEM;Eq;Ml39utCh`:WsqR59WE59WEPuP,WfE9p0EPVEuuPujVSt:M_^3[j
2022-11-04 12:16:09 UTC	280	IN	Data Raw: 56 e8 92 da fb ff 83 c0 10 59 89 45 dc 83 65 fc 00 6a 0a 8d 4d dc e8 1b 59 fe ff 6a 0d 8d 4d dc e8 11 59 fe ff 8b 75 dc 8b 46 f4 8b 13 68 24 80 00 00 8d 4d e0 51 50 56 8b cb ff 52 68 83 4d fc ff 8d 4e f0 e8 ef a9 fb ff 57 8b cb e8 20 f4 fc ff ff 75 d8 8b 03 8b cb ff 50 28 ff 75 cc 8b 03 8b cb ff 50 30 e8 43 b3 0b 00 c2 14 00 6a 00 b8 2c b1 51 00 e8 48 b2 0b 00 8b 75 08 8b 7d 0c 33 db 89 5d fc 3b f3 74 03 8b 5e 04 6a 18 ff 15 1c 76 52 00 50 8d 45 10 50 53 ff 15 ec 77 52 00 8d 4d 20 e8 11 4e fc ff 8b 07 8b cf ff 50 38 8b 3d 4c 78 52 00 85 c0 74 07 a1 c8 39 57 00 eb 04 6a 17 ff d7 8b 16 50 8b ce ff 52 30 8b 16 8b d8 6a 25 8d 45 10 50 8b 45 20 ff 70 f4 8b ce 50 ff 52 68 8b 06 53 8b ce ff 50 30 6a 17 ff d7 50 6a 17 ff d7 50 8d 45 10 50 8b ce e8 9d da fd ff 8b Data Ascii: VYEejMYjMYuFh$MQPVRhMNW uP(uP0Cj,QHu}3];t^jvRPEPSwRM NP8=LxRt9WjPR0j%EPE pPRhSP0jPjPEP
2022-11-04 12:16:09 UTC	281	IN	Data Raw: 89 85 28 ff ff ff e8 19 ed ff ff ff b5 34 ff ff ff 8d 4d d4 56 50 e8 09 ed ff ff 83 85 3c ff ff ff 02 83 85 34 ff ff ff 02 89 85 30 ff ff ff 8b 45 18 47 8d 48 fc 4e 39 8d 3c ff ff ff 7c 8c 8b 8d 24 ff ff ff 83 b9 84 00 00 00 01 75 02 4f 46 8d 4f ff 89 8d 08 ff ff ff 8d 4e 01 89 8d 00 ff ff ff 8b 8d 3c ff ff ff 8d 50 ff 3b ca 0f 8d 0d 01 00 00 41 8d 47 01 89 8d 3c ff ff ff 89 85 34 ff ff ff 8b 85 3c ff ff ff 48 50 57 ff b5 28 ff ff ff 8d 4d d4 e8 d3 ec ff ff ff b5 3c ff ff ff 8d 4d d4 ff b5 34 ff ff ff 50 e8 be ec ff ff 89 85 28 ff ff ff 8b 85 3c ff ff ff 48 50 56 ff b5 30 ff ff ff 8d 4d d4 e8 58 ec ff ff ff b5 3c ff ff ff 8d 4e ff 51 50 8d 4d d4 e8 45 ec ff ff 8b 8d 3c ff ff ff 89 85 30 ff ff ff 8b 45 18 8d 50 fe 49 3b ca 75 6a ff b5 3c ff ff ff 8d 4d d4 Data Ascii: (4MVP<40EGHN9<\|$uOFON<P;AG<4<HPW(M<M4P(<HPV0MX<NQPME<0EPI;uj<M
2022-11-04 12:16:09 UTC	283	IN	Data Raw: 89 55 ac 89 55 c4 8b 91 84 00 00 00 89 45 94 89 45 9c 89 45 a4 89 75 b4 89 7d b8 89 75 bc 89 45 cc 8b 8d 38 ff ff ff 8b bd 68 ff ff ff 8d 4c cd 90 39 39 7e 0c 89 39 c7 85 34 ff ff ff 01 00 00 00 85 d2 75 14 8b 8d 38 ff ff ff 8d 4c cd 94 8b fe 2b 39 8d 7c 07 ff 89 39 ff 85 38 ff ff ff 83 bd 38 ff ff ff 08 7c b9 6a 02 6a 08 8d 45 90 50 ff 15 08 71 52 00 50 8d 8d 14 ff ff ff e8 9c f5 fc ff 8d 85 14 ff ff ff 50 8b cb e8 64 f0 fc ff eb 6c c7 85 3c ff ff ff 01 00 00 00 39 7d 1c 0f 84 50 fe ff ff 39 7d 20 0f 85 47 fe ff ff 8b 06 8b ce ff 90 88 02 00 00 85 c0 0f 85 35 fe ff ff 8b 45 18 2b 45 10 e9 2c fe ff ff 6a 00 6a ff 8d 45 80 50 ff 15 18 76 52 00 8b 85 24 ff ff ff 83 b8 84 00 00 00 00 75 05 ff 4d 8c eb 03 ff 45 84 8b 85 68 ff ff ff 39 45 88 7c 03 89 45 88 ff Data Ascii: UUEEEu}uE8hL99~94u8L+9\|988\|jjEPqRPPdl<9}P9} G5E+E,jjEPvR$uMEh9E\|E
2022-11-04 12:16:09 UTC	284	IN	Data Raw: 8b cb e8 86 eb fc ff 8b 45 18 48 50 8b 45 14 83 c0 fe 50 8b cb e8 f5 e5 fc ff 8b 45 18 83 c0 fe 50 8b 45 14 48 50 8b cb e8 e2 e5 fc ff 8b 45 10 48 e9 fc 00 00 00 8b 85 2c ff ff ff 39 b8 94 00 00 00 8d 85 1c ff ff ff 75 06 8d 85 fc fe ff ff 50 8b cb e8 2d f1 fc ff 33 c9 3b c7 0f 95 c1 89 85 30 ff ff ff 3b cf 0f 84 f2 fc ff ff 8b 45 18 39 7d 20 75 01 48 50 ff 75 14 8d 85 78 ff ff ff 50 8b cb e8 05 eb fc ff 8b 45 10 83 c0 02 50 ff 75 14 8b cb e8 76 e5 fc ff 8b 45 14 ff 75 10 83 c0 fe 50 8b cb e8 65 e5 fc ff 8b 85 2c ff ff ff 39 b8 94 00 00 00 74 0e 8d 85 f4 fe ff ff 50 8b cb e8 bf f0 fc ff 8b 45 0c ff 75 10 83 c0 02 50 8b cb e8 38 e5 fc ff 8b 45 10 83 c0 02 50 ff 75 0c 8b cb e8 27 e5 fc ff ff 75 18 8b cb ff 75 0c e8 1a e5 fc ff 8b 85 2c ff ff ff 39 b8 94 00 Data Ascii: EHPEPEPEHPEH,9uP-3;0;E9} uHPuxPEPuvEuPe,9tPEuP8EPu'uu,9
2022-11-04 12:16:09 UTC	285	IN	Data Raw: 8b 45 18 2b 45 10 8d 75 10 0f af 45 24 99 f7 7d 20 8d 7d e0 a5 a5 a5 a5 03 45 10 83 7d 2c ff 89 45 e8 75 2a 51 8d 4d d4 e8 d4 ec fc ff ff 75 d8 8d 45 e0 50 ff 73 04 ff 15 ec 77 52 00 8d 4d d4 c7 45 d4 ac 7d 52 00 e8 d0 96 fb ff eb 37 53 8d 4d d4 e8 82 13 05 00 33 c0 50 50 50 ff 75 2c 8d 75 e0 ff 75 dc 8d 4d d4 83 ec 10 8b fc a5 a5 a5 89 45 fc a5 e8 b8 2c 05 00 83 4d fc ff 8d 4d d4 e8 6b 13 05 00 83 7d 34 00 0f 84 db 00 00 00 e8 c9 d9 fc ff 50 8d 4d dc e8 6f 93 fb ff 8b 45 24 6b c0 64 99 f7 7d 20 c7 45 fc 01 00 00 00 50 8d 45 dc 68 60 fa 52 00 50 e8 3f 96 fb ff 8b 03 83 c4 0c ff 35 f8 39 57 00 8b cb ff 50 30 8b 75 dc 8b 13 68 25 08 00 00 8d 4d 10 51 89 45 d8 8b 46 f4 50 56 8b cb ff 52 68 83 65 d0 00 bf 2c ad 52 00 89 7d cc 8d 45 e0 50 c6 45 fc 02 ff 15 40 Data Ascii: E+EuE$} }E},Eu*QMuEPswRME}R7SM3PPPu,uuME,MMk}4PMoE$kd} EPEh`RP?59WP0uh%MQEFPVRhe,R}EPE@
2022-11-04 12:16:09 UTC	287	IN	Data Raw: fc ff 8d 4d d0 e8 3a 0e 05 00 eb 72 a1 c8 39 57 00 eb dd a1 c8 39 57 00 39 7d 1c 75 05 b8 00 7f 00 00 50 8d 4d d8 e8 2a e7 fc ff 8d 45 d8 50 8b ce 89 7d fc e8 f4 e5 fc ff 8b f8 8b 06 6a 08 8b ce ff 50 24 ff 75 ec 8b d8 ff 75 e8 ff 75 e4 ff 75 e0 ff 76 04 ff 15 90 70 52 00 57 8b ce e8 ca e5 fc ff 53 8b ce e8 c2 e5 fc ff 83 4d fc ff 8d 4d d8 c7 45 d8 ac 7d 52 00 e8 f2 90 fb ff e8 d2 97 0b 00 c2 20 00 6a 10 b8 24 c0 51 00 e8 d7 96 0b 00 ff 35 e8 39 57 00 8d 4d ec 6a 01 6a 00 e8 5d e6 fc ff 8b 75 08 83 65 fc 00 8d 45 ec 50 8b ce e8 77 e5 fc ff 8b f8 33 c0 85 ff 0f 95 c0 85 c0 75 05 e8 68 d2 fc ff ff 75 14 8d 45 e4 ff 75 10 8b ce 50 e8 5c df fc ff ff 75 14 8b ce ff 75 18 e8 d1 d9 fc ff 57 8b ce e8 3f e5 fc ff 83 4d fc ff 8d 4d ec c7 45 ec b0 9f 52 00 e8 6f 90 Data Ascii: M:r9W9W9}uPM*EP}jP$uuuuvpRWSMME}R j$Q59WMjj]ueEPw3uhuEuP\uuW?MMERo
2022-11-04 12:16:09 UTC	288	IN	Data Raw: fc a1 f8 39 57 00 5f 5e 33 cd 5b e8 ca 7f 0b 00 c9 c2 08 00 6a 50 b8 7c b3 51 00 e8 06 92 0b 00 8b 45 0c 8b 5d 08 8b 11 8d 75 bc 56 8d 75 dc 56 ff 75 2c 89 5d c4 ff 75 28 ff 75 24 50 ff 92 88 02 00 00 8b 45 1c 03 45 14 53 99 2b c2 8b f0 8b 45 10 03 45 18 d1 fe 99 2b c2 8b f8 d1 ff 8d 4f f9 89 4d e0 8d 46 f9 83 c1 0f 89 45 e4 89 4d e8 83 c0 0f 8d 4d d4 89 45 ec e8 03 08 05 00 ff 75 dc 83 65 fc 00 ff 75 bc 8d 45 e0 50 8d 4d d4 e8 12 2e 05 00 ff 75 dc 8d 46 fd 8d 5f fd 89 45 b8 83 c0 07 83 3d 8c 56 57 00 00 8d 4b 07 89 4d ac 89 45 b0 74 2b 56 51 56 53 8d 4d d4 e8 33 2b 05 00 83 7d 20 00 0f 85 8c 00 00 00 ff 75 dc 8d 4d d4 ff 75 b0 57 ff 75 b8 57 e8 16 2b 05 00 eb 77 6a 01 6a 00 8d 4d c8 e8 69 e0 fc ff 8b 4d c4 8d 45 c8 50 c6 45 fc 01 e8 85 df fc ff 56 53 8b Data Ascii: 9W_^3[jP\|QE]uVuVu,]u(u$PEES+EE+OMFEMMEueuEPM.uF_E=VWKMEt+VQVSM3+} uMuWuW+wjjMiMEPEVS
2022-11-04 12:16:09 UTC	290	IN	Data Raw: 83 c0 f6 50 ff 15 88 70 52 00 50 8d 4d ec e8 af d9 fc ff 6a 02 8d 45 e4 50 8d 45 ec 50 8d 4d e4 e8 27 b3 fd ff 8d 4d e4 e8 c3 d9 fc ff 6a 01 50 8b 45 08 ff 70 20 ff 15 f4 75 52 00 8d 4d ec 88 5d fc 89 75 ec e8 ce 85 fb ff 83 4d fc ff 8d 4d e4 89 75 e4 e8 bf 85 fb ff 33 c0 40 eb 02 33 c0 e8 84 8c 0b 00 c2 0c 00 8b ff 55 8b ec 8b 45 08 56 8b 75 10 57 ff b0 a0 00 00 00 ff 75 14 83 ec 10 8b fc ff 75 0c a5 a5 a5 a5 e8 66 f2 ff ff 5f 5e 5d c2 10 00 6a 08 b8 1b 0d 52 00 e8 70 8b 0b 00 8b 75 08 8b 06 68 f4 3a 57 00 8b ce ff 50 28 8b f8 33 c0 85 ff 0f 95 c0 85 c0 75 05 e8 16 c7 fc ff 68 6c fa 52 00 8d 4d f0 e8 49 d7 fb ff 83 65 fc 00 6a 0a 8b ce e8 ba ce fc ff ff 35 e8 39 57 00 8b d8 8b 06 8b ce ff 50 30 6a 00 89 45 ec 8b 45 f0 ff 70 f4 50 8d 45 10 50 6a 04 ff 75 Data Ascii: PpRPMjEPEPM'MjPEp uRM]uMMu3@3UEVuWuuf_^]jRpuh:WP(3uhlRMIej59WP0jEEpPEPju
2022-11-04 12:16:09 UTC	291	IN	Data Raw: e8 04 02 fd ff ff 70 30 ff 15 7c 75 52 00 50 6a 01 6a 02 8d 85 f8 fe ff ff 50 8d 85 fc fe ff ff 50 6a 00 57 ff 15 4c 76 52 00 50 57 ff 15 80 75 52 00 8d 85 f8 fe ff ff 50 ff 15 40 76 52 00 0f b7 85 f8 fe ff ff 8b 4d fc 5f 5e 33 Data Ascii: p0\|uRPjjPPjWLvRPWuRP@vRM_^3
2022-11-04 12:16:09 UTC	291	IN	Data Raw: cd 5b e8 2f 74 0b 00 c9 c2 04 00 a1 24 4b 57 00 85 c0 74 0e 50 e8 91 2f fc ff 83 25 24 4b 57 00 00 59 a1 28 4b 57 00 85 c0 74 0e 50 e8 7a 2f fc ff 83 25 28 4b 57 00 00 59 c3 8b ff 55 8b ec 8b 4d 10 85 c9 75 04 33 c0 eb 73 8b 01 ff 90 a4 01 00 00 85 c0 74 f0 83 7d 14 00 57 bf 2c 4b 57 00 75 05 bf 30 4b 57 00 83 7d 14 00 56 be 28 4b 57 00 75 1f be 24 4b 57 00 b9 38 4b 57 00 50 57 51 56 e8 a4 fd ff ff 8b 06 5e 85 c0 75 0c e8 4e c1 fc ff b9 34 4b 57 00 eb e4 8b 3f 33 c9 85 ff 7e 19 66 8b 50 02 66 3b 55 08 75 07 8a 10 3a 55 0c 74 0f 41 83 c0 06 3b cf 7c e7 33 c0 5f 5d c2 10 00 33 c0 40 eb f6 8b ff 55 8b ec 53 56 57 8b 7d 0c 85 ff 75 05 e8 06 c1 fc ff 8b 75 08 85 f6 74 70 83 7d 10 00 75 ee 8b 9e 8c 00 00 00 85 db 74 e4 8b 06 8b ce 89 be 8c 00 00 00 ff 50 54 89 Data Ascii: [/t$KWtP/%$KWY(KWtPz/%(KWYUMu3st}W,KWu0KW}V(KWu$KW8KWPWQV^uN4KW?3~fPf;Uu:UtA;\|3_]3@USVW}uutp}utPT
2022-11-04 12:16:09 UTC	293	IN	Data Raw: 45 fc 50 ff 75 08 74 11 83 c1 20 e8 d2 e3 00 00 85 c0 75 0a 83 c8 ff eb 08 83 c1 04 eb ed 8b 45 fc c9 c2 08 00 8b ff 55 8b ec 56 57 8b 7d 08 8b f1 85 ff 74 36 83 ff ff 74 31 83 7d 10 00 74 11 6a 00 57 e8 a9 ff ff ff 85 c0 79 1f 8d 4e 20 eb 0f 6a 01 57 e8 98 ff ff ff 85 c0 79 0e 8d 4e 04 57 e8 c5 07 07 00 8b 4d 0c 89 08 5f 5e 5d c2 0c 00 8b ff 55 8b ec 53 56 57 6a 00 ff 75 08 8b f1 8d 4e 58 e8 69 f9 fd ff 83 7d 0c 00 8b d8 74 2a 85 db 74 09 53 8d 4e 58 e8 e9 fe ff ff 8b 7d 10 ff 75 08 8d 4e 74 85 ff 78 09 e8 7c 07 07 00 89 38 eb 21 e8 f5 49 00 00 eb 1a ff 75 08 8d 4e 74 e8 e8 49 00 00 85 db 75 0b ff 75 08 8d 4e 58 e8 07 f1 01 00 5f 5e 5b 5d c2 0c 00 33 c0 39 81 8c 01 00 00 74 1a 83 b9 ac 01 00 00 10 7c 11 39 81 84 01 00 00 75 09 39 81 88 01 00 00 75 01 40 Data Ascii: EPut uEUVW}t6t1}tjWyN jWyNWM_^]USVWjuNXi}t*tSNX}uNtx\|8!IuNtIuuNX_^[]39t\|9u9u@
2022-11-04 12:16:09 UTC	294	IN	Data Raw: e8 3a ff ff ff 89 45 fc 33 d2 f7 73 08 8b 43 04 8d 3c 90 eb 18 8b 45 fc 39 46 0c 75 0d ff 75 08 56 e8 e1 f0 06 00 85 c0 75 12 8d 7e 08 8b 37 85 f6 75 e2 33 c0 5f 5e 5b c9 c2 04 00 8b 46 08 56 8b cb 89 07 e8 d7 fe ff ff 33 c0 40 eb e7 8b ff 55 8b ec 56 57 ff 75 08 8b f1 e8 e0 fe ff ff 8b 7d 10 89 07 33 d2 f7 76 08 8b 45 0c 89 10 8b 76 04 85 f6 74 20 8b 34 96 eb 17 8b 46 0c 3b 07 75 0d ff 75 08 56 e8 7d f0 06 00 85 c0 75 0f 8b 76 08 85 f6 75 e5 33 c0 5f 5e 5d c2 0c 00 8b c6 eb f6 8b ff 55 8b ec 56 8b f1 e8 df fe ff ff f6 45 08 01 74 07 56 e8 99 23 fc ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 51 8d 45 08 50 8d 45 fc 50 ff 75 08 e8 76 ff ff ff 85 c0 74 0b 8b 40 04 8b 4d 0c 89 01 33 c0 40 c9 c2 08 00 6a 74 b8 2c b5 51 00 e8 fd 79 0b 00 8b f1 89 75 ec 33 c0 33 Data Ascii: :E3sC<E9FuuVu~7u3_^[FV3@UVWu}3vEvt 4F;uuV}uvu3_^]UVEtV#Y^]UQEPEPuvt@M3@jt,Qyu33
2022-11-04 12:16:09 UTC	295	IN	Data Raw: a5 8b cb a5 e8 06 3e 06 00 ff 75 08 8b cb e8 a4 3b 06 00 5f 5e 5b 5d c2 04 00 8b ff 55 8b ec 83 ec 18 53 56 57 e8 db a1 fd ff 8b 10 8d 4d f0 51 8b c8 ff 92 40 01 00 00 8b 30 8b 78 04 a1 2c f1 56 00 8b 1d 28 f1 56 00 03 c0 89 45 fc 8d 45 e8 50 03 db e8 3c f7 ff ff 8b 08 8b 50 04 03 55 fc 8b 45 08 03 cb 03 f1 03 fa 89 78 04 5f 89 30 5e 5b c9 c2 04 00 b8 08 d6 56 00 c3 8b ff 55 8b ec 8b 4d 08 68 08 d6 56 00 e8 fd db fe ff 8b 4d 0c 89 01 8b 45 08 5d c2 08 00 6a 01 81 c1 20 01 00 00 e8 e0 5e 08 00 c3 ff b1 c8 00 00 00 e8 a4 52 fc ff c3 8b ff 56 8b f1 8b 06 ff 90 a0 01 00 00 83 f8 01 75 0b 8b 06 8b ce 5e ff a0 a4 01 00 00 33 c0 5e c3 8b ff 55 8b ec 51 51 57 8b b9 00 01 00 00 89 4d f8 85 ff 74 7a 53 33 db 56 43 8b c7 85 ff 74 74 8b 70 08 8b 3f 8b ce 89 5d fc e8 Data Ascii: >u;_^[]USVWMQ@0x,V(VEEP<PUEx_0^[VUMhVME]j ^RVu^3^UQQWMtzS3VCttp?]
2022-11-04 12:16:09 UTC	297	IN	Data Raw: 02 00 00 8b 06 8b ce 5e ff a0 b0 01 00 00 5e c3 8b ff 55 8b ec ff b1 c8 00 00 00 e8 8a 4d fc ff 50 68 c0 57 53 00 e8 4a 3f fd ff 59 59 85 c0 74 14 8b 10 6a ff ff 75 0c 8b c8 ff 75 08 ff 92 2c 02 00 00 eb 03 33 c0 40 5d c2 08 00 8b ff 55 8b ec ff b1 c8 00 00 00 e8 4e 4d fc ff 50 68 c0 57 53 00 e8 0e 3f fd ff 59 59 85 c0 74 14 8b 10 6a ff ff 75 0c 8b c8 ff 75 08 ff 92 28 02 00 00 eb 03 33 c0 40 5d c2 08 00 8b ff 56 8b f1 8b 06 ff 90 9c 01 00 00 85 c0 75 17 8b ce 39 86 8c 00 00 00 74 08 50 e8 29 8a fc ff eb 05 8b 06 ff 50 60 33 c0 5e c2 08 00 8b ff 55 8b ec ff b1 c8 00 00 00 e8 e4 4c fc ff 50 68 c0 45 53 00 e8 a4 3e fd ff 59 59 8b 4d 08 8b 11 50 ff 92 80 01 00 00 5d c2 04 00 8b 01 ff 90 a4 01 00 00 50 68 c0 57 53 00 e8 7f 3e fd ff 59 59 85 c0 74 0a 8b 10 8b Data Ascii: ^^UMPhWSJ?YYtjuu,3@]UNMPhWS?YYtjuu(3@]Vu9tP)P`3^ULPhES>YYMP]PhWS>YYt
2022-11-04 12:16:09 UTC	298	IN	Data Raw: c2 18 00 6a 04 b8 af b5 51 00 e8 ae 69 0b 00 8b f1 89 75 f0 c7 06 a4 fb 52 00 c7 45 fc 02 00 00 00 e8 42 f7 ff ff 8d 8e 20 01 00 00 c6 45 fc 01 e8 84 4c 08 00 8d 8e fc 00 00 00 c6 45 fc 00 e8 af 9c 00 00 83 4d fc ff 8b ce e8 0d 5b fc ff e8 41 6a 0b 00 c3 8b ff 55 8b ec 51 51 56 57 8b f9 8d b7 cc 00 00 00 56 ff 77 20 ff 15 04 78 52 00 8b bf c8 00 00 00 85 ff 74 56 53 57 e8 7d 47 fc ff 50 68 c0 45 53 00 e8 3d 39 fd ff 8b d8 59 59 85 db 74 3b 83 65 f8 00 83 65 fc 00 8d bb d8 01 00 00 a5 a5 a5 8d 45 f8 50 a5 ff 15 54 76 52 00 8d 45 f8 50 ff 73 20 ff 15 44 78 52 00 8b 45 f8 89 83 58 01 00 00 8b 45 fc 89 83 5c 01 00 00 5b 5f 5e c9 c3 8b ff 55 8b ec 83 ec 0c 53 56 8b f1 8b 86 c8 00 00 00 33 db 57 3b c3 74 77 50 ff 15 20 77 52 00 85 c0 74 6c ff b6 c8 00 00 00 e8 Data Ascii: jQiuREB ELEM[AjUQQVWVw xRtVSW}GPhES=9YYt;eeEPTvREPs DxREXE\[_^USV3W;twP wRtl
2022-11-04 12:16:09 UTC	300	IN	Data Raw: ff 75 e0 ff 90 4c 03 00 00 e9 f7 00 00 00 f6 45 e8 82 0f 84 0b ff ff ff 83 7d e4 00 8d b3 2c 01 00 00 8d 7d ec a5 a5 a5 a5 74 0d 6a 01 8d 8b 20 01 00 00 e8 45 4b 08 00 53 e8 17 3c fd ff 8b 35 88 53 57 00 59 ff 75 e0 8b f8 c7 05 88 53 57 00 01 00 00 00 8b 03 8b cb ff 90 28 02 00 00 89 35 88 53 57 00 8b 75 dc 8b 8e b8 01 00 00 89 45 e8 85 c9 74 05 e8 2d 2b 06 00 85 ff 74 0c 8b 07 6a 01 8b cf ff 90 74 01 00 00 8b 06 6a 00 8b ce ff 50 38 8d 45 ec 50 ff 15 cc 75 52 00 85 c0 75 62 8b 4d e8 33 f6 3b ce 74 0d 8b 01 56 ff 90 24 02 00 00 3b c3 75 4c 8b 45 e0 39 30 75 45 8b 45 f8 2b 45 f0 68 04 01 00 00 50 8b 45 f4 2b 45 ec 8b cb 50 ff 75 f0 ff 75 ec 56 e8 2e 7f fc ff ff 73 20 ff 15 6c 78 52 00 85 c0 75 17 8b 03 8b cb ff 90 a0 01 00 00 85 c0 7e 09 6a 05 8b cb e8 78 Data Ascii: uLE},}tj EKS<5SWYuSW(5SWuEt-+tjtjP8EPuRubM3;tV$;uLE90uEE+EhPE+EPuuV.s lxRu~jx
2022-11-04 12:16:09 UTC	301	IN	Data Raw: 89 7d bc 89 7d c0 89 7d c4 89 7d c8 89 7d ec 89 7d f0 89 7d f4 89 7d f8 ff 90 2c 03 00 00 ff 75 ac 8d 45 bc ff 75 a8 50 ff 15 10 78 52 00 85 c0 75 14 ff 75 ac 8d 45 ec ff 75 a8 50 ff 15 10 78 52 00 85 c0 74 31 8b 45 b4 89 45 98 3b c7 74 27 8b 4d b0 57 e8 e8 25 06 00 56 8d 8b 20 01 00 00 e8 d3 47 08 00 e9 39 02 00 00 8b 4d b0 e8 cf 25 06 00 e9 2c 02 00 00 8b 4d b0 6a 01 e8 c0 25 06 00 3b f7 0f 84 32 01 00 00 ff 75 b8 b9 58 ea 56 00 e8 a9 c0 05 00 89 45 a4 8b 06 8b ce ff 90 a4 01 00 00 85 c0 74 09 39 7d a4 0f 84 0b 01 00 00 8b 7d b8 8b 06 57 8b ce ff 90 80 01 00 00 85 c0 0f 84 f5 00 00 00 8b 06 8b ce ff 90 90 01 00 00 8b 17 8b cf 89 45 a4 ff 92 94 01 00 00 85 45 a4 74 0b 8b ce e8 14 33 06 00 85 c0 75 33 8b 06 6a 00 8b ce ff 90 24 02 00 00 85 c0 0f 84 ba 00 Data Ascii: }}}}}}}},uEuPxRuuEuPxRt1EE;t'MW%V G9M%,Mj%;2uXVEt9}}WEEt3u3j$
2022-11-04 12:16:09 UTC	302	IN	Data Raw: 20 3b 5e 20 75 05 33 c0 40 eb 02 33 c0 8b 4d fc 5f 5e 33 cd 5b e8 bc 46 0b 00 c9 c3 8b ff 55 8b ec 83 ec 1c a1 54 04 57 00 33 c5 89 45 fc 56 57 8d 45 e4 33 f6 50 8b f9 89 75 e4 89 75 e8 ff 15 54 76 52 00 8d 45 ec 50 ff 77 20 89 75 ec 89 75 f0 89 75 f4 89 75 f8 ff 15 04 78 52 00 ff 75 e8 8d 45 ec ff 75 e4 50 ff 15 10 78 52 00 85 c0 75 0b 39 b7 88 00 00 00 75 03 40 eb 02 33 c0 8b 4d fc 5f 33 cd 5e e8 4c 46 0b 00 c9 c3 8b ff 56 8b f1 83 be b0 00 00 00 00 57 75 2d 6a 00 ff 35 c8 d5 56 00 6a 05 ff 76 20 ff 15 f0 75 52 00 8b 8e b8 00 00 00 83 c9 01 89 86 b0 00 00 00 8b 06 51 8b ce ff 90 88 01 00 00 5f 5e c3 8b ff 56 8b f1 8b 86 b0 00 00 00 57 85 c0 74 25 50 ff 76 20 ff 15 ec 75 52 00 8b 8e b8 00 00 00 8b 06 83 a6 b0 00 00 00 00 83 e1 fe 51 8b ce ff 90 88 01 00 Data Ascii: ;^ u3@3M_^3[FUTW3EVWE3PuuTvREPw uuuuxRuEuPxRu9u@3M_3^LFVWu-j5Vjv uRQ_^VWt%Pv uRQ
2022-11-04 12:16:09 UTC	304	IN	Data Raw: 50 8b 45 ec 03 c3 50 8d 45 dc 50 ff d7 ff 75 0c 8d 45 dc ff 75 08 50 ff d6 85 c0 74 04 6a 0f eb 5e 8b 4d ec 8b 45 f8 50 8d 14 19 8b 5d 90 52 2b c3 50 51 8d 45 dc 50 ff d7 ff 75 0c 8d 45 dc ff 75 08 50 ff d6 85 c0 74 04 6a 10 eb 32 8b 45 f8 8b 4d cc 2b c3 50 8b 45 ec 03 c8 51 8b 4d f0 03 cb 51 50 8d 45 dc 50 ff d7 ff 75 0c 8d 45 dc ff 75 08 50 ff d6 85 c0 0f 84 da 00 00 00 6a 0a 58 e9 da 00 00 00 8b 4d d0 8b 1d 6c 75 52 00 03 c8 51 ff 75 f4 50 ff 75 ec 8d 45 dc 50 ff d3 ff 75 0c 8d 45 dc ff 75 08 50 ff d6 85 c0 74 0f 8b 45 98 f7 d8 1b c0 83 e0 fa e9 95 00 00 00 ff 75 f8 8b 45 ec 8b 4d cc 03 c8 51 ff 75 f0 50 8d 45 dc 50 ff d3 ff 75 0c 8d 45 dc ff 75 08 50 ff d6 85 c0 74 11 33 c0 39 45 98 0f 94 c0 8d 04 c5 0a 00 00 00 eb 6b 8b 45 f8 50 ff 75 f4 2b 45 d8 50 Data Ascii: PEPEPuEuPtj^MEP]R+PQEPuEuPtj2EM+PEQMQPEPuEuPjXMluRQuPuEPuEuPtEuEMQuPEPuEuPt39EkEPu+EP
2022-11-04 12:16:09 UTC	305	IN	Data Raw: 2b 4d ec 8b 16 57 6a 34 50 51 ff 75 f0 8b ce ff 75 ec 57 ff 92 34 02 00 00 68 05 01 00 00 57 57 ff 76 20 ff 15 70 78 52 00 39 7d e8 74 0a 8b 03 8b cb ff 90 b0 01 00 00 8b 4d fc 5f 5e 33 cd 5b e8 39 3b 0b 00 c9 c3 8b ff 55 8b ec 83 ec 18 53 56 33 db 57 8b f1 39 5d 08 0f 84 e4 00 00 00 83 7d 08 02 8b 7d 0c 75 16 3b fb 74 29 8b 07 8b cf ff 90 88 01 00 00 85 c0 0f 84 c5 00 00 00 3b fb 74 13 8b 07 53 8b cf ff 90 24 02 00 00 85 c0 0f 85 ae 00 00 00 8a 86 99 00 00 00 0f b6 c8 89 4d f8 3a c3 74 17 ff 15 e0 75 52 00 8b 06 53 8b ce 88 9e 99 00 00 00 ff 90 08 02 00 00 8d 45 f0 50 89 5d f0 89 5d f4 ff 15 54 76 52 00 8b 45 f0 89 45 e8 8b 45 f4 89 45 ec 8b 06 8b ce ff 90 a4 01 00 00 8d 4d e8 51 ff 70 20 ff 15 44 78 52 00 ff 75 0c 8b 45 08 68 6c ec 56 00 89 86 7c 01 00 Data Ascii: +MWj4PQuuW4hWWv pxR9}tM_^3[9;USV3W9]}}u;t);tS$M:tuRSEP]]TvREEEEMQp DxRuEhlV\|
2022-11-04 12:16:09 UTC	307	IN	Data Raw: 83 ec 28 a1 54 04 57 00 33 c5 89 45 fc 53 56 57 8b f9 8b 07 33 db 8d 4d ec 51 8b cf 89 5d ec 89 5d f0 89 5d f4 89 5d f8 ff 90 c4 01 00 00 8d 45 d8 50 e8 83 d2 ff ff 8b 45 f8 2b 45 dc 8b 35 38 53 57 00 2b 45 f0 8b 4d f4 99 2b c2 8b 97 04 01 00 00 d1 f8 03 45 f0 2b ce 03 75 ec 89 45 e8 89 75 e0 eb 4f 8b c2 3b d3 74 63 8b 40 08 8b 52 04 39 58 0c 75 3e 39 58 18 74 1c 8b 75 e0 89 70 24 8b 75 e8 89 70 28 89 58 0c a1 c4 d5 56 00 03 45 d8 01 45 e0 eb 1d 2b 4d d8 3b 4d ec 7f 03 8b 4d ec 8b 75 e8 89 48 24 89 70 28 89 58 0c 2b 0d c4 d5 56 00 3b d3 75 ad 8b cf e8 34 fe ff ff 8b 4d fc 5f 5e 33 cd 5b e8 07 35 0b 00 c9 c3 e8 aa 82 fc ff cc 8b ff 55 8b ec 83 ec 14 a1 54 04 57 00 33 c5 89 45 fc 53 8b d9 8b 4d 08 85 c9 74 41 8b 01 56 57 8d 55 ec 52 ff 50 0c 8b f0 8d bb e4 Data Ascii: (TW3ESVW3MQ]]]]EPE+E58SW+EM+E+uEuO;tc@R9Xu>9Xtup$up(XVEE+M;MMuH$p(X+V;u4M_^3[5UTW3ESMtAVWURP
2022-11-04 12:16:09 UTC	307	IN	Data Raw: ff 8b 5d 08 be 00 01 00 00 85 c6 74 0c f6 c3 40 74 07 c7 45 fc 01 00 00 00 f6 c3 03 74 23 8b c3 24 01 0f b6 c0 f7 d8 1b c0 83 e0 c0 83 e8 80 83 c8 17 50 33 c0 50 50 50 50 50 8b cf e8 d3 61 fc ff f6 c3 30 74 10 8b c3 c1 e8 04 83 e0 01 50 8b cf e8 6e 61 fc ff f6 c3 0c 74 3a 8b cf e8 c9 5f fc ff 85 c6 74 2f 6a 00 6a 00 56 8b cf e8 ed 5f fc ff 6a 00 c1 eb 02 83 e3 01 53 68 86 00 00 00 ff 77 20 ff 15 dc 76 52 00 6a 00 56 6a 00 8b cf e8 ca 5f fc ff 8b 45 fc 5f 5e 5b c9 c2 08 00 8b ff 56 8b f1 8b 06 57 ff 90 34 02 00 00 80 be 99 00 00 00 00 0f 84 1e 01 00 00 8b 06 8b ce ff 90 ac 01 00 00 a8 02 0f 84 81 00 00 00 6a 01 8d 8e 20 01 00 00 e8 ac 2c 08 00 ff 76 20 ff 15 6c 78 52 00 85 c0 0f 85 d5 00 00 00 ff b6 c8 00 00 00 e8 65 23 fc ff 50 68 c0 45 53 00 e8 25 15 fd Data Ascii: ]t@tEt#$P3PPPPPa0tPnat:_t/jjV_jShw vRjVj_E_^[VW4j ,v lxRe#PhES%
2022-11-04 12:16:09 UTC	309	IN	Data Raw: cd 5b e8 83 2e 0b 00 c9 c2 0c 00 8b ff 56 8d b1 ac 00 00 00 8b 06 85 c0 74 0d 50 ff 71 20 ff 15 ec 75 52 00 83 26 00 5e c3 8b ff 55 8b ec 51 53 56 8b f1 80 be 99 00 00 00 00 89 75 fc 74 78 83 7d 08 1b 75 72 8b 06 ff 90 ac 01 00 00 a8 02 74 09 8b ce e8 9b fa ff ff eb 5d ff 15 e0 75 52 00 ff b6 c8 00 00 00 e8 43 1e fc ff 50 68 c0 45 53 00 e8 03 10 fd ff 8b d8 59 59 85 db 74 39 8b 03 8b cb ff 90 94 01 00 00 a9 00 f0 00 00 74 28 8b 03 57 81 c6 cc 00 00 00 8d bb d8 01 00 00 a5 a5 6a 02 a5 6a 00 53 8b cb a5 ff 90 f4 01 00 00 5f 85 c0 74 0a 8b 75 fc 8b ce e8 1e 1d fc ff 5e 5b c9 c2 0c 00 8b ff 55 8b ec 83 ec 30 a1 54 04 57 00 33 c5 89 45 fc 53 56 8b f1 8b 86 b4 00 00 00 8b 4d 08 57 33 ff 89 75 d4 3b c7 0f 84 fd 01 00 00 8b 11 6a 01 50 ff 52 24 8b d8 3b df 0f 84 Data Ascii: [.VtPq uR&^UQSVutx}urt]uRCPhESYYt9t(WjjS_tu^[U0TW3ESVMW3u;jPR$;
2022-11-04 12:16:09 UTC	310	IN	Data Raw: 00 2b c1 74 35 2b c1 74 14 48 48 74 35 48 48 74 42 8d 45 d0 50 ff 15 3c 77 52 00 eb ba 8b 45 e8 8b 4d c4 6a 15 6a ff 6a ff 2b c7 50 8b 45 e4 2b c6 50 53 e8 84 56 fc ff eb 9d 83 7d d8 1b 75 97 eb 11 c7 45 c8 01 00 00 00 eb 08 ff 75 d8 e8 61 de fc ff ff 15 e0 75 52 00 ff 75 c0 ff 15 20 77 52 00 85 c0 74 4e 39 5d c8 74 3f 8b 45 bc 53 53 6a 10 ff 70 20 ff 15 dc 76 52 00 a1 4c 56 57 00 3b c3 75 0c 8b 4d c4 e8 ef 2d fc ff 3b c3 74 24 a1 4c 56 57 00 3b c3 75 08 8b 4d c4 e8 da 2d fc ff 8b c8 e8 52 56 fc ff eb 0a 8b 4d bc 6a 04 e8 76 55 fc ff 39 5d c8 0f 85 95 00 00 00 8b 35 4c 56 57 00 3b f3 75 0e 8b 4d c4 e8 ac 2d fc ff 8b f0 3b f3 74 6a 56 68 58 e9 52 00 e8 ed 09 fd ff 59 59 3b c3 74 08 8d 88 3c 03 00 00 eb 49 56 68 7c ef 52 00 e8 d4 09 fd ff 59 59 3b c3 74 08 Data Ascii: +t5+tHHt5HHtBEP<wREMjjj+PE+PSV}uEuauRu wRtN9]t?ESSjp vRLVW;uM-;t$LVW;uM-RVMjvU9]5LVW;uM-;tjVhXRYY;t<IVh\|RYY;t
2022-11-04 12:16:09 UTC	311	IN	Data Raw: c0 89 45 fc 3b c8 74 05 e8 8a c9 ff ff e8 db 35 0b 00 c3 8b ff 55 8b ec 56 8b f1 e8 3b cb ff ff f6 45 08 01 74 07 56 e8 7b de fb ff 59 8b c6 5e 5d c2 04 00 a1 bc 48 57 00 53 56 33 db 57 8b f1 3b c3 74 1f ff 70 20 ff 15 20 77 52 00 85 c0 74 12 a1 bc 48 57 00 53 53 6a 10 ff 70 20 ff 15 dc 76 52 00 8b 86 a8 00 00 00 89 5e 7c 8b ce 3b c3 74 27 50 e8 0d c2 ff ff 3b c3 74 78 8b 8e a8 00 00 00 89 8e a4 00 00 00 50 8b ce c7 40 04 01 00 00 00 e8 9c ed ff ff eb 5b 8b 06 53 ff 90 0c 02 00 00 8b 06 8b ce ff 90 18 02 00 00 ff b6 c8 00 00 00 e8 9f 12 fc ff 50 68 c0 45 53 00 e8 5f 04 fd ff 59 59 3b c3 74 1a 68 d8 ce 56 00 8b c8 c7 80 9c 02 00 00 01 00 00 00 e8 25 04 fd ff 85 c0 75 12 6a 03 53 53 53 53 68 28 34 57 00 8b ce e8 1c 50 fc ff 8b ce e8 89 11 fc ff 5f 5e 5b c2 Data Ascii: E;t5UV;EtV{Y^]HWSV3W;tp wRtHWSSjp vR^\|;t'P;txP@[SPhES_YY;thV%ujSSSSh(4WP_^[
2022-11-04 12:16:09 UTC	313	IN	Data Raw: ce ff 90 a8 03 00 00 83 65 08 00 89 45 fc 85 c0 7e 50 53 bb d0 d5 56 00 8b 06 6a 01 ff 75 08 8b ce ff 90 d0 03 00 00 8b f8 8b cf e8 1e 4a fc ff 83 f8 ff 74 21 83 7d 0c 00 74 13 85 ff 74 03 8b 7f 20 50 8b cb e8 dd b6 06 00 89 38 eb 08 50 8b cb e8 53 f9 ff ff ff 45 08 8b 45 08 3b 45 fc 7c b7 5b 33 c0 40 eb 02 33 c0 5f 5e c9 c2 08 00 8b ff 55 8b ec 53 56 8b 75 08 57 8b f9 85 f6 75 05 e8 ab 6a fc ff 8b 5d 0c 85 db 74 f4 3b f3 74 f0 6a 00 56 e8 03 ff ff ff 8b 4e 20 3b 8f c8 00 00 00 75 09 8b 4b 20 89 8f c8 00 00 00 6a 01 53 e8 e7 fe ff ff 8b 07 8b cf ff 90 f0 01 00 00 5f 5e 5b 5d c2 08 00 8b ff 55 8b ec f6 05 4c 53 57 00 01 53 56 57 8b f1 bf 48 53 57 00 75 1f 83 0d 4c 53 57 00 01 e8 c8 6b fc ff 50 8b cf e8 6f 25 fb ff 68 3b 62 52 00 e8 1f 26 0b 00 59 8b 5d 0c Data Ascii: eE~PSVjuJt!}tt P8PSEE;E\|[3@3_^USVuWuj]t;tjVN ;uK jS_^[]ULSWSVWHSWuLSWkPo%h;bR&Y]
2022-11-04 12:16:09 UTC	314	IN	Data Raw: ff 73 78 8b 10 53 83 ec 10 8b fc 8d 75 b0 a5 a5 a5 a5 8b b5 2c ff ff ff 56 8b c8 ff 92 44 01 00 00 8b bb 00 01 00 00 83 8d 28 ff ff ff ff 83 8d 24 ff ff ff ff 89 85 20 ff ff ff 85 ff 0f 84 b9 00 00 00 8b c7 85 ff 0f 84 51 02 00 00 8b 70 08 83 7e 0c 00 8b 85 20 ff ff ff 8b 3f 89 46 20 0f 85 89 00 00 00 83 7e 18 00 8b 06 74 44 83 bd 24 ff ff ff ff 75 05 8d 4d e0 eb 22 8d 8d 60 ff ff ff 51 8b ce ff 50 0c 8b 40 08 83 c0 02 39 85 24 ff ff ff 7f 59 8b 06 8d 8d 50 ff ff ff 51 8b ce ff 50 0c 8b 40 08 83 c0 02 89 85 24 ff ff ff eb 3d 83 bd 28 ff ff ff ff 75 08 8d 8d 30 ff ff ff eb 1e 8d 8d 40 ff ff ff 51 8b ce ff 50 0c 8b 8d 28 ff ff ff 3b 08 7c 16 8b 06 8d 8d 70 ff ff ff 51 8b ce ff 50 0c 8b 00 89 85 28 ff ff ff 85 ff 0f 85 4d ff ff ff 8b b5 2c ff ff ff 6a 01 8b Data Ascii: sxSu,VD($ Qp~ ?F ~tD$uM"`QP@9$YPQP@$=(u0@QP(;\|pQP(M,j
2022-11-04 12:16:09 UTC	316	IN	Data Raw: 50 8b ce e8 c2 f7 fd ff 8b 8d 2c fc ff ff 8b 01 8d 55 e0 52 ff 50 0c 8b 45 e0 8b bd 20 fc ff ff 89 85 24 fc ff ff 8b 45 e4 89 85 28 fc ff ff 8d 85 24 fc ff ff 50 ff 77 20 ff 15 6c 76 52 00 8d 85 1c fc ff ff 50 e8 cb ae ff ff 8b 8d 28 fc ff ff 8b 06 53 53 83 c1 f7 53 51 8b 8d 24 fc ff ff 83 c1 fe 51 57 8b ce ff 90 08 02 00 00 c7 86 ac 0e 00 00 01 00 00 00 8b 47 20 8b ce 89 46 54 e8 57 f9 fd ff 8d 8d f8 fe ff ff c7 86 b8 10 00 00 01 00 00 00 c6 45 fc 09 e8 58 35 02 00 8b 8d 38 fc ff ff 83 c1 f0 e8 dd 1a fb ff 8d 8d 28 fd ff ff c6 45 fc 04 e8 3b 35 02 00 8d 8d 10 fe ff ff 88 5d fc e8 2d 35 02 00 8b 8d 3c fc ff ff 83 c1 f0 e8 b2 1a fb ff e8 22 24 0b 00 c2 04 00 6a 2c b8 f8 b6 51 00 e8 90 23 0b 00 8b 7d 08 33 db f6 47 18 01 8b f1 0f 84 d2 00 00 00 8d 45 d0 50 Data Ascii: P,URPE $E($Pw lvRP(SSSQ$QWG FTWEX58(E;5]-5<"$j,Q#}3GEP
2022-11-04 12:16:09 UTC	317	IN	Data Raw: bf 8b 4d fc 8b 59 24 be c0 57 53 00 85 db 0f 84 ab 00 00 00 8b c3 85 db 74 3d 8b 78 08 8b 1b 8b cf e8 24 39 fc ff 3b 45 08 74 31 68 14 18 54 00 8b cf e8 1c ee fc ff 85 c0 74 28 57 68 14 18 54 00 e8 2b ee fc ff 8b 10 59 59 ff 75 08 8b c8 ff 92 cc 03 00 00 eb 50 e8 d0 59 fc ff 8b c7 e9 be 00 00 00 68 00 5d 53 00 8b cf e8 e4 ed fc ff 8b cf 85 c0 74 1a ff 75 08 e8 ac f4 02 00 85 c0 74 33 50 56 e8 e9 ed fc ff 59 59 e9 92 00 00 00 68 d0 76 53 00 e8 ba ed fc ff 85 c0 74 17 ff 75 08 8b cf e8 46 37 fc ff 50 56 e8 c3 ed fc ff 59 59 85 c0 75 6d 85 db 0f 85 58 ff ff ff 8b 4d fc 83 7d 0c 00 74 5a 8b b9 cc 00 00 00 eb 40 8b c7 85 ff 74 84 ff 70 08 8b 3f 68 08 d6 56 00 e8 8f ed fc ff 59 59 85 c0 74 25 8b 10 8b c8 ff 92 a4 01 00 00 50 56 e8 78 ed fc ff 8b d8 59 59 85 db Data Ascii: MY$WSt=x$9;Et1hTt(WhT+YYuPYh]Stut3PVYYhvStuF7PVYYumXM}tZ@tp?hVYYt%PVxYY
2022-11-04 12:16:09 UTC	318	IN	Data Raw: 89 70 0c eb 69 f7 c7 00 80 00 00 74 61 03 da 89 58 04 eb 5a 8b 51 04 2b 51 0c 8b 70 0c 2b 50 04 03 d6 74 05 03 f2 89 70 0c 8b 50 08 8b 18 89 55 0c 8b 51 08 8b 09 8b f1 2b f2 2b d1 8b 4d 0c 2b f3 03 75 0c 2b cb 3b ca 7e 24 83 7d 18 00 74 1e f7 c7 00 10 00 00 74 0a 8b 4d 0c 2b ce 89 48 08 eb 0c f7 c7 00 40 00 00 74 04 03 de 89 18 5f 5e 5b 5d c2 14 00 8b ff 55 8b ec 83 ec 0c 53 8b 59 24 56 57 89 4d f4 bf c0 57 53 00 85 db 0f 84 d5 00 00 00 8b c3 85 db 0f 84 5b 01 00 00 ff 70 08 8b 1b 57 e8 1d e8 fc ff 59 59 8b c8 be 00 5d 53 00 56 89 4d fc e8 ed e7 fc ff 85 c0 74 4f ff 75 fc 56 e8 fe e7 fc ff 8b b0 04 01 00 00 59 59 eb 36 8b c6 85 f6 0f 84 1d 01 00 00 ff 70 08 8b 36 57 e8 df e7 fc ff 83 7d 10 00 59 59 89 45 f8 74 0b 8b 10 8b c8 ff 12 3b 45 10 75 0b ff 75 f8 Data Ascii: pitaXZQ+Qp+PtpPUQ++M+u+;~$}ttM+H@t_^[]USY$VWMWS[pWYY]SVMtOuVYY6p6W}YYEt;Euu
2022-11-04 12:16:09 UTC	320	IN	Data Raw: ff ff 3b f3 0f 85 78 ff ff ff 33 c0 8b 4d fc 5f 5e 33 cd 5b e8 11 01 0b 00 c9 c2 1c 00 e8 b2 4e fc ff cc 8b ff 55 8b ec 53 56 57 ff 75 1c 8b f9 8b 07 6a 01 68 6c ec 56 00 6a 01 ff 75 10 ff 75 0c ff 75 08 ff 50 10 8b 75 18 89 06 85 c0 75 74 8b 07 6a 01 6a 00 ff 75 0c 8b cf ff 75 08 ff 50 14 8b d8 85 db 74 58 8b 4d 20 8b 01 6a 00 ff 90 24 02 00 00 3b c3 74 47 8b 03 6a 01 ff 75 0c 8b cb ff 75 08 ff 90 e8 01 00 00 83 f8 02 75 30 8b 03 8b cb ff 90 a0 01 00 00 83 f8 01 75 21 8b 03 8b cb ff 90 a8 01 00 00 50 68 c0 57 53 00 e8 66 e2 fc ff 59 59 89 06 6a 03 58 e9 b8 00 00 00 83 3e 00 74 7f 8b 0e 8b 01 6a 00 ff 90 24 02 00 00 85 c0 74 1d 8b 4d 20 8b 01 ff 90 bc 01 00 00 a8 40 74 0e 8b 0e 8b 01 ff 90 bc 01 00 00 a8 40 75 10 8b 0e 8b 01 6a 00 ff 90 24 02 00 00 85 c0 Data Ascii: ;x3M_^3[NUSVWujhlVjuuuPuutjjuuPtXM j$;tGjuuu0u!PhWSfYYjX>tj$tM @t@uj$
2022-11-04 12:16:09 UTC	321	IN	Data Raw: 00 8b 03 83 65 d4 00 83 65 dc 00 56 6a 01 57 be 08 d6 56 00 56 89 45 e4 e8 50 dd fc ff 59 59 50 ff 75 10 8b 45 e4 ff 75 0c 8b cb ff 50 14 85 c0 74 2b ff 75 e0 8b 10 ff 75 d8 8b c8 ff 75 e8 ff 75 10 ff 75 0c 57 ff 92 bc 01 00 00 ff 75 e8 ff 15 cc 75 52 00 85 c0 0f 84 26 02 00 00 8b 83 b8 01 00 00 85 c0 74 2e 83 78 08 00 74 28 83 78 04 00 74 22 57 56 e8 f3 dc fc ff 8b 10 59 59 8b c8 ff 92 a4 01 00 00 50 68 c0 57 53 00 e8 dc dc fc ff 59 59 eb 02 33 c0 8b 13 50 6a 01 6a 00 6a 01 ff 35 78 d6 56 00 8b cb ff 75 10 ff 75 0c ff 52 10 50 68 6c ec 56 00 e8 b1 dc fc ff 59 59 8b c8 89 4d e4 85 c9 74 59 e8 2d e2 05 00 85 c0 74 50 56 8b cf e8 77 dc fc ff 85 c0 74 1d 57 56 e8 8a dc fc ff 59 59 8b 4d e4 8b 11 50 ff 92 38 03 00 00 85 c0 0f 84 8a 01 00 00 8b 4d e4 e8 f8 e1 Data Ascii: eeVjWVVEPYYPuEuPt+uuuuuWuuR&t.xt(xt"WVYYPhWSYY3Pjjj5xVuuRPhlVYYMtY-tPVwtWVYYMP8M
2022-11-04 12:16:09 UTC	323	IN	Data Raw: 4d c8 ff 75 d8 8b 01 ff 90 a0 02 00 00 85 c0 74 48 33 c0 eb 5a 83 7d d4 02 75 16 39 5d cc 75 39 8b 17 50 ff 75 d8 8b cf 50 ff 92 8c 01 00 00 eb 38 83 7d d4 03 75 22 39 5d cc 75 1d 8b 17 50 ff 75 d8 8b cf 6a 02 ff 92 8c 01 00 00 89 45 d4 8b 06 53 8b ce ff 50 38 eb 13 8b 07 6a 01 ff 75 d8 8b cf 53 ff 90 8c 01 00 00 89 45 d4 8b 45 d4 5b 8b 4d fc 5f 33 cd 5e e8 56 f5 0a 00 c9 c2 04 00 8b ff 55 8b ec 81 65 08 00 f0 00 00 56 8b 71 28 85 f6 74 5a 57 8b c6 85 f6 74 58 83 7d 0c 00 8b 76 04 8b 78 08 74 20 68 c0 45 53 00 8b cf e8 f0 d6 fc ff 85 c0 75 32 68 90 c3 53 00 8b cf e8 e0 d6 fc ff 85 c0 75 22 8b 07 83 65 0c 00 8b cf ff 90 90 01 00 00 3b 45 08 74 06 83 7d 08 00 75 09 ff 77 20 ff 15 64 75 52 00 85 f6 75 a8 5f 5e 5d c2 08 00 e8 84 42 fc ff cc 8b ff 53 33 db 57 Data Ascii: MutH3Z}u9]u9PuP8}u"9]uPujESP8juSEE[M_3^VUeVq(tZWtX}vxt hESu2hSu"e;Et}uw duRu_^]BS3W
2022-11-04 12:16:09 UTC	323	IN	Data Raw: f5 8b 48 08 8b 01 8b 36 ff 90 cc 01 00 00 3b f3 75 e9 eb ad 8b ff 55 8b ec 83 ec 28 a1 54 04 57 00 33 c5 89 45 fc 53 56 8b 75 08 8b 06 57 8b f9 8b ce ff 90 90 01 00 00 89 45 d8 33 c0 89 45 ec 89 45 f0 89 45 f4 89 45 f8 8d 45 ec 50 ff 76 20 ff 15 04 78 52 00 8b 5f 24 e9 94 01 00 00 8b c3 85 db 0f 84 a3 01 00 00 8b 78 08 8b 1b 68 fc 24 54 00 8b cf e8 8e d5 fc ff 85 c0 0f 84 71 01 00 00 57 68 fc 24 54 00 e8 99 d5 fc ff 8b f8 59 59 3b fe 0f 84 5a 01 00 00 8b 07 8b cf ff 90 60 01 00 00 85 c0 74 12 8b 06 8b ce ff 90 60 01 00 00 85 c0 0f 85 3a 01 00 00 8b 07 8b cf ff 90 60 01 00 00 85 c0 75 12 8b 06 8b ce ff 90 60 01 00 00 85 c0 0f 84 1a 01 00 00 33 c0 89 45 dc 89 45 e0 89 45 e4 89 45 e8 8d 45 dc 50 ff 77 20 ff 15 04 78 52 00 8d 45 dc 50 ff 15 cc 75 52 00 85 c0 Data Ascii: H6;uU(TW3ESVuWE3EEEEEPv xR_$xh$TqWh$TYY;Z`t`:`u`3EEEEEPw xREPuR
2022-11-04 12:16:09 UTC	325	IN	Data Raw: 45 ec 3b c3 0f 84 76 02 00 00 8b 45 ec 3b c3 0f 84 31 fd ff ff 8b 08 8b 70 08 8b 06 89 4d ec 8b ce ff 90 68 01 00 00 85 c0 74 5e ff 76 20 8b 3d 08 78 52 00 ff d7 50 e8 46 de fb ff ff 70 20 ff d7 50 e8 3b de fb ff 8b f8 8b 45 e8 ff b0 e4 00 00 00 8b ce e8 ab 95 fe ff 8b 07 56 8b cf ff 90 c4 03 00 00 68 6c ec 56 00 8b ce e8 eb cf fc ff 85 c0 74 0c 8b 06 6a 01 8b ce ff 90 ec 01 00 00 6a 05 8b ce e8 4d 1b fc ff 8b 06 53 8b ce ff 90 24 02 00 00 3b c3 74 0d 8b 10 53 53 56 8b c8 ff 92 78 01 00 00 8b 45 e8 ff b0 e4 00 00 00 8b ce e8 4f 95 fe ff 68 6c ec 56 00 8b ce e8 9a cf fc ff 85 c0 0f 84 ab 01 00 00 56 68 6c ec 56 00 e8 a5 cf fc ff 8d b0 88 02 00 00 8d 7d d4 a5 a5 a5 8b 10 59 59 a5 8b 4d e0 2b 4d d8 53 6a 34 51 8b 4d dc 2b 4d d4 89 45 f0 51 ff 75 d8 8b c8 ff Data Ascii: E;vE;1pMht^v =xRPFp P;EVhlVtjjMS$;tSSVxEOhlVVhlV}YYM+MSj4QM+MEQu
2022-11-04 12:16:09 UTC	326	IN	Data Raw: 85 c0 0f 84 c9 00 00 00 68 6c ec 56 00 8b ce e8 9b ca fc ff 85 c0 0f 85 b5 00 00 00 68 fc 24 54 00 8b ce e8 87 ca fc ff 85 c0 0f 85 a1 00 00 00 68 90 c3 53 00 8b ce e8 73 ca fc ff 85 c0 0f 85 8d 00 00 00 8b 06 57 6a 01 57 8b ce ff 90 20 02 00 00 56 8d 8b 34 01 00 00 e8 55 19 fd ff eb 71 8b 06 8b ce ff 90 78 01 00 00 85 c0 74 28 8b 06 8b ce ff 90 48 02 00 00 85 c0 74 1a 8b 06 57 6a 01 57 8b ce ff 90 20 02 00 00 56 8d 8b 34 01 00 00 e8 1d 19 fd ff 8b b3 cc 00 00 00 3b f7 74 31 8b c6 85 f6 74 3d 8b 78 08 ff 77 20 8b 36 ff 15 6c 78 52 00 85 c0 74 15 6a 00 8b cf e8 69 15 fc ff 57 8d 8b 34 01 00 00 e8 e6 18 fd ff 85 f6 75 cf 33 ff 39 7d 08 0f 85 de fe ff ff 5e 5f 5b 5d c2 04 00 e8 a0 35 fc ff cc 8b ff 55 8b ec 51 53 33 db 56 8b f1 39 5d 08 74 59 39 9e 30 01 00 Data Ascii: hlVh$ThSsWjW V4Uqxt(HtWjW V4;t1t=xw 6lxRtjiW4u39}^_[]5UQS3V9]tY90
2022-11-04 12:16:09 UTC	327	IN	Data Raw: e8 75 ff ff ff 4b 75 e6 5b 5f 5e 5d c2 04 00 8b ff 55 8b ec 8b 45 0c 56 85 c0 75 05 8b 71 04 eb 16 8b 30 eb 12 ff 75 08 8d 46 08 50 e8 2a 6b 06 00 85 c0 75 0d 8b 36 85 f6 75 ea 33 c0 5e 5d c2 08 00 8b c6 eb f7 8b ff 55 8b ec 56 8b f1 8d 4e 1c c7 01 f4 01 53 00 e8 cb 15 05 00 f6 45 08 01 74 07 56 e8 3f 9e fb ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 56 8b f1 83 7e 10 00 57 75 2b 6a 50 ff 76 18 8d 46 14 50 e8 5c b6 fc ff 8b 4e 18 8b d1 6b d2 50 49 8d 44 10 b4 78 0e 8b 56 10 89 10 89 46 10 83 e8 50 49 79 f2 8b 7e 10 85 ff 75 05 e8 26 30 fc ff 8b 07 89 46 10 8b 45 08 89 47 04 8b 45 0c 89 07 ff 46 0c 8d 4f 08 85 c9 74 05 e8 c3 df ff ff 8b c7 5f 5e 5d c2 08 00 8b ff 55 8b ec 83 ec 24 a1 54 04 57 00 33 c5 89 45 fc 53 8b 5d 08 8b 03 56 8b 75 0c 57 8b f9 8b cb 89 Data Ascii: uKu[_^]UEVuq0uFP*ku6u3^]UVNSEtV?Y^]UV~Wu+jPvFP\NkPIDxVFPIy~u&0FEGEFOt_^]U$TW3ES]VuW
2022-11-04 12:16:09 UTC	329	IN	Data Raw: 77 38 fc ff 8b 03 8b cb ff 90 60 01 00 00 85 c0 74 0a 8b 45 d4 2b 45 cc 85 c0 7f 18 8b 03 8b cb ff 90 60 01 00 00 85 c0 75 18 8b 45 d8 2b 45 d0 85 c0 7e 0e 8b 03 8d 4d cc 51 8b cb ff 90 94 02 00 00 8d 75 a4 8d 7d cc a5 a5 a5 a5 68 90 c3 53 00 8b cb e8 ff be fc ff 85 c0 74 14 8b 03 8d 4d c4 51 8d 4d cc 51 8b cb ff 90 80 02 00 00 eb 42 8d 45 cc 50 ff 73 20 ff 15 08 78 52 00 50 e8 fb cc fb ff 8b c8 e8 f1 37 fc ff ff 75 c4 8b 45 d8 2b 45 d0 8b 4d d4 2b 4d cc 8b 13 6a 14 50 51 ff 75 d0 8b cb ff 75 cc 6a 00 ff 92 34 02 00 00 89 45 c4 f7 45 c0 00 20 00 00 74 0b 8b 45 b0 2b 45 a8 01 45 f0 eb 31 f7 45 c0 00 80 00 00 74 0b 8b 45 a8 2b 45 b0 01 45 f8 eb 1d f7 45 c0 00 10 00 00 74 0b 8b 45 ac 2b 45 a4 01 45 ec eb 09 8b 45 a4 2b 45 ac 01 45 f4 8b 45 b8 39 45 c8 75 10 Data Ascii: w8`tE+E`uE+E~MQu}hStMQMQBEPs xRP7uE+EM+MjPQuuj4EE tE+EE1EtE+EEEtE+EEE+EEE9Eu
2022-11-04 12:16:09 UTC	330	IN	Data Raw: 91 00 00 00 8b c7 85 ff 0f 84 94 00 00 00 8b 70 08 8b 3f 85 f6 75 04 33 db eb 03 8b 5e 20 53 89 5d 08 ff 15 20 77 52 00 85 c0 74 69 53 ff 15 6c 78 52 00 85 c0 74 5e 83 7d fc 00 74 28 56 68 08 d6 56 00 e8 81 b9 fc ff 8b 10 59 59 8b c8 ff 92 a4 01 00 00 50 68 10 40 53 00 e8 6a b9 fc ff 59 59 85 c0 74 30 6a 00 53 ff 15 c4 76 52 00 8b 75 f8 6a 00 8d 45 08 50 8d 8e 64 01 00 00 e8 35 f4 ff ff 85 c0 75 0f 8d 45 08 50 8d 8e 64 01 00 00 e8 8d f3 ff ff 85 ff 0f 85 67 ff ff ff e9 50 ff ff ff e8 dd 24 fc ff cc 8b ff 55 8b ec 8b 45 08 85 c0 75 05 21 45 08 eb 06 8b 40 20 89 45 08 8d 45 08 50 81 c1 9c 01 00 00 e8 54 f3 ff ff 5d c2 04 00 8b ff 55 8b ec 8b 45 08 85 c0 75 04 33 d2 eb 03 8b 50 20 8b 81 a0 01 00 00 eb 07 39 50 08 74 08 8b 00 85 c0 75 f5 eb 0c 50 81 c1 9c 01 Data Ascii: p?u3^ S] wRtiSlxRt^}t(VhVYYPh@SjYYt0jSvRujEPd5uEPdgP$UEu!E@ EEPT]UEu3P 9PtuP
2022-11-04 12:16:09 UTC	332	IN	Data Raw: ff 85 c0 75 0b 8b 03 6a 01 8b cb ff 50 34 eb 0c 8b 10 6a 01 8b c8 ff 92 74 01 00 00 8b 4d fc e8 6b d1 02 00 eb 95 33 c0 5f 5e 5b c9 c2 10 00 8b ff 55 8b ec 56 8b f1 e8 f4 fd ff ff f6 45 08 01 74 07 56 e8 5b 8d fb ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 56 57 8b f1 6a 00 ff 76 08 e8 09 ef ff ff ff 75 08 8b f8 8d 4f 08 e8 8b fb ff ff 8b 46 08 85 c0 74 04 89 38 eb 03 89 7e 04 89 7e 08 8b c7 5f 5e 5d c2 04 00 6a 50 b8 d7 b8 51 00 e8 e5 e3 0a 00 8b 7d 08 8b 47 18 f7 d0 8b d9 8b cf a8 01 74 21 ff 73 0c e8 bd a1 fc ff 8b 73 04 eb 0e 6a 01 8d 46 08 50 57 e8 52 ce ff ff 8b 36 85 f6 75 ee eb 5a e8 d0 a1 fc ff 89 45 a4 85 c0 74 4e be 11 16 45 00 ff 4d a4 56 68 9c 05 45 00 6a 01 6a 48 8d 45 a8 50 e8 76 2f 0b 00 83 65 fc 00 6a 01 8d 45 a8 50 57 e8 13 ce ff ff 8d 45 Data Ascii: ujP4jtMk3_^[UVEtV[Y^]UVWjvuOFt8~~_^]jPQ}Gt!ssjFPWR6uZEtNEMVhEjjHEPv/ejEPWE
2022-11-04 12:16:09 UTC	333	IN	Data Raw: 00 83 7d e4 00 74 09 ff 75 e4 e8 e8 87 fb ff 59 8b 4d d4 c6 45 fc 01 85 c9 74 07 8b 01 6a 01 ff 50 04 8b 4d e0 83 c1 f0 e8 af d5 fa ff 8b 4d e8 83 c1 f0 e8 a4 d5 fa ff 8b 45 dc e8 fd de 0a 00 c2 08 00 8b 4d cc e8 d9 18 fc ff 8b 45 ec c7 80 5c 01 00 00 01 00 00 00 c7 45 fc 02 00 00 00 b8 19 3c 45 00 c3 eb 9a 8b 4d c8 e8 b5 18 fc ff 8b 75 ec 8b 7e 5c 85 ff 74 38 be 90 c3 53 00 8b c7 85 ff 0f 84 6c fe ff ff 8b 58 08 8b 3f 56 8b cb e8 be ad fc ff 85 c0 8b 03 8b cb 74 05 ff 50 60 eb 08 6a 00 ff 90 b0 01 00 00 85 ff 75 d0 8b 75 ec 8d 4e 58 e8 28 10 00 00 c7 86 5c 01 00 00 01 00 00 00 c7 45 fc 02 00 00 00 b8 84 3c 45 00 c3 e9 2c ff ff ff 8b 75 ec 8b 7e 5c 85 ff 74 38 be 90 c3 53 00 8b c7 85 ff 0f 84 06 fe ff ff 8b 58 08 8b 3f 56 8b cb e8 58 ad fc ff 85 c0 8b 03 Data Ascii: }tuYMEtjPMMEME\E<EMu~\t8SlX?VtP`juuNX(\E<E,u~\t8SX?VX
2022-11-04 12:16:09 UTC	334	IN	Data Raw: 8b 10 8b c8 ff 52 08 57 8d 4e 74 e8 9b f7 fc ff ff 4d 98 75 b3 8b 4d a4 8d 45 9c 50 e8 7d fd fc ff 8b 45 9c 33 ff 89 7d 98 3b c7 0f 8e a8 01 00 00 89 45 a0 8b 5d a4 8d 45 98 50 8b cb e8 5c fd fc ff 83 7d 98 00 0f 84 b9 00 00 00 8d 45 94 50 8b cb e8 47 fd fc ff 83 7d 94 ff 74 1b 8b 06 6a 01 ff 75 94 8b ce ff 50 24 50 68 6c ec 56 00 e8 51 a8 fc ff 59 59 eb 19 8d 45 94 50 8b cb e8 1b fd fc ff 85 ff 74 6a ff 75 94 8b cf e8 81 8c 05 00 8b d8 85 db 74 5a 8b 03 8b cb ff 90 d8 01 00 00 85 c0 74 15 8b 03 6a 01 6a 00 68 00 f0 00 00 6a 00 8b cb ff 90 68 03 00 00 85 ff 74 25 8b 47 20 89 83 40 03 00 00 8b 03 05 dc 01 00 00 89 45 9c 8b 07 8b cf ff 90 90 01 00 00 50 8b 45 9c 8b cb ff 10 53 8d 4e 58 e8 0e 0b 00 00 e9 df 00 00 00 8d 45 94 50 8d 8d 70 ff ff ff e8 1e e2 ff Data Ascii: RWNtMuMEP}E3};E]EP\}EPG}tjuP$PhlVQYYEPtjutZtjjhjht%G @EPESNXEPp
2022-11-04 12:16:09 UTC	336	IN	Data Raw: 85 c0 7e 0e 6a 00 6a 00 68 00 08 00 00 ff 77 04 ff d6 8b 85 74 ff ff ff 8b cb 89 45 84 e8 d0 ed fb ff ff 75 84 50 6a 00 ff 77 04 ff d6 83 65 84 00 8b cb e8 ba ed fb ff 8b 8d 68 ff ff ff 50 e8 87 5a 06 00 89 18 8b 8d 6c ff ff ff 8b 01 ff 45 88 ff 90 a8 01 00 00 39 45 88 0f 8c 14 ff ff ff e9 c2 01 00 00 68 d0 76 53 00 8b cb e8 8a a2 fc ff 85 c0 0f 84 27 01 00 00 53 68 d0 76 53 00 e8 95 a2 fc ff 59 8b d8 59 8b cb e8 5d 82 03 00 6a 00 6a 00 68 0c 04 00 00 ff 70 20 89 85 68 ff ff ff ff 15 dc 76 52 00 8b 8b ac 02 00 00 83 65 88 00 89 85 78 ff ff ff 89 4d 8c c7 45 90 30 02 00 00 85 c0 0f 84 5e 01 00 00 8d 45 8c 50 ff 75 88 8b 85 68 ff ff ff 68 1c 04 00 00 ff 70 20 ff 15 dc 76 52 00 ff 75 ac e8 62 b0 fb ff 50 68 c0 45 53 00 e8 22 a2 fc ff 8b d8 59 59 85 db 0f 84 Data Ascii: ~jjhwtEuPjwehPZlE9EhvS'ShvSYY]jjhp hvRexME0^EPuhhp vRubPhES"YY
2022-11-04 12:16:09 UTC	337	IN	Data Raw: 41 08 8b 50 04 56 8b 70 08 89 51 08 85 d2 74 05 83 22 00 eb 04 83 61 04 00 50 e8 06 eb fc ff 8b c6 5e c3 8b ff 55 8b ec 8b 55 08 3b 51 0c 7d 10 85 d2 78 0c 8b 41 04 74 09 4a 8b 00 75 fb eb 02 33 c0 5d c2 04 00 8b ff 55 8b ec 8b 45 0c 85 c0 75 0d 8b 41 04 eb 0a 8b 48 08 3b 4d 08 74 06 8b 00 85 c0 75 f2 5d c2 08 00 b8 74 d7 56 00 c3 8b ff 55 8b ec 8b c1 33 c9 89 48 0c 89 48 10 89 48 08 89 48 04 89 48 14 8b 4d 08 c7 00 20 03 53 00 89 48 18 5d c2 04 00 c7 01 20 03 53 00 e9 3b ff ff ff 8b ff 55 8b ec 56 8b f1 ff 76 04 6a 00 e8 47 eb fc ff 8b 4d 08 89 48 08 8b 4e 04 85 c9 74 05 89 41 04 eb 03 89 46 08 89 46 04 5e 5d c2 04 00 8b ff 55 8b ec 8b 45 08 56 57 8b f9 85 c0 75 05 e8 42 08 fc ff 8b 70 04 eb 12 8b c6 85 f6 74 f0 ff 70 08 8b 36 8b cf e8 56 eb fc ff 85 f6 Data Ascii: APVpQt"aP^UU;Q}xAtJu3]UEuAH;Mtu]tVU3HHHHHM SH] S;UVvjGMHNtAFF^]UEVWuBptp6V
2022-11-04 12:16:09 UTC	339	IN	Data Raw: 0c 74 73 89 45 08 39 47 08 76 6b 8b 47 04 8b 4d 08 8b 34 88 eb 18 0f b7 46 08 50 8b cb e8 fd 81 fc ff ff 76 04 8b cb e8 62 2e fe ff 8b 36 85 f6 75 e4 ff 45 08 8b 45 08 3b 47 08 72 ce eb 37 e8 fb 85 fc ff 89 45 08 85 c0 74 2b ff 4d 08 8d 45 fc 50 8b cb e8 97 82 fc ff 6a 00 8b cb e8 c8 2e fe ff ff 75 fc 8b cf 8b f0 e8 53 fe ff ff 83 7d 08 00 89 30 75 d5 5f 5e 5b c9 c2 04 00 b8 14 d8 56 00 c3 8b c1 33 c9 c7 00 78 03 53 00 89 48 04 89 48 10 89 48 0c 89 48 08 c3 ff 71 04 c7 01 78 03 53 00 e8 9f 70 fb ff 59 c3 8b ff 55 8b ec 53 56 57 8b 7d 08 33 db 8b f1 3b fb 7d 05 e8 ba 02 fc ff 8b 45 0c 3b c3 7c 03 89 46 10 3b fb 75 14 ff 76 04 e8 6f 70 fb ff 59 89 5e 0c 89 5e 08 e9 ce 00 00 00 8b 4e 04 3b cb 75 1e 83 ff ff 77 cd 57 e8 22 70 fb ff 57 53 50 89 46 04 e8 cb c7 Data Ascii: tsE9GvkGM4FPvb.6uEE;Gr7Et+MEPj.uS}0u_^[V3xSHHHHqxSpYUSVW}3;}E;\|F;uvopY^^N;uwW"pWSPF
2022-11-04 12:16:09 UTC	339	IN	Data Raw: 0a 00 ff 76 04 e8 a1 6f fb ff 8b 45 08 83 c4 24 89 7e 08 89 46 0c 89 5e 04 5f 5e 5b 5d c2 08 00 8b ff 55 8b ec 53 56 8b f1 8b 4d 08 8b 41 18 f7 d0 57 a8 01 74 2f ff 76 08 e8 34 84 fc ff 8b 7e 08 8b 5e 04 85 ff 74 51 be ff ff ff 7f 3b fe 73 02 8b f7 8b 4d 08 56 53 e8 4e 83 fc ff 03 de 2b fe 75 e5 eb 34 e8 39 84 fc ff 6a ff 50 8b ce e8 9a fe ff ff 8b 7e 08 8b 76 04 85 ff 74 1b bb ff ff ff 7f 3b fb 73 02 8b df 8b 4d 08 53 56 e8 8d 65 fb ff 03 f3 2b fb 75 e5 5f 5e 5b 5d c2 04 00 6a 14 e8 d5 6e fb ff 59 33 c9 3b c1 74 13 c7 00 78 03 53 00 89 48 04 89 48 10 89 48 0c 89 48 08 c3 33 c0 c3 8b ff 55 8b ec 56 8b f1 e8 2d fe ff ff f6 45 08 01 74 07 56 e8 ce 6e fb ff 59 8b c6 5e 5d c2 04 00 b8 98 03 53 00 c3 8b ff 56 8b f1 e8 11 54 08 00 33 c0 89 86 38 01 00 00 89 86 Data Ascii: voE$~F^_^[]USVMAWt/v4~^tQ;sMVSN+u49jP~vt;sMSVe+u_^[]jnY3;txSHHHH3UV-EtVnY^]SVT38
2022-11-04 12:16:09 UTC	341	IN	Data Raw: 76 52 00 c2 08 00 8b ff 55 8b ec 56 8b f1 c7 06 bc 03 53 00 e8 bc 4e 08 00 f6 45 08 01 74 07 56 e8 da 69 fb ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 83 ec 6c 53 56 6a 3c 33 f6 8d 45 94 56 50 8b d9 e8 3d c1 0a 00 8b 45 08 83 c4 0c 89 45 98 8d 45 94 50 56 68 4b 10 00 00 ff 73 20 c7 45 94 04 00 00 00 ff 15 dc 76 52 00 85 c0 0f 84 83 01 00 00 8b 45 b4 89 45 f4 3b c6 0f 84 75 01 00 00 8b 08 3b ce 0f 84 6b 01 00 00 83 c0 08 89 45 08 39 30 0f 84 5d 01 00 00 89 4d fc 3b ce 75 14 8d 45 fc 50 ff 15 e8 74 52 00 85 c0 0f 88 44 01 00 00 eb 06 8b 01 51 ff 50 04 8b 45 fc 3b c6 0f 84 31 01 00 00 57 8d 55 f8 52 ff 75 08 bf 00 00 00 20 6a 01 89 7d f8 8b 08 50 ff 51 24 85 7d f8 74 12 ff 75 f4 8b 03 8b cb ff 90 84 01 00 00 e9 f8 00 00 00 8b 43 20 8b 4d fc 8b 11 8d 7d 08 57 Data Ascii: vRUVSNEtViY^]UlSVj<3EVP=EEEPVhKs EvREE;u;kE90]M;uEPtRDQPE;1WURu j}PQ$}tuC M}W
2022-11-04 12:16:09 UTC	342	IN	Data Raw: a1 2c 68 57 00 53 33 db 56 8b f1 39 58 04 75 05 e8 73 f6 fb ff 39 1d 04 54 57 00 0f 85 66 03 00 00 39 9e 48 01 00 00 75 0a e8 02 98 fb ff e9 54 03 00 00 39 9e 38 01 00 00 0f 84 48 03 00 00 57 8b 3d dc 76 52 00 53 53 68 32 10 00 00 ff 76 20 ff d7 8b 4d 0c 8b d0 83 c8 ff 89 55 c4 89 45 d0 3b c8 75 61 39 45 10 75 5c 3b d3 0f 84 15 03 00 00 8b c8 76 17 89 55 cc 6a 02 50 68 0c 10 00 00 ff 76 20 ff d7 ff 4d cc 8b c8 75 ec 53 8d 45 ec 50 51 8b ce 89 5d ec 89 5d f0 89 5d f4 89 5d f8 e8 07 17 fc ff 85 c0 74 58 8b 45 ec 89 45 0c 8b 45 f8 40 89 45 10 8d 45 0c 50 ff 76 20 ff 15 6c 76 52 00 eb 3c 8b 45 10 89 45 e8 8d 45 e4 50 ff 76 20 89 4d e4 ff 15 44 78 52 00 8d 45 e4 50 53 68 12 10 00 00 ff 76 20 c7 45 ec 01 00 00 00 ff d7 f6 45 ec 0e 0f 84 8b 02 00 00 8b 45 f0 89 Data Ascii: ,hWS3V9Xus9TWf9HuT98HW=vRSSh2v MUE;ua9Eu\;vUjPhv MuSEPQ]]]]tXEEE@EEPv lvR<EEEPv MDxREPShv EEE
2022-11-04 12:16:09 UTC	343	IN	Data Raw: 00 89 45 d8 85 c0 7e 42 8b 06 57 ff 75 08 8d 4d dc ff 75 e0 51 8b ce ff 90 94 01 00 00 ff 30 83 65 fc 00 ff 75 08 8b ce ff 75 e0 e8 c6 12 fc ff 8b 4d dc 83 4d fc ff 83 c1 f0 e8 4d ac fa ff ff 45 08 8b 45 08 3b 45 d8 7c be 8b 45 e8 83 65 f0 00 8b 08 8d 55 f0 52 8d 55 ec 52 6a 01 50 ff 51 0c 85 c0 0f 84 a3 fe ff ff 8b 45 e8 8b 08 50 ff 51 08 8b 45 d4 e8 73 b5 0a 00 c2 08 00 6a 10 b8 8e ba 51 00 e8 8c b4 0a 00 8b f1 e8 cd f1 fb ff 50 8d 4d ec e8 73 ab fa ff ff 75 08 83 65 fc 00 8d 45 ec 50 ff 75 0c e8 58 ce fc ff ff 75 ec 8d 4d e4 e8 5c 05 00 00 c6 45 fc 01 e8 9d f1 fb ff 50 8d 4d f0 e8 43 ab fa ff 6a 00 8d 45 f0 50 68 98 05 53 00 8d 4d e4 c6 45 fc 02 e8 70 05 00 00 85 c0 74 29 8b 45 f0 83 78 f4 00 74 20 8d 4d f0 e8 17 50 fb ff 68 cc bf 52 00 8d 4d f0 e8 8a Data Ascii: E~BWuMuQ0euuMMMEE;E\|EeURURjPQEPQEsjQPMsueEPuXuM\EPMCjEPhSMEpt)Ext MPhRM
2022-11-04 12:16:09 UTC	345	IN	Data Raw: c0 74 12 83 e8 08 81 38 dd dd 00 00 75 07 50 e8 ee a1 0a 00 59 5d c3 c7 01 d0 09 53 00 8b 49 04 83 e9 10 e9 b8 a6 fa ff 8b ff 55 8b ec 56 8b f1 e8 e2 ff ff ff f6 45 08 01 74 07 56 e8 ba 58 fb ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 8b 45 08 85 c0 75 05 b8 c0 18 55 00 50 83 c1 04 e8 7d fa fa ff 5d c2 04 00 6a 04 b8 7d 35 52 00 e8 f6 ae 0a 00 8b f1 89 75 f0 c7 06 d0 09 53 00 e8 2e ec fb ff 50 8d 4e 04 e8 d4 a5 fa ff ff 75 08 83 65 fc 00 8b ce e8 af ff ff ff 8b c6 e8 a0 af 0a 00 c2 04 00 6a 30 b8 80 bb 51 00 e8 b9 ae 0a 00 8d 79 04 8b 07 8b 40 f4 33 f6 68 28 bc 52 00 8d 4d f0 89 75 e8 89 45 d8 e8 a3 fa fa ff ff 75 08 8d 4d f0 89 75 fc e8 c5 53 fb ff 6a 3e 8d 4d f0 e8 c3 a8 fb ff 8b 45 f0 8b 58 f4 56 50 8b cf 89 5d d4 e8 15 59 fc ff 89 45 d0 3b c6 0f 8c 1b Data Ascii: t8uPY]SIUVEtVXY^]UEuUP}]j}5RuS.PNuej0Qy@3h(RMuEuMuSj>MEXVP]YE;
2022-11-04 12:16:09 UTC	346	IN	Data Raw: 10 56 8b 71 20 ff 92 b8 01 00 00 56 ff 15 20 77 52 00 85 c0 74 07 56 ff 15 24 77 52 00 5e c3 8b ff 55 8b ec 56 8b f1 c7 06 e4 09 53 00 e8 20 b9 00 00 f6 45 08 01 74 07 56 e8 11 53 fb ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 83 b9 b8 00 00 00 00 74 07 8b 45 08 83 48 18 01 e8 cc 86 fb ff 5d c2 04 00 8b ff 55 8b ec 83 7d 08 09 56 57 8b f9 75 3c 8b 8f bc 00 00 00 8b 01 ff 90 70 01 00 00 83 f8 01 75 29 8b 87 bc 00 00 00 83 b8 cc 00 00 00 00 74 1a 8b 45 10 c1 e0 10 0b 45 0c 8b cf 50 6a 0d 68 00 01 00 00 e8 cb 63 fb ff eb 07 8b cf e8 76 86 fb ff 5f 5e 5d c2 0c 00 6a 6c b8 a3 bb 51 00 e8 5e a9 0a 00 8b d9 33 f6 3b de 0f 84 6f 01 00 00 39 73 20 0f 84 66 01 00 00 8b 03 ff 90 c0 01 00 00 50 e8 e7 86 fb ff 89 45 a0 3b c6 0f 84 4d 01 00 00 8d 45 e0 50 ff 73 20 89 75 Data Ascii: Vq V wRtV$wR^UVS EtVSY^]UtEH]U}VWu<pu)tEEPjhcv_^]jlQ^3;o9s fPE;MEPs u
2022-11-04 12:16:09 UTC	348	IN	Data Raw: 8b 8e 04 01 00 00 57 57 57 57 6a 04 8b d8 57 53 e8 d8 06 fc ff 3b df 75 0b 8b 06 57 8b ce ff 90 78 01 00 00 8b c3 5b eb 03 83 c8 ff 5f 5e 5d c2 0c 00 85 c9 74 23 83 79 20 00 74 1d 8b 89 04 01 00 00 85 c9 74 13 6a 00 6a 00 68 04 10 00 00 ff 71 20 ff 15 dc 76 52 00 c3 83 c8 ff c3 8b ff 55 8b ec 85 c9 74 16 83 79 20 00 74 10 8b 89 04 01 00 00 85 c9 74 06 5d e9 a3 01 fc ff 33 c0 5d c2 04 00 8b ff 55 8b ec 33 c0 3b c8 74 21 39 41 20 74 1c 8b 89 04 01 00 00 3b c8 74 12 ff 75 0c 50 50 50 50 6a 04 50 ff 75 08 e8 3f 06 fc ff 5d c2 08 00 8b ff 55 8b ec 8b 45 0c 83 20 00 83 7d 08 00 53 8b d9 74 78 56 8b 35 d4 75 52 00 57 6a 11 c6 45 0c 00 ff d6 bf 00 80 00 00 66 85 c7 74 04 c6 45 0c 08 6a 12 ff d6 66 85 c7 74 04 80 4d 0c 10 6a 10 ff d6 66 85 c7 74 04 80 4d 0c 04 8b Data Ascii: WWWWjWS;uWx[_^]t#y ttjjhq vRUty tt]3]U3;t!9A t;tuPPPPjPu?]UE }StxV5uRWjEftEjftMjftM
2022-11-04 12:16:09 UTC	349	IN	Data Raw: f0 8b 47 18 89 45 f4 8d 45 f0 50 8b 86 04 01 00 00 ff 70 20 ff 15 44 78 52 00 8b 8e 04 01 00 00 6a 00 ff 75 f4 ff 75 f0 e8 46 fb fb ff 89 45 fc 85 c0 78 43 8b 45 f0 2b 86 08 01 00 00 50 e8 29 e3 0a 00 8b 3d d8 77 52 00 59 6a 44 89 45 08 ff d7 39 45 08 7d 21 8b 45 f4 2b 86 0c 01 00 00 50 e8 07 e3 0a 00 59 6a 45 89 45 08 ff d7 39 45 08 7d 05 33 d2 42 eb 02 33 d2 83 c9 ff 8b c1 89 86 08 01 00 00 89 8e 0c 01 00 00 85 d2 0f 84 34 ff ff ff ff 75 fc 8b 06 8b ce ff 90 8c 01 00 00 e9 22 ff ff ff 57 8b ce e8 c1 58 fb ff 5f 5e 5b c9 c2 04 00 c7 01 5c 0b 53 00 e9 b9 be 04 00 c7 01 6c 0b 53 00 e9 ae be 04 00 c7 01 7c 0b 53 00 e9 0f 8b 02 00 8b ff 55 8b ec 56 8b f1 c7 06 5c 0b 53 00 e8 90 be 04 00 f6 45 08 01 74 07 56 e8 04 47 fb ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b Data Ascii: GEEPp DxRjuuFExCE+P)=wRYjDE9E}!E+PYjEE9E}3B34u"WX_^[\SlS\|SUV\SEtVGY^]U
2022-11-04 12:16:09 UTC	350	IN	Data Raw: 00 00 00 33 c9 89 86 d0 00 00 00 89 86 dc 00 00 00 5f 89 8e e4 00 00 00 8b c6 5e c3 83 c8 ff c2 04 00 6a 04 b8 13 bc 51 00 e8 8b 98 0a 00 8b f1 89 75 f0 c7 06 8c 0c 53 00 c7 45 fc 05 00 00 00 eb 15 8d 4e 74 e8 f5 49 03 00 85 c0 74 09 8b 10 6a 01 8b c8 ff 52 04 83 be 80 00 00 00 00 75 e2 8b 8e 00 01 00 00 83 e9 10 e8 c2 8f fa ff 8d 8e f8 00 00 00 c6 45 fc 03 c7 01 a0 bb 52 00 e8 3d 92 fa ff 8d 8e ac 00 00 00 c6 45 fc 02 c7 01 7c 0b 53 00 e8 9f 85 02 00 8d 8e 90 00 00 00 c6 45 fc 01 c7 01 6c 0b 53 00 e8 1e b9 04 00 8d 4e 74 c6 45 fc 00 c7 01 5c 0b 53 00 e8 0c b9 04 00 83 4d fc ff 8b ce e8 78 46 fb ff e8 c2 98 0a 00 c3 6a 6c b8 3e bc 51 00 e8 46 98 0a 00 8b d9 53 8d 4d 8c e8 67 e4 fb ff a1 2c 3a 57 00 83 65 fc 00 50 8d b3 e8 00 00 00 56 ff 75 90 ff 15 ec 77 Data Ascii: 3_^jQuSENtItjRuER=E\|SElSNtE\SMxFjl>QFSMg,:WePVuw
2022-11-04 12:16:09 UTC	351	IN	Data Raw: 00 33 c0 40 89 45 fc 85 c9 74 06 8b 11 50 ff 52 04 8d 8e 10 01 00 00 c6 45 fc 00 c7 01 e4 09 53 00 e8 88 a5 00 00 83 4d fc ff 8b ce e8 51 fd ff ff e8 bb 96 0a 00 c3 8b ff 55 8b ec 56 8b f1 e8 3e fd ff ff f6 45 08 01 74 07 56 e8 5b 3f fb ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 83 7d 0c 00 56 8b f1 8d 8e 00 01 00 00 74 11 ff 75 0c e8 1c e1 fa ff 83 a6 dc 00 00 00 00 eb 0f c7 86 dc 00 00 00 01 00 00 00 e8 44 be fa ff 68 05 01 00 00 6a 00 6a 00 ff 76 20 ff 15 70 78 52 00 8b ce e8 e3 72 fb ff 5e 5d c2 08 00 6a 3c b8 d8 bc 51 00 e8 cc 95 0a 00 8b 45 0c 8b f9 33 db 89 45 cc 3b fb 74 05 39 5f 20 75 07 33 c0 e9 f8 01 00 00 8d 45 d0 50 89 5d d0 89 5d d4 89 5d d8 89 5d dc ff 15 30 76 52 00 68 50 07 00 00 e8 8c 3e fb ff 59 89 45 c8 89 5d fc 3b c3 74 0b 8b c8 e8 d5 Data Ascii: 3@EtPRESMQUV>EtV[?Y^]U}VtuDhjjv pxRr^]j<QE3E;t9_ u3EP]]]]0vRhP>YE];t
2022-11-04 12:16:09 UTC	353	IN	Data Raw: bd 51 00 e8 65 90 0a 00 8b f1 e8 a6 cd fb ff 50 8d 4d f0 e8 4c 87 fa ff ff 75 08 8d 45 f0 50 ff 75 0c 33 ff 89 7d fc e8 30 aa fc ff ff 75 f0 8d 4d d4 e8 34 e1 ff ff 8d 45 ec 50 33 db 68 00 12 53 00 8d 45 d4 43 50 88 5d fc 89 5d ec e8 99 a9 fc ff 85 c0 74 09 8b 45 ec 89 86 d4 00 00 00 8d 45 e8 50 68 d0 11 53 00 8d 45 d4 50 89 7d 08 89 7d e8 e8 74 a9 fc ff 85 c0 74 13 39 7d e8 74 0e 6a f5 8b ce e8 e4 e9 ff ff 83 f8 ff 74 03 8b 5d 08 8d 45 e4 50 68 9c 11 53 00 8d 45 d4 50 89 7d e4 e8 45 a9 fc ff 85 c0 74 16 39 7d e4 74 11 6a f4 8b ce e8 b5 e9 ff ff 83 f8 ff 75 03 83 cb 02 8d 45 e0 50 68 70 11 53 00 8d 45 d4 50 89 7d e0 e8 16 a9 fc ff 85 c0 74 16 39 7d e0 74 11 6a f3 8b ce e8 86 e9 ff ff 83 f8 ff 75 03 83 cb 04 8d 45 dc 50 68 40 11 53 00 8d 45 d4 50 89 7d dc Data Ascii: QePMLuEPu3}0uM4EP3hSECP]]tEEPhSEP}}tt9}tjt]EPhSEP}Et9}tjuEPhpSEP}t9}tjuEPh@SEP}
2022-11-04 12:16:09 UTC	354	IN	Data Raw: ff 6a 02 68 02 11 00 00 ff 77 20 ff d6 ff b5 84 fa ff ff 83 a5 78 fa ff ff 00 6a 04 53 ff 77 20 ff d6 89 85 80 fa ff ff 83 bd 80 fa ff ff 00 0f 84 a3 00 00 00 ff b5 80 fa ff ff 8b cf e8 48 e9 fb ff 85 c0 74 71 68 08 02 00 00 68 b4 02 00 00 8d 8d 88 fa ff ff 51 6a 00 ff 70 04 ff 15 e4 74 52 00 85 c0 74 51 68 08 02 00 00 68 b4 02 00 00 8d 85 3c fd ff ff 50 6a 00 ff b5 74 fa ff ff ff 15 e4 74 52 00 85 c0 74 2e 8d 85 48 fd ff ff 50 8d 85 94 fa ff ff 50 ff 15 fc 73 52 00 85 c0 75 16 8b 85 80 fa ff ff c7 85 78 fa ff ff 01 00 00 00 89 85 84 fa ff ff ff b5 80 fa ff ff 6a 01 53 ff 77 20 ff d6 83 bd 78 fa ff ff 00 89 85 80 fa ff ff 0f 84 50 ff ff ff 83 bd 78 fa ff ff 00 75 07 83 a5 84 fa ff ff 00 ff b5 74 fa ff ff 8b 0d 2c 68 57 00 e8 d8 1e 08 00 83 bd 70 fa ff ff Data Ascii: jhw xjSw HtqhhQjptRtQhh<PjttRt.HPPsRuxjSw xPxut,hWp
2022-11-04 12:16:09 UTC	355	IN	Data Raw: ff f7 d8 1b c0 40 89 46 74 8b 4d f0 83 c1 f0 e8 78 7c fa ff 8d 4d e4 c6 45 fc 00 e8 a3 d5 ff ff 8b 4d ec 83 c1 f0 e8 61 7c fa ff 33 c0 e8 bb 85 0a 00 c2 08 00 8b ff 56 8b f1 e8 45 62 fb ff 83 f8 ff 75 05 83 c8 ff eb 12 83 3d 2c 68 57 00 00 74 f2 8b ce e8 b1 fe ff ff 33 c0 5e c2 04 00 6a 40 b8 af bd 51 00 e8 aa 84 0a 00 8b f1 e8 b2 20 fc ff 8b 48 04 e8 ab a5 fb ff 33 db 6a 28 8d 45 b4 53 50 89 5d fc e8 a1 85 0a 00 8b 45 08 8b 3d dc 76 52 00 83 c4 0c 89 45 b8 8d 45 b4 50 53 68 3e 11 00 00 ff 76 20 c7 45 b4 04 00 00 00 ff d7 85 c0 75 13 83 4d fc ff 8d 4d 0b e8 e7 93 fb ff 33 c0 e9 c3 00 00 00 53 53 6a 0b ff 76 20 ff d7 8b 45 d8 33 c9 3b c3 0f 95 c1 89 45 e8 3b cb 75 05 e8 f6 bf fb ff 89 5d f0 8b 08 89 4d ec 3b cb 75 0c 8d 45 f0 50 ff 15 e8 74 52 00 eb 15 8b Data Ascii: @FtMx\|MEMa\|3VEbu=,hWt3^j@Q H3j(ESP]E=vREEPSh>v EuMM3SSjv E3;E;u]M;uEPtR
2022-11-04 12:16:09 UTC	357	IN	Data Raw: 54 fd ff ff 50 eb 05 68 b0 15 53 00 e8 5f cb fa ff 8b 4d fc 8b c6 33 cd 5e e8 68 6d 0a 00 c9 c2 08 00 8b ff 55 8b ec 8b 4d 0c 85 c9 7e 1b 8b 45 08 0f b7 d0 8b c2 c1 e2 10 57 8b 7d 10 0b c2 d1 e9 f3 ab 13 c9 66 f3 ab 5f 5d c3 6a 04 b8 b8 fd 51 00 e8 12 7f 0a 00 8b f1 89 75 f0 e8 b7 9c fd ff ff 75 08 83 65 fc 00 6a ff ff 75 28 8d 8e c4 10 00 00 6a ff 6a ff ff 75 24 c7 06 64 16 53 00 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c e8 fb 1a 06 00 83 a6 b4 1e 00 00 00 8b c6 e8 9c 7f 0a 00 c2 24 00 8d 81 c4 10 00 00 c3 8b ff 55 8b ec 56 8b f1 e8 0b 16 08 00 f6 45 08 01 74 07 56 e8 33 28 fb ff 59 8b c6 5e 5d c2 04 00 8b 81 c4 00 00 00 eb 0c 83 78 5c 00 74 0c 8b 80 c4 00 00 00 85 c0 75 f0 40 c3 33 c0 c3 33 c0 eb 01 40 8b 89 c4 00 00 00 85 c9 75 f5 c3 b8 44 Data Ascii: TPhS_M3^hmUM~EW}f_]jQuueju(jju$dSu uuuuu$UVEtV3(Y^]x\tu@33@uD
2022-11-04 12:16:09 UTC	358	IN	Data Raw: ff ff ff 85 c0 75 06 85 f6 75 e5 33 c0 5f 5e 5d c2 0c 00 8b ff 55 8b ec 83 ec 14 a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 53 8b d9 39 43 5c 74 55 83 bb d4 00 00 00 00 74 4c 8b 8b c0 00 00 00 56 89 43 5c 85 c9 74 3d 83 79 20 00 74 37 8b 01 57 ff 90 6c 01 00 00 8b 83 c0 00 00 00 8b 4b 30 8d b0 e8 02 00 00 8d 7d ec a5 a5 a5 68 05 01 00 00 a5 89 4d f0 6a 00 8d 4d ec 51 ff 70 20 ff 15 70 78 52 00 5f 5e 8b 4d fc 33 cd 5b e8 4a 67 0a 00 c9 c2 04 00 8b ff 56 8b f1 8b 86 c0 00 00 00 85 c0 74 6d 53 8b 1d f0 77 52 00 6a 01 8d 4e 2c 51 ff 70 20 ff d3 8b 86 c4 00 00 00 85 c0 74 17 83 78 68 00 74 11 6a 01 83 c0 2c 50 8b 86 c0 00 00 00 ff 70 20 ff d3 83 7e 68 00 74 24 57 8b be cc 00 00 00 eb 16 8b 47 08 8b 3f 6a 01 83 c0 2c 50 8b 86 c0 00 00 00 ff 70 20 ff d3 85 ff 75 e6 Data Ascii: uu3_^]UTW3EES9C\tUtLVC\t=y t7WlK0}hMjMQp pxR_^M3[JgVtmSwRjN,Qp txhtj,Pp ~ht$WG?j,Pp u
2022-11-04 12:16:09 UTC	360	IN	Data Raw: be 51 00 e8 72 74 0a 00 8b f9 8d 8d 6c ff ff ff e8 6d 43 fb ff c7 85 6c ff ff ff 4c 87 52 00 6a ff 57 8d 45 e0 33 db 50 68 00 00 00 40 8d 8d 6c ff ff ff 89 5d fc 89 5d e0 89 5d e4 c7 45 e8 64 00 00 00 c7 45 ec 14 00 00 00 e8 8e 24 fb ff 8b cf e8 a0 c9 ff ff 3b c3 75 04 33 c0 eb 03 8b 40 04 8b 35 dc 76 52 00 6a 01 50 6a 30 ff 75 8c ff d6 53 53 bb d4 00 00 00 53 ff 75 8c ff d6 0f b7 c0 89 87 04 03 00 00 8d 87 e0 02 00 00 85 c0 74 03 8b 40 04 6a 01 50 6a 30 ff 75 8c ff d6 6a 00 6a 00 53 ff 75 8c ff d6 0f b7 c0 8d 8d 6c ff ff ff 89 87 08 03 00 00 e8 99 53 fb ff 83 4d fc ff 8d 8d 6c ff ff ff e8 35 24 fb ff e8 2d 74 0a 00 c3 8b ff 55 8b ec 8b 81 dc 02 00 00 85 c0 75 08 6a 11 ff 15 f8 71 52 00 8b 4d 08 85 c9 74 03 8b 49 04 50 51 ff 15 00 71 52 00 5d c2 04 00 6a Data Ascii: QrtlmClLRjWE3Ph@l]]]EdE$;u3@5vRjPj0uSSSut@jPj0ujjSulSMl5$-tUujqRMtIPQqR]j
2022-11-04 12:16:09 UTC	361	IN	Data Raw: 00 50 ff 15 10 78 52 00 33 ff 85 c0 75 54 39 7d 14 75 4f 8d 45 ec 50 ff 73 20 89 7d ec 89 7d f0 89 7d f4 89 7d f8 ff 15 dc 77 52 00 8b 83 f4 02 00 00 8d 75 ec 8d 7d dc a5 a5 a5 a5 8b 75 d8 89 45 e0 85 f6 74 52 ff 75 0c 8d 45 dc Data Ascii: PxR3uT9}uOEPs }}}}wRu}uEtRuE
2022-11-04 12:16:09 UTC	361	IN	Data Raw: ff 75 08 50 ff 15 10 78 52 00 85 c0 74 3e c7 06 03 00 00 00 eb 36 39 bb c4 02 00 00 74 08 81 c3 7c 03 00 00 eb 06 81 c3 60 03 00 00 8b 73 04 eb 17 ff 75 d8 8b 4e 08 ff 75 0c 8b 36 ff 75 08 e8 8b f3 ff ff 3b c7 75 06 3b f7 75 e5 33 c0 8b 4d fc 5f 5e 33 cd 5b e8 db 5b 0a 00 c9 c2 10 00 8b ff 55 8b ec 83 ec 2c a1 54 04 57 00 33 c5 89 45 fc 53 56 8b 75 08 8b d9 57 8b bb 98 03 00 00 89 75 d8 89 7d d4 3b fe 75 06 57 e9 b7 01 00 00 85 ff 74 10 83 7f 54 00 74 0a 8b 03 6a 01 ff 90 84 01 00 00 8b 03 57 56 8b cb 89 b3 98 03 00 00 ff 90 78 01 00 00 85 ff 0f 84 8b 00 00 00 8b 07 56 8b cf ff 50 74 8d 47 3c 8b f0 8d 7d dc a5 a5 a5 50 a5 ff 15 30 76 52 00 83 7d 0c 00 74 64 8b 4d d4 8b 41 58 8d 71 2c 8d 7d ec a5 a5 a5 a5 85 c0 74 0d 83 bb 58 03 00 00 00 75 1e 85 c0 75 1a Data Ascii: uPxRt>69t\|`suNu6u;u;u3M_^3[[U,TW3ESVuWu};uWtTtjWVxVPtG<}P0vR}tdMAXq,}tXuu
2022-11-04 12:16:09 UTC	363	IN	Data Raw: 20 ff d6 8b 45 f4 2b 45 ec 8b cb 83 c0 0a 89 45 c0 8b 03 ff 90 60 01 00 00 8d 4d bc 51 6a 01 57 ff 70 20 ff d6 e9 c2 00 00 00 8b 8b 98 03 00 00 33 f6 3b ce 0f 84 b2 00 00 00 39 71 58 74 29 39 71 68 74 11 8b 83 18 03 00 00 03 83 e8 02 00 00 39 45 0c 7d 13 33 c0 39 71 5c 0f 94 c0 50 e8 60 ee ff ff e9 84 00 00 00 39 71 60 74 7f 8b 03 56 51 8b cb ff 90 7c 01 00 00 85 c0 74 3a 8b 83 98 03 00 00 8b 80 b4 00 00 00 3b c6 74 2a 8b 3d dc 76 52 00 56 56 68 01 02 00 00 ff 70 20 ff d7 8b 83 98 03 00 00 8b 80 b4 00 00 00 56 56 68 02 02 00 00 ff 70 20 ff d7 8b b3 98 03 00 00 ff 75 10 8d 76 2c ff 75 0c 8d 7d ec a5 a5 a5 8d 45 ec 50 a5 ff 15 10 78 52 00 85 c0 74 11 ff 75 10 8b 8b 98 03 00 00 ff 75 0c 8b 01 ff 50 44 8b 4d fc 5f 5e 33 cd 5b e8 91 55 0a 00 c9 c2 0c 00 8b ff Data Ascii: E+EE`MQjWp 3;9qXt)9qht9E}39q\P`9q`tVQ\|t:;t*=vRVVhp VVhp uv,u}EPxRtuuPDM_^3[U
2022-11-04 12:16:09 UTC	364	IN	Data Raw: 52 00 8b 86 14 03 00 00 8b 8e 10 03 00 00 03 c8 39 4d 10 7f 03 89 4d 10 8b 55 f8 2b 55 f0 2b 55 10 83 c2 02 89 96 f8 02 00 00 3b c2 7f 02 8b c2 89 86 f8 02 00 00 8b 06 8b ce ff 90 6c 01 00 00 68 05 01 00 00 53 53 ff 76 20 ff 15 70 78 52 00 8b 4d fc 5f 5e 33 cd 5b e8 81 50 0a 00 c9 c2 0c 00 8b ff 55 8b ec 56 8b f1 e8 c2 3f fb ff 8b ce e8 5e 7c fb ff 5e a9 00 00 80 00 74 0e 8b 45 0c ff 00 ff 40 04 ff 48 08 ff 48 0c 5d c2 08 00 8b ff 55 8b ec 51 8b 81 98 03 00 00 53 89 4d fc 85 c0 0f 84 9f 00 00 00 8b 80 b4 00 00 00 85 c0 0f 84 91 00 00 00 83 78 20 00 0f 84 87 00 00 00 56 8b 35 d4 75 52 00 57 6a 11 ff d6 0f b7 d8 bf 00 80 00 00 6a 10 23 df ff d6 8b 4d 08 33 d2 23 c7 5f 5e 3b da 74 33 83 f9 43 74 05 83 f9 2d 75 24 52 52 68 01 03 00 00 8b 45 fc 8b 80 98 03 00 Data Ascii: R9MMU+U+U;lhSSv pxRM_^3[PUV?^\|^tE@HH]UQSMx V5uRWjj#M3#_^;t3Ct-u$RRhE
2022-11-04 12:16:09 UTC	365	IN	Data Raw: 8b 56 14 2b 81 e8 02 00 00 8b 52 04 3b d0 7d 02 8b c2 8b 56 14 89 42 04 8b 46 14 ff 70 04 e8 40 ec ff ff 8b 45 0c 83 20 00 5e 5d c2 08 00 8b ff 55 8b ec 6a ff e8 29 ec ff ff 8b 45 0c 83 20 00 5d c2 08 00 8b ff 55 8b ec 83 ec 24 a1 54 04 57 00 33 c5 89 45 fc 56 8b f1 57 8d 86 44 02 00 00 33 ff 89 45 dc 3b c7 0f 84 e5 00 00 00 39 78 20 0f 84 dc 00 00 00 8b 8e 14 03 00 00 3b cf 75 14 89 be 24 03 00 00 89 be 20 03 00 00 89 be 1c 03 00 00 eb 50 8b 86 f4 02 00 00 2b 86 ec 02 00 00 57 99 f7 f9 8b ce 48 89 86 24 03 00 00 e8 da f2 ff ff 89 86 20 03 00 00 3b 86 24 03 00 00 7f 0c 89 be 24 03 00 00 89 be 20 03 00 00 8b 86 1c 03 00 00 8b 8e 20 03 00 00 3b c1 7c 02 8b c1 89 86 1c 03 00 00 6a 1c 8d 45 e0 57 50 e8 3c 5d 0a 00 8b 86 20 03 00 00 89 45 ec 8b 86 24 03 00 00 Data Ascii: V+R;}VBFp@E ^]Uj)E ]U$TW3EVWD3E;9x ;u$ P+WH$ ;$$ ;\|jEWP<] E$
2022-11-04 12:16:09 UTC	367	IN	Data Raw: 84 f1 00 00 00 57 8d 8e b0 01 00 00 e8 5c f6 07 00 8b 06 6a 01 8b ce ff 90 84 01 00 00 8b 4d 08 8b 86 1c 03 00 00 8b f8 83 f9 07 0f 87 c4 00 00 00 ff 24 8d ac c3 45 00 48 eb 2f 40 eb 2c 83 a6 1c 03 00 00 00 eb 29 8b 86 20 03 00 00 eb 1b 2b 86 24 03 00 00 eb 13 8b 8e 24 03 00 00 03 c8 89 8e 1c 03 00 00 eb 09 8b 45 0c 89 86 1c 03 00 00 8b 8e 1c 03 00 00 85 c9 79 04 33 d2 eb 02 8b d1 8b 86 20 03 00 00 2b 86 24 03 00 00 40 3b d0 7d 0a 85 c9 79 04 33 c0 eb 02 8b c1 89 86 1c 03 00 00 3b c7 74 50 6a 01 50 6a 01 8b ce e8 80 2a fb ff 8b ce e8 fb fc ff ff 2b be 1c 03 00 00 8d 86 e8 02 00 00 0f af be 14 03 00 00 50 50 57 6a 00 8b ce e8 c2 2b fb ff 8b 86 98 03 00 00 85 c0 74 14 68 05 01 00 00 6a 00 83 c0 3c 50 ff 76 20 ff 15 70 78 52 00 5f 5e 5d c2 0c 00 90 e8 c2 45 Data Ascii: W\jM$EH/@,) +$$Ey3 +$@;}y3;tPjPj*+PPWj+thj<Pv pxR_^]E
2022-11-04 12:16:09 UTC	368	IN	Data Raw: 50 ff 73 20 89 bb 10 03 00 00 89 7d e0 89 7d e4 89 7d e8 89 7d ec ff 15 dc 77 52 00 39 bb b8 02 00 00 0f 84 c5 00 00 00 8b 83 14 03 00 00 83 c0 04 89 83 10 03 00 00 8b 83 dc 02 00 00 3b c7 75 08 6a 11 ff 15 f8 71 52 00 8b f0 8b 03 8b cb ff 90 60 01 00 00 57 56 8b 35 dc 76 52 00 6a 30 ff 70 20 ff d6 8b 45 e8 2b 45 e0 6a 14 ff b3 10 03 00 00 8b cb 50 ff 75 e4 8b 03 ff 75 e0 57 ff 90 60 01 00 00 8b c8 e8 2d 6d fb ff 8b 83 18 03 00 00 83 c0 02 89 85 60 ff ff ff 8b 03 8b cb c7 85 5c ff ff ff 01 00 00 00 ff 90 60 01 00 00 8d 8d 5c ff ff ff 51 57 bf 0c 12 00 00 57 ff 70 20 ff d6 8b 45 e8 2b 45 e0 8b cb 83 c0 0a 89 85 60 ff ff ff 8b 03 ff 90 60 01 00 00 8d 8d 5c ff ff ff 51 6a 01 57 ff 70 20 ff d6 6a 04 eb 01 57 8b 03 8b cb ff 90 60 01 00 00 8b c8 e8 27 6c fb ff Data Ascii: Ps }}}}wR9;ujqR`WV5vRj0p E+EjPuuW`-m`\`\QWWp E+E``\QjWp jW`'l
2022-11-04 12:16:09 UTC	370	IN	Data Raw: fc 5e 33 cd 5b e8 24 3a 0a 00 c9 c2 0c 00 6a 1c b8 59 bf 51 00 e8 60 4c 0a 00 8b 5d 0c 89 4d dc e8 34 89 fb ff 8b 4d dc 50 e8 da 42 fa ff 83 65 fc 00 85 db 0f 8e ae 00 00 00 66 8b 45 08 33 ff 33 c9 47 66 89 45 d8 66 89 4d da 66 85 c0 74 0c 8d 45 d8 50 e8 b9 47 0a 00 59 8b f8 83 65 e0 00 8d 77 01 56 8d 4d e0 c6 45 fc 01 e8 3f f0 ff ff 6a 01 8d 45 d8 50 56 ff 75 e0 e8 8d 3f 0a 00 50 e8 63 6f fa ff 8b 4d dc 8b f3 0f af f7 83 c4 14 56 e8 52 44 fa ff 83 ff 01 75 13 50 8b 45 e0 0f b7 00 53 50 e8 21 cc ff ff 83 c4 0c eb 21 8b c8 85 db 7e 1b 33 c0 85 ff 7e 12 8b 55 e0 66 8b 14 42 66 89 11 83 c1 02 40 3b c7 7c ee 4b 75 e5 8b 4d dc 56 e8 70 44 fa ff 8d 45 e4 39 45 e0 74 08 8d 4d e0 e8 38 89 fb ff 8b 45 dc e8 0d 4c 0a 00 c2 08 00 6a 04 b8 01 c0 51 00 e8 12 4b 0a 00 Data Ascii: ^3[$:jYQ`L]M4MPBefE33GfEfMftEPGYewVME?jEPVu?PcoMVRDuPESP!!~3~UfBf@;\|KuMVpDE9EtM8ELjQK
2022-11-04 12:16:09 UTC	371	IN	Data Raw: 8b fc ff 75 ac 8d 75 d0 a5 a5 a5 8b cb a5 ff 50 18 83 4d fc ff 8d 4d a0 c7 45 a0 2c ad 52 00 e8 48 40 fa ff eb 4a 8b 03 8b cb ff 90 9c 00 00 00 85 c0 75 3c 8b 45 e4 8d 75 e0 8d 7d d0 a5 a5 a5 40 a5 89 45 d4 8b 45 a8 05 bc 03 00 Data Ascii: uuPMME,RH@Ju<Eu}@EE
2022-11-04 12:16:09 UTC	371	IN	Data Raw: 00 74 0b 83 78 04 00 74 05 ff 70 04 eb 06 ff 35 5c 3a 57 00 8d 45 d0 50 8b 45 ac ff 70 04 ff 15 ec 77 52 00 8b 45 e8 3b 45 e0 0f 8e c1 00 00 00 83 65 dc 00 c7 45 d8 2c ad 52 00 8d 75 e0 8d 7d c0 a5 a5 a5 a5 8b 75 a8 8b 86 f4 02 00 00 c7 45 fc 01 00 00 00 39 45 ec 7c 03 89 45 cc 8d 45 c0 50 ff 15 40 71 52 00 50 8d 4d d8 e8 5a 93 fb ff 8b 7d ac 8d 45 d8 50 8b cf e8 22 8e fb ff 33 c9 89 4d a4 39 4b 58 74 28 39 4b 68 75 23 8d 86 e0 02 00 00 3b c1 75 04 33 c0 eb 03 8b 40 04 3b f9 74 03 8b 4f 04 50 51 ff 15 00 71 52 00 89 45 a4 8b 03 83 ec 10 8b fc 8d 75 e0 a5 a5 a5 a5 8b 75 ac 56 8b cb ff 50 10 83 7d a4 00 74 11 85 f6 74 03 8b 76 04 ff 75 a4 56 ff 15 00 71 52 00 83 4d fc ff 8d 4d d8 c7 45 d8 2c ad 52 00 e8 2f 3f fa ff 8b 45 90 83 65 98 00 8d 73 2c 8d 7d e0 a5 Data Ascii: txtp5\:WEPEpwRE;EeE,Ru}uE9E\|EEP@qRPMZ}EP"3M9KXt(9Khu#;u3@;tOPQqREuuVP}ttvuVqRMME,R/?Ees,}
2022-11-04 12:16:09 UTC	373	IN	Data Raw: 45 fc 00 e8 f7 4f fb ff 8b 4d ec 83 c1 f0 e8 d1 37 fa ff e8 2d 41 0a 00 c2 08 00 6a 3c b8 2c c1 51 00 e8 af 40 0a 00 8b 7d 08 8b 47 04 8b f1 b9 04 01 00 00 33 db 3b c1 77 44 74 70 3d a1 00 00 00 0f 82 c7 00 00 00 3d a2 00 00 00 76 5e 3d a3 00 00 00 0f 86 b5 00 00 00 3d a5 00 00 00 76 4c 3d a6 00 00 00 0f 86 a3 00 00 00 3d a8 00 00 00 76 3a 3d 00 01 00 00 74 33 e9 90 00 00 00 b9 00 02 00 00 3b c1 74 45 0f 86 81 00 00 00 3d 02 02 00 00 76 18 3d 03 02 00 00 76 73 3d 05 02 00 00 76 0a 05 f9 fd ff ff 83 f8 01 77 62 57 53 68 07 04 00 00 ff b6 94 00 00 00 ff 15 dc 76 52 00 8d 8e b0 01 00 00 e8 a7 de 07 00 eb 42 57 53 68 07 04 00 00 ff b6 94 00 00 00 ff 15 dc 76 52 00 39 5f 08 75 2a 8d 45 e8 50 89 5d e8 89 5d ec ff 15 54 76 52 00 8d 45 e8 50 ff 76 20 ff 15 44 78 Data Ascii: EOM7-Aj<,Q@}G3;wDtp==v^==vL==v:=t3;tE=v=vs=vwbWShvRBWShvR9_u*EP]]TvREPv Dx
2022-11-04 12:16:09 UTC	374	IN	Data Raw: 70 20 ff 15 a0 77 52 00 ff 75 c8 8d 45 d0 ff 75 c4 50 ff 15 10 78 52 00 85 c0 74 22 81 7f 04 03 02 00 00 75 19 ff 75 c8 8b 8e 98 03 00 00 ff 75 c4 8b 01 ff 50 44 85 c0 0f 85 4f fb ff ff ff 75 c8 8d 45 d0 ff 75 c4 50 ff 15 10 78 52 00 85 c0 74 18 81 7f 04 04 02 00 00 75 0f 8b 86 98 03 00 00 39 58 64 0f 84 23 fb ff ff ff 75 c8 8d 45 d0 ff 75 c4 50 ff 15 10 78 52 00 85 c0 0f 85 f7 00 00 00 8b 47 04 3d 01 02 00 00 74 19 3d a1 00 00 00 74 12 3d 04 02 00 00 74 0b 3d 07 02 00 00 0f 85 d4 00 00 00 ff 75 c8 8b 86 98 03 00 00 ff 75 c4 83 c0 3c 50 ff 15 10 78 52 00 85 c0 0f 84 92 00 00 00 8b 8e 98 03 00 00 8b 01 8d 55 bc 52 ff 50 24 c7 45 fc 06 00 00 00 e8 f2 d5 fb ff 8b 48 04 e8 eb 5a fb ff ff 75 c8 8b 06 ff 75 c4 8b ce c6 45 fc 07 ff 90 80 01 00 00 8b 8e 98 03 00 Data Ascii: p wRuEuPxRt"uuuPDOuEuPxRtu9Xd#uEuPxRG=t=t=t=uu<PxRURP$EHZuuE
2022-11-04 12:16:09 UTC	375	IN	Data Raw: 9e 00 00 00 83 7d 08 28 0f 85 94 00 00 00 8b 8e 98 03 00 00 8b 01 8d 55 ec 52 ff 50 24 c7 45 fc 03 00 00 00 e8 fb d0 fb ff 8b 48 04 e8 f4 55 fb ff 8b 8e 98 03 00 00 8b 39 83 ca ff 8b c2 52 50 c6 45 fc 04 ff 57 3c 8b 8e 98 03 00 00 8b 01 8d 55 e4 52 ff 50 24 ff 30 8d 4d ec c6 45 fc 05 e8 28 da fa ff 8b 4d e4 85 c0 0f 95 45 0b 83 c1 f0 c6 45 fc 04 e8 13 2c fa ff 38 5d 0b 74 10 ff b6 98 03 00 00 8b 06 8b ce ff 90 70 01 00 00 8d 4d 0b c6 45 fc 03 e8 0d 44 fb ff 8b 4d ec e9 8e fe ff ff 8b 8e 98 03 00 00 8b 41 34 8b 49 38 83 c1 02 6a 01 53 51 48 50 8b ce e8 ca c5 ff ff 8b f8 3b fb 74 13 6a 01 57 8b ce e8 8d c6 ff ff 53 57 8b ce e8 47 de ff ff e8 11 35 0a 00 c2 0c 00 6a 10 b8 ac c1 51 00 e8 2a 34 0a 00 8b f1 f6 05 d0 54 57 00 01 bf cc 54 57 00 75 1f 83 0d d0 54 Data Ascii: }(URP$EHU9RPEW<URP$0ME(MEE,8]tpMEDMA4I8jSQHP;tjWSWG5jQ*4TWTWuT
2022-11-04 12:16:09 UTC	377	IN	Data Raw: 30 0a 00 c2 14 00 b8 cc 21 53 00 c3 8b ff 56 8b f1 e8 11 58 00 00 33 c0 89 86 50 07 00 00 89 86 54 07 00 00 89 86 58 07 00 00 89 86 68 07 00 00 89 86 5c 07 00 00 89 86 64 07 00 00 89 86 6c 07 00 00 c7 06 ec 21 53 00 c7 86 60 07 00 00 01 00 00 00 8b c6 5e c3 c7 01 ec 21 53 00 e9 3b 59 00 00 8b ff 55 8b ec 51 51 56 8b 75 08 57 6a 00 56 8b f9 e8 a2 6f 00 00 8d 45 f8 50 e8 68 b1 fe ff 8b 00 01 06 83 7d 0c 00 8b 06 75 13 6a 16 ff 76 04 8b cf 50 6a ff 6a ff 6a 00 e8 c5 4a fb ff 5f 8b c6 5e c9 c2 08 00 8b ff 55 8b ec 83 ec 40 a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 53 56 8b 75 0c 89 45 c8 57 8d 45 c0 50 8b d9 89 75 f8 e8 15 b1 fe ff 8d 7d dc a5 a5 6a f6 58 2b 45 c0 ff 75 10 a5 a5 01 45 e4 8d 45 dc 50 ff 75 c8 8b cb e8 76 6a 00 00 8b 75 f8 8b 45 e4 8d 7d cc a5 a5 Data Ascii: 0!SVX3PTXh\dl!S`^!S;YUQQVuWjVoEPh}ujvPjjjJ_^U@TW3EESVuEWEPu}jX+EuEEPuvjuE}
2022-11-04 12:16:09 UTC	378	IN	Data Raw: 53 00 8d 45 d4 50 c6 45 fc 01 89 5d ec e8 29 43 fc ff 85 c0 74 09 8b 45 ec 89 86 60 07 00 00 8d 45 e8 50 68 20 24 53 00 8d 45 d4 50 89 5d e8 e8 07 43 fc ff 85 c0 74 09 8b 45 e8 89 86 50 07 00 00 8d 45 e4 50 68 ec 23 53 00 8d 45 d4 50 89 5d e4 e8 e5 42 fc ff 85 c0 74 09 8b 45 e4 89 86 5c 07 00 00 8d 45 e0 50 68 b4 23 53 00 8d 45 d4 50 89 5d e0 e8 c3 42 fc ff 85 c0 74 09 8b 45 e0 89 86 64 07 00 00 8d 45 dc 50 68 84 23 53 00 8d 45 d4 50 89 5d dc e8 a1 42 fc ff 85 c0 74 14 39 5d dc 74 0f 8b 06 53 8d 4d cc 51 8b ce ff 90 6c 01 00 00 8d 4d d4 88 5d fc e8 ae 79 ff ff 8b 4d f0 83 c1 f0 e8 6c 20 fa ff 33 c0 e8 c6 29 0a 00 c2 08 00 b8 80 24 53 00 c3 b8 58 25 53 00 c3 8b ff 55 8b ec 0f b7 45 0c 83 f8 44 7f 53 74 3f 83 e8 2a 74 30 48 74 1d 83 e8 16 74 0e 48 48 75 77 Data Ascii: SEPE])CtE`EPh $SEP]CtEPEPh#SEP]BtE\EPh#SEP]BtEdEPh#SEP]Bt9]tSMQlM]yMl 3)$SX%SUEDSt?*t0HttHHuw
2022-11-04 12:16:09 UTC	380	IN	Data Raw: 8b 55 f0 39 75 f0 7f 02 8b d6 8b 4d f8 8b 45 f4 39 4d f4 7c 02 8b c1 3b d1 7c 02 8b d1 3b c6 7f 02 8b c6 5f 5e 3b 45 f4 75 05 3b 55 f0 74 0b 6a 00 50 52 8b cb e8 e7 a8 ff ff 8b cb e8 3f 01 fb ff 5b c9 c2 0c 00 6a 04 b8 77 f1 51 00 e8 bf 23 0a 00 8b f1 33 db 89 5d f0 8b 46 78 39 58 f4 75 17 8b 76 74 83 ee 10 56 e8 7b 4b fa ff 59 8d 48 10 8b 45 08 89 08 eb 78 e8 dc 60 fb ff 50 8d 4d f0 e8 82 1a fa ff 8b 46 7c 33 ff 89 5d fc 39 58 f4 7e 3f 3b fb 7c 61 8b 46 7c 3b 78 f4 7f 59 66 83 3c 78 5f 75 23 8b 46 74 3b 78 f4 7f 4a 0f b7 04 78 66 3b 86 80 00 00 00 75 05 39 5d 0c 74 09 50 8d 4d f0 e8 87 1d fb ff 8b 46 7c 47 3b 78 f4 7c c1 8b 75 f0 83 c6 f0 56 e8 0a 4b fa ff 8b 7d 08 59 83 c0 10 8b ce 89 07 e8 9a 1a fa ff 8b c7 e8 f4 23 0a 00 c2 08 00 68 57 00 07 80 e8 26 Data Ascii: U9uME9M\|;\|;_^;Eu;UtjPR?[jwQ#3]Fx9XuvtV{KYHEx`PMF\|3]9X~?;\|aF\|;xYf<x_u#Ft;xJxf;u9]tPMF\|G;x\|uVK}Y#hW&
2022-11-04 12:16:09 UTC	381	IN	Data Raw: 00 75 97 e9 35 ff ff ff 83 7d ec 00 0f 84 2b ff ff ff 8b 46 78 33 ff 39 78 f4 0f 84 39 01 00 00 8b 46 7c 83 e8 10 50 e8 10 46 fa ff 83 c0 10 59 89 45 f0 c6 45 fc 01 39 78 f4 7e 35 85 ff 0f 88 32 ff ff ff 8b 46 7c 3b 78 f4 0f 8f 26 ff ff ff 66 83 3c 78 5f 75 11 0f b7 86 80 00 00 00 50 57 8d 4d f0 e8 12 ac fd ff 8b 45 f0 47 3b 78 f4 7c cb 8b 55 08 8b 5a f4 33 c9 33 ff 89 4d ec 85 db 0f 8e a4 00 00 00 8b 46 7c 3b 78 f4 0f 8d 98 00 00 00 85 ff 0f 88 dc fe ff ff 3b 78 f4 0f 8f d3 fe ff ff 0f b7 04 78 83 f8 5f 75 52 85 c9 0f 88 c2 fe ff ff 3b cb 0f 8f ba fe ff ff 0f b7 1c 4a 66 3b 9e 80 00 00 00 74 20 8b 46 78 3b 78 f4 0f 8f a1 fe ff ff 0f b7 04 78 8b 16 50 53 8b ce ff 92 60 01 00 00 85 c0 74 5a 53 57 8d 4d f0 e8 87 ab fd ff ff 45 ec 8b 55 08 8b 4d ec eb 20 83 Data Ascii: u5}+Fx39x9F\|PFYEE9x~52F\|;x&f<x_uPWMEG;x\|UZ33MF\|;x;xx_uR;Jf;t Fx;xxPS`tZSWMEUM
2022-11-04 12:16:09 UTC	382	IN	Data Raw: 8d 4f f0 89 45 0c 89 9e 9c 00 00 00 e8 1f 10 fa ff 8b 45 0c eb 0f 89 9e 9c 00 00 00 33 c0 eb 05 e8 03 f6 fa ff e8 67 19 0a 00 c2 08 00 6a 24 b8 d5 c3 51 00 e8 80 18 0a 00 8b f1 0f b7 45 08 89 45 ec e8 84 32 fb ff a8 08 74 0a ff 75 08 e8 f2 67 0a 00 eb 0c a8 10 74 0f ff 75 08 e8 2b 67 0a 00 0f b7 c0 89 45 ec 59 8b 1d dc 76 52 00 8d 45 f0 50 8d 45 e8 50 bf b0 00 00 00 57 ff 76 20 ff d3 6a 01 ff 75 e8 8d 45 08 50 8d 45 e4 50 8b ce e8 9c f1 ff ff 8b 4d e8 8b 45 f0 85 c9 79 0c 8b 56 74 3b 42 f4 0f 8f 85 03 00 00 3b 4d e4 0f 8c 7c 03 00 00 3b 4d 08 0f 8f 73 03 00 00 3b 45 e4 0f 8c 6a 03 00 00 3b 45 08 0f 8f 61 03 00 00 3b c8 0f 85 55 01 00 00 8b 56 78 83 7a f4 00 0f 84 0c 01 00 00 3b 45 08 75 4c 8b 4e 74 8b 49 f4 49 3b c1 7c 0d 6a ff ff 15 dc 75 52 00 e9 46 03 Data Ascii: OEE3gj$QEE2tugtu+gEYvREPEPWv juEPEPMEyVt;B;M\|;Ms;Ej;Ea;UVxz;EuLNtII;\|juRF
2022-11-04 12:16:09 UTC	384	IN	Data Raw: d0 0f b7 04 58 3b 5d d8 7f c7 8b 16 50 51 8b ce ff 92 60 01 00 00 85 c0 0f 84 47 ff ff ff 8b 55 ec 43 8d 04 13 3b 45 f0 7c b1 52 57 8d 45 f0 8d 4e 74 50 89 4d e4 e8 d5 ef fb ff 8b 45 ec 83 65 fc 00 85 c0 7e 3a 48 50 8d 45 d8 50 8d 4d f0 e8 70 33 fa ff 50 8d 4d f0 c6 45 fc 01 e8 f3 3a fa ff 8b 4d d8 83 c1 f0 c6 45 fc 00 e8 14 0a fa ff 0f b7 86 80 00 00 00 50 8d 4d f0 e8 cc 0c fb ff 6a 00 ff 75 dc 8b ce 57 e8 90 97 ff ff 8b 5d f0 53 6a 01 68 c2 00 00 00 ff 76 20 ff 15 dc 76 52 00 6a 00 57 57 8b ce e8 71 97 ff ff 8b 43 f4 33 f6 85 c0 7e 29 85 f6 0f 88 14 ff ff ff 3b f0 0f 8f 0c ff ff ff 0f b7 04 73 8b 4d e4 50 8d 04 3e 50 e8 4c a0 fd ff 8b 43 f4 46 3b f0 7c d7 8d 4b f0 e9 a9 01 00 00 8d 45 d8 50 8d 45 dc 50 57 ff 76 20 ff d3 8b ce e8 81 ef fa ff ff 75 d8 ff Data Ascii: X;]PQ`GUC;E\|RWENtPMEe~:HPEPMp3PME:MEPMjuW]Sjhv vRjWWqC3~);sMP>PLCF;\|KEPEPWv u
2022-11-04 12:16:09 UTC	385	IN	Data Raw: 00 8b 45 dc 6a 00 8d 0c 18 51 50 e9 20 01 00 00 53 50 8d 45 e4 8d 4e 74 50 89 4d d8 e8 43 ea fb ff c7 45 fc 02 00 00 00 85 db 7e 65 8b 7d e0 2b 7d d4 8b c3 2b c7 50 8d 45 cc 50 8d 4d e4 e8 d5 2d fa ff 50 8d 4d e4 c6 45 fc 03 e8 58 35 fa ff 8b 4d cc 83 c1 f0 c6 45 fc 02 e8 79 04 fa ff 0f b7 86 80 00 00 00 57 50 8d 4d cc e8 ee c0 ff ff 8b 00 ff 70 f4 8d 4d e4 50 c6 45 fc 04 e8 a6 b2 fa ff 8b 4d cc 83 c1 f0 c6 45 fc 02 e8 47 04 fa ff 8b 45 dc 6a 00 8d 0c 18 51 50 8b ce e8 cf 91 ff ff 8b 7d e4 57 6a 01 68 c2 00 00 00 ff 76 20 ff 15 dc 76 52 00 8b 5d dc 6a 00 53 53 8b ce e8 ad 91 ff ff 8b 47 f4 33 f6 85 c0 7e 29 85 f6 0f 88 64 fd ff ff 3b f0 0f 8f 5c fd ff ff 0f b7 04 77 8b 4d d8 50 8d 04 1e 50 e8 88 9a fd ff 8b 47 f4 46 3b f0 7c d7 8d 4f f0 e8 da 03 fa ff eb Data Ascii: EjQP SPENtPMCE~e}+}+PEPM-PMEX5MEyWPMpMPEMEGEjQP}Wjhv vR]jSSG3~)d;\wMPPGF;\|O
2022-11-04 12:16:09 UTC	387	IN	Data Raw: 30 29 53 00 c3 8b ff 55 8b ec 83 ec 14 a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 56 8b 75 0c 57 8d 7d ec a5 a5 8d 4d ec a5 51 ff 70 04 a5 ff 15 88 75 52 00 8b 4d fc 5f 33 cd 5e e8 93 f5 09 00 c9 c2 08 00 6a 04 b8 9a c4 51 00 e8 66 07 0a 00 8b f1 89 75 f0 e8 1a 30 00 00 83 65 fc 00 c7 06 54 29 53 00 e8 95 44 fb ff 50 8d 8e 60 07 00 00 e8 38 fe f9 ff 33 db 43 88 5d fc e8 7e 44 fb ff 50 8d 8e 64 07 00 00 e8 21 fe f9 ff 33 c0 33 c9 89 8e e0 00 00 00 8b ce c6 45 fc 02 c7 46 74 03 00 00 00 89 86 dc 00 00 00 89 9e 84 00 00 00 89 86 50 07 00 00 89 9e 54 07 00 00 89 86 58 07 00 00 89 86 5c 07 00 00 e8 5e 2c 00 00 8b c6 e8 bb 07 0a 00 c3 8b ff 56 8b f1 8b 8e 64 07 00 00 83 e9 10 c7 06 54 29 53 00 e8 40 fe f9 ff 8b 8e 60 07 00 00 83 e9 10 e8 32 fe f9 ff 8b ce 5e e9 e6 Data Ascii: 0)SUTW3EEVuW}MQpuRM_3^jQfu0eT)SDP`83C]~DPd!33EFtPTX\^,VdT)S@`2^
2022-11-04 12:16:09 UTC	387	IN	Data Raw: 89 75 fc e8 a0 00 fb ff 8b 75 d4 8b 45 d0 8b 80 50 07 00 00 8b 13 f7 d8 8d 7d e0 a5 1b c0 a5 83 e0 f0 83 c0 20 50 a5 8d 45 e0 50 8b 45 dc a5 ff 70 f4 8b cb 50 ff 52 68 ff 75 d8 8b 03 8b cb ff 50 28 8b 4d dc 83 c1 f0 e8 43 fd f9 ff e8 b3 06 0a 00 c2 0c 00 6a 44 b8 f2 c4 51 00 e8 21 06 0a 00 8b 7d 08 8b d9 33 c9 51 33 c0 50 8d 8b d4 00 00 00 89 7d c8 33 f6 e8 df 31 fc ff 85 c0 74 10 56 57 8b cb e8 40 46 00 00 8b c7 e9 82 01 00 00 3b de 75 04 33 c0 eb 03 8b 43 20 33 c9 3b c6 0f 95 c1 3b ce 75 05 e8 35 41 fb ff 53 8d 4d b0 e8 dc 50 fb ff 68 d4 3a 57 00 8d 4d b0 89 75 fc e8 19 54 fb ff 33 c9 3b c6 0f 95 c1 89 45 c4 3b ce 74 d4 e8 8a 42 fb ff 50 8d 4d cc e8 30 fc f9 ff 8d 45 cc 50 8b cb c6 45 fc 01 e8 b9 ff fa ff 8d 45 d0 50 ff 73 20 89 75 d0 89 75 d4 89 75 d8 Data Ascii: uuEP} PEPEpPRhuP(MCjDQ!}3Q3P}31tVW@F;u3C 3;;u5ASMPh:WMuT3;E;tBPM0EPEEPs uuu
2022-11-04 12:16:09 UTC	389	IN	Data Raw: a9 fa ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 53 8b 5d 08 56 57 8b f1 33 ff 39 7e 7c 0f 84 ca 00 00 00 81 7b 04 00 01 00 00 0f 85 bd 00 00 00 39 3d ec f4 56 00 0f 85 b1 00 00 00 ff 76 20 ff 15 08 78 52 00 50 e8 37 de fa ff 8b 53 08 83 ea 09 0f 84 87 00 00 00 83 ea 12 74 4c 83 ea 0b 74 08 4a 4a 0f 85 84 00 00 00 8b 3d ac 77 52 00 6a 12 ff d7 66 85 c0 78 75 6a 11 ff d7 66 85 c0 78 6c 8b 3d dc 76 52 00 6a 00 6a 00 68 57 01 00 00 ff 76 20 ff d7 85 c0 75 54 50 6a 01 68 4f 01 00 00 ff 76 20 ff d7 eb 31 8b 0d 4c 56 57 00 3b cf 75 0f 8b ce e8 6e f3 fa ff 8b 0d 4c 56 57 00 eb 02 8b c1 3b c7 74 12 3b cf 75 09 8b ce e8 55 f3 fa ff 8b c8 e8 cd 1b fb ff 33 c0 40 eb 17 3b c7 74 f7 57 56 8b c8 e8 6c 25 fb ff eb e5 53 8b ce e8 80 ba fa ff 5f 5e 5b 5d c2 04 00 8b ff 55 Data Ascii: Y^]US]VW39~\|{9=Vv xRP7StLtJJ=wRjfxujfxl=vRjjhWv uTPjhOv 1LVW;unLVW;t;uU3@;tWVl%S_^[]U
2022-11-04 12:16:09 UTC	390	IN	Data Raw: 76 20 88 85 e4 fe ff ff 8a 45 10 88 85 ec fe ff ff ff 15 20 77 52 00 f7 d8 1b c0 f7 d8 75 05 e8 64 36 fb ff 33 db 39 5e 7c 74 07 33 c0 e9 28 01 00 00 8b ce e8 7e fb ff ff ff b5 ec fe ff ff 8d 8d f0 fe ff ff 53 6a 02 ff b5 e4 fe ff ff 57 6a ff 53 e8 21 da 07 00 8d 8d f0 fe ff ff 89 5d fc 89 9d e8 fe ff ff e8 eb aa 07 00 85 c0 0f 8e d5 00 00 00 8b 3d dc 76 52 00 ff b5 e8 fe ff ff 8d 8d f0 fe ff ff e8 67 ab 07 00 50 8d 8d e4 fe ff ff e8 32 46 fa ff ff b5 e8 fe ff ff 8d 8d f0 fe ff ff c6 45 fc 01 e8 9c ab 07 00 ff b5 e4 fe ff ff 89 85 ec fe ff ff 6a ff 68 58 01 00 00 ff 76 20 ff d7 85 c0 7f 53 6a 14 e8 56 a3 fa ff 59 8b c8 89 8d e0 fe ff ff c6 45 fc 02 3b cb 74 13 ff b5 ec fe ff ff e8 5e fb ff ff 89 85 ec fe ff ff eb 06 89 9d ec fe ff ff ff b5 e4 fe ff ff 53 Data Ascii: v E wRud639^\|t3(~SjWjS!]=vRgP2FEjhXv SjVYE;t^S
2022-11-04 12:16:09 UTC	391	IN	Data Raw: ce e8 48 11 fb ff ff 76 20 33 c0 40 89 46 78 89 86 80 00 00 00 ff 15 e8 75 52 00 50 e8 09 d3 fa ff 68 01 04 00 00 6a 00 6a 00 ff 76 20 ff 15 70 78 52 00 eb 07 8b ce e8 48 d2 fa ff 5e 5d c2 0c 00 8b ff 55 8b ec 56 8b f1 83 be ac 00 00 00 00 74 17 ff 75 10 8d 86 88 00 00 00 ff 75 0c 50 ff 15 10 78 52 00 85 c0 75 07 8b ce e8 14 d2 fa ff 5e 5d c2 0c 00 8b ff 55 8b ec 56 8b f1 83 7e 2c 00 75 14 68 a8 2e 53 00 e8 43 cf fa ff 50 ff 15 e0 73 52 00 89 46 2c 8b 4e 2c 8b 45 08 89 08 5e 5d c2 04 00 6a 14 68 10 f0 55 00 e8 0c f6 09 00 8b f1 83 65 e0 00 8d 45 e0 50 e8 65 90 fb ff ff b0 80 00 00 00 ff 15 ec 73 52 00 83 4d e4 ff 85 c0 75 05 83 c8 ff eb 3f 83 65 fc 00 8d 45 dc 50 8b ce e8 8e ff ff ff 8b 76 2c 33 c0 85 f6 0f 95 c0 85 c0 75 05 e8 e2 2f fb ff ff 75 10 ff 75 Data Ascii: Hv 3@FxuRPhjjv pxRH^]UVtuuPxRu^]UV~,uh.SCPsRF,N,E^]jhUeEPesRMu?eEPv,3u/uu
2022-11-04 12:16:09 UTC	393	IN	Data Raw: 45 e8 01 00 00 00 8b 45 0c 03 45 14 99 2b c2 8b f0 8b 81 98 00 00 00 99 2b c2 d1 f8 d1 fe 2b f0 8b 45 18 03 45 10 99 2b c2 8b f8 8b 81 9c 00 00 00 99 2b c2 d1 ff d1 f8 2b f8 83 7d 1c 00 74 15 e8 14 1c fc ff 8b 10 8b c8 ff 92 e0 02 00 00 85 c0 74 02 46 47 8b 4d e0 6a 00 57 56 ff 75 e8 53 e8 3a 2f fe ff e9 a4 00 00 00 8b 81 a0 00 00 00 39 50 f4 0f 84 95 00 00 00 ff 75 dc 8b 03 8b cb ff 50 30 6a 01 8b cb 89 45 e0 e8 8a 30 fb ff 89 45 e8 8b 03 6a 11 8b cb ff 50 24 8d 75 0c 8d 7d ec a5 a5 6a fe a5 89 45 d8 6a ff 8d 45 ec 50 a5 ff 15 18 76 52 00 8b 35 00 76 52 00 6a fe 6a 00 8d 45 ec 50 ff d6 83 7d 1c 00 74 0a 6a 01 6a 01 8d 45 ec 50 ff d6 8b 45 e4 8b 80 a0 00 00 00 8b 13 6a 25 8d 4d ec 51 ff 70 f4 8b cb 50 ff 52 68 ff 75 e0 8b 03 8b cb ff 50 30 ff 75 e8 8b cb Data Ascii: EEE+++EE+++}ttFGMjWVuS:/9PuP0jE0EjP$u}jEjEPvR5vRjjEP}tjjEPEj%MQpPRhuP0u
2022-11-04 12:16:09 UTC	394	IN	Data Raw: fc 01 e8 fa 7f 07 00 85 c0 74 3d ff b5 9c fa ff ff 8d 8d 94 fa ff ff e8 18 8f fa ff 85 c0 74 28 ff b5 94 fa ff ff 8b ce e8 2e 04 fb ff 53 6a 01 68 b9 00 00 00 ff 76 20 ff 15 dc 76 52 00 8b 06 8b ce ff 90 6c 01 00 00 8b 8d 94 fa ff ff 83 c1 f0 e8 de e0 f9 ff 8b 8d 9c fa ff ff e9 5e 02 00 00 e8 9f 26 fb ff 50 8d 8d a0 fa ff ff e8 42 e0 f9 ff 8d 85 a0 fa ff ff 50 8b ce 89 7d fc e8 c9 e3 fa ff 8b 85 a0 fa ff ff 39 58 f4 0f 84 f1 00 00 00 53 53 68 00 01 00 00 8d 8d f0 fd ff ff 51 53 53 53 53 50 e8 f3 31 0a 00 83 c4 24 8d 85 f0 fd ff ff 50 8d 8d 98 fa ff ff e8 05 35 fa ff 8d 8d 98 fa ff ff c6 45 fc 03 e8 7b c6 fb ff 8d 8d 98 fa ff ff e8 c0 c7 fb ff 8b 85 98 fa ff ff 39 58 f4 75 0b 8d 8d a0 fa ff ff e8 85 11 fa ff 68 c8 31 53 00 8d 8d 90 fa ff ff e8 c5 34 fa ff Data Ascii: t=t(.Sjhv vRl^&PBP}9XSShQSSSSP1$P5E{9Xuh1S4
2022-11-04 12:16:09 UTC	396	IN	Data Raw: d3 8b 8e 94 07 00 00 8d 45 d0 50 e8 ef df fc ff 39 be 54 07 00 00 74 15 8b 8e 94 07 00 00 8b 01 ff 90 c0 01 00 00 8b c8 e8 1d 00 fb ff 39 be ac 00 00 00 74 0c ff 15 e0 75 52 00 89 be ac 00 00 00 e8 b7 e4 09 00 c3 8b ff 55 8b ec 83 7d 08 20 74 0d 83 7d 08 28 74 07 e8 23 c1 fa ff eb 08 8b 01 ff 90 98 01 00 00 5d c2 0c 00 8b ff 55 8b ec 56 8b f1 57 8b 7e 74 e8 cc fd ff ff 85 c0 74 07 c7 46 74 02 00 00 00 ff 75 10 8b ce ff 75 0c ff 75 08 e8 71 14 00 00 89 7e 74 5f 5e 5d c2 0c 00 8b ff 55 8b ec 8b 45 08 56 8b f1 89 86 58 07 00 00 8b 46 20 85 c0 74 14 6a 01 6a 00 50 ff 15 f0 77 52 00 ff 76 20 ff 15 e0 76 52 00 5e 5d c2 04 00 8b ff 55 8b ec 53 56 ff 75 08 8b f1 e8 be ff ff ff ff 76 20 ff 15 08 78 52 00 50 e8 35 c1 fa ff 8b d8 85 db 74 1f 57 8b 7e 20 8b ce e8 f4 Data Ascii: EP9Tt9tuRU} t}(t#]UVW~ttFtuuuq~t_^]UEVXF tjjPwRv vR^]USVuv xRP5tW~
2022-11-04 12:16:09 UTC	397	IN	Data Raw: 8d 45 bc 50 a5 ff 15 18 76 52 00 83 3d 10 56 57 00 00 74 36 e8 3c 0b fc ff 8b 4d b4 ff b1 a8 00 00 00 8b 10 ff b1 a0 00 00 00 8b 4d 10 83 e1 04 51 83 ec 10 8b fc 8d 75 bc a5 a5 a5 53 8b c8 a5 ff 92 c4 01 00 00 85 c0 75 71 ff 35 2c 3a 57 00 8d 45 cc 50 ff 73 04 ff 15 ec 77 52 00 83 65 f4 00 83 65 f8 00 8d 45 f4 50 8b 45 10 c1 e8 02 83 e0 01 50 8d 45 cc 50 6a 0d 53 e8 78 61 fe ff ff 35 c0 39 57 00 8d 45 cc ff 35 c4 39 57 00 8b cb 50 e8 a9 06 fc ff 6a ff 6a ff 8d 45 cc 50 ff 15 18 76 52 00 ff 35 b0 39 57 00 8d 45 cc ff 35 b4 39 57 00 8b cb 50 e8 84 06 fc ff 83 7d b0 00 74 0c 6a 00 ff 75 b0 8b cb e8 a7 2c fb ff 8b 4d fc 5f 5e 33 cd 5b e8 a8 cb 09 00 c9 c2 0c 00 8b ff 55 8b ec 83 7d 10 00 8b 45 08 56 8b f1 74 09 85 c0 75 05 b8 c0 18 55 00 50 8d 8e a0 07 00 00 Data Ascii: EPvR=VWt6<MMQuSuq5,:WEPswReeEPEPEPjSxa59WE59WPjjEPvR59WE59WP}tju,M_^3[U}EVtuUP
2022-11-04 12:16:09 UTC	398	IN	Data Raw: 39 57 00 57 e8 8a 01 fc ff 6a ff 6a ff 57 ff d6 e9 90 00 00 00 39 7d fc 75 4b ff 35 b4 39 57 00 8b 75 0c ff 35 c0 39 57 00 8b 4d 08 56 e8 61 01 fc ff 8b 3d 18 76 52 00 6a ff 6a ff 56 ff d7 83 7b 74 01 74 15 ff 35 c4 39 57 00 8b 4d 08 ff 35 b0 39 57 00 56 e8 39 01 fc ff 6a ff 6a ff 56 ff d7 33 ff eb 10 6a fe 6a fe ff 75 0c ff 15 18 76 52 00 8b 75 0c 39 3d 10 56 57 00 74 08 39 bb 98 00 00 00 74 20 8b 83 dc 00 00 00 01 06 8b 83 e0 00 00 00 01 46 04 eb 0d 6a fe 6a fe ff 75 0c ff 15 18 76 52 00 5f 5e 5b c9 c2 0c 00 8b ff 55 8b ec 8b 45 08 83 e8 00 74 16 48 74 04 33 c0 eb 15 6a 00 81 c1 e4 00 00 00 e8 5b 4d 00 00 eb 06 8b 81 6c 01 00 00 5d c2 08 00 6a 0a 58 c3 6a 05 58 c3 8b ff 56 8b f1 8d 86 38 07 00 00 50 e8 ef d3 00 00 8b ce 5e e9 ef c9 fa ff 8b ff 55 8b ec Data Ascii: 9WWjjW9}uK59Wu59WMVa=vRjjV{tt59WM59WV9jjV3jjuvRu9=VWt9t FjjuvR_^[UEtHt3j[Ml]jXjXV8P^U
2022-11-04 12:16:09 UTC	400	IN	Data Raw: 8b 45 8c 89 86 d8 00 00 00 3b df 0f 85 ae 00 00 00 8d 4d b0 e8 9c 17 fb ff 57 89 7d fc ff 15 54 71 52 00 50 8d 4d b0 e8 be 1d fb ff 68 00 20 00 00 57 57 57 ff 75 ac ff 15 08 76 52 00 89 45 c0 3b c7 74 6f 50 ff 75 b4 ff 15 00 71 52 00 ff 35 2c 3a 57 00 8b 8e d4 00 00 00 8b d8 8b 86 d8 00 00 00 89 45 ec 8d 45 e0 50 ff 75 b4 89 7d e0 89 7d e4 89 4d e8 ff 15 ec 77 52 00 6a 03 57 57 ff b6 d8 00 00 00 ff b6 d4 00 00 00 ff 75 dc 57 57 ff 75 b4 ff 15 94 75 52 00 3b df 74 0a 53 ff 75 b4 ff 15 00 71 52 00 ff 75 c0 ff 15 ec 71 52 00 8b 5d c4 83 4d fc ff 8d 4d b0 e8 ac 1d fb ff ff 75 ac ff 15 ec 71 52 00 ff 75 a8 ff 15 ec 71 52 00 8b 55 d4 8b 45 88 8b 4d 8c 89 42 50 89 4a 54 39 7d 1c 75 10 ff 35 ac 39 57 00 8b ca e8 9b fe fb ff 8b 55 d4 ff 75 1c 8b ca ff 75 dc e8 46 Data Ascii: E;MW}TqRPMh WWWuvRE;toPuqR5,:WEEPu}}MwRjWWuWWuuR;tSuqRuqR]MMuqRuqRUEMBPJT9}u59WUuuF
2022-11-04 12:16:09 UTC	401	IN	Data Raw: 89 5d e8 39 be ac 00 00 00 74 14 39 7d e4 75 0f ff 15 e0 75 52 00 89 be ac 00 00 00 89 5d e8 39 7d e8 74 14 53 57 ff 76 20 ff 15 f0 77 52 00 ff 76 20 ff 15 e0 76 52 00 8b ce e8 49 ab fa ff 8b 4d fc 5f 5e 33 cd 5b e8 ea bb 09 00 c9 c2 0c 00 8b ff 53 56 8b f1 83 be 94 00 00 00 00 57 74 34 ff 76 20 ff 15 08 78 52 00 50 e8 bf ab fa ff 8b f8 85 ff 74 7e 8b 5e 20 8b ce e8 7f e8 fa ff 0f b7 c0 53 50 68 11 01 00 00 ff 77 20 ff 15 dc 76 52 00 eb 5f 33 ff 47 83 be ac 00 00 00 00 89 be a0 00 00 00 89 be a4 00 00 00 89 be a8 00 00 00 75 15 ff 76 20 ff 15 e8 75 52 00 50 e8 6d ab fa ff 89 be ac 00 00 00 57 6a 00 ff 76 20 ff 15 f0 77 52 00 ff 76 20 ff 15 e0 76 52 00 8b 86 d0 00 00 00 85 c0 7e 0d 6a 00 50 57 ff 76 20 ff 15 f0 75 52 00 8b ce e8 8e aa fa ff 5f 5e 5b c2 0c Data Ascii: ]9t9}uuR]9}tSWv wRv vRIM_^3[SVWt4v xRPt~^ SPhw vR_3Guv uRPmWjv wRv vR~jPWv uR_^[
2022-11-04 12:16:09 UTC	403	IN	Data Raw: 01 00 00 56 56 ff 70 20 89 b0 b4 00 00 00 ff 15 70 78 52 00 56 57 8b 4d fc e8 e7 f0 ff ff 8b f8 3b fb 75 b5 5f 5e 5b c9 c3 8b ff 55 8b ec 83 7d 08 01 56 8b f1 75 48 83 be a0 00 00 00 00 74 3f 83 be a8 00 00 00 00 74 36 57 ff 76 20 ff 15 08 78 52 00 50 e8 29 a6 fa ff 8b f8 85 ff 74 1f 53 8b 5e 20 8b ce e8 e8 e2 fa ff 0f b7 c0 53 50 68 11 01 00 00 ff 77 20 ff 15 dc 76 52 00 5b 5f 8b ce e8 56 a5 fa ff 5e 5d c2 04 00 6a 04 b8 a2 a0 51 00 e8 d6 c7 09 00 68 50 07 00 00 e8 2f 71 fa ff 59 8b c8 89 4d f0 33 c0 89 45 fc 3b c8 74 05 e8 76 f0 ff ff e8 8b c8 09 00 c3 8b ff 56 8b f1 e8 ba e1 fa ff 50 8b ce e8 61 f2 ff ff 6a 00 6a 0b 6a 01 8b ce e8 d9 e1 fa ff 8b ce 5e e9 fe d9 00 00 8b ff 55 8b ec 56 8b 75 08 57 ff 76 20 8b f9 e8 38 f2 ff ff 8b 46 20 83 e0 fe 83 c8 0a Data Ascii: VVp pxRVWM;u_^[U}VuHt?t6Wv xRP)tS^ SPhw vR[_V^]jQhP/qYM3E;tvVPajjj^UVuWv 8F
2022-11-04 12:16:09 UTC	404	IN	Data Raw: 90 88 01 00 00 89 45 a4 3b c7 75 05 e8 77 fe fa ff 8b 4d b8 6a 01 e8 56 04 fb ff 8b 83 44 07 00 00 8b 35 b8 39 57 00 83 f8 ff 74 02 8b f0 39 bb a8 00 00 00 74 0d 8b 83 48 07 00 00 83 f8 ff 74 02 8b f0 57 6a 0a 8d 4d b4 c7 45 bc 00 80 00 00 89 7d b0 e8 22 55 fc ff 85 c0 79 10 c7 45 bc 24 80 00 00 c7 45 b0 01 00 00 00 eb 1d 8b 03 8b cb ff 90 90 01 00 00 99 2b c2 d1 f8 f7 d8 50 57 8d 45 d0 50 ff 15 18 76 52 00 8b 43 78 2b c7 74 26 48 74 09 48 75 32 83 4d bc 01 eb 2c 8b 03 83 4d bc 02 8b cb ff 90 8c 01 00 00 99 2b c2 d1 f8 f7 d8 01 45 d8 eb 12 8b 03 8b cb ff 90 8c 01 00 00 99 2b c2 d1 f8 01 45 d0 8b cb e8 1e dc fa ff a9 00 00 40 00 74 07 81 4d bc 00 00 02 00 8b 45 10 83 e0 04 89 45 ac 74 51 39 bb 90 00 00 00 74 49 8b 4d b8 ff 35 b4 39 57 00 8b 01 ff 50 30 8d Data Ascii: E;uwMjVD59Wt9tHtWjME}"UyE$E+PWEPvRCx+t&HtHu2M,M+E+E@tMEEtQ9tIM59WP0
2022-11-04 12:16:09 UTC	405	IN	Data Raw: e8 4b 9c 02 00 8b 4d 08 83 c1 f0 e8 7c b4 f9 ff 33 c0 e8 d6 bd 09 00 c2 08 00 6a 34 b8 7b ca 51 00 e8 ef bc 09 00 8b f9 e8 30 fa fa ff 50 8d 4d dc e8 d6 b3 f9 ff ff 75 08 8d 45 dc 50 ff 75 0c 33 db 89 5d fc e8 ba d6 fb ff ff 75 dc 8d 4d c8 e8 be 0d ff ff c6 45 fc 01 e8 ff f9 fa ff 50 8d 4d e0 e8 a5 b3 f9 ff 53 8d 45 e0 50 68 60 38 53 00 8d 4d c8 c6 45 fc 02 e8 d3 0d ff ff 85 c0 74 3b 8b 45 e0 39 58 f4 74 33 50 e8 5f b2 09 00 83 e8 04 59 74 24 48 74 18 48 74 0c 48 75 1e c7 47 74 02 00 00 00 eb 15 c7 47 74 03 00 00 00 eb 0c c7 47 74 01 00 00 00 eb 03 89 5f 74 8d 45 d8 50 68 38 38 53 00 8d 45 c8 50 89 5d d8 e8 c2 d5 fb ff 85 c0 74 14 39 5d d8 74 0f 8b 07 53 8d 4d c0 51 8b cf ff 90 6c 01 00 00 e8 6f f9 fa ff 50 8d 4d e4 e8 15 b3 f9 ff 53 8d 45 e4 50 68 14 38 Data Ascii: KM\|3j4{Q0PMuEPu3]uMEPMSEPh`8SMEt;E9Xt3P_Yt$HtHtHuGtGtGt_tEPh88SEP]t9]tSMQloPMSEPh8
2022-11-04 12:16:09 UTC	407	IN	Data Raw: 45 ec 50 8b f1 89 5d ec 89 5d f0 89 5d f4 89 5d f8 ff 15 30 76 52 00 8b 4e 04 8b 01 ff 90 60 01 00 00 8b 4e 04 50 89 45 e8 8d 45 ec 50 e8 69 8c 00 00 39 5d e8 74 30 8b 4e 04 e8 56 d1 fa ff a9 00 00 40 00 74 21 8b 4e 04 e8 2d d1 fa ff 25 01 00 40 00 3d 00 00 40 00 75 0d 53 6a f9 8d 45 ec 50 ff 15 00 76 52 00 8b 45 ec 01 07 8b 45 f0 01 47 04 8b 45 f4 01 47 08 8b 45 f8 01 47 0c 8b 4d fc 5f 5e 33 cd 5b e8 fb a4 09 00 c9 c2 04 00 8b ff 55 8b ec 6a 00 ff 75 08 ff 71 04 b9 98 39 57 00 e8 74 9d fb ff 5d c2 04 00 8b ff 55 8b ec f6 45 08 01 56 8b f1 c7 06 60 43 53 00 74 07 56 e8 37 60 fa ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 83 ec 18 a1 54 04 57 00 33 c5 89 45 fc 53 8b 5d 08 57 8b f9 8b 4f 04 8b 01 ff 90 9c 01 00 00 85 c0 75 0c 53 ff 15 30 76 52 00 e9 b4 00 00 Data Ascii: EP]]]]0vRN`NPEEPi9]t0NV@t!N-%@=@uSjEPvREEGEGEGM_^3[Ujuq9Wt]UEV`CStV7`Y^]UTW3ES]WOuS0vR
2022-11-04 12:16:09 UTC	408	IN	Data Raw: 55 8b ec dd 05 70 43 53 00 dc 5d 08 df e0 f6 c4 05 7a 14 dd 05 f8 bd 52 00 dc 5d 08 df e0 f6 c4 01 75 04 d9 e8 5d c3 d9 ee 5d c3 8b ff 55 8b ec d9 ee dd 45 08 d8 d1 df e0 f6 c4 05 7a 02 d9 e0 d9 e8 d8 d1 df e0 f6 c4 41 75 06 dd da de e9 5d c3 dd d8 dd d8 5d c3 8b ff 55 8b ec d9 ee dd 45 08 d8 d1 df e0 f6 c4 05 7a 02 d9 e0 d9 e8 d8 d1 df e0 f6 c4 41 75 14 dd da d9 c0 d8 c1 dc 25 b8 bb 52 00 d8 c9 de c9 de c1 5d c3 dd d8 dd d8 5d c3 8b ff 55 8b ec d9 ee dd 45 08 d8 d1 df e0 f6 c4 05 7a 02 d9 e0 dd 05 f8 bd 52 00 d8 d1 df e0 f6 c4 41 75 10 dd d8 dd d9 d9 c0 de c9 dc 2d 78 43 53 00 5d c3 dd 05 f8 f4 52 00 d8 d2 df e0 f6 c4 41 75 0e dd db d9 c9 de e2 d9 c1 de c9 de c9 5d c3 dd d8 dd d8 dd d8 5d c3 8b ff 55 8b ec d9 ee dd 45 08 d8 d1 df e0 f6 c4 05 7a 02 d9 e0 Data Ascii: UpCS]zR]u]]UEzAu]]UEzAu%R]]UEzRAu-xCS]RAu]]UEz
2022-11-04 12:16:09 UTC	410	IN	Data Raw: 52 00 dc fa d9 e8 dc c3 d9 cb dd 5c 24 10 db 45 f8 d8 e2 d8 f1 d8 c3 dd 5c 24 08 db 45 f4 de e2 de f9 de c1 dd 1c 24 ff 35 e4 39 57 00 e8 8a 23 03 00 eb 03 8b 45 08 5f 5e 5b c9 c2 04 00 8b ff 55 8b ec 56 33 f6 ff 34 f5 e4 43 53 00 b9 98 39 57 00 e8 8d 7e fb ff 83 7d 0c 00 74 46 8b c8 c1 e9 08 0f b6 d0 0f b6 c9 c1 e2 08 c1 e8 10 0b ca 0f b6 c0 c1 e1 08 0b c8 39 4d 08 75 2b 8b ce 0f b6 04 cd e0 43 53 00 0f b6 14 cd e1 43 53 00 0f b6 0c cd e2 43 53 00 c1 e0 08 0b c2 c1 e0 08 0b c1 eb 0e 39 45 08 74 0e 46 83 fe 04 7c 98 8b 45 08 5e 5d c2 08 00 8b 04 f5 e0 43 53 00 eb f2 8b ff 55 8b ec 83 ec 5c a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 8d 4d a8 51 6a 54 50 ff 15 f4 71 52 00 85 c0 75 07 33 c0 e9 90 00 00 00 66 83 7d ba 20 75 f2 57 8b 7d bc 85 ff 75 04 33 c0 eb 7c Data Ascii: R\$E\$E$59W#E_^[UV34CS9W~}tF9Mu+CSCSCS9EtF\|E^]CSU\TW3EEMQjTPqRu3f} uW}u3\|
2022-11-04 12:16:09 UTC	411	IN	Data Raw: 44 10 04 dd 00 41 dc 75 d4 83 c2 0c dd 18 8b 46 08 3b 0c 07 76 e2 ff 45 f8 8b 45 f8 3b 46 04 0f 82 53 fe ff ff 5f 5e 5b c9 c2 14 00 8b 45 f0 6b c9 0c 8d 44 01 04 dd 00 d8 c2 dd 18 eb 8f 8b ff 55 8b ec 51 51 56 57 8b f1 e8 44 f7 ff ff 8b 45 0c 8b 08 8b 50 08 8b 78 04 2b d1 89 4d f8 8b 48 0c 8b 45 14 2b cf 85 c0 75 02 8b c2 83 7d 10 00 53 75 06 8d 1c 39 89 5d 10 89 4e 18 8a 4d 18 0f b6 d9 0f af da 83 7d 1c 00 89 5e 1c 89 46 0c 89 46 20 5b 74 05 f7 d8 89 46 20 8b 45 10 ff 75 08 89 46 28 8b 45 f8 88 4e 24 8b ce 89 7e 10 89 46 14 e8 fc f6 ff ff ff 75 08 8b f8 8b ce 89 7e 04 e8 1f f7 ff ff 89 3e 5f 89 46 08 5e c9 c2 18 00 8b ff 55 8b ec 83 ec 10 53 56 8b 35 00 71 52 00 57 8b d9 33 ff 39 7b 3c 74 16 8b 45 08 ff 70 04 ff 35 98 56 57 00 ff d6 ff 75 08 e8 01 a9 fb Data Ascii: DAuF;vEE;FS_^[EkDUQQVWDEPx+MHE+u}Su9]NM}^FF [tF EuF(EN$~Fu~>_F^USV5qRW39{<tEp5VWu
2022-11-04 12:16:09 UTC	412	IN	Data Raw: 00 00 00 75 05 33 c0 40 eb d8 83 3d 44 3b 57 00 08 7e f2 8d 4d a0 e8 46 e5 fa ff 53 89 5d fc ff 15 54 71 52 00 50 8d 4d a0 e8 68 eb fa ff 8d 85 58 ff ff ff 50 6a 18 ff b6 88 00 00 00 ff 15 f4 71 52 00 85 c0 75 0e 83 4d fc ff 8d 4d a0 e8 c4 eb fa ff eb 8b 8b 85 5c ff ff ff 8b 3d 00 71 52 00 89 45 bc 8b 85 60 ff ff ff 89 45 b4 8b 86 88 00 00 00 3b c3 74 0b 50 ff 75 a4 ff d7 89 45 b8 eb 03 89 5d b8 39 5d b8 74 bd 8d 4d 88 e8 cf e4 fa ff ff 75 a4 c6 45 fc 01 ff 15 54 71 52 00 50 8d 4d 88 e8 ee ea fa ff 8b 45 bc 8b 4d b4 6a 20 33 d2 42 66 89 55 d0 5a 53 53 89 45 c8 89 4d cc 0f af c8 8d 45 84 50 53 8d 45 c4 50 ff 75 8c c7 45 c4 28 00 00 00 66 89 55 d2 89 5d d4 89 4d d8 89 5d dc 89 5d e0 89 5d e4 89 5d e8 89 5d 84 ff 15 0c 71 52 00 8b 4d c0 89 01 3b c3 75 18 ff Data Ascii: u3@=D;W~MFS]TqRPMhXPjqRuMM\=qRE`E;tPuE]9]tMuETqRPMEMj 3BfUZSSEMEPSEPuE(fU]M]]]]]qRM;u
2022-11-04 12:16:09 UTC	414	IN	Data Raw: f9 0f b6 4e 02 88 06 8b 85 68 ff ff ff c1 e8 10 0f b6 c0 0f af c1 99 b9 ff 00 00 00 f7 f9 ff 85 6c ff ff ff 83 c6 04 88 46 fb 8b 85 78 ff ff ff 0f af 85 74 ff ff ff 39 85 6c ff ff ff 0f 8c 13 ff ff ff e9 82 00 00 00 8d 85 38 ff ff ff 50 8d 8d 30 ff ff ff e8 77 11 03 00 8b 83 a4 00 00 00 c6 45 fc 02 83 f8 ff 75 05 a1 ac 39 57 00 8b 8d 6c ff ff ff 6a ff 50 ff b5 68 ff ff ff 89 8d 20 ff ff ff 8b 8d 5c ff ff ff 89 b5 18 ff ff ff 89 b5 1c ff ff ff 89 8d 24 ff ff ff 83 ec 10 8b fc 8d b5 18 ff ff ff a5 a5 a5 8d 8d 30 ff ff ff a5 e8 f0 24 03 00 8d 8d 30 ff ff ff c6 45 fc 01 e8 24 11 03 00 8b 3d 00 71 52 00 ff b5 28 ff ff ff ff b5 3c ff ff ff ff d7 ff b5 64 ff ff ff ff b5 4c ff ff ff ff d7 ff b3 88 00 00 00 ff 15 ec 71 52 00 8b 85 60 ff ff ff 33 f6 89 83 88 00 00 Data Ascii: NhlFxt9l8P0wEu9WljPh \$0$0E$=qR(<dLqR`3
2022-11-04 12:16:09 UTC	415	IN	Data Raw: 53 89 5d fc ff 15 54 71 52 00 50 8d 8d 68 ff ff ff e8 28 e0 fa ff 8b 3f 3b fb 74 12 57 ff b5 6c ff ff ff ff 15 00 71 52 00 89 45 88 eb 03 89 5d 88 39 5d 88 75 18 33 f6 83 4d fc ff 8d 8d 68 ff ff ff e8 78 e0 fa ff 8b c6 e9 82 fe ff ff 8b 4d 98 3b cb 0f 8e 9d 00 00 00 8b 3d bc 70 52 00 8b c6 99 2b c2 89 45 8c d1 7d 8c 89 5d 84 8b 1d 88 71 52 00 89 8d 7c ff ff ff 8b 45 84 89 45 98 8d 44 30 ff 89 45 94 8b 45 8c 85 c0 7e 5e 89 45 80 33 f6 39 75 90 7e 43 ff 75 98 56 ff b5 6c ff ff ff ff d3 ff 75 94 89 85 64 ff ff ff 56 ff b5 6c ff ff ff ff d3 50 ff 75 98 56 ff b5 6c ff ff ff ff d7 ff b5 64 ff ff ff ff 75 94 56 ff b5 6c ff ff ff ff d7 46 3b 75 90 7c bd ff 45 98 ff 4d 94 ff 4d 80 75 ab 8b b5 78 ff ff ff 01 75 84 ff 8d 7c ff ff ff 75 83 ff 75 88 ff b5 6c ff ff ff Data Ascii: S]TqRPh(?;tWlqRE]9]u3MhxM;=pR+E}]qR\|EED0EE~^E39u~CuVludVlPuVlduVlF;u\|EMMuxu\|uul
2022-11-04 12:16:09 UTC	417	IN	Data Raw: df e0 f6 c4 05 7a 0a dd da dd 85 2c ff ff ff eb 02 d9 ca 83 ec 18 d9 c9 dd 5c 24 10 dd 5c 24 08 dd 1c 24 e8 59 09 03 00 39 85 50 ff ff ff 74 13 50 ff 75 90 ff 75 98 ff b5 58 ff ff ff ff 15 bc 70 52 00 ff 45 90 8b 45 90 3b 45 8c 0f 8c b2 fe ff ff ff 45 98 8b 45 98 3b 45 88 0f 8c 97 fe ff ff ff b5 68 ff ff ff ff b5 58 ff ff ff ff d7 ff 75 94 ff b5 78 ff ff ff ff d7 ff b6 88 00 00 00 ff 15 ec 71 52 00 8b 45 84 8d be 8c 00 00 00 57 89 86 88 00 00 00 e8 b6 92 fb ff 81 c6 90 00 00 00 56 89 1f e8 a8 92 fb ff 89 1e 8d 8d 54 ff ff ff 88 5d fc e8 5a da fa ff 83 4d fc ff 8d 8d 74 ff ff ff e8 4b da fa ff e8 d4 8f 09 00 c2 08 00 8b ff 55 8b ec 83 ec 18 56 8b f1 8b 86 88 00 00 00 85 c0 74 36 8d 4d e8 51 6a 18 50 ff 15 f4 71 52 00 85 c0 74 25 8b 45 ec 89 46 50 8b 45 f0 Data Ascii: z,\$\$$Y9PtPuuXpREE;EEE;EhXuxqREWVT]ZMtKUVt6MQjPqRt%EFPE
2022-11-04 12:16:09 UTC	417	IN	Data Raw: 8b ec 83 ec 10 ff 75 1c 8b 45 0c ff 75 18 8b 10 ff 75 14 8b 40 04 ff 75 10 83 65 f0 00 83 65 f4 00 89 45 fc 8d 45 f0 50 ff 75 08 89 55 f8 e8 bf e7 ff ff c9 c2 18 00 8b ff 55 8b ec 83 ec 48 a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 53 8b 5d 0c 89 4d d8 85 c0 0f 84 b4 00 00 00 8d 4d b8 51 6a 18 50 ff 15 f4 71 52 00 85 c0 0f 84 9f 00 00 00 83 7d cc 00 0f 84 95 00 00 00 66 83 7d ca 18 0f 82 8a 00 00 00 56 57 ff 75 c0 e8 91 d2 09 00 8b 7d bc 83 65 ec 00 83 65 f0 00 8b f0 8b 03 89 45 dc 03 c7 59 8b 4b 04 89 45 e4 8d 45 ec 50 8d 45 dc 50 89 4d e0 8d 45 ec 03 ce 50 89 7d d0 89 75 d4 89 7d f4 89 75 f8 89 4d e8 ff 15 04 76 52 00 0f b7 45 ca c1 e8 03 0f af f8 8b cf 81 e1 03 00 00 80 79 05 49 83 c9 fc 41 74 07 6a 04 5a 2b d1 03 fa 33 c9 39 4d c0 0f 9c c1 51 8b 4d d8 50 Data Ascii: uEuu@ueeEEPuUUHTW3EES]MMQjPqR}f}VWu}eeEYKEEPEPMEP}u}uMvREyIAtjZ+39MQMP
2022-11-04 12:16:09 UTC	419	IN	Data Raw: f6 c4 44 7a 04 dd d8 eb e2 d9 c0 d9 e8 da e9 df e0 f6 c4 44 7a 0d dd d8 33 c0 40 e8 25 89 09 00 c2 08 00 8b 47 54 89 45 e0 db 45 e0 d8 c9 dd 05 f8 bd 52 00 dc c1 d9 c9 e8 a7 c8 09 00 8b 5f 50 89 5d dc db 45 dc 89 45 ec de ca de c1 e8 92 c8 09 00 8b 4f 54 89 45 94 3b c3 75 05 39 4d ec 74 b7 3b de 7e b3 39 75 e0 7e ae 39 75 94 7e a9 39 75 ec 7e a4 8b 5f 04 89 5d f0 3b de 74 9a 8d 85 24 ff ff ff 50 6a 18 ff b7 88 00 00 00 ff 15 f4 71 52 00 85 c0 0f 84 50 ff ff ff ff b5 2c ff ff ff e8 ce cc 09 00 dd 87 b0 00 00 00 dc 4d 08 59 33 c9 39 b5 2c ff ff ff dd 9f b0 00 00 00 89 75 90 0f 9c c1 89 75 a4 89 75 a8 89 4d dc 8b 4f 50 89 4d 8c 83 fb 01 75 15 8b 4f 54 3b c1 7e 0e 99 f7 f9 89 75 8c 89 4d 90 89 45 f0 8b d8 ff b7 a4 00 00 00 ff b7 88 00 00 00 e8 6f 07 03 00 89 Data Ascii: DzDz3@%GTEER_P]EEOTE;u9Mt;~9u~9u~9u~_];t$PjqRP,MY39,uuuMOPMuOT;~uMEo
2022-11-04 12:16:09 UTC	420	IN	Data Raw: cf e8 b0 e1 ff ff 33 c0 39 b7 88 00 00 00 be d4 43 53 00 0f 95 c0 8d 8d 78 ff ff ff c6 45 fc 02 89 b5 78 ff ff ff 8b f8 e8 80 d3 ff ff 8d 8d 30 ff ff ff c6 45 fc 01 89 b5 30 ff ff ff e8 6b d3 ff ff 8b c7 e9 26 fa ff ff 8b ff 55 8b ec 81 ec 4c 04 00 00 a1 54 04 57 00 33 c5 89 45 fc 53 8b 5d 08 56 8b f1 57 8b cb 89 9d e4 fb ff ff e8 6c cf ff ff 83 a5 f4 fb ff ff 00 8b f8 6a 20 59 89 bd dc fb ff ff 89 8d e8 fb ff ff c7 85 f0 fb ff ff 09 20 02 00 f7 c7 00 00 02 00 74 14 c1 f8 08 25 ff 00 00 00 89 85 e8 fb ff ff 89 bd f0 fb ff ff f7 c7 00 00 04 00 74 1a 89 8d e8 fb ff ff c7 85 f4 fb ff ff 01 00 00 00 c7 85 f0 fb ff ff 0a 20 26 00 8b cb e8 df ce ff ff 8b cb 89 85 ec fb ff ff e8 ac ce ff ff ff b5 f4 fb ff ff 8b ce 6a 00 6a 00 ff b5 e8 fb ff ff ff b5 ec fb ff ff Data Ascii: 39CSxEx0E0k&ULTW3ES]VWlj Y t%t &jj
2022-11-04 12:16:09 UTC	421	IN	Data Raw: 50 56 57 00 85 c0 75 25 6a 34 e8 6d 27 fa ff 59 85 c0 74 09 8b c8 e8 8e 0e fd ff eb 02 33 c0 a3 50 56 57 00 85 c0 75 05 e8 b3 b9 fa ff ff 75 fc 8b c8 e8 fc fe ff ff 8b 45 fc 8b 08 50 ff 51 08 8b 0d 50 56 57 00 e8 9e 0e fd ff 8b 4d f8 50 e8 76 cb fa ff 83 3d 88 56 57 00 00 8b f0 74 07 53 ff 15 48 74 52 00 8b c6 5b 5e c9 c2 08 00 8b ff 55 8b ec 51 56 8b 75 0c 57 89 4d fc 85 f6 75 08 e8 a3 19 fb ff 8b 70 0c ff 35 bc 56 57 00 ff 75 08 56 ff 15 50 74 52 00 8b f8 85 ff 75 08 33 c0 5f 5e c9 c2 08 00 57 56 ff 15 54 74 52 00 89 45 0c 85 c0 74 e9 53 50 ff 15 58 74 52 00 8b d8 85 db 75 10 33 f6 ff 75 0c ff 15 c8 73 52 00 8b c6 5b eb cd 57 56 ff 15 5c 74 52 00 8b 4d fc 50 53 e8 b7 fe ff ff 8b f0 eb dc 6a 04 b8 b1 cc 51 00 e8 24 7d 09 00 8b f1 89 75 f0 c7 06 74 44 53 Data Ascii: PVWu%j4m'Yt3PVWuuEPQPVWMPv=VWtSHtR[^UQVuWMup5VWuVPtRu3_^WVTtREtSPXtRu3usR[WV\tRMPSjQ$}utDS
2022-11-04 12:16:09 UTC	423	IN	Data Raw: 3b c7 74 15 68 00 20 00 00 57 57 57 50 ff 15 08 76 52 00 89 86 8c 00 00 00 8b 83 90 00 00 00 3b c7 74 15 68 00 20 00 00 57 57 57 50 ff 15 08 76 52 00 89 86 90 00 00 00 8b 43 50 89 46 50 8b 43 54 89 46 54 8b 43 60 89 46 60 8b 43 64 89 46 64 8b 43 14 89 46 14 8d 83 94 00 00 00 50 8d 8e 94 00 00 00 e8 4c a0 f9 ff 8b 43 18 89 46 18 8b 43 04 89 46 04 8b 83 a4 00 00 00 89 86 a4 00 00 00 8b 43 20 89 46 20 8b 83 ac 00 00 00 89 86 ac 00 00 00 8b 43 28 89 46 28 8b 43 08 89 46 08 dd 83 b0 00 00 00 dd 9e b0 00 00 00 8b 83 bc 00 00 00 3b c7 74 69 eb 06 8b 85 6c ff ff ff 8b 08 8b 40 08 89 8d 6c ff ff ff 50 8d 8e b8 00 00 00 89 85 64 ff ff ff e8 02 e9 ff ff 83 8d 68 ff ff ff ff 8d 85 68 ff ff ff 50 ff b5 64 ff ff ff 8d 8b f0 00 00 00 e8 ea da fe ff 85 c0 74 19 ff b5 64 Data Ascii: ;th WWWPvR;th WWWPvRCPFPCTFTC`F`CdFdCFPLCFCFC F C(F(CF;til@lPdhhPdtd
2022-11-04 12:16:09 UTC	424	IN	Data Raw: 7d 24 00 74 11 83 3d 44 3b 57 00 08 7f 08 33 c0 40 e9 dc 07 00 00 8b 43 60 03 c2 89 85 50 ff ff ff 8b 85 78 ff ff ff 89 85 4c ff ff ff 03 43 64 83 7b 1c 00 89 95 48 ff ff ff 89 85 54 ff ff ff 8d 7b 68 8d b5 48 ff ff ff a5 a5 a5 a5 74 08 83 65 18 00 83 65 20 00 33 f6 89 b5 64 ff ff ff 39 75 28 74 05 39 75 1c 74 2b 39 73 28 74 26 83 7b 08 20 7d 20 ff b3 88 00 00 00 ff 35 94 56 57 00 ff 15 00 71 52 00 8b 95 68 ff ff ff 89 85 64 ff ff ff 33 f6 8b 4b 08 8b 43 1c 89 85 3c ff ff ff 83 f9 20 75 23 3b c6 74 1f c7 45 a4 01 00 00 00 89 73 1c 83 f9 20 74 15 39 35 8c 56 57 00 75 0d 8b 83 a4 00 00 00 eb 08 89 75 a4 eb e6 83 c8 ff 33 c9 83 f8 ff 0f 95 c1 89 45 88 89 45 90 8b 43 1c 89 8d 7c ff ff ff 85 c0 75 0a 8b b5 6c ff ff ff 85 c9 74 03 8d 73 40 89 75 8c 85 c0 75 09 Data Ascii: }$t=D;W3@C`PxLCd{HT{hHtee 3d9u(t9ut+9s(t&{ } 5VWqRhd3KC< u#;tEs t95VWuu3EEC\|ults@uu
2022-11-04 12:16:09 UTC	425	IN	Data Raw: 14 03 45 80 68 20 00 cc 00 ff 75 84 50 ff 35 94 56 57 00 ff 75 b0 ff 75 ac ff 75 a0 ff 75 9c ff 76 04 ff 15 8c 71 52 00 ff 75 90 ff 35 94 56 57 00 ff 15 00 71 52 00 e9 75 01 00 00 39 7d 1c 75 0e 39 7d 20 75 09 39 7d 24 0f 84 ef 00 00 00 57 6a 01 ff 75 14 8b cb e8 a6 be ff ff 39 7d 24 74 08 8b 83 ac 00 00 00 eb 02 33 c0 8b 16 50 8b ce ff 52 30 8b 06 68 ff ff ff 00 8b ce ff 50 2c 39 7d 1c 74 64 e8 7c 99 fb ff 39 78 74 74 5a a1 a0 39 57 00 3b c7 74 0f 50 ff 76 04 ff 15 00 71 52 00 89 45 a8 eb 03 89 7d a8 39 7d a8 74 3a 8b 45 b0 68 4a 07 b8 00 57 57 ff 35 98 56 57 00 83 c0 02 50 8b 45 ac 83 c0 02 50 8b 45 a0 40 50 8b 45 9c 40 50 ff 76 04 ff 15 8c 71 52 00 ff 75 a8 ff 76 04 ff 15 00 71 52 00 a1 a4 39 57 00 3b c7 74 0f 50 ff 76 04 ff 15 00 71 52 00 89 45 a8 eb Data Ascii: Eh uP5VWuuuuvqRu5VWqRu9}u9} u9}$Wju9}$t3PR0hP,9}td\|9xttZ9W;tPvqRE}9}t:EhJWW5VWPEPE@PE@PvqRuvqR9W;tPvqRE
2022-11-04 12:16:09 UTC	427	IN	Data Raw: e8 6a b3 fa ff 8d 4d c4 c6 45 fc 01 e8 00 ac fa ff 53 c6 45 fc 02 ff 15 54 71 52 00 50 8d 4d c4 e8 21 b2 fa ff bf a0 9f 52 00 89 5d d8 89 7d d4 8b 46 54 8b 4e 50 50 51 ff 75 b0 c6 45 fc 03 ff 15 30 71 52 00 50 8d 4d d4 e8 cc b4 fa ff 3b c3 75 3d 6a ff 53 68 8a 3e 00 00 e8 ec 98 fa ff 8d 4d d4 c6 45 fc 02 89 7d d4 e8 02 61 f9 ff 8d 4d c4 c6 45 fc 01 e8 4d b2 fa ff 8d 4d ac 88 5d fc e8 3e b3 fa ff 33 c0 e8 d8 67 09 00 c2 04 00 ff 75 d8 ff 75 c8 e8 37 b5 fa ff ff 35 2c 3a 57 00 8b 4e 50 89 45 c0 8b 46 54 89 45 e8 8d 45 dc 50 ff 75 c8 89 5d dc 89 5d e0 89 4d e4 ff 15 ec 77 52 00 53 51 51 8b c4 89 18 89 58 04 8d 45 9c 89 65 a8 50 8b ce e8 94 d9 ff ff 68 ff 00 00 00 53 53 53 53 53 ff 75 08 8d 45 c4 53 53 50 8b ce e8 73 f3 ff ff 8d 45 9c 50 8b ce e8 d5 c0 ff ff Data Ascii: jMESETqRPM!R]}FTNPPQuE0qRPM;u=jSh>ME}aMEMM]>3guu75,:WNPEFTEEPu]]MwRSQQXEePhSSSSSuESSPsEP
2022-11-04 12:16:09 UTC	428	IN	Data Raw: bc f5 ff ff 39 9d b8 f5 ff ff 7e 74 ff b5 bc f5 ff ff ff b5 c4 f5 ff ff ff b5 9c f5 ff ff ff 15 88 71 52 00 66 83 bd 8e f5 ff ff 18 89 85 94 f5 ff ff 75 10 39 1d 80 dc 56 00 75 08 50 e8 02 b5 ff ff eb 07 53 50 e8 77 b4 ff ff 39 85 94 f5 ff ff 74 19 50 ff b5 bc f5 ff ff ff b5 c4 f5 ff ff ff b5 9c f5 ff ff ff 15 bc 70 52 00 ff 85 bc f5 ff ff 8b 85 bc f5 ff ff 3b 85 b8 f5 ff ff 7c 8c ff 85 c4 f5 ff ff 8b 85 c4 f5 ff ff 3b 85 c8 f5 ff ff 0f 8c 66 ff ff ff ff 75 e8 ff b5 9c f5 ff ff ff d6 ff b5 d0 f5 ff ff ff b5 ac f5 ff ff ff d6 ff 37 ff 15 ec 71 52 00 8b 85 cc f5 ff ff 89 07 8d 8d 98 f5 ff ff c6 45 fc 01 e8 4b ac fa ff 8d 8d a8 f5 ff ff 88 5d fc e8 3d ac fa ff 8b b5 c0 f5 ff ff 66 83 bd 76 f5 ff ff 20 72 0a ff 76 38 ff 37 e8 73 b5 ff ff 8b ce e8 8a b3 ff ff Data Ascii: 9~tqRfu9VuPSPw9tPpR;\|;fu7qREK]=fv rv87s
2022-11-04 12:16:09 UTC	430	IN	Data Raw: fc 05 89 73 18 89 73 20 89 73 24 89 73 04 89 73 2c 89 73 0c 89 b3 88 00 00 00 89 b3 8c 00 00 00 89 b3 90 00 00 00 89 73 14 39 35 d4 56 57 00 75 34 56 ff 15 54 71 52 00 56 a3 94 56 57 00 ff 15 54 71 52 00 a3 98 56 57 00 39 35 94 56 57 00 74 04 3b c6 75 05 e8 e2 9f fa ff 33 c9 41 89 0d d4 56 57 00 eb 03 33 c9 41 89 75 e0 d9 e8 89 75 e4 dd 9b b0 00 00 00 89 75 e8 89 75 ec 8d 75 e0 a5 a5 a5 83 8b a4 00 00 00 ff 83 8b a8 00 00 00 ff a5 6a 10 58 89 43 50 33 c0 89 45 e0 89 45 e4 89 45 e8 89 45 ec 8d 75 e0 8d 7b 78 a5 a5 6a 0f 5a a5 89 53 54 33 d2 89 4b 30 89 4b 3c 8b cb 89 43 58 89 53 5c 89 43 60 89 53 64 a5 89 43 1c 89 83 a0 00 00 00 89 43 28 89 43 08 c7 43 10 82 00 00 00 89 43 34 89 43 38 e8 9c fa ff ff 8b c3 e8 f6 5b 09 00 c3 68 80 01 00 00 b8 4d cf 51 00 e8 Data Ascii: ss s$ss,ss95VWu4VTqRVVWTqRVW95VWt;u3AVW3AuuuuujXCP3EEEEu{xjZST3K0K<CXS\C`SdCC(CCC4C8[hMQ
2022-11-04 12:16:09 UTC	431	IN	Data Raw: fc 02 e8 14 83 fb ff 85 c0 74 09 8b 45 b0 8b 70 58 8b 78 5c 39 5d 0c 0f 84 87 00 00 00 33 c0 40 6a 20 66 89 45 c0 58 66 89 45 c2 8b c7 0f af c6 53 53 89 45 c8 8d 45 a0 50 53 8d 45 b4 50 ff 75 90 c7 45 b4 28 00 00 00 89 75 b8 89 Data Ascii: tEpXx\9]3@j fEXfESSEEPSEPuE(u
2022-11-04 12:16:09 UTC	431	IN	Data Raw: 7d bc 89 5d c4 89 5d cc 89 5d d0 89 5d d4 89 5d d8 89 5d a0 ff 15 0c 71 52 00 3b c3 75 48 83 ce ff 8d 4d a8 c6 45 fc 01 c7 45 a8 a0 9f 52 00 e8 ec 4f f9 ff 8d 4d 8c 88 5d fc e8 38 a1 fa ff 83 4d fc ff 8d 8d 78 ff ff ff e8 25 a2 fa ff 8b c6 e8 b0 56 09 00 c2 08 00 57 56 ff b5 7c ff ff ff ff 15 30 71 52 00 50 8d 4d a8 e8 5b a3 fa ff ff 75 ac ff 75 90 e8 07 a4 fa ff 89 45 9c 39 5d 0c 75 1f ff 35 2c 3a 57 00 8d 45 e0 50 ff 75 90 89 5d e0 89 5d e4 89 75 e8 89 7d ec ff 15 ec 77 52 00 39 5d a4 74 13 53 53 ff 75 a4 33 c0 57 56 53 50 8d 4d 8c e8 b1 59 fd ff 8b 45 9c 3b c3 75 04 33 c0 eb 03 8b 40 04 50 ff 75 90 e8 b1 a3 fa ff 8b 75 b0 39 5d 0c 74 12 ff 76 38 c7 46 08 20 00 00 00 ff 75 ac e8 dd a9 ff ff 53 ff 75 ac 8b ce e8 07 fa ff ff 8b f0 e9 25 ff ff ff 6a 7c b8 Data Ascii: }]]]]]]qR;uHMEEROM]8Mx%VWV\|0qRPM[uuE9]u5,:WEPu]]u}wR9]tSSu3WVSPMYE;u3@Puu9]tv8F uSu%j\|
2022-11-04 12:16:09 UTC	433	IN	Data Raw: ff 75 0c ff 15 ec 71 52 00 eb c7 66 83 7d 8a 20 72 10 ff 77 38 ff 75 0c e8 fe a4 ff ff e9 9d 01 00 00 66 83 7d 8a 08 76 05 39 5f 30 75 0c 39 1d 1c 3b 57 00 0f 84 85 01 00 00 8d 4d b8 e8 d3 94 fa ff 53 c6 45 fc 01 ff 15 54 71 52 00 50 8d 4d b8 e8 f4 9a fa ff 8d 45 90 50 6a 18 ff 75 0c ff 15 f4 71 52 00 85 c0 75 10 8d 4d b8 88 5d fc e8 57 9b fa ff e9 46 01 00 00 ff 75 0c 8b 35 00 71 52 00 ff 75 bc ff d6 89 45 e0 3b c3 0f 84 1f 01 00 00 8b 4d 98 8b 45 94 51 50 ff 75 bc 89 45 e4 89 4d e8 ff 15 30 71 52 00 89 45 dc 3b c3 75 0d ff 75 e0 ff 75 bc ff d6 e9 f4 00 00 00 8d 4d a8 e8 50 94 fa ff ff 75 bc c6 45 fc 02 ff 15 54 71 52 00 50 8d 4d a8 e8 6f 9a fa ff ff 75 dc ff 75 ac ff d6 89 45 d0 3b c3 75 16 ff 75 e0 ff 75 bc ff d6 ff 75 dc ff 15 ec 71 52 00 e9 a5 00 00 Data Ascii: uqRf} rw8uf}v9_0u9;WMSETqRPMEPjuqRuM]WFu5qRuE;MEQPuEM0qRE;uuuMPuETqRPMouuE;uuuuqR
2022-11-04 12:16:09 UTC	434	IN	Data Raw: c0 40 c3 8b ff 55 8b ec 53 8b d9 8b 4d 08 57 85 c9 75 07 e8 68 f5 f9 ff eb 0e a1 4c 56 57 00 85 c0 75 05 e8 53 3e fa ff 8b f8 57 68 58 e9 52 00 e8 98 1a fb ff 59 59 85 c0 74 10 ff 75 0c 8b 10 53 8b c8 ff 92 ec 01 00 00 eb 54 56 57 be 7c ef 52 00 56 e8 75 1a fb ff 59 59 85 c0 75 2e 50 68 ac e5 52 00 e8 64 1a fb ff 59 59 85 c0 74 10 ff 75 0c 8b 10 53 8b c8 ff 92 f4 01 00 00 eb 1f 57 56 e8 47 1a fb ff 59 59 85 c0 74 10 ff 75 0c 8b 10 53 8b c8 ff 92 d8 01 00 00 eb 02 33 c0 5e 5f 5b 5d c2 08 00 8b ff 55 8b ec 8d 45 08 50 ff 75 08 b9 84 ce 56 00 e8 7b ad fe ff 85 c0 74 05 8b 45 08 eb 03 83 c8 ff 5d c2 04 00 8b ff 56 8b f1 c7 06 b4 44 53 00 e8 2e 87 fa ff 50 8d 4e 2c e8 d4 40 f9 ff e8 20 87 fa ff 50 8d 4e 30 e8 c6 40 f9 ff 33 c0 89 46 54 89 46 58 89 46 5c 89 46 Data Ascii: @USMWuhLVWuS>WhXRYYtuSTVW\|RVuYYu.PhRdYYtuSWVGYYtuS3^_[]UEPuV{tE]VDS.PN,@ PN0@3FTFXF\F
2022-11-04 12:16:09 UTC	435	IN	Data Raw: dc 51 ff 70 f4 8b ce 50 ff 52 68 8b 06 57 8b ce ff 50 30 8b 7d e4 2b 7d dc 8d 43 2c 50 8d 45 ac 50 8b ce e8 b7 39 fb ff 3b 38 7d 08 8b 45 e4 2b 45 dc eb 11 8d 43 2c 50 8d 45 98 50 8b ce e8 9c 39 fb ff 8b 00 03 45 b4 89 45 bc 8b 45 a0 8b 4d fc 5f 89 43 08 8b 45 bc 5e 33 cd 5b e8 d1 32 09 00 c9 c2 0c 00 6a 04 b8 a2 a0 51 00 e8 a4 44 09 00 6a 70 e8 00 ee f9 ff 59 8b c8 89 4d f0 33 c0 89 45 fc 3b c8 74 05 e8 93 fa ff ff e8 5c 45 09 00 c3 8b ff 55 8b ec 56 8b f1 e8 e9 fb ff ff f6 45 08 01 74 07 56 e8 fc ed f9 ff 59 8b c6 5e 5d c2 04 00 6a 04 b8 77 f1 51 00 e8 56 44 09 00 66 83 3d 0c 57 57 00 00 75 58 a1 14 57 57 00 83 c0 f0 50 e8 15 6c f9 ff 8d 70 10 59 89 75 f0 83 65 fc 00 83 7e f4 00 75 1a e8 e7 ee f9 ff 50 8d 45 f0 68 7c 45 53 00 50 e8 00 3e f9 ff 8b 75 f0 Data Ascii: QpPRhWP0}+}C,PEP9;8}E+EC,PEP9EEEM_CE^3[2jQDjpYM3E;t\EUVEtVY^]jwQVDf=WWuXWWPlpYue~uPEh\|ESP>u
2022-11-04 12:16:09 UTC	437	IN	Data Raw: 50 8d 4e 30 e8 a7 67 f9 ff 8b 47 50 89 46 50 8b 47 28 83 66 1c 00 5f 89 46 28 5e 5d c2 04 00 68 b8 00 00 00 b8 a6 d0 51 00 e8 a4 3f 09 00 8b 45 0c 8b 5d 08 8b 7d 10 6a 00 ff 75 1c 8b f1 8b 4d 14 50 89 4e 4c 53 8b ce 89 75 80 89 85 40 ff ff ff 89 bd 4c ff ff ff e8 3c f2 ff ff 33 c0 3b f8 75 0a 33 c9 89 85 50 ff ff ff eb 0c 8b 4f 60 89 8d 50 ff ff ff 8b 4f 64 89 8d 54 ff ff ff 8b 0d 48 49 57 00 89 85 60 ff ff ff 3b c8 74 13 39 46 04 75 0e ff 76 20 e8 75 97 fc ff 89 85 60 ff ff ff 8b b5 40 ff ff ff 8b 4d 80 8d 7d c0 a5 a5 a5 33 c0 a5 39 41 48 74 18 e8 9c 6b fb ff 8b 10 8d 8d 58 ff ff ff 51 8b c8 ff 92 3c 01 00 00 eb 12 89 85 44 ff ff ff 89 85 48 ff ff ff 8d 85 44 ff ff ff 8b 08 8b 40 04 99 2b c2 d1 f8 f7 d8 50 8b c1 99 2b c2 d1 f8 f7 d8 50 8d 45 c0 50 ff 15 Data Ascii: PN0gGPFPG(f_F(^]hQ?E]}juMPNLSu@L<3;u3PO`POdTHIW`;t9Fuv u`@M}39AHtkXQ<DHD@+P+PEP
2022-11-04 12:16:09 UTC	438	IN	Data Raw: 70 ff ff ff 74 0a 39 75 24 74 05 33 c9 41 eb 02 33 c9 8b 45 80 39 70 04 74 05 8b 40 38 eb 03 8b 40 34 03 bd 68 ff ff ff 68 ff 00 00 00 ff b5 7c ff ff ff 56 56 51 8b 8d 4c ff ff ff 56 50 8b 85 5c ff ff ff 03 85 74 ff ff ff 50 57 53 e8 69 c6 ff ff 8b 45 80 39 70 18 74 05 39 75 14 75 15 39 70 08 0f 84 2a 04 00 00 8b 48 2c 39 71 f4 0f 84 1e 04 00 00 39 75 1c 74 05 6a 02 5e eb 0c f7 40 24 00 00 03 00 74 03 33 f6 46 e8 1e 66 fb ff 8b 10 56 8b 75 80 56 8b c8 ff 92 b4 00 00 00 8b 13 50 8b cb ff 52 30 8b 46 2c 83 e8 10 50 e8 e2 60 f9 ff 83 c0 10 59 89 85 74 ff ff ff 8b 45 80 8d 75 c0 8d 7d e0 a5 a5 a5 a5 8b 70 18 c6 45 fc 01 85 f6 74 5e 83 7d 14 00 74 58 83 3d 88 dd 56 00 00 8b 45 dc 8b 8d 54 ff ff ff 8d 44 08 03 89 45 dc c7 85 78 ff ff ff 01 00 00 00 74 0a c7 85 Data Ascii: pt9u$t3A3E9pt@8@4hh\|VVQLVP\tPWSiE9pt9uu9p*H,9q9utj^@$t3FfVuVPR0F,P`YtEu}pEt^}tX=VETDExt
2022-11-04 12:16:09 UTC	440	IN	Data Raw: db 39 5e 04 0f 85 ca 00 00 00 8b 46 20 3b c3 0f 8e bf 00 00 00 8b 0d 48 49 57 00 3b cb 74 0e 50 e8 93 8c fc ff 85 c0 0f 85 a7 00 00 00 ff 76 20 8b 7e 0c e8 bd e9 ff ff 3b c3 7c 10 8b 16 50 8b ce ff 92 bc 00 00 00 e9 88 00 00 00 3b fb 0f 84 80 00 00 00 8d 7e 2c 8b 07 89 5e 0c c7 46 08 01 00 00 00 39 58 f4 75 6c e8 ec 70 fa ff 50 8d 4d f0 e8 92 2a f9 ff 8b 76 20 56 89 5d fc e8 cc ba fa ff 3b c3 74 43 56 50 8d 4d f0 e8 48 7d f9 ff 3b c3 74 35 53 6a 0a 8d 4d f0 e8 2b c6 fb ff 83 f8 ff 74 25 40 50 8d 45 ec 50 8d 4d f0 e8 49 11 fb ff 50 8b cf c6 45 fc 01 e8 9a 5b f9 ff 8b 4d ec 83 c1 f0 e8 bf 2a f9 ff 8b 4d f0 83 c1 f0 e8 b4 2a f9 ff e8 10 34 09 00 c3 6a 04 b8 0f d1 51 00 e8 2b 33 09 00 8b f1 89 75 f0 c7 06 b4 44 53 00 e8 63 70 fa ff 50 8d 4e 2c e8 09 2a f9 ff Data Ascii: 9^F ;HIW;tPv ~;\|P;~,^F9XulpPMv V];tCVPMH};t5SjM+t%@PEPMIPE[MM4jQ+3uDScpPN,
2022-11-04 12:16:09 UTC	441	IN	Data Raw: 01 00 00 c7 86 2c 01 00 00 ff 7f 00 00 88 9e 62 01 00 00 89 9e 5c 01 00 00 89 9e 58 01 00 00 ff 15 30 76 52 00 57 89 9e 64 01 00 00 89 9e 9c 02 00 00 89 9e a0 02 00 00 89 9e 98 02 00 00 c7 86 78 01 00 00 08 d6 56 00 ff 15 30 76 Data Ascii: ,b\X0vRWdxV0v
2022-11-04 12:16:09 UTC	441	IN	Data Raw: 52 00 33 c0 40 89 86 04 01 00 00 89 86 08 01 00 00 89 86 0c 01 00 00 89 86 54 01 00 00 89 86 50 01 00 00 89 9e 74 01 00 00 89 9e 68 01 00 00 89 9e 6c 01 00 00 8b c6 e8 b5 2e 09 00 c3 8b ff 55 8b ec 8b 91 50 01 00 00 8b 45 08 89 10 8b 89 54 01 00 00 89 48 04 5d c2 04 00 6a 04 b8 94 d1 51 00 e8 b3 2d 09 00 8b f1 89 75 f0 c7 06 e4 45 53 00 8b 86 14 01 00 00 c7 45 fc 01 00 00 00 85 c0 74 07 50 e8 2a 20 09 00 59 8d 8e d4 01 00 00 e8 c3 14 07 00 8d 8e 7c 01 00 00 c6 45 fc 00 e8 72 10 06 00 83 4d fc ff 8b ce e8 56 98 00 00 e8 3e 2e 09 00 c3 8b ff 55 8b ec 8b 45 08 89 81 18 01 00 00 8b 45 10 89 81 1c 01 00 00 8b 45 0c 89 81 20 01 00 00 8b 45 14 89 81 24 01 00 00 5d c2 10 00 8b ff 55 8b ec 8b 45 08 8b 10 89 91 18 01 00 00 8b 50 08 89 91 1c 01 00 00 8b 50 04 89 91 Data Ascii: R3@TPthl.UPETH]jQ-uESEtP* Y\|ErMV>.UEEE E$]UEPP
2022-11-04 12:16:09 UTC	443	IN	Data Raw: ac 00 00 00 00 74 13 8b 86 ac 00 00 00 8b 10 6a 00 56 8b c8 ff 92 78 02 00 00 83 7d 08 00 75 0c 8b 06 6a 00 8b ce ff 90 64 02 00 00 5e 5d c2 04 00 8b ff 55 8b ec 8b 45 08 56 8b f1 a3 30 3b 57 00 8b 06 ff 90 9c 01 00 00 85 c0 74 43 8b 06 8b ce ff 90 60 01 00 00 85 c0 74 35 8b 8e 30 01 00 00 8b 86 38 01 00 00 8b 16 57 8b be 3c 01 00 00 2b be 34 01 00 00 6a 00 6a 04 57 2b c1 50 ff b6 34 01 00 00 51 6a 00 8b ce ff 92 34 02 00 00 5f 5e 5d c2 04 00 8b 01 6a 00 ff 90 24 02 00 00 85 c0 74 0a 8b 10 8b c8 ff a2 20 02 00 00 c3 8b ff 55 8b ec 53 56 8b 75 08 57 56 8b d9 e8 5e 82 00 00 8b 86 04 01 00 00 89 83 04 01 00 00 8b 86 08 01 00 00 89 83 08 01 00 00 8b 86 0c 01 00 00 8d 8b 50 01 00 00 89 83 0c 01 00 00 8b 06 51 8b ce ff 90 6c 02 00 00 8d 86 d4 01 00 00 50 8d 8b Data Ascii: tjVx}ujd^]UEV0;WtC`t508W<+4jjW+P4Qj4_^]j$t USVuWV^PQlP
2022-11-04 12:16:09 UTC	444	IN	Data Raw: ff 77 20 ff 15 dc 76 52 00 e9 18 ff ff ff 33 c0 8b 4d fc 5f 5e 33 cd 5b e8 c1 10 09 00 c9 c2 0c 00 8b ff 55 8b ec 51 53 56 57 8b f1 8b 06 33 db 53 ff 90 24 02 00 00 ff 76 20 8b f8 ff 15 08 78 52 00 50 e8 8e 00 fa ff 53 ff 75 08 89 45 fc 8b 06 8b ce ff 90 18 02 00 00 3b fb 74 46 33 c0 40 39 45 0c 75 08 39 9e 74 01 00 00 74 02 33 c0 8b 17 50 53 56 8b cf ff 92 78 01 00 00 83 7d 0c 01 75 21 39 9e 74 01 00 00 75 09 8b 4f 20 89 8e 74 01 00 00 53 53 68 02 02 00 00 ff 77 20 ff 15 dc 76 52 00 39 5d 08 74 0a ff 75 08 8b ce e8 a6 b7 fc ff ff 75 fc 8b 06 8b ce ff 90 1c 02 00 00 5f 5e 5b c9 c2 08 00 8b ff 56 8b f1 8b 06 68 00 20 00 00 ff 90 dc 01 00 00 8b 06 6a 00 8b ce ff 90 24 02 00 00 85 c0 74 1e 8b 8e 6c 01 00 00 6a 37 89 88 88 00 00 00 83 c9 ff 51 51 51 51 6a 00 Data Ascii: w vR3M_^3[UQSVW3S$v xRPSuE;tF3@9Eu9tt3PSVx}u!9tuO tSShw vR9]tuu_^[Vh j$tlj7QQQQj
2022-11-04 12:16:09 UTC	445	IN	Data Raw: 0c 8b 45 f4 3b d1 74 0e 3b 45 14 75 09 8b c8 2b ce 89 4d 0c eb 05 03 f2 89 75 14 2b 45 14 2b c2 03 c1 89 07 ff 75 dc e8 f0 61 09 00 8b 75 e8 59 3b c6 7d 2a 8b 55 f0 8b 4d 10 8b 45 f8 3b d1 74 0e 3b 45 18 75 09 8b c8 2b ce 89 4d 10 eb 05 03 f2 89 75 18 2b 45 18 2b c2 03 c1 89 47 04 8b 75 e0 8d 45 0c 50 ff 76 20 ff 15 08 78 52 00 50 e8 b6 fa f9 ff 8b c8 e8 ac 65 fa ff 8b 06 6a 00 6a 01 8d 4d 0c 51 8b ce ff 90 30 02 00 00 8b 4d fc 8b c7 5f 5e 33 cd 5b e8 96 0a 09 00 c9 c2 1c 00 8b ff 55 8b ec 83 ec 1c a1 54 04 57 00 33 c5 89 45 fc 53 56 8b f1 8b 06 57 ff 90 78 02 00 00 89 45 e4 8b 06 8b ce ff 90 7c 02 00 00 8b 5d 08 83 65 e8 00 8b f8 85 db 7e 14 8b 45 e4 85 c0 0f 84 a9 00 00 00 3b c3 7f 17 89 45 e8 eb 15 53 e8 29 61 09 00 59 3b f8 7d 07 f7 df 89 7d e8 eb 03 Data Ascii: E;t;Eu+Mu+E+uauY;}*UME;t;Eu+Mu+E+GuEPv xRPejjMQ0M_^3[UTW3ESVWxE\|]e~E;ES)aY;}}
2022-11-04 12:16:09 UTC	447	IN	Data Raw: fa ff 85 c0 74 2b 53 56 e8 68 e7 fa ff 59 59 85 c0 75 05 e8 18 53 fa ff 8b 10 8b 77 20 57 8b c8 ff 92 c4 03 00 00 56 ff 15 20 77 52 00 85 c0 74 0a 8b cf 5f 5e 5b e9 5e 09 fa ff 5f 5e 5b c3 8b ff 53 56 8b d9 8b 03 57 ff 90 bc 02 00 00 8b 03 8b cb ff 90 c8 01 00 00 85 c0 74 24 8b 03 6a 01 6a 02 83 ec 10 8b fc 8d b3 d8 01 00 00 a5 a5 a5 8b cb a5 ff 90 f8 01 00 00 8b cb e8 58 f4 f9 ff 5f 5e 5b c2 0c 00 8b ff 56 8b 35 08 78 52 00 57 ff 71 20 ff d6 50 e8 e3 f4 f9 ff 8b f8 85 ff 74 57 53 ff 77 20 ff d6 50 e8 d1 f4 f9 ff 8b d8 85 db 74 42 be 14 71 53 00 56 8b cf e8 97 e6 fa ff 85 c0 74 10 68 14 18 54 00 8b cb e8 87 e6 fa ff 85 c0 75 1c 68 50 f6 56 00 8b cf e8 77 e6 fa ff 85 c0 74 11 56 8b cb e8 6b e6 fa ff 85 c0 74 05 33 c0 40 eb 02 33 c0 5b 5f 5e c3 8b ff 56 57 Data Ascii: t+SVhYYuSw WV wRt_^[^_^[SVWt$jjX_^[V5xRWq PtWSw PtBqSVthTuhPVwtVkt3@3[_^VW
2022-11-04 12:16:09 UTC	448	IN	Data Raw: 45 ec 50 ff 15 00 76 52 00 33 c0 53 50 eb 10 57 53 8d 45 ec 50 ff 15 00 76 52 00 33 c0 50 53 8b ce e8 fc f8 ff ff 8b 45 f8 2b 45 f0 8b 4d f4 2b 4d ec 8b 16 57 6a 15 50 51 ff 75 f0 8b ce ff 75 ec 68 28 34 57 00 ff 92 34 02 00 00 8b 4d fc f7 d8 5f 1b c0 5e 33 cd f7 d8 5b e8 7b ff 08 00 c9 c2 08 00 8b ff 55 8b ec 83 ec 54 a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 53 56 89 45 b4 8b 45 0c 33 f6 57 8b f9 89 45 b8 3b c6 75 05 e8 f3 4c fa ff 8d 45 ac 50 89 75 ac 89 75 b0 89 75 dc 89 75 e0 89 75 e4 89 75 e8 89 75 ec 89 75 f0 89 75 f4 89 75 f8 89 75 bc 89 75 c0 89 75 c4 89 75 c8 89 75 cc 89 75 d0 89 75 d4 89 75 d8 ff 15 54 76 52 00 8d 45 dc 50 ff 77 20 ff 15 04 78 52 00 8d 45 cc 50 8b cf e8 ea f8 ff ff bb 00 5d 53 00 53 56 ff 75 b4 8b cf ff 75 b0 ff 75 ac e8 fd 66 00 Data Ascii: EPvR3SPWSEPvR3PSE+EM+MWjPQuuh(4W4M_^3[{UTTW3EESVEE3WE;uLEPuuuuuuuuuuuuuuuuuuTvREPw xREP]SSVuuuf
2022-11-04 12:16:09 UTC	450	IN	Data Raw: b6 70 01 00 00 8b 07 68 f0 4a 53 00 8b cf ff 50 38 8b 07 8d 8e d8 01 00 00 51 68 d0 4a 53 00 8b cf ff 50 2c 8b 07 8d 8e 08 02 00 00 51 68 ac 4a 53 00 8b cf ff 50 2c ff b6 e8 01 00 00 8b 07 68 80 4a 53 00 8b cf ff 50 34 ff b6 f0 01 00 00 8b 07 68 60 4a 53 00 8b cf ff 50 38 ff 75 e8 8b 07 68 48 4a 53 00 8b cf ff 50 38 ff b6 2c 01 00 00 8b 07 68 34 4a 53 00 8b cf ff 50 38 ff b6 6c 01 00 00 8b 07 68 20 4a 53 00 8b cf ff 50 38 33 db ff 75 10 8b ce ff 75 0c ff 75 08 e8 02 7b 00 00 8b 4d e0 8b f0 c6 45 fc 01 3b cb 74 07 8b 01 6a 01 ff 50 04 8b 4d f0 83 c1 f0 e8 c9 02 f9 ff 8b 4d ec 83 c1 f0 e8 be 02 f9 ff 8b c6 e8 18 0c 09 00 c2 0c 00 6a 10 b8 f2 d1 51 00 e8 31 0b 09 00 8b d9 33 ff 39 3d b0 5d 57 00 75 07 33 c0 e9 f6 04 00 00 8b 03 ff 90 94 01 00 00 a9 00 f0 00 Data Ascii: phJSP8QhJSP,QhJSP,hJSP4h`JSP8uhHJSP8,h4JSP8lh JSP83uuu{ME;tjPMMjQ139=]Wu3
2022-11-04 12:16:09 UTC	451	IN	Data Raw: 6d d6 fa ff 59 59 85 c0 0f 84 01 fe ff ff 8b 10 56 8b c8 ff 92 d0 01 00 00 eb 0c 8b 03 6a 01 8b cb ff 90 e0 02 00 00 83 4d fc ff 8d 4d e4 c7 45 e4 2c 8a 52 00 e8 df fa fa ff 33 c0 40 e8 fb 06 09 00 c2 08 00 6a 24 b8 1d d2 51 00 e8 7d 06 09 00 8b 45 18 8b 75 0c 8b 7d 14 89 45 d8 8b 45 24 8b d9 89 45 d0 e8 43 43 fa ff 50 8d 4d dc e8 e9 fc f8 ff 83 65 fc 00 85 f6 75 31 68 24 4b 53 00 8d 45 d4 50 b9 98 39 57 00 e8 e6 e3 fa ff 50 8d 4d dc c6 45 fc 01 e8 11 2e f9 ff 8b 4d d4 83 c1 f0 c6 45 fc 00 e8 32 fd f8 ff eb 09 56 8d 4d dc e8 27 51 f9 ff ff 75 d0 8b 45 1c ff 75 20 89 83 70 01 00 00 50 ff 75 d8 8b 45 10 57 0d 00 00 00 06 50 33 f6 56 ff 75 dc 8b cb ff 75 08 e8 9f 62 00 00 85 c0 75 15 8b 4d dc 83 c1 f0 e8 eb fc f8 ff 8b c6 e8 59 06 09 00 c2 20 00 57 8d 45 e0 Data Ascii: mYYVjMME,R3@j$Q}Eu}EE$ECCPMeu1h$KSEP9WPME.ME2VM'QuEu pPuEWP3VuubuMY WE
2022-11-04 12:16:09 UTC	452	IN	Data Raw: c3 8b ff 55 8b ec 53 56 57 8b 7d 08 8b f1 8d 86 94 00 00 00 50 68 92 40 00 00 57 e8 55 6d fa ff 8d 86 08 01 00 00 50 68 91 40 00 00 57 e8 43 6d fa ff 8d 86 7c 01 00 00 50 68 93 40 00 00 57 e8 31 6d fa ff 8d 86 f0 01 00 00 50 bb 74 40 00 00 53 57 e8 1e 6d fa ff 8d 86 64 02 00 00 50 68 7d 40 00 00 57 e8 0c 6d fa ff 8d 86 d8 02 00 00 50 68 7c 40 00 00 57 e8 fa 6c fa ff 8d 86 00 04 00 00 50 68 7e 40 00 00 57 e8 e8 6c fa ff 8d 86 74 04 00 00 50 53 57 e8 9a 6d fa ff 81 c6 78 04 00 00 56 68 db 40 00 00 57 e8 88 6d fa ff 5f 5e 5b 5d c2 04 00 6a 08 b8 38 8d 51 00 e8 f9 ff 08 00 8b f1 8d 8e d8 02 00 00 e8 5b 0c 07 00 eb 18 8d 8e 9c 04 00 00 e8 ca 1d fb ff 85 c0 74 09 8b 10 6a 01 8b c8 ff 52 04 83 be a8 04 00 00 00 75 df 8b 86 80 04 00 00 8b 40 04 8b 9e 84 04 00 00 Data Ascii: USVW}Ph@WUmPh@WCm\|Ph@W1mPt@SWmdPh}@WmPh\|@WlPh~@WltPSWmxVh@Wm_^[]j8Q[tjRu@
2022-11-04 12:16:09 UTC	454	IN	Data Raw: ff ff 6a 10 b8 b7 d3 51 00 e8 ff fa 08 00 8b f1 e8 11 24 fa ff 68 79 40 00 00 8b ce e8 74 14 fa ff 33 c9 33 db 3b c3 0f 95 c1 89 45 f0 3b cb 75 05 e8 9e 36 fa ff 68 7b 40 00 00 8b ce e8 53 14 fa ff 8b f8 33 c0 3b fb 0f 95 c0 3b c3 74 e2 e8 78 a5 f9 ff 85 c0 74 1f e8 6f a5 f9 ff 8b c8 e8 d5 14 fa ff b9 00 00 40 00 85 c1 74 0a 53 51 53 8b ce e8 08 15 fa ff 8b 86 80 04 00 00 8d 8e d8 02 00 00 3b c3 74 20 50 e8 4b 07 07 00 8b ce e8 74 fa ff ff ff b6 88 04 00 00 8d 8e d8 02 00 00 e8 76 05 07 00 eb 2b 53 e8 0b 16 fa ff 53 8d 8e 08 01 00 00 e8 ff 15 fa ff 39 9e 88 04 00 00 7d 11 8b 4d f0 53 e8 ee 15 fa ff 53 8b cf e8 e6 15 fa ff 39 9e 98 04 00 00 74 23 8b 86 7c 04 00 00 39 58 3c 75 18 53 33 ff 47 57 68 f1 00 00 00 ff b6 28 01 00 00 ff 15 dc 76 52 00 eb 17 53 6a Data Ascii: jQ$hy@t33;E;u6h{@S3;;txto@tSQS;t PKtv+SS9}MSS9t#\|9X<uS3GWh(vRSj
2022-11-04 12:16:09 UTC	455	IN	Data Raw: 8b 86 80 04 00 00 33 c9 85 c0 0f 95 c1 85 c9 75 05 e8 12 31 fa ff 33 c9 39 8e 88 04 00 00 0f 9d c1 85 c9 74 ec 8b 78 54 8b 58 50 83 65 fc 00 8d 86 d8 02 00 00 50 8d 8d c0 e1 ff ff 89 bd bc e1 ff ff e8 91 40 fa ff 83 a5 f0 e1 ff ff 00 c7 85 ec e1 ff ff a0 9f 52 00 8d 8d dc e1 ff ff c6 45 fc 02 e8 a2 39 fa ff ff b5 c4 e1 ff ff c6 45 fc 03 ff 15 54 71 52 00 50 8d 8d dc e1 ff ff e8 bb 3f fa ff 57 53 ff b5 c4 e1 ff ff ff 15 30 71 52 00 50 8d 8d ec e1 ff ff e8 75 42 fa ff 85 c0 0f 84 88 01 00 00 ff b5 f0 e1 ff ff ff b5 e0 e1 ff ff e8 13 43 fa ff 8b 8e 80 04 00 00 bf c0 c0 c0 00 57 89 85 d4 e1 ff ff e8 14 21 fb ff 83 65 dc 00 83 65 e0 00 89 85 d8 e1 ff ff 8b 85 bc e1 ff ff 89 45 e8 57 8d 45 dc 50 8d 8d dc e1 ff ff 89 5d e4 e8 62 1b fb ff 33 ff 57 33 c9 51 8b 8e Data Ascii: 3u139txTXPeP@RE9ETqRP?WS0qRPuBCW!eeEWEP]b3W3Q
2022-11-04 12:16:09 UTC	457	IN	Data Raw: 8c 01 00 00 85 c0 75 47 eb 75 0f b7 85 ba e1 ff ff 50 56 8d 85 ec e1 ff ff 50 8d 8d f4 e1 ff ff e8 8a 1a 07 00 8d 8d f4 e1 ff ff c6 45 fc 04 e8 ad 1b fa ff c6 45 fc 03 8d 8d f4 e1 ff ff 83 f8 01 74 07 e8 53 f9 ff ff eb 35 e8 4c f9 ff ff 8b 8e 80 04 00 00 6a 00 ff b5 f0 e1 ff ff e8 36 94 ff ff 8b f8 85 ff 0f 88 f3 fe ff ff 8b ce e8 3d ef ff ff 8b 8d d4 e1 ff ff 57 e8 44 fa 06 00 8d 8d dc e1 ff ff c6 45 fc 02 e8 85 3a fa ff 8d 8d ec e1 ff ff c6 45 fc 01 c7 85 ec e1 ff ff a0 9f 52 00 e8 15 e9 f8 ff 8d 8d c0 e1 ff ff c6 45 fc 00 e8 ca 3a fa ff 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d ec 33 cd e8 04 dd 08 00 c9 c3 6a ff 6a 00 68 88 3e 00 00 e8 b9 20 fa ff b8 1a 2b 47 00 c3 b8 0c 4d 53 00 c3 33 c0 39 81 04 0b 00 00 74 1e 39 81 f0 08 00 00 7e 07 8d 81 ec Data Ascii: uGuPVPEEtS5Lj6=WDE:ERE:MdY_^[M3jjh> +GMS39t9~
2022-11-04 12:16:09 UTC	457	IN	Data Raw: 77 d5 51 00 e8 10 ee 08 00 8b f1 89 75 f0 c7 06 24 4e 53 00 8b 86 8c 00 00 00 33 db c7 45 fc 01 00 00 00 3b c3 74 1d 89 98 48 01 00 00 eb 15 8d 4e 70 e8 cd 0b fb ff 3b c3 74 09 8b 10 6a 01 8b c8 ff 52 04 39 5e 7c 75 e6 8b 86 bc 00 00 00 3b c3 74 11 8b 0d 78 5d 57 00 3b cb 74 07 53 50 e8 b8 ae 02 00 8d 4e 70 88 5d fc e8 e0 20 fe ff 83 4d fc ff 8b ce e8 12 a5 ff ff e8 72 ee 08 00 c3 33 c0 39 81 8c 00 00 00 0f 95 c0 c3 c3 33 c0 39 81 bc 00 00 00 0f 95 c0 c3 8b ff 55 8b ec 53 56 57 8b 7d 08 57 8b f1 e8 a8 ad ff ff 8b 87 98 00 00 00 89 86 98 00 00 00 8b 87 a8 00 00 00 89 86 a8 00 00 00 8b 87 ac 00 00 00 89 86 ac 00 00 00 8b 87 c4 00 00 00 89 86 c4 00 00 00 8b 87 b0 00 00 00 89 86 b0 00 00 00 8b 87 c0 00 00 00 89 86 c0 00 00 00 8b 87 b4 00 00 00 89 86 b4 00 00 Data Ascii: wQu$NS3E;tHNp;tjR9^\|u;tx]W;tSPNp] Mr3939USVW}W
2022-11-04 12:16:09 UTC	459	IN	Data Raw: bb 8c 00 00 00 3b cf 74 67 57 eb 5f ff 73 6c 68 8c d0 56 00 e8 60 b8 fa ff 59 59 39 7d 0c 74 18 3b c7 74 14 39 3d 04 3f 57 00 75 0c 6a 01 53 8b c8 e8 4f 1f fc ff eb 2b 8b 4d f8 3b cf 74 11 57 e8 00 29 fb ff 3b c7 74 07 8b 10 8b c8 ff 52 58 8b 03 56 8b cb ff 90 c8 00 00 00 85 c0 0f 84 f0 fe ff ff 8b 4d f8 3b cf 74 06 53 e8 f4 55 fb ff 39 7b 6c 74 38 8d 73 54 8d 7d ec a5 a5 a5 a5 e8 d9 14 fb ff 8b 80 98 00 00 00 50 50 8d 45 ec 50 ff 15 18 76 52 00 68 01 04 00 00 6a 00 8d 45 ec 50 8b 43 6c ff 70 20 ff 15 70 78 52 00 33 c0 40 8b 4d fc 5f 5e 33 cd 5b e8 cd d5 08 00 c9 c2 08 00 8b ff 55 8b ec 83 ec 0c 53 56 8b d9 57 89 5d fc 33 f6 eb 15 8d 4b 70 e8 7b 05 fb ff 3b c6 74 09 8b 10 6a 01 8b c8 ff 52 04 39 73 7c 75 e6 ff 75 08 ff 15 b8 75 52 00 85 c0 0f 84 06 01 00 Data Ascii: ;tgW_slhV`YY9}t;t9=?WujSO+M;tW);tRXVM;tSU9{lt8sT}PPEPvRhjEPClp pxR3@M_^3[USVW]3Kp{;tjR9s\|uuuR
2022-11-04 12:16:09 UTC	460	IN	Data Raw: 50 bf fc cf 56 00 57 e8 c1 b2 fa ff 59 59 85 c0 74 28 53 ff 70 20 8b d8 ff d6 50 e8 b6 c0 f9 ff 50 57 e8 a6 b2 fa ff 59 59 85 c0 75 e6 8b 03 8b cb 5b 5f 5e ff a0 d8 01 00 00 5f 5e c3 8b ff 55 8b ec 83 ec 14 a1 54 04 57 00 33 c5 89 45 fc 56 8b f1 33 c0 c7 86 ac 00 00 00 01 00 00 00 39 46 6c 74 33 89 45 ec 89 45 f0 89 45 f4 89 45 f8 8d 45 ec 50 e8 01 f7 ff ff 6a 01 8d 45 ec 50 8b 46 6c ff 70 20 ff 15 f0 77 52 00 8b 46 6c ff 70 20 ff 15 e0 76 52 00 8b 4d fc 33 cd 5e e8 3d d0 08 00 c9 c3 8b ff 55 8b ec 51 8b 4d 0c 8b 11 8b 41 08 53 8b 1d a8 3a 57 00 56 8b 35 a4 3a 57 00 2b c2 57 89 75 fc 89 55 0c 3b f0 7f 0c 8b 79 04 8b 71 0c 2b f7 3b de 7e 0d 8b 79 04 8b 71 0c 2b f7 89 45 fc 8b de 2b 45 fc 99 2b c2 d1 f8 79 04 33 c9 eb 02 8b c8 8b c6 2b c3 99 2b c2 d1 f8 79 Data Ascii: PVWYYt(Sp PPWYYu[_^_^UTW3EV39Flt3EEEEEPjEPFlp wRFlp vRM3^=UQMAS:WV5:W+WuU;yq+;~yq+E+E+y3++y
2022-11-04 12:16:09 UTC	461	IN	Data Raw: 50 e8 92 60 fd ff 8b 40 04 89 45 f0 39 3d 0c 3f 57 00 74 05 03 c0 89 45 f0 83 6d f0 02 39 3d 20 4b 57 00 0f 84 f8 00 00 00 39 be 94 00 00 00 0f 84 ec 00 00 00 8b 46 20 3d 00 f0 00 00 72 0b 3d f0 f1 00 00 0f 82 d7 00 00 00 6a 00 6a 09 8d 4e 2c e8 7c 70 fb ff 85 c0 78 29 50 8d 45 e0 50 8d 4e 2c e8 63 58 fa ff 83 65 fc 00 50 8d 4e 2c e8 ec 05 f9 ff 8b 4d e0 83 4d fc ff 83 c1 f0 e8 0d d5 f8 ff e8 d9 1a fa ff 50 8d 4d e8 e8 7f d4 f8 ff 8b 4e 6c c7 45 fc 01 00 00 00 85 c9 75 14 e8 34 88 f9 ff 50 68 9c 68 53 00 e8 76 ad fa ff 59 59 eb 0f 8b 1d 4c 56 57 00 85 db 75 0b e8 11 d1 f9 ff 8b d8 85 db 74 48 6a 01 53 8d 45 e8 50 ff 76 20 e8 3a 5a fd ff 85 c0 75 1c 50 8b 03 8b cb ff 90 6c 01 00 00 50 8d 45 e8 50 ff 76 20 e8 1e 5a fd ff 85 c0 74 19 6a 09 8d 4e 2c e8 57 d7 Data Ascii: P`@E9=?WtEm9= KW9F =r=jjN,\|px)PEPN,cXePN,MMPMNlEu4PhhSvYYLVWutHjSEPv :ZuPlPEPv ZtjN,W
2022-11-04 12:16:09 UTC	463	IN	Data Raw: 07 3d 7d 42 00 00 75 07 c7 45 dc 01 00 00 00 8b 0d 48 49 57 00 33 ff 89 bd 68 ff ff ff 3b cf 74 11 39 7b 04 75 0c 50 e8 e8 30 fc ff 89 85 68 ff ff ff ff 73 20 e8 d3 fd 00 00 89 45 84 8d 85 24 ff ff ff 50 e8 a3 5a fd ff 39 bb 8c 00 00 00 74 0f 39 bb a4 00 00 00 75 07 c7 45 18 01 00 00 00 e8 f8 04 fb ff ff b5 6c ff ff ff 8b 10 ff 75 18 8b c8 53 ff 92 9c 00 00 00 89 85 60 ff ff ff e8 d9 04 fb ff 8b 10 8b c8 ff 92 98 00 00 00 f7 d8 1b c0 40 89 85 74 ff ff ff 39 7d 18 74 50 39 7d 20 75 4b e8 b5 04 fb ff 8b 10 8b c8 ff 92 98 00 00 00 85 c0 74 38 e8 a2 04 fb ff 8b b5 78 ff ff ff 8b 10 8d 8d 60 ff ff ff 51 83 ec 10 8b fc a5 a5 a5 53 ff 75 8c 8b c8 a5 ff 92 90 00 00 00 83 a5 74 ff ff ff 00 8b b5 70 ff ff ff 33 ff f7 43 24 00 00 01 00 74 1d e8 61 04 fb ff 8b 10 8b Data Ascii: =}BuEHIW3h;t9{uP0hs E$PZ9t9uEluS`@t9}tP9} uKt8x`QSutp3C$ta
2022-11-04 12:16:09 UTC	464	IN	Data Raw: 50 8b 45 90 03 c7 50 ff 75 8c e8 b0 5f ff ff 6a fe 6a fe 8d 45 90 50 ff 15 00 76 52 00 8b 4d 90 33 c0 33 d2 39 85 6c ff ff ff 0f 95 c2 39 43 04 74 05 8b 43 38 eb 03 8b 43 34 03 75 94 68 ff 00 00 00 ff b5 44 ff ff ff 03 f9 6a 00 6a 00 52 6a 00 50 56 57 ff 75 8c 8b 8d 5c ff ff ff e8 5d 5f ff ff c7 45 88 01 00 00 00 33 ff 39 3d c8 57 57 00 75 09 39 7d 88 0f 85 ad 00 00 00 8b 4b 6c 3b cf 75 14 e8 f8 7c f9 ff 50 68 9c 68 53 00 e8 3a a2 fa ff 59 59 eb 0f 8b 35 4c 56 57 00 3b f7 75 07 e8 d5 c5 f9 ff 8b f0 56 68 58 e9 52 00 e8 1a a2 fa ff 59 59 3b c7 74 14 8b 10 8d 4d 90 51 53 ff 75 8c 8b c8 ff 92 e8 01 00 00 eb 59 56 68 7c ef 52 00 e8 f5 a1 fa ff 59 59 3b c7 74 14 8b 10 8d 4d 90 51 53 ff 75 8c 8b c8 ff 92 d4 01 00 00 eb 34 56 68 ac e5 52 00 e8 d0 a1 fa ff 59 59 Data Ascii: PEPu_jjEPvRM339l9CtC8C4uhDjjRjPVWu\]_E39=WWu9}Kl;u\|PhhS:YY5LVW;uVhXRYY;tMQSuYVh\|RYY;tMQSu4VhRYY
2022-11-04 12:16:09 UTC	465	IN	Data Raw: 8b 01 ff 50 30 8d 75 b0 8d 7d e0 a5 a5 6a 01 a5 6a 01 8d 45 e0 50 a5 ff 15 00 76 52 00 8b 45 88 8b 50 f4 8b 4d 8c 8b 31 6a 24 8d 7d e0 57 52 50 ff 56 68 8b 7d 8c ff b5 60 ff ff ff 8b 07 8b cf ff 50 30 8b 4d 88 8b 41 f4 8b 17 6a 24 8d 75 b0 56 50 51 8b cf ff 52 68 8b 85 68 ff ff ff 83 78 f4 00 0f 84 99 00 00 00 8b 45 b8 2b 85 24 ff ff ff 8d 7d e0 a5 a5 a5 83 e8 03 83 bd 6c ff ff ff 00 a5 89 45 e8 74 50 83 7d 18 00 75 4a e8 73 f9 fa ff 83 78 74 00 74 3f 8b 4d 8c ff 35 b4 39 57 00 8b 01 ff 50 30 8d 75 e0 8d 7d d0 a5 a5 6a 01 a5 6a 01 8d 45 d0 50 a5 ff 15 00 76 52 00 8b 95 68 ff ff ff 8b 42 f4 8b 4d 8c 8b 31 6a 26 8d 7d d0 57 50 52 ff 56 68 8b 75 8c ff b5 60 ff ff ff 8b 06 8b ce ff 50 30 8b 85 68 ff ff ff 8b 48 f4 8b 16 6a 26 8d 7d e0 57 51 50 8b ce ff 52 68 Data Ascii: P0u}jjEPvREPM1j$}WRPVh}`P0MAj$uVPQRhhxE+$}lEtP}uJsxtt?M59WP0u}jjEPvRhBM1j&}WPRVhu`P0hHj&}WQPRh
2022-11-04 12:16:09 UTC	467	IN	Data Raw: 8b 10 56 83 ec 10 8b fc 8d 75 b0 a5 a5 a5 53 ff 75 d8 8b c8 a5 ff 92 8c 00 00 00 33 ff 39 7d 18 74 1e 8b 03 8b cb ff 50 60 85 c0 74 1c 33 f6 39 7d 14 74 1a 39 bb a8 00 00 00 75 12 33 c9 eb 11 f7 43 24 00 00 04 00 74 e4 33 f6 46 eb e1 33 c9 41 8d 45 c8 50 33 c0 3b f7 0f 95 c0 50 8d 83 c8 00 00 00 50 51 ff 75 d8 e8 8e 4a fd ff 8b 45 c4 89 43 24 39 7d 18 0f 85 9d 00 00 00 a9 00 00 03 00 75 21 39 bb 8c 00 00 00 75 19 39 7d 1c 0f 84 85 00 00 00 a9 00 00 15 00 75 7e e8 b9 f3 fa ff 6a 02 eb 5b 39 7d d0 75 4f 39 bb 9c 00 00 00 74 47 8b 43 20 3b c7 74 40 83 f8 ff 74 3b 39 bb a8 00 00 00 75 33 ff 45 f4 e8 8c f3 fa ff 8b 10 6a 02 83 ec 10 8b fc 8d 75 ec a5 a5 a5 53 ff 75 d8 8b c8 a5 ff 92 88 00 00 00 e8 6b f3 fa ff 6a 01 8d b3 c8 00 00 00 eb 0a e8 5c f3 fa ff 6a 01 Data Ascii: VuSu39}tP`t39}t9u3C$t3F3AEP3;PPQuJEC$9}u!9u9}u~j[9}uO9tGC ;t@t;9u3EjuSukj\j
2022-11-04 12:16:09 UTC	468	IN	Data Raw: 9d 47 fb ff 8b 4d fc 5f 33 cd 5e e8 ca af 08 00 c9 c2 0c 00 8b ff 55 8b ec 53 8b 5d 0c 56 57 8b 7d 10 57 53 ff 75 08 8b f1 e8 6f 18 01 00 8d 8e 28 01 00 00 85 c9 74 20 83 79 20 00 74 1a 8b 01 6a 00 6a 14 83 c7 fc 57 83 c3 fc 53 6a 02 6a 02 6a 00 ff 90 34 02 00 00 5f 5e 5b 5d c2 0c 00 6a 68 b8 0e d6 51 00 e8 bb c1 08 00 8b f1 56 8d 4d 8c e8 dc 0d fa ff 33 c0 89 45 fc 89 45 e0 89 45 e4 89 45 e8 89 45 ec 8d 45 e0 50 ff 76 20 ff 15 dc 77 52 00 ff 35 f0 39 57 00 8d 45 e0 ff 35 f4 39 57 00 8d 4d 8c 50 e8 eb e9 fa ff 6a ff 6a ff 8d 45 e0 50 ff 15 18 76 52 00 ff 35 e8 39 57 00 8d 45 e0 ff 35 ec 39 57 00 8d 4d 8c 50 e8 c5 e9 fa ff 83 4d fc ff 8d 4d 8c e8 c8 0d fa ff e8 c6 c1 08 00 c3 8b ff 55 8b ec 83 ec 54 a1 54 04 57 00 33 c5 89 45 fc 56 57 8b 3d 20 77 52 00 8b Data Ascii: GM_3^US]VW}WSuo(t y tjjWSjjj4_^[]jhQVM3EEEEEEPv wR59WE59WMPjjEPvR59WE59WMPMMUTTW3EVW= wR
2022-11-04 12:16:09 UTC	470	IN	Data Raw: 88 00 00 00 74 06 8b 0d 1c 3f 57 00 e8 6b 16 ff ff 89 bb 84 00 00 00 eb 03 8b 75 b8 8b 4e 08 8b 43 24 8b d1 2b 55 c4 2b 4d c0 c1 e8 11 83 e0 01 8d 54 02 ff 89 55 e4 8b 56 0c 8b fa 2b 7d c0 2b 55 c4 8d 4c 01 01 8d 7c 07 01 8d 44 02 ff 89 4d ec 89 4d f4 8b 4d d0 89 45 f8 8b 01 6a 08 89 7d e8 89 7d f0 ff 50 24 33 ff 89 45 bc 3b c7 75 05 e8 63 f7 f9 ff 8b 4d d0 68 40 3a 57 00 e8 53 0a fa ff 89 45 cc 3b c7 74 e7 6a 03 8d 45 e4 50 8b 45 d0 ff 70 04 ff 15 94 70 52 00 39 7d 18 75 65 8b 03 8b cb ff 50 54 85 c0 74 5a 39 7d 20 74 55 39 7b 78 75 26 8b 43 24 a9 00 00 03 00 75 1c 39 7d 1c 74 41 a9 00 00 15 00 75 3a a9 00 00 02 00 74 15 e8 2a e8 fa ff 6a 01 eb 13 8b 43 20 3b c7 74 05 83 f8 ff eb e9 e8 15 e8 fa ff 6a 02 8b 10 83 ec 10 8b fc a5 a5 a5 53 ff 75 d0 8b c8 a5 Data Ascii: t?WkuNC$+U+MTUV+}+UL\|DMMMEj}}P$3E;ucMh@:WSE;tjEPEppR9}uePTtZ9} tU9{xu&C$u9}tAu:t*jC ;tjSu
2022-11-04 12:16:09 UTC	471	IN	Data Raw: f6 8d 83 cc 03 00 00 46 50 81 c1 a4 02 00 00 89 b3 2c 0c 00 00 e8 56 2d ff ff 8b 8b f0 0d 00 00 8d 83 d8 04 00 00 50 81 c1 b0 03 00 00 e8 3e 2d ff ff 8b 8b f0 0d 00 00 8d 83 e4 05 00 00 50 81 c1 bc 04 00 00 e8 26 2d ff ff 8b 8b f0 0d 00 00 8d 83 f0 06 00 00 50 81 c1 c8 05 00 00 e8 0e 2d ff ff 8b 8b f0 0d 00 00 8d 83 fc 07 00 00 50 81 c1 d4 06 00 00 e8 f6 2c ff ff 8b 8b f0 0d 00 00 8d 83 08 09 00 00 50 81 c1 e0 07 00 00 e8 de 2c ff ff 8b 8b f0 0d 00 00 8b 81 9c 0b 00 00 89 83 c4 0c 00 00 8b 81 a0 0b 00 00 89 83 c8 0c 00 00 8b 81 a4 0b 00 00 89 83 cc 0c 00 00 8b 81 a8 0b 00 00 89 83 d0 0c 00 00 8b 81 ac 0b 00 00 89 83 d4 0c 00 00 8b 81 b0 0b 00 00 89 83 d8 0c 00 00 8b 81 b4 0b 00 00 89 83 dc 0c 00 00 8b 81 b8 0b 00 00 81 a3 b8 01 00 00 ff ff bf ff 89 83 e0 Data Ascii: FP,V-P>-P&-P-P,P,
2022-11-04 12:16:09 UTC	472	IN	Data Raw: fa ff 8b 43 70 8b 80 cc 0b 00 00 3b c6 75 56 83 67 20 00 83 c3 74 8d 4f 2c 53 e8 e1 d8 f8 ff 8b 07 6a ff 8b cf ff 90 bc 00 00 00 ff 75 dc 8b 07 83 67 0c 00 8b cf ff 90 cc 00 00 00 8d 4d d8 e8 29 a5 fa ff 83 4d fc ff 8d 4d d8 c7 45 d8 2c 8a 52 00 e8 16 a5 fa ff 33 c0 40 e8 32 b1 08 00 c2 04 00 8b 45 ec 85 c0 0f 84 0a 01 00 00 8b 08 8b 70 08 33 c0 85 f6 0f 95 c0 89 4d ec 85 c0 0f 84 f3 00 00 00 f6 46 24 01 74 17 6a 00 6a 00 68 00 08 00 00 ff 75 dc ff 15 84 76 52 00 e9 c7 00 00 00 8b 46 20 85 c0 0f 84 bc 00 00 00 83 f8 ff 0f 84 b3 00 00 00 8b 46 2c 83 e8 10 50 e8 cf d7 f8 ff 8d 58 10 59 89 5d f0 83 7b f4 00 c6 45 fc 01 75 77 e8 2a ed f9 ff 50 8d 4d 08 e8 d0 a6 f8 ff 8b 46 20 50 c6 45 fc 02 89 45 e8 e8 06 37 fa ff 85 c0 74 4a ff 75 e8 8d 4d 08 50 e8 80 f9 f8 Data Ascii: Cp;uVg tO,SjugM)MME,R3@2Ep3MF$tjjhuvRF F,PXY]{Euw*PMF PEE7tJuMP
2022-11-04 12:16:09 UTC	474	IN	Data Raw: c0 74 16 ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 44 3e fc ff eb 24 68 3c bd 53 00 e8 d8 7a fa ff 85 c0 74 16 ff 75 18 8b ce ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 ea 3d 03 00 5e 5d c2 14 00 8b ff 55 8b ec 8b 01 56 ff 90 98 01 00 00 8b f0 85 f6 0f 84 eb 00 00 00 83 3d 5c ea 56 00 00 0f 85 de 00 00 00 68 7c ef 52 00 8b ce e8 88 7a fa ff 8b ce 85 c0 74 16 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 3e 9d fc ff e9 b9 00 00 00 68 58 e9 52 00 e8 62 7a fa ff 8b ce 85 c0 74 16 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 0c 7f fc ff e9 93 00 00 00 68 ac e5 52 00 e8 3c 7a fa ff 8b ce 85 c0 74 13 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 c7 73 fc ff eb 70 68 f8 e1 52 00 e8 19 7a fa ff 8b ce 85 c0 74 13 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 9f 6a fc ff eb 4d 68 3c da 52 Data Ascii: tuuuuuD>$h<Sztuuuuu=^]UV=\Vh\|Rztuuuu>hXRbztuuuuhR<ztuuuusphRztuuuujMh<R
2022-11-04 12:16:09 UTC	475	IN	Data Raw: 76 fa ff 8b ce 85 c0 74 0a 57 57 53 e8 96 7a fc ff eb 66 68 ac e5 52 00 e8 1a 76 fa ff 8b ce 85 c0 74 0a 57 57 53 e8 76 6f fc ff eb 4c 68 f8 e1 52 00 e8 00 76 fa ff 8b ce 85 c0 74 0a 57 57 53 e8 57 66 fc ff eb 32 68 3c da 52 00 e8 e6 75 fa ff 8b ce 85 c0 74 0a 57 57 53 e8 49 39 fc ff eb 18 68 3c bd 53 00 e8 cc 75 fa ff 85 c0 74 0a 57 57 53 8b ce e8 1d 39 03 00 5f 5e 5b 5d c2 04 00 8b 81 b4 00 00 00 85 c0 75 05 a1 70 d6 56 00 c3 8b ff 56 8b f1 8b 86 b8 00 00 00 85 c0 74 0a 50 e8 4a be f9 ff 85 c0 74 0f 6a 00 8b ce e8 bf 7b f9 ff f7 d8 1b c0 f7 d8 5e c2 08 00 8b ff 55 8b ec 83 3d 34 3b 57 00 00 56 8b f1 74 1b 8b 06 ff 90 54 02 00 00 85 c0 74 0f ff 75 0c 8b ce ff 75 08 e8 2a 8d f9 ff eb 02 33 c0 5e 5d c2 08 00 8b 81 90 00 00 00 25 00 f0 00 00 c3 8b ff 55 8b Data Ascii: vtWWSzfhRvtWWSvoLhRvtWWSWf2h<RutWWSI9h<SutWWS9_^[]upVVtPJtj{^U=4;WVtTtuu*3^]%U
2022-11-04 12:16:09 UTC	476	IN	Data Raw: ff 15 dc 77 52 00 e8 82 cd fa ff 56 83 ec 10 8b fc 8d 75 ec a5 a5 8b 10 a5 a5 83 ec 10 8b fc ff 75 d8 8d 75 dc a5 a5 a5 53 8b c8 a5 ff 52 34 8b 4d fc 5f 5e 33 cd 5b e8 7e 8e 08 00 c9 c2 04 00 ff 71 20 ff 15 08 78 52 00 50 e8 63 7e f9 ff 68 14 71 53 00 8b c8 e8 30 70 fa ff c3 8b ff 55 8b ec 51 83 65 fc 00 56 57 ff 71 20 8b 3d 08 78 52 00 ff d7 50 e8 39 7e f9 ff 8b f0 85 f6 74 32 53 bb 08 d6 56 00 53 8b ce e8 fe 6f fa ff 85 c0 75 13 ff 76 20 ff d7 50 e8 16 7e f9 ff 8b f0 85 f6 75 e3 eb 0c 56 53 e8 fe 6f fa ff 59 59 89 45 fc 5b 8b 45 fc 5f 5e c9 c2 04 00 6a 58 b8 ff bd 51 00 e8 40 a0 08 00 83 3d 84 58 57 00 00 8b f1 bb 94 58 57 00 74 07 53 ff 15 44 74 52 00 56 8d 4d 9c e8 4c ec f9 ff 83 65 fc 00 8b ce e8 be b9 f9 ff a9 00 00 00 10 74 0e 8b 06 8d 4d 9c 51 8b Data Ascii: wRVuuuSR4M_^3[~q xRPc~hqS0pUQeVWq =xRP9~t2SVSouv P~uVSoYYE[E_^jXQ@=XWXWtSDtRVMLetMQ
2022-11-04 12:16:09 UTC	477	IN	Data Raw: 8b 8e b0 00 00 00 8b 01 56 ff 50 54 5e c2 0c 00 8b ff 57 8b f9 83 bf 98 00 00 00 00 75 53 56 ff 77 20 8b 35 08 78 52 00 ff d6 50 e8 fe 7b f9 ff 68 00 97 52 00 8b c8 e8 cb 6d fa ff 85 c0 74 30 ff 77 20 ff d6 50 e8 e3 7b f9 ff 85 c0 75 04 33 f6 eb 03 8b 70 20 e8 7d 48 f9 ff 85 c0 74 03 8b 40 20 3b f0 75 0a c7 05 5c ea 56 00 01 00 00 00 5e 8b 87 98 00 00 00 5f c3 8b ff 55 8b ec 53 56 57 8b 3d 08 78 52 00 8d 71 20 ff 36 ff d7 50 e8 9a 7b f9 ff 50 68 50 f6 56 00 e8 86 6d fa ff 59 59 8b 4d 08 85 c0 74 03 8d 70 20 8b 06 89 01 ff 36 ff d7 50 e8 75 7b f9 ff 50 68 14 71 53 00 e8 61 6d fa ff 8b d8 59 59 85 db 75 27 ff 36 ff d7 50 e8 58 7b f9 ff 50 68 14 18 54 00 e8 44 6d fa ff 59 59 85 c0 74 0c 8b 10 8b c8 ff 92 a4 03 00 00 eb 02 8b c3 5f 5e 5b 5d c2 04 00 8b ff 55 Data Ascii: VPT^WuSVw 5xRP{hRmt0w P{u3p }Ht@ ;u\V^_USVW=xRq 6P{PhPVmYYMtp 6Pu{PhqSamYYu'6PX{PhTDmYYt_^[]U
2022-11-04 12:16:09 UTC	479	IN	Data Raw: 00 00 8b b6 b0 00 00 00 85 f6 74 0b 6a 00 6a 00 8b ce e8 b3 46 00 00 5f 5e 5b c9 c2 0c 00 8b ff 55 8b ec 56 57 8b f1 e8 53 b2 f9 ff bf 00 00 00 10 85 c7 74 49 8b 8e ac 00 00 00 85 c9 74 09 e8 3b b2 f9 ff 85 c7 74 36 8b ce e8 46 92 f9 ff 8b f8 85 ff 74 0e 8b 07 8b cf ff 90 4c 01 00 00 85 c0 75 09 56 e8 48 70 fa ff 59 8b f8 85 ff 74 0e ff 75 08 8b 06 57 8b ce ff 90 40 02 00 00 5f 33 c0 5e 5d c2 08 00 8b ff 55 8b ec 56 57 8b 7d 08 f6 47 18 01 8b f1 8b cf 74 23 83 65 08 00 8d 45 08 50 e8 ab bc fa ff 8b 45 08 09 86 90 00 00 00 83 c6 78 56 8b cf e8 97 bc fa ff eb 23 8b 86 90 00 00 00 25 00 f0 00 00 50 e8 46 bc fa ff 8b 06 8b ce ff 90 78 01 00 00 50 8b cf e8 34 bc fa ff 5f 5e 5d c2 04 00 8b ff 55 8b ec 51 57 8b f9 8b 07 ff 90 68 01 00 00 85 c0 75 0b 8b 87 94 00 Data Ascii: tjjF_^[UVWStIt;t6FtLuVHpYtuW@_3^]UVW}Gt#eEPExV#%PFxP4_^]UQWhu
2022-11-04 12:16:09 UTC	480	IN	Data Raw: 83 7d 10 00 74 07 b8 57 00 07 80 eb 25 ff 75 10 8b 06 ff 90 50 02 00 00 8d 8e d8 00 00 00 8b 01 83 78 f4 00 74 d5 e8 9d 7c f9 ff 8b 4d 18 89 01 33 c0 5e 5d c2 14 00 8b ff 55 8b ec 66 83 7d 08 03 56 8b f1 75 2d 83 7d 10 00 7e 27 ff 75 10 8b 06 ff 90 50 02 00 00 8d 8e c8 00 00 00 8b 01 83 78 f4 00 74 0e e8 5e 7c f9 ff 8b 4d 18 89 01 33 c0 eb 03 33 c0 40 5e 5d c2 14 00 6a 04 b8 fc 8b 51 00 e8 3a 92 08 00 8b f1 89 75 f0 e8 a1 61 f9 ff 33 ff c7 06 e4 57 53 00 8d 9e 9c 00 00 00 89 3b 89 7b 04 89 7b 08 89 7b 0c 8d 8e c4 00 00 00 89 7d fc 89 be bc 00 00 00 89 be c0 00 00 00 e8 2b fc ff ff 33 c0 33 c9 53 89 be 8c 00 00 00 89 be 90 00 00 00 89 be ac 00 00 00 89 be b0 00 00 00 89 be 98 00 00 00 89 7e 78 89 7e 7c 89 be 94 00 00 00 89 7e 74 89 be b4 00 00 00 c7 86 88 Data Ascii: }tW%uPxt\|M3^]Uf}Vu-}~'uPxt^\|M33@^]jQ:ua3WS;{{{}+33S~x~\|~t
2022-11-04 12:16:09 UTC	481	IN	Data Raw: 00 85 c0 75 12 85 db 75 95 33 c0 5b 5f 5e c9 c2 04 00 e8 c5 c8 f9 ff 33 c0 40 eb ef 8b ff 55 8b ec 8b 45 08 81 78 04 00 01 00 00 56 75 37 83 78 08 70 75 31 b9 00 40 00 00 66 85 48 0e 75 26 8b 35 ac 77 52 00 6a 10 ff d6 66 85 c0 78 17 6a 11 ff d6 66 85 c0 78 0e 6a 12 ff d6 66 85 c0 78 05 33 c0 40 eb 02 33 c0 5e 5d c2 04 00 8b ff 55 8b ec 56 57 8b f1 ff b6 b0 00 00 00 33 ff 68 58 e9 52 00 e8 9a 5c fa ff 59 59 85 c0 74 12 ff 75 0c 8b 10 ff 75 08 8b c8 ff 92 e0 01 00 00 eb 64 ff b6 b0 00 00 00 68 7c ef 52 00 e8 72 5c fa ff 59 59 85 c0 74 12 ff 75 0c 8b 10 ff 75 08 8b c8 ff 92 cc 01 00 00 eb 3c ff b6 b0 00 00 00 68 ac e5 52 00 e8 4a 5c fa ff 59 59 85 c0 75 16 ff b6 b0 00 00 00 68 f8 e1 52 00 e8 34 5c fa ff 59 59 85 c0 74 12 ff 75 0c 8b 10 ff 75 08 8b c8 ff 92 Data Ascii: uu3[_^3@UExVu7xpu1@fHu&5wRjfxjfxjfx3@3^]UVW3hXR\YYtuudh\|Rr\YYtuu<hRJ\YYuhR4\YYtuu
2022-11-04 12:16:09 UTC	483	IN	Data Raw: ff 92 38 04 00 00 8b 8e ac 00 00 00 8b 01 6a 00 6a 01 ff 76 40 ff 90 30 04 00 00 8b 8e b0 00 00 00 8b 01 6a 00 ff 50 70 ff 76 0c 8b 8e ac 00 00 00 e8 80 8e 01 00 5e 5d c2 04 00 8b ff 55 8b ec 83 ec 0c 8b 45 0c 53 56 33 db 8b f1 89 75 f4 3b c3 74 06 c7 00 01 00 00 00 a1 bc 48 57 00 3b c3 0f 84 fc 00 00 00 ff 70 20 ff 15 20 77 52 00 85 c0 0f 84 eb 00 00 00 ff 15 1c 77 52 00 50 e8 fb 64 f9 ff 8b 0d bc 48 57 00 8b f0 8b 01 ff 90 00 02 00 00 85 c0 74 50 3b f3 74 38 8b 46 20 3b c3 74 31 50 a1 bc 48 57 00 ff 70 20 ff 15 fc 76 52 00 85 c0 75 17 a1 bc 48 57 00 8b 76 20 3b c3 75 04 33 c9 eb 03 8b 48 20 3b f1 75 0c 33 c0 e9 f5 01 00 00 a1 bc 48 57 00 53 53 6a 10 ff 70 20 ff 15 dc 76 52 00 eb e5 3b f3 74 1a 8b 76 20 3b f3 74 13 a1 bc 48 57 00 56 ff 70 20 ff 15 fc 76 Data Ascii: 8jjv@0jPpv^]UESV3u;tHW;p wRwRPdHWtP;t8F ;t1PHWp vRuHWv ;u3H ;u3HWSSjp vR;tv ;tHWVp v
2022-11-04 12:16:09 UTC	484	IN	Data Raw: ec 83 ec 70 a1 54 04 57 00 33 c5 89 45 fc 53 56 8b 75 08 57 33 ff 8b d9 89 5d 90 3b f7 75 05 e8 60 bd f9 ff 8b 8b b0 00 00 00 e8 a0 9b f9 ff a9 00 00 c0 00 74 16 8b 8b b0 00 00 00 e8 8e 9b f9 ff a9 00 00 80 00 0f 85 3c 01 00 00 8d 45 dc 50 8b 83 b0 00 00 00 89 7d dc 89 7d e0 89 7d e4 89 7d e8 ff 70 20 ff 15 04 78 52 00 8b 45 dc 03 45 e4 89 7d ec 99 2b c2 8b c8 8b 45 e0 03 45 e8 d1 f9 99 2b c2 8d 55 94 52 6a 02 d1 f8 50 51 89 7d f0 89 7d f4 89 7d f8 c7 45 94 28 00 00 00 ff 15 bc 75 52 00 50 ff 15 9c 77 52 00 85 c0 74 47 8b 1d 14 78 52 00 8d 45 a8 50 8d 45 cc 50 ff d3 8d 45 98 50 8d 45 bc 50 ff d3 8b 45 cc 2b 45 bc 8b 55 d4 2b 55 cc 8b 4d d0 2b 4d c0 8b 5d 90 03 d0 89 45 ec 8b 45 d8 2b 45 d0 89 4d f0 03 c1 89 55 f4 89 45 f8 eb 0e 57 8d 45 ec 50 57 6a 30 ff Data Ascii: pTW3ESVuW3];u`t<EP}}}}p xREE}+EE+URjPQ}}}E(uRPwRtGxREPEPEPEPE+EU+UM+M]EE+EMUEWEPWj0
2022-11-04 12:16:09 UTC	486	IN	Data Raw: e8 1e c5 f9 ff 8b 45 e8 89 45 e0 8b 83 b0 00 00 00 ff 70 20 ff 15 d4 77 52 00 85 c0 75 09 6a 04 ff d7 03 45 e8 eb 03 8b 45 e0 50 ff 75 e4 8d 45 ec 50 ff 15 00 76 52 00 6a 04 ff d7 8b 4d ec 03 4d e4 03 45 f0 89 0e 8b 4d f0 03 4d e8 03 45 e8 89 4e 04 8b 4d f4 2b 4d e4 89 46 0c 89 4e 08 8b 9b b0 00 00 00 ff 73 20 ff 15 d4 77 52 00 85 c0 74 0e 6a 21 ff d7 01 46 04 6a 20 ff d7 29 46 08 8b 4d fc 5f 8b c6 5e 33 cd 5b e8 9f 69 08 00 c9 c2 04 00 6a 20 b8 ec d6 51 00 e8 72 7b 08 00 8b d9 e8 7c 0d fc ff 85 c0 0f 84 b8 01 00 00 83 bb 98 00 00 00 00 0f 85 10 01 00 00 8b 8b b0 00 00 00 e8 5d 95 f9 ff 89 45 f0 8b 83 b0 00 00 00 6a 00 ff 70 20 ff 15 f8 75 52 00 50 e8 56 6f fa ff 8b f0 85 f6 0f 84 e1 00 00 00 ff 76 04 8b 3d b8 75 52 00 ff d7 85 c0 0f 84 ce 00 00 00 8b 76 Data Ascii: EEp wRujEEPuEPvRjMMEMMENM+MFNs wRtj!Fj )FM_^3[ij Qr{\|]Ejp uRPVov=uRv
2022-11-04 12:16:09 UTC	487	IN	Data Raw: 6a 34 8d 45 b8 56 50 e8 70 77 08 00 8b 45 ec 8b 8b b0 00 00 00 89 45 b8 8b 45 f0 89 45 bc 8b 45 f4 83 c4 0c 89 45 c0 8b 45 f8 56 8d 55 b8 89 45 c4 8b 01 52 ff 50 68 8b 8b b0 00 00 00 e8 35 90 f9 ff 8b c8 b8 00 00 c0 00 23 c8 3b c8 75 0b 6a 04 ff 15 d8 77 52 00 01 45 bc 8b 45 c4 2b 45 bc 6a 14 50 8b 45 c0 2b 45 b8 50 ff 75 bc ff 75 b8 56 e9 f2 00 00 00 8b 45 f8 2b 45 f0 8b 8b b0 00 00 00 6a 16 40 50 8b 45 f4 2b 45 ec 83 cf ff 40 50 57 57 56 e8 c7 91 f9 ff 8b 45 f8 2b 45 f0 6a 16 50 8b 45 f4 2b 45 ec 50 57 57 eb c3 8b 8b b0 00 00 00 89 75 b4 e8 bc 8f f9 ff b9 00 00 80 00 85 c1 74 22 39 73 24 74 1d 39 73 28 75 18 6a 20 56 51 8b 8b b0 00 00 00 89 7d b4 89 7b 3c e8 c8 8f f9 ff 89 73 3c e8 6a a2 fa ff 8b 4d f8 2b 4d f0 8b 55 f4 2b 55 ec 8b 38 51 52 ff b3 b0 00 Data Ascii: j4EVPpwEEEEEEEVUERPh5#;ujwREE+EjPE+EPuuVE+Ej@PE+E@PWWVE+EjPE+EPWWut"9s$t9s(uj VQ}{<s<jM+MU+U8QR
2022-11-04 12:16:09 UTC	488	IN	Data Raw: e8 8f 69 fb ff 3b c3 0f 84 6c fe ff ff 7e 1b 83 f8 02 0f 8e cb 00 00 00 83 f8 03 0f 84 58 fe ff ff 83 f8 05 0f 84 4f fe ff ff 8b 0d bc 48 57 00 8b 01 ff 90 c4 01 00 00 85 c0 0f 85 85 00 00 00 8b 0d bc 48 57 00 8b 01 ff 90 d4 01 00 00 53 f7 d8 53 1b f6 a1 bc 48 57 00 6a 10 ff 70 20 46 89 75 cc ff 15 dc 76 52 00 ff 15 1c 77 52 00 50 e8 5a 4e f9 ff 3b c3 74 1e 68 d8 ce 56 00 8b c8 e8 23 40 fa ff 85 c0 74 0e 8b 45 d0 8b 88 b0 00 00 00 e8 5c 8c f9 ff 3b f3 74 2b ff 75 d8 ff 75 d4 ff 15 e4 75 52 00 50 e8 22 4e f9 ff 50 68 b8 68 53 00 e8 0e 40 fa ff 59 59 3b c3 74 05 39 58 20 75 03 89 5d cc 81 7d 08 a5 00 00 00 0f 85 7b 01 00 00 8b 75 d0 8b 86 b0 00 00 00 3b c3 75 3c 33 c0 eb 3b 53 53 6a 10 ff 76 20 ff 15 dc 76 52 00 8b 45 d0 8b 88 b0 00 00 00 e8 f4 8b f9 ff e9 Data Ascii: i;l~XOHWHWSSHWjp FuvRwRPZN;thV#@tE\;t+uuuRP"NPhhS@YY;t9X u]}{u;u<3;SSjv vRE
2022-11-04 12:16:09 UTC	490	IN	Data Raw: e8 7f 62 f8 ff 8d 8e 8c 00 00 00 c6 45 fc 01 e8 2f 9e fd ff 8d 4e 70 88 5d fc e8 24 9e fd ff 83 4d fc ff 8d 4e 54 e8 18 9e fd ff e8 b5 6b 08 00 c3 6a 04 b8 77 f1 51 00 e8 d0 6a 08 00 e8 da 06 fa ff ff 70 04 68 84 80 53 00 e8 ca 3a fa ff 59 59 85 c0 74 2c 68 c0 18 55 00 8d 4d f0 51 8b c8 e8 64 66 01 00 ff 30 83 65 fc 00 e8 c0 1d fb ff 8b 4d f0 83 c1 f0 8b f0 e8 07 62 f8 ff 8b c6 eb 02 33 c0 e8 5d 6b 08 00 c3 68 1c 01 00 00 b8 79 d7 51 00 e8 de 6a 08 00 8b 35 60 5c 57 00 8b 45 08 33 ff 8b d9 89 85 dc fe ff ff 3b f7 74 5d 68 a0 08 00 00 e8 b7 13 f9 ff 59 89 85 e0 fe ff ff 89 7d fc 3b c7 74 1a 57 6a 40 6a 01 ff b3 b0 00 00 00 8b c8 e8 9f 31 01 00 89 85 e4 fe ff ff eb 06 89 bd e4 fe ff ff 8b 86 04 0c 00 00 83 4d fc ff 89 bd e8 fe ff ff 3b c7 75 1f 8b 8d e4 fe Data Ascii: bE/Np]$MNTkjwQjphS:YYt,hUMQdf0eMb3]khyQj5`\WE3;t]hY};tWj@j1M;u
2022-11-04 12:16:09 UTC	491	IN	Data Raw: e9 f2 00 00 00 8b 8e f8 00 00 00 e8 82 35 fa ff ff 75 dc 8b d8 8b 03 68 08 28 40 50 ff b6 b0 00 00 00 8b cb ff 90 20 03 00 00 8b cb 85 c0 75 09 8b 03 6a 01 ff 50 04 eb c5 ff 75 d4 e8 76 80 f9 ff 8b 33 8b cb ff 96 bc 01 00 00 83 c8 34 50 8b cb ff 96 e0 01 00 00 8b 03 68 00 f0 00 00 8b cb ff 90 e8 01 00 00 8d 45 e0 50 89 7d e0 89 7d e4 89 7d e8 89 7d ec ff 73 20 ff 15 04 78 52 00 8b 3d d8 77 52 00 6a 10 ff d7 99 2b c2 8b f0 6a 11 d1 fe ff d7 8b 4d e8 2b 4d e0 99 03 ce 89 4d c8 8b 4d ec 2b 4d e4 6a 01 2b c2 d1 f8 89 75 c0 6a 00 89 45 c4 03 c8 8b 03 89 4d cc 83 ec 10 8b fc 8d 75 c0 a5 a5 a5 8b cb a5 ff 90 f8 01 00 00 8b 45 d8 c7 83 2c 01 00 00 ff 7f 00 00 8b 88 b0 00 00 00 8b 01 6a 01 ff 90 74 01 00 00 8b 4d d0 53 e8 16 84 fa ff 8b c3 e8 09 66 08 00 c2 04 00 Data Ascii: 5uh(@P ujPuv34PhEP}}}}s xR=wRj+jM+MMM+Mj+ujEMuE,jtMSf
2022-11-04 12:16:09 UTC	493	IN	Data Raw: 74 1e ff 70 6c 68 c0 57 53 00 e8 6a 30 fa ff 59 59 8b cf 8b f0 e8 83 33 fb ff 8b f8 3b fb 75 d8 3b f3 74 3a 68 8c d0 56 00 8b ce e8 2b 30 fa ff 85 c0 75 2a 8b 06 8b ce ff 90 64 01 00 00 85 c0 74 1c 8b 7e 20 ff 15 1c 77 52 00 3b c7 74 0f 39 1d f4 cf 56 00 74 07 8b ce e8 48 7c f9 ff 33 c0 40 e8 df 60 08 00 c2 08 00 b8 68 5c 53 00 c3 8b ff 55 8b ec 8b 45 08 33 d2 39 55 0c 89 41 08 0f 94 c2 52 50 51 8b 49 44 e8 ea 3e 00 00 5d c2 08 00 8b ff 55 8b ec 56 57 6a 00 ff 75 08 8d 71 24 8b ce e8 ab 92 fd ff 8b f8 85 ff 74 18 ff 75 0c 8b ce 57 e8 9b 93 fd ff 57 8b ce e8 c9 7d fa ff 33 c0 40 eb 02 33 c0 5f 5e 5d c2 08 00 8b ff 55 8b ec 83 ec 14 53 56 8b 75 08 8b 06 89 4d fc 57 8b ce ff 90 78 02 00 00 8b d8 8b 06 8b ce ff 90 7c 02 00 00 8b f8 8b 45 0c 85 c0 7e 11 85 db Data Ascii: tplhWSj0YY3;u;t:hV+0u*dt~ wR;t9VtH\|3@`h\SUE39UARPQID>]UVWjuq$tuWW}3@3_^]USVuMWx\|E~
2022-11-04 12:16:09 UTC	494	IN	Data Raw: eb 26 8b c6 85 f6 74 2e ff 70 08 8b 36 68 c0 45 53 00 e8 b6 2a fa ff 59 59 85 c0 74 0b 53 ff 77 40 8b c8 e8 66 48 ff ff 85 f6 75 d6 01 5f 18 5f 5e 5b 5d c2 04 00 e8 4d 96 f9 ff cc 8b ff 55 8b ec 56 8b 75 08 57 56 8b f9 ff 15 30 76 52 00 8b 47 44 85 c0 74 2e 56 ff 70 20 ff 15 04 78 52 00 f7 47 40 00 a0 00 00 8b 47 18 74 0e 01 46 04 8b 4f 0c 03 4e 04 89 4e 0c eb 0a 01 06 8b 4f 0c 03 0e 89 4e 08 5f 5e 5d c2 04 00 8b ff 55 8b ec 56 8b 75 08 57 56 8b f9 e8 a0 ff ff ff 8b 4f 44 56 e8 2e a3 f9 ff f7 47 40 00 a0 00 00 8b 47 18 74 0e 29 46 04 8b 4f 0c 03 4e 04 89 4e 0c eb 0a 29 06 8b 4f 0c 03 0e 89 4e 08 5f 5e 5d c2 04 00 8b ff 55 8b ec 83 ec 0c 53 56 57 8b f9 8b 47 44 ff 70 20 ff 15 08 78 52 00 50 e8 e8 37 f9 ff ff 70 20 ff 15 6c 78 52 00 8b 5f 28 f7 d8 1b f6 8b Data Ascii: &t.p6hES*YYtSw@fHu__^[]MUVuWV0vRGDt.Vp xRG@GtFONNON_^]UVuWVODV.G@Gt)FONN)ON_^]USVWGDp xRP7p lxR_(
2022-11-04 12:16:09 UTC	495	IN	Data Raw: 22 83 7f 04 00 8b 36 8b 48 08 75 0c 8b 01 ff 90 78 01 00 00 85 c0 74 01 43 85 f6 75 de 5f 5e 8b c3 5b c3 e8 b4 90 f9 ff cc 8b ff 55 8b ec 83 ec 40 a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 53 56 57 8b f9 33 db 53 50 8d 4f 24 89 7d c4 e8 a8 87 fd ff 8b f0 8d 45 ec 50 89 5d ec 89 5d f0 89 5d f4 89 5d f8 ff 15 30 76 52 00 8d 45 cc 50 8b cf 89 5d cc 89 5d d0 89 5d d4 89 5d d8 e8 0f fa ff ff 89 5d dc 89 5d e0 89 5d e4 89 5d e8 e9 50 01 00 00 8b c6 38 5d 0c 74 0c 3b f3 0f 84 5a 01 00 00 8b 36 eb 0b 3b f3 0f 84 4e 01 00 00 8b 76 04 8b 78 08 8b 07 8b cf ff 90 78 01 00 00 85 c0 75 0c 8b 45 c4 39 58 04 0f 84 15 01 00 00 8d 45 ec 50 ff 77 20 ff 15 04 78 52 00 8b fe 3b f3 0f 84 06 01 00 00 89 7d c0 8b c7 38 5d 0c 74 0c 3b fb 0f 84 05 01 00 00 8b 3f eb 0b 3b fb 0f 84 f9 Data Ascii: "6HuxtCu_^[U@TW3EESVW3SPO$}EP]]]]0vREP]]]]]]]]P8]t;Z6;NvxxuE9XEPw xR;}8]t;?;
2022-11-04 12:16:09 UTC	497	IN	Data Raw: 00 8b 4f 40 8b 55 f4 8b f1 81 e6 00 20 00 00 75 08 f7 c1 00 80 00 00 74 08 8b 45 f8 2b 45 f0 eb 05 8b c2 2b 45 ec 39 45 e8 7f 1d 3b f3 75 08 f7 c1 00 80 00 00 74 0b 8b 45 f8 2b 45 f0 89 45 e8 eb 06 2b 55 ec 89 55 e8 39 5d e4 0f 85 6c ff ff ff 5e 39 5d e8 74 06 8b 47 1c 01 45 e8 8b 4d fc 8b 45 e8 5f 33 cd 5b e8 1a 3d 08 00 c9 c2 04 00 e8 bb 8a f9 ff cc 8b ff 55 8b ec 83 ec 18 a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 53 57 50 8b d9 89 45 e8 e8 4c f4 ff ff 8b 7b 28 85 ff 74 65 56 8b c7 85 ff 74 6e 8b 70 08 8b 06 8b 3f 8b ce ff 90 78 01 00 00 85 c0 75 05 39 43 04 74 41 33 c0 89 45 ec 89 45 f0 89 45 f4 89 45 f8 8d 45 ec 50 ff 76 20 ff 15 04 78 52 00 f7 43 40 00 a0 00 00 74 0b 8b 45 ec 2b 45 f4 6a 00 50 eb 09 8b 45 f0 2b 45 f8 50 6a 00 ff 75 e8 ff 15 18 76 52 00 Data Ascii: O@U utE+E+E9E;utE+EE+UU9]l^9]tGEME_3[=UTW3EESWPEL{(teVtnp?xu9CtA3EEEEEPv xRC@tE+EjPE+EPjuvR
2022-11-04 12:16:09 UTC	498	IN	Data Raw: 00 00 53 57 eb 06 8b 45 d8 8b 75 d4 85 c0 0f 84 ac 00 00 00 8b 08 8b 58 08 8b 03 89 4d d8 8b cb ff 90 78 01 00 00 85 c0 75 05 39 46 04 74 78 8d b3 9c 00 00 00 8d 7d ec a5 a5 a5 33 c0 a5 89 45 dc 89 45 e0 89 45 e4 89 45 e8 8d 45 dc 50 ff 73 20 ff 15 04 78 52 00 8d 45 dc 50 8d 45 ec 50 ff 15 40 78 52 00 85 c0 75 3e 8d 45 ec 50 ff 73 20 ff 15 08 78 52 00 50 e8 56 27 f9 ff 8b c8 e8 4c 92 f9 ff 8b 4d f8 2b 4d f0 8b 03 6a 00 6a 14 51 8b 4d f4 2b 4d ec 51 ff 75 f0 8b cb ff 75 ec 6a 00 ff 90 34 02 00 00 83 7d d8 00 0f 85 55 ff ff ff 5f 5b 8b 4d fc 33 cd 5e e8 1c 37 08 00 c9 c3 e8 bf 84 f9 ff cc 8b ff 55 8b ec 83 ec 2c a1 54 04 57 00 33 c5 89 45 fc 53 57 33 ff 8d 45 ec 50 8b d9 89 7d ec 89 7d f0 89 7d f4 89 7d f8 e8 93 ee ff ff 8b 43 28 89 7d e8 3b c7 74 54 56 eb Data Ascii: SWEuXMxu9Ftx}3EEEEEPs xREPEP@xRu>EPs xRPV'LM+MjjQM+MQuuj4}U_[M3^7U,TW3ESW3EP}}}}C(};tTV
2022-11-04 12:16:09 UTC	500	IN	Data Raw: 8b ec 83 ec 38 a1 54 04 57 00 33 c5 89 45 fc 53 56 8b 75 08 57 33 ff 8b d9 57 8d 4b 24 56 89 75 c8 e8 d0 76 fd ff 89 45 d8 3b c7 0f 84 2e 01 00 00 8b 06 8d 4d cc 51 68 ff ff 00 00 8b ce 89 7d cc ff 90 ac 02 00 00 ff 75 d8 8d 4b 24 e8 db 61 fa ff 89 be b0 00 00 00 39 7b 30 0f 84 f5 00 00 00 8b 43 28 3b c7 75 39 8b cb e8 5c ea ff ff 8b 03 57 8b cb ff 50 44 57 8b cb e8 bd f3 ff ff 8b f0 3b 73 0c 0f 8d d5 00 00 00 8b 4b 44 6a 01 56 53 e8 f3 21 00 00 89 73 0c e9 c1 00 00 00 8b 45 d8 3b c7 0f 84 a8 00 00 00 8b 08 89 4d d8 8b 48 08 8b 01 89 4d d4 ff 90 78 01 00 00 85 c0 75 05 39 7b 04 74 7e 8b 45 d4 3b c6 74 77 8d 4d dc 51 89 7d dc 89 7d e0 89 7d e4 89 7d e8 ff 70 20 ff 15 04 78 52 00 8b 4d d4 8d 45 ec 50 89 7d ec 89 7d f0 89 7d f4 89 7d f8 e8 2a 2b ff ff 8d 45 Data Ascii: 8TW3ESVuW3WK$VuvE;.MQh}uK$a9{0C(;u9\WPDW;sKDjVS!sE;MHMxu9{t~E;twMQ}}}}p xRMEP}}}}*+E
2022-11-04 12:16:09 UTC	501	IN	Data Raw: ff eb 03 8b 45 d8 3b c3 74 70 8b 48 04 8b 78 08 8b 07 89 4d d8 8b cf 89 7d cc ff 90 78 01 00 00 85 c0 75 05 39 5e 04 74 47 8b 07 8d 4d d4 51 ff 75 d0 8b cf ff 90 ac 02 00 00 8d 4d d4 51 53 50 89 45 c8 e8 24 83 08 00 ff 75 d0 8b Data Ascii: E;tpHxM}xu9^tGMQuMQSPE$u
2022-11-04 12:16:09 UTC	501	IN	Data Raw: f8 e8 1a 83 08 00 59 59 2b c7 50 ff 75 cc 8b ce e8 78 e7 ff ff 8b 45 c8 3b 45 d0 0f 84 d9 fe ff ff 29 45 d0 39 5d d8 75 8e e9 cc fe ff ff e8 ad 79 f9 ff cc 8b ff 55 8b ec 83 ec 40 a1 54 04 57 00 33 c5 89 45 fc 8b 45 08 53 56 57 8b f9 33 f6 56 50 8d 4f 24 89 7d d4 e8 a1 70 fd ff 8b d8 8d 45 ec 50 89 75 ec 89 75 f0 89 75 f4 89 75 f8 ff 15 30 76 52 00 8d 45 dc 50 8b cf 89 75 dc 89 75 e0 89 75 e4 89 75 e8 e8 08 e3 ff ff e9 4b 01 00 00 80 7d 0c 00 8b c3 74 0c 3b de 0f 84 54 01 00 00 8b 1b eb 0b 3b de 0f 84 48 01 00 00 8b 5b 04 8b 78 08 8b 07 8b cf ff 90 78 01 00 00 85 c0 75 0c 8b 45 d4 39 70 04 0f 84 0f 01 00 00 8d b7 9c 00 00 00 8d 7d ec a5 a5 a5 a5 8b f3 85 db 0f 84 00 01 00 00 80 7d 0c 00 89 75 d0 8b c6 74 12 85 f6 0f 84 fe 00 00 00 8b 78 08 8b 36 89 7d d8 Data Ascii: YY+PuxE;E)E9]uyU@TW3EESVW3VPO$}pEPuuuu0vREPuuuuK}t;T;H[xxuE9p}}utx6}
2022-11-04 12:16:09 UTC	503	IN	Data Raw: 00 8b ff 55 8b ec 83 ec 24 a1 54 04 57 00 33 c5 89 45 fc 53 56 8b f1 33 db 57 8b 7d 08 39 5e 30 74 4d 8d 45 ec 50 89 5d ec 89 5d f0 89 5d f4 89 5d f8 e8 ff dd ff ff 8d 45 ec 50 ff 15 cc 75 52 00 85 c0 75 2a 8b ce 89 5d dc e8 27 ef ff ff 83 7e 30 01 89 45 e4 75 28 3b fb 75 06 8b 4e 28 8b 79 08 3b c3 7d 1a 50 57 8b ce e8 5e d8 ff ff 8b 4d fc 5f 5e 33 cd 5b e8 0e 26 08 00 c9 c2 04 00 3b fb 74 0b 53 57 8b ce e8 fb f9 ff ff eb 06 8b 46 28 8b 78 08 6a 01 57 8b ce e8 e9 f9 ff ff 6a 01 8b ce e8 5e eb ff ff 8b f8 6a 01 57 8b ce e8 7a ef ff ff 3b c3 7e 0b 6a 01 50 57 8b ce e8 03 f0 ff ff 53 8b ce e8 3b eb ff ff 53 50 8b ce 89 45 e0 e8 57 ef ff ff 8b f8 3b fb 7e 92 8b 45 e4 53 3b c3 7e 12 f7 df 57 ff 75 e0 8b ce e8 d4 ef ff ff e9 78 ff ff ff 50 89 45 e8 e8 74 7c 08 Data Ascii: U$TW3ESV3W}9^0tMEP]]]]EPuRu*]'~0Eu(;uN(y;}PW^M_^3[&;tSWF(xjWj^jWz;~jPWS;SPEW;~ES;~WuxPEt\|
2022-11-04 12:16:09 UTC	504	IN	Data Raw: ff ff ff 75 b8 e8 be 77 08 00 8b f0 2b 75 b4 59 0f af f7 33 ff 8b 43 2c 3b c7 0f 84 17 03 00 00 eb 05 8b 45 b8 33 ff 3b c7 74 6c 8b 48 04 8b 78 08 8b 07 89 4d b8 8b cf 89 7d a4 ff 90 78 01 00 00 85 c0 75 05 39 43 04 74 42 8b 07 8d 4d a8 51 56 8b cf ff 90 ac 02 00 00 8d 4d a8 51 ff 75 ac 89 45 b4 50 e8 5f 77 08 00 56 8b f8 e8 57 77 08 00 59 59 2b c7 50 ff 75 a4 8b cb e8 b5 db ff ff 39 75 b4 0f 84 ae 02 00 00 2b 75 b4 83 7d b8 00 75 90 e9 a0 02 00 00 e8 ec 6d f9 ff 8b 7b 28 89 75 b4 85 ff 0f 84 8e 00 00 00 8b c7 85 ff 74 e7 8b 70 08 8b 06 8b 3f 8b ce ff 90 78 01 00 00 85 c0 75 05 39 43 04 74 65 8b 06 8d 4d a8 51 ff 75 b4 8b ce ff 90 ac 02 00 00 89 45 a4 85 c0 74 41 85 ff 74 3d 8b c7 eb 03 8b 45 ac 85 c0 74 a8 8b 08 8b 70 08 8b 06 89 4d ac 8b ce ff 90 78 01 Data Ascii: uw+uY3C,;E3;tlHxM}xu9CtBMQVMQuEP_wVWwYY+Pu9u+u}um{(utp?xu9CteMQuEtAt=EtpMx
2022-11-04 12:16:09 UTC	505	IN	Data Raw: f6 75 eb 5f 5e 5d c2 04 00 8b ff 55 8b ec 8b 45 08 85 c0 75 05 e8 c2 68 f9 ff 56 8b 30 57 8b 78 08 8b 07 8b cf ff 50 58 85 c0 75 05 39 45 0c 74 1e 8b 7f 0c eb 15 8b c6 85 f6 74 d9 8b 48 08 8b 01 8b 36 8b d7 f7 da 52 ff 50 38 85 f6 75 e7 5f 5e 5d c2 08 00 8b ff 55 8b ec 83 7d 08 00 75 05 e8 77 68 f9 ff 83 7d 0c 00 8b 01 74 0b ff 75 08 ff 90 80 02 00 00 eb 0b 6a 01 ff 75 08 ff 90 84 02 00 00 5d c2 08 00 8b ff 55 8b ec 53 56 8b 75 08 8b 06 57 ff 75 0c 8b f9 8b ce ff 50 34 8b d8 8b 06 8b ce ff 50 58 85 c0 74 32 6a 00 56 8d 8f 1c 01 00 00 e8 41 5f fd ff 85 c0 75 05 e8 1a 68 f9 ff 8b 30 eb 11 8b c6 85 f6 74 f1 8b 48 08 8b 01 8b 36 53 ff 50 38 85 f6 75 eb 8b c3 5f 5e 5b 5d c2 08 00 8b ff 55 8b ec 83 ec 0c 53 56 57 6a 00 ff 75 08 8d b1 1c 01 00 00 89 4d f4 8b ce Data Ascii: u_^]UEuhV0WxPXu9EttH6RP8u_^]U}uwh}tuju]USVuWuP4PXt2jVA_uh0tH6SP8u_^[]USVWjuM
2022-11-04 12:16:09 UTC	507	IN	Data Raw: d8 8d 8e 00 01 00 00 e8 42 5a fd ff 85 c0 75 05 e8 1b 63 f9 ff 53 50 8d 8e 00 01 00 00 e8 ed 5a fd ff 8b 06 8b ce ff 90 a4 02 00 00 8b 06 8b ce ff 90 98 02 00 00 83 67 04 00 33 c0 40 8b 4d fc 5f 5e 33 cd 5b e8 3c 15 08 00 c9 c2 08 00 8b ff 55 8b ec 83 ec 20 a1 54 04 57 00 33 c5 89 45 fc 53 33 c0 56 8b 75 08 57 89 45 ec 89 45 f0 89 45 f4 89 45 f8 8d 45 ec 8b d9 50 ff 73 20 ff 15 dc 77 52 00 8b 46 08 8b 55 f4 2b 06 8b 4e 0c 2b 55 ec 8b 7d f8 2b 4e 04 2b 7d f0 3b c2 75 04 3b cf 74 7e 8b 9b 20 01 00 00 2b c2 2b cf 89 45 e4 89 4d e8 85 db 0f 84 82 00 00 00 eb 03 8b 5d e0 8b c3 85 db 74 56 83 7d e4 00 8b 0b 8b 58 08 89 4d e0 74 1d ff 75 e4 8b 3b e8 93 6b 08 00 59 50 33 c0 39 45 e4 8b cb 0f 9f c0 50 6a 02 56 ff 57 3c 83 7d e8 00 74 1d ff 75 e8 8b 3b e8 70 6b 08 Data Ascii: BZucSPZg3@M_^3[<U TW3ES3VuWEEEEEPs wRFU+N+U}+N+};u;t~ ++EM]tV}XMtu;kYP39EPjVW<}tu;pk
2022-11-04 12:16:09 UTC	508	IN	Data Raw: 54 fd ff 89 45 08 85 c0 74 24 8b 17 6a 00 50 8b cf ff 92 84 02 00 00 ff 75 08 8d 8f 1c 01 00 00 e8 b4 3f fa ff 8b 06 6a 01 8b ce ff 50 04 5f 5e 5b 5d c2 04 00 8b ff 55 8b ec 51 51 53 8b 5d 0c 56 57 8b 7d 08 2b 5f 0c 8b f1 79 59 8b 07 8b cf ff 50 40 85 c0 75 4e 8b 07 89 45 08 8b 06 8b ce ff 90 60 01 00 00 50 6a 01 8d 45 f8 50 8b 45 08 8b cf ff 50 18 8b 06 8b ce ff 90 60 01 00 00 85 c0 74 08 8b 45 0c 2b 45 fc 78 16 8b 06 8b ce ff 90 60 01 00 00 85 c0 75 0c 8b 45 0c 2b 45 f8 79 04 33 c0 eb 1b 8b 06 53 57 8b ce ff 90 88 02 00 00 ff 75 10 8b f8 57 8b ce e8 bf fb ff ff 8b c7 5f 5e 5b c9 c2 0c 00 8b ff 55 8b ec 56 57 8b 7d 08 8b f1 6a 00 57 8d 8e 1c 01 00 00 e8 c1 53 fd ff ff 75 0c 8b 16 50 8b ce ff 92 8c 02 00 00 83 7d 0c 00 8b 47 0c 75 02 f7 d8 ff 75 10 8b ce Data Ascii: TEt$jPu?jP_^[]UQQS]VW}+_yYP@uNE`PjEPEP`tE+Ex`uE+Ey3SWuW_^[UVW}jWSuP}Guu
2022-11-04 12:16:09 UTC	510	IN	Data Raw: 44 77 52 00 33 c0 8b 4d fc 5f 5e 33 cd 5b e8 1b 0a 08 00 c9 c2 10 00 8b ff 55 8b ec 83 ec 54 a1 54 04 57 00 33 c5 89 45 fc 8b 45 10 53 56 8b 75 08 57 89 45 d4 33 ff 8d 45 dc 8b d9 50 89 5d cc 89 75 d0 89 7d dc 89 7d e0 89 7d e4 89 7d e8 ff 15 30 76 52 00 39 7d d4 74 1c ff 75 d4 8d 45 ec 50 ff 15 14 78 52 00 8d 75 ec 8d 7d dc a5 a5 a5 a5 8b 75 d0 33 ff 8b 03 8b cb ff 90 60 01 00 00 f7 d8 1b c0 40 6a 00 89 45 c8 58 0f 94 c0 8d 4d c0 89 45 bc ff 75 bc 8b 06 57 51 8b ce ff 90 5c 02 00 00 57 56 8d 8b 00 01 00 00 e8 46 4e fd ff 85 c0 0f 85 b3 02 00 00 33 db 83 7d 0c 01 88 5d db 75 46 8d 45 b4 33 ff 50 89 7d b4 89 7d b8 ff 15 54 76 52 00 8b 75 cc 8d 45 ec 50 ff 76 20 89 7d ec 89 7d f0 89 7d f4 89 7d f8 ff 15 04 78 52 00 8d 45 db 50 ff 75 b8 8b ce ff 75 b4 e8 f3 Data Ascii: DwR3M_^3[UTTW3EESVuWE3EP]u}}}}0vR9}tuEPxRu}u3`@jEXMEuWQ\WVFN3}]uFE3P}}TvRuEPv }}}}xREPuu
2022-11-04 12:16:09 UTC	511	IN	Data Raw: f0 68 14 01 00 00 52 2b c8 51 ff 75 f0 8d 8b e0 02 00 00 50 6a 00 e8 45 32 f9 ff 5f 5e 8b 4d fc 33 cd 5b e8 5a 04 08 00 c9 c3 8b ff 55 8b ec 56 ff 75 08 8b f1 e8 61 fd f8 ff 8b 06 8b ce ff 90 0c 02 00 00 5e 85 c0 74 07 8b c8 e8 4e 32 f9 ff 5d c2 04 00 8b ff 55 8b ec ff 75 0c 81 c1 90 02 00 00 ff 75 08 51 ff 15 10 78 52 00 5d c2 08 00 8b ff 55 8b ec 83 b9 04 02 00 00 00 74 09 8b 45 08 89 81 44 01 00 00 5d c2 04 00 8b ff 55 8b ec 51 56 57 8b f1 33 ff 39 be 08 02 00 00 75 0f c7 45 fc 32 00 00 00 39 be 44 02 00 00 74 03 89 7d fc 53 ff 75 fc 8d 8e 54 03 00 00 e8 fe 3b fe ff ff 75 fc 8d 8e a4 0a 00 00 e8 f0 3b fe ff 39 be 08 02 00 00 75 15 39 be 0c 02 00 00 75 0d 39 be 10 02 00 00 75 05 6a 04 58 eb 02 33 c0 6a 17 50 6a 15 8d 8e 54 03 00 00 e8 90 3a fe ff 5b 39 Data Ascii: hR+QuPjE2_^M3[ZUVua^tN2]UuuQxR]UtED]UQVW39uE29Dt}SuT;u;9u9u9ujX3jPjT:[9
2022-11-04 12:16:09 UTC	512	IN	Data Raw: 39 fe ff 89 9e 44 19 00 00 8d 8e 94 20 00 00 c6 45 fc 05 e8 5f 39 fe ff 6a 0a 8d 8e e8 27 00 00 89 9e 94 20 00 00 e8 fd a5 fb ff 8b 1d 30 76 52 00 83 8e a0 00 00 00 ff 8d 86 90 02 00 00 50 89 be 9c 00 00 00 89 be 04 02 00 00 89 be 08 02 00 00 89 be 0c 02 00 00 89 be 10 02 00 00 89 be 18 02 00 00 89 be 1c 02 00 00 89 be 14 02 00 00 ff d3 8d 86 a0 02 00 00 50 ff d3 8d 86 70 02 00 00 50 89 be 58 02 00 00 89 be 64 02 00 00 89 be 5c 02 00 00 89 be 60 02 00 00 89 be 68 02 00 00 89 be 54 02 00 00 ff d3 33 c0 40 89 86 24 02 00 00 89 86 00 01 00 00 89 86 28 02 00 00 89 86 fc 00 00 00 89 86 34 02 00 00 8d 86 b0 02 00 00 50 89 be 20 02 00 00 89 be 2c 02 00 00 89 be 30 02 00 00 89 be 38 02 00 00 89 be 3c 02 00 00 89 be 44 02 00 00 89 be 40 02 00 00 89 be 48 02 00 00 Data Ascii: 9D E_9j' 0vRPPpPXd\`hT3@$(4P ,08<D@H
2022-11-04 12:16:09 UTC	514	IN	Data Raw: 8b da 53 ff 90 78 02 00 00 85 c0 75 13 8b 86 9c 00 00 00 03 86 a0 00 00 00 47 3b f8 7c d5 eb 3d 8b 06 53 8b ce c7 86 00 02 00 00 01 00 00 00 ff 90 10 02 00 00 8b 06 8b ce ff 90 0c 02 00 00 8b c8 e8 00 27 f9 ff ff b6 a0 00 00 00 8b 06 8b ce ff 90 6c 02 00 00 83 a6 00 02 00 00 00 33 c0 40 e9 c9 00 00 00 8b 86 a0 00 00 00 8b 8e 9c 00 00 00 8d 7c 01 ff 3b f8 7e e4 8b c7 99 f7 be 9c 00 00 00 8b 06 8b ce 8b da 53 ff 90 78 02 00 00 85 c0 75 8d 4f 3b be a0 00 00 00 7f dd eb bf 3d 00 02 00 00 72 60 3d 02 02 00 00 76 18 3d 03 02 00 00 76 52 3d 05 02 00 00 76 0a 05 f9 fd ff ff 83 f8 01 77 41 8b 86 dc 00 00 00 8b 3d dc 76 52 00 bb 07 04 00 00 85 c0 74 11 83 78 20 00 74 0b ff 75 08 6a 00 53 ff 70 20 ff d7 8b 86 d8 00 00 00 85 c0 74 11 83 78 20 00 74 0b ff 75 08 6a 00 Data Ascii: SxuG;\|=S'l3@\|;~SxuO;=r`=v=vR=vwA=vRtx tujSp tx tuj
2022-11-04 12:16:09 UTC	515	IN	Data Raw: 8b 50 01 00 00 2b 45 f4 2b 4d f8 6a 44 89 45 f4 89 4d f8 ff 15 d8 77 52 00 89 45 d8 ff d6 50 e8 52 e3 f8 ff 3b c3 75 28 39 bb 48 01 00 00 74 20 ff 75 f4 e8 30 4a 08 00 59 3b 45 d8 7d 12 ff 75 f8 e8 22 4a 08 00 59 3b 45 d8 0f 8c 81 00 00 00 ff 73 20 ff 15 08 78 52 00 50 e8 17 e3 f8 ff 0f b7 4d 10 0f b7 55 0c c1 e1 10 0b ca 51 ff 75 08 ff 35 60 59 57 00 ff 70 20 ff 15 dc 76 52 00 85 c0 75 4e 39 bb 04 02 00 00 75 36 e8 c1 31 fa ff 8b 10 8b c8 ff 92 18 01 00 00 85 c0 74 09 c7 43 7c 01 00 00 00 eb 1a 39 bb 08 02 00 00 74 12 e8 9d 31 fa ff 8b 10 8b c8 ff 92 14 01 00 00 89 43 7c ff 75 10 8b cb ff 75 0c ff 75 08 e8 46 99 00 00 8b 4d fc 5f 5e 33 cd 5b e8 a0 f2 07 00 c9 c2 0c 00 8b ff 53 56 57 8b f1 ff 15 00 77 52 00 50 e8 81 e2 f8 ff 2b c6 f7 d8 1b ff 8b 06 8b ce Data Ascii: P+E+MjDEMwREPR;u(9Ht u0JY;E}u"JY;Es xRPMUQu5`YWp vRuN9u61tC\|9t1C\|uuuFM_^3[SVWwRP+
2022-11-04 12:16:09 UTC	517	IN	Data Raw: 04 00 8b ff 55 8b ec 51 53 56 57 8b f1 e8 93 2c fa ff ff 76 20 8b f8 89 7d fc ff 15 08 78 52 00 50 e8 a4 dd f8 ff 8b 1f 50 68 b8 60 53 00 e8 8e cf f9 ff 59 59 8b 4d fc 50 56 8b 75 0c 83 ec 10 8b fc ff 75 08 a5 a5 a5 a5 ff 93 04 01 00 00 5f 5e 5b c9 c2 08 00 8b ff 55 8b ec 53 56 57 8b f9 e8 40 2c fa ff ff 77 20 8b d8 ff 15 08 78 52 00 50 e8 54 dd f8 ff 8b 33 50 68 b8 60 53 00 e8 3e cf f9 ff 59 59 50 ff 75 10 8b cb 57 ff 75 0c ff 75 08 ff 96 08 01 00 00 5f 5e 5b 5d c2 0c 00 8b ff 55 8b ec 51 51 56 8b f1 8b 86 ec 27 00 00 57 33 ff c7 45 fc 01 00 00 00 3b c7 0f 84 ee 00 00 00 53 eb 03 8b 45 f8 8b 58 08 8b 08 89 4d f8 3b df 0f 84 de 00 00 00 39 be 1c 02 00 00 74 0d 39 be 40 02 00 00 75 05 33 c0 40 eb 02 33 c0 39 7d 18 0f 85 8c 00 00 00 3b c7 75 15 8d 86 94 20 Data Ascii: UQSVW,v }xRPPh`SYYMPVuu_^[USVW@,w xRPT3Ph`S>YYPuWuu_^[]UQQV'W3E;SEXM;9t9@u3@39};u
2022-11-04 12:16:09 UTC	517	IN	Data Raw: ff 15 e0 76 52 00 89 7d fc 39 7d f8 0f 85 16 ff ff ff 5b 5f 5e c9 c2 18 00 e8 c2 39 f9 ff cc 8b ff 53 56 8b f1 33 db 3b f3 0f 84 51 01 00 00 39 5e 20 0f 84 48 01 00 00 39 9e 18 02 00 00 0f 84 3c 01 00 00 39 9e 04 02 00 00 0f 85 30 01 00 00 57 39 9e 08 02 00 00 75 3d 39 9e 0c 02 00 00 75 35 39 9e 10 02 00 00 75 2d 33 c0 39 9e 58 02 00 00 8d 8e 54 03 00 00 0f 9f c0 50 e8 44 19 f9 ff 39 9e 44 02 00 00 75 79 8b 86 58 02 00 00 3b 86 5c 02 00 00 eb 65 8d 8e 54 03 00 00 39 9e 90 00 00 00 75 09 53 e8 1a 19 f9 ff 53 eb 58 33 c0 39 9e 64 02 00 00 0f 9f c0 50 e8 06 19 f9 ff 8b 86 90 00 00 00 48 3b c3 0f 8c b6 00 00 00 3b 86 90 00 00 00 0f 8d aa 00 00 00 39 9e 44 02 00 00 75 20 8b 8e 8c 00 00 00 8b 0c 81 8b 49 18 3b 8e 98 02 00 00 7e 08 39 86 64 02 00 00 7c 04 33 c0 Data Ascii: vR}9}[_^9SV3;Q9^ H9<90W9u=9u59u-39XTPD9DuyX;\eT9uSSX39dPH;;9Du I;~9d\|3
2022-11-04 12:16:09 UTC	533	IN	Data Raw: c0 40 5e c3 8b ce 5e e9 ac 9b f8 ff 8b ff 55 8b ec 83 ec 1c 56 8b f1 83 be 88 00 00 00 00 74 69 53 57 6a 03 bf 67 03 00 00 57 57 ff 76 20 8d 45 Data Ascii: @^^UVtiSWjgWWv E
2022-11-04 12:16:09 UTC	533	IN	Data Raw: e4 50 ff 15 94 77 52 00 8b 1d e4 76 52 00 85 c0 75 0a 6a 00 6a 00 57 ff 76 20 ff d3 ff 15 00 77 52 00 3b 46 20 75 06 ff 15 e0 75 52 00 8b ce e8 9f b1 f8 ff 33 c9 3b c1 75 05 e8 a1 f9 f8 ff 51 51 89 8e 88 00 00 00 68 6a 03 00 00 89 88 88 00 00 00 ff 76 20 ff d3 5f 5b 5e c9 c3 8b ff 56 8b f1 e8 6d b1 f8 ff 85 c0 75 05 e8 71 f9 f8 ff 83 b8 88 00 00 00 00 74 11 ff 35 84 3e 57 00 ff 15 38 76 52 00 33 c0 40 eb 07 8b ce e8 f8 9a f8 ff 5e c2 0c 00 8b ff 55 8b ec 56 8b 75 0c 57 8b f9 85 f6 75 27 e8 83 88 f8 ff 85 c0 74 0e 8b b7 c8 00 00 00 81 c6 00 00 01 00 eb 0c 8b b7 c4 00 00 00 81 c6 00 00 02 00 85 f6 74 1e e8 58 59 f9 ff 8b 40 04 85 c0 74 0d 8b 10 6a 01 56 8b c8 ff 92 c8 00 00 00 33 c0 40 eb 02 33 c0 5f 5e 5d c2 08 00 8b ff 55 8b ec 53 56 0f b7 75 08 57 8b f9 Data Ascii: PwRvRujjWv wR;F uuR3;uQQhjv _[^Vmuqt5>W8vR3@^UVuWu'ttXY@tjV3@3_^]USVuW
2022-11-04 12:16:09 UTC	549	IN	Data Raw: ff 90 80 01 00 00 8b 06 6a ff 8b ce ff 90 6c 02 00 00 5e 5b c3 e8 f6 b9 f8 ff cc 8b ff 55 8b ec 56 57 8b f1 33 ff 39 be 9c 00 00 00 7e 54 85 ff Data Ascii: jl^[UVW39~T
2022-11-04 12:16:09 UTC	549	IN	Data Raw: 78 5d 3b be 90 00 00 00 7d 55 8b 86 8c 00 00 00 8b 04 b8 8b 40 20 85 c0 74 2f 8b 48 20 3b 4d 08 74 39 50 68 50 f6 56 00 e8 f8 4d f9 ff 59 59 85 c0 74 16 8b 10 8b c8 ff 92 a8 03 00 00 85 c0 74 08 8b 40 20 3b 45 08 74 12 47 3b be 9c 00 00 00 7c ac 83 c8 ff 5f 5e 5d c2 04 00 8b c7 eb f6 e8 7c b9 f8 ff cc 8b ff 55 8b ec 83 ec 40 a1 54 04 57 00 33 c5 89 45 fc 53 56 57 ff 75 0c 8b f9 8b 07 ff 90 bc 02 00 00 8b f0 33 db 89 75 d4 3b f3 0f 8c e6 03 00 00 8b 07 56 8b cf ff 90 ec 01 00 00 85 c0 0f 84 d3 03 00 00 8b 07 56 8b cf ff 90 ac 01 00 00 50 68 c0 45 53 00 e8 66 4d f9 ff 8b f0 59 59 3b f3 0f 84 b1 03 00 00 8b 06 8b ce ff 90 c8 01 00 00 85 c0 0f 84 9f 03 00 00 8d 45 dc 50 89 5d dc 89 5d e0 89 5d e4 89 5d e8 ff 15 30 76 52 00 ff 75 08 8b 06 8d 4d dc 51 8b ce ff Data Ascii: x];}U@ t/H ;Mt9PhPVMYYtt@ ;EtG;\|_^]\|U@TW3ESVWu3u;VVPhESfMYY;EP]]]]0vRuMQ
2022-11-04 12:16:09 UTC	561	IN	Data Raw: 50 57 e8 12 ba fa ff 8b 36 85 f6 75 ee eb 26 53 e8 8e 0c f9 ff 8b d8 85 db 74 19 6a 01 8d 45 08 50 57 e8 f2 b9 fa ff ff 75 08 8b ce e8 56 bf fd ff 4b 75 e7 5b 5f 5e 5d c2 04 00 8b ff 55 8b ec 56 8b f1 c7 06 38 77 53 00 e8 dd 6e 01 00 f6 45 08 01 74 07 56 e8 51 f7 f7 ff 59 8b c6 5e 5d c2 04 00 8b ff 55 8b ec 8b 45 0c 56 8b 70 04 57 33 ff eb 1f 8b c6 85 f6 74 25 8b 40 08 8b 36 85 c0 74 1c ff 75 08 8d 48 2c e8 03 f3 f7 ff 85 c0 75 01 47 85 f6 75 dd 8b c7 5f 5e 5d c2 08 00 e8 3d 89 f8 ff cc b8 44 77 53 00 c3 8b ff 55 8b ec 51 8d 45 08 50 8d 45 fc 50 ff 75 08 e8 b7 ba fa ff 85 c0 74 0b 8b 40 04 8b 4d 0c 89 01 33 c0 40 c9 c2 08 00 6a 58 b8 7d e0 51 00 e8 a3 4d 07 00 8b d9 e8 0b 9a 05 00 89 45 a4 8d 45 b0 33 f6 50 ff 73 20 89 75 b0 89 75 b4 89 75 b8 89 75 bc ff Data Ascii: PW6u&StjEPWuVKu[_^]UV8wSnEtVQY^]UEVpW3t%@6tuH,uGu_^]=DwSUQEPEPut@M3@jX}QMEE3Ps uuuu
2022-11-04 12:16:09 UTC	577	IN	Data Raw: f8 ff 8b 85 6c eb ff ff 39 78 f4 75 32 68 e8 3e 00 00 e8 6f 95 f8 ff 3b c7 75 04 33 c0 eb 11 68 e8 3e 00 00 50 8d 8d 6c eb ff ff e8 e0 57 f7 ff Data Ascii: l9xu2h>o;u3h>PlW
2022-11-04 12:16:09 UTC	577	IN	Data Raw: 33 c9 3b c7 0f 95 c1 3b cf 0f 84 f5 fe ff ff e8 4d 4b f8 ff 50 8d 8d 64 eb ff ff e8 f0 04 f7 ff 8b 8d 58 eb ff ff c6 45 fc 06 e8 cf 28 f8 ff 50 8d 85 64 eb ff ff 68 40 0f 55 00 50 e8 bf 07 f7 ff 83 c4 0c 8d 8d 70 eb ff ff e8 79 2b fa ff 57 ff b5 64 eb ff ff 8d 8d 08 ff ff ff 56 57 6a 01 c6 45 fc 07 e8 41 32 fe ff 56 50 8d 8d 70 eb ff ff c6 45 fc 08 e8 58 e1 f9 ff 8d 8d 08 ff ff ff c6 45 fc 07 e8 74 1f fe ff 8b 85 bc ec ff ff 57 ff b5 6c eb ff ff 8d 8d bc ec ff ff 56 ff 90 38 04 00 00 50 56 8d 8d 04 fe ff ff e8 fa 31 fe ff 8b 8d 68 eb ff ff 56 8d 85 04 fe ff ff 50 c6 45 fc 09 e8 0b e1 f9 ff 8d 8d 04 fe ff ff c6 45 fc 07 e8 27 1f fe ff 8d 8d 70 eb ff ff c6 45 fc 06 e8 7d 2c fa ff 8b 8d 64 eb ff ff 83 c1 f0 e8 9d 04 f7 ff 8b 8d 6c eb ff ff 83 c1 f0 89 75 fc Data Ascii: 3;;MKPdXE(Pdh@UPpy+WdVWjEA2VPpEXEtWlV8PV1hVPEE'pE},dlu
2022-11-04 12:16:09 UTC	593	IN	Data Raw: 51 00 e8 42 ce 06 00 6a 1c e8 9e 77 f7 ff 59 8b c8 89 4d f0 33 c0 89 45 fc 3b c8 74 05 e8 11 ff ff ff e8 fa ce 06 00 c3 8b ff 55 8b ec 56 8b f1 Data Ascii: QBjwYM3E;tUV
2022-11-04 12:16:09 UTC	593	IN	Data Raw: e8 4d ff ff ff f6 45 08 01 74 07 56 e8 9a 77 f7 ff 59 8b c6 5e 5d c2 04 00 6a 4c b8 21 ea 51 00 e8 93 ce 06 00 33 db 89 4d bc 53 8d 4d a8 89 5d fc e8 e9 19 f8 ff 8b 35 a4 3a 57 00 8b 3d a8 3a 57 00 8d 4d c4 c6 45 fc 01 e8 73 12 f8 ff 53 c6 45 fc 02 ff 15 54 71 52 00 50 8d 4d c4 e8 94 18 f8 ff 89 5d d8 bb a0 9f 52 00 89 5d d4 57 56 ff 75 ac c6 45 fc 03 ff 15 30 71 52 00 50 8d 4d d4 e8 45 1b f8 ff 85 c0 75 3c 6a ff 50 68 8a 3e 00 00 e8 65 ff f7 ff 8d 4d d4 c6 45 fc 02 89 5d d4 e8 7b c7 f6 ff 8d 4d c4 c6 45 fc 01 e8 c6 18 f8 ff 8d 4d a8 c6 45 fc 00 e8 b6 19 f8 ff 33 c0 e8 50 ce 06 00 c3 ff 75 d8 ff 75 c8 e8 b1 1b f8 ff ff 35 2c 3a 57 00 83 65 dc 00 83 65 e0 00 89 45 c0 8d 45 dc 50 ff 75 c8 89 75 e4 89 7d e8 ff 15 ec 77 52 00 8b 4d bc 8d 45 dc 50 8d 45 c4 50 Data Ascii: MEtVwY^]jL!Q3MSM]5:W=:WMEsSETqRPM]R]WVuE0qRPMEu<jPh>eME]{MEME3Puu5,:WeeEEPuu}wRMEPEP
2022-11-04 12:16:09 UTC	609	IN	Data Raw: e8 bb d9 f6 ff 68 b0 45 53 00 8d 4d f0 e8 3e da f6 ff ff 75 f0 8d 4d 08 68 9c 45 53 00 c6 45 fc 01 e8 8a ab f6 ff 6a 26 8d 4d 08 e8 8e 34 f9 ff Data Ascii: hESM>uMhESEj&M4
2022-11-04 12:16:09 UTC	609	IN	Data Raw: 68 d8 bb 52 00 ff 75 f0 8d 4d 08 e8 70 ab f6 ff ff 75 08 6a 00 68 80 01 00 00 ff 77 20 ff d6 53 50 68 9a 01 00 00 ff 77 20 89 45 ec ff d6 8b 4d f0 83 c1 f0 e8 57 85 f6 ff 8b 4d 08 83 c1 f0 e8 4c 85 f6 ff 8b 45 ec eb 03 83 c8 ff e8 a0 8e 06 00 c2 08 00 6a 14 b8 3f ed 51 00 e8 b9 8d 06 00 8b f9 33 db 39 5f 68 75 68 39 5f 38 74 63 8b 47 08 83 78 f4 02 7d 5a 53 6a 26 8d 4f 04 e8 50 20 f9 ff 3b c3 7c 4b 8b 4f 04 8b 49 f4 49 3b c1 7d 40 8d 48 01 3b cb 7c 4d 8b 47 04 3b 48 f4 7f 45 66 83 3c 48 26 74 2a 6a 01 51 8d 45 ec 50 8d 4f 04 e8 66 6a f8 ff 50 8d 4f 08 89 5d fc e8 9e b5 f6 ff 8b 4d ec 83 4d fc ff 83 c1 f0 e8 bf 84 f6 ff 8d 77 08 8b 06 39 58 f4 75 14 8b 45 08 89 18 89 58 04 eb 65 68 57 00 07 80 e8 41 86 f6 ff 68 14 94 53 00 8d 4d f0 e8 24 d9 f6 ff 8b 4d 0c Data Ascii: hRuMpujhw SPhw EMWMLEj?Q39_huh9_8tcGx}ZSj&OP ;\|KOII;}@H;\|MG;HEf<H&t*jQEPOfjPO]MMw9XuEXehWAhSM$M
2022-11-04 12:16:09 UTC	621	IN	Data Raw: 5d f0 89 04 8f 89 34 9f eb 0b 03 5d e8 8d 0c 9f 89 01 89 71 fc dd 45 a8 51 dc 65 d4 51 dd 5d d4 dd 45 d4 dd 1c 24 e8 15 b2 06 00 59 59 e8 5e 9e 06 00 8b d8 89 5d 0c db 45 0c dc 6d d4 dd 85 6c ff ff ff d8 c9 e8 46 9e 06 00 dd 85 7c ff ff ff d8 c9 89 45 ec e8 36 9e 06 00 dd 45 b0 d8 c9 89 45 08 e8 29 9e 06 00 dd 05 00 be 52 00 d8 c9 89 45 0c e8 19 9e 06 00 83 7d d0 00 8b f0 89 75 e4 74 42 d9 e8 de e1 db 45 90 d8 c9 da 45 0c e8 33 9e 06 00 db 45 a4 0f b6 f0 81 ce 00 ff ff ff d8 c9 c1 e6 08 da 45 08 e8 1a 9e 06 00 da 4d b8 0f b6 c0 0b f0 c1 e6 08 da 45 ec e8 07 9e 06 00 0f b6 c0 eb 1b 0f b6 45 0c dd d8 c1 e6 08 0b f0 0f b6 45 08 c1 e6 08 0b f0 0f b6 45 ec c1 e6 08 0b f0 8a 45 c4 2a 45 0c 83 c9 ff 2b 4d e4 0f b6 c0 c1 e1 08 0b c1 8a 4d c8 2a 4d 08 c1 e0 08 0f Data Ascii: ]4]qEQeQ]E$YY^]EmlF\|E6EE)RE}utBEE3EEMEEEEEE+MMM
2022-11-04 12:16:09 UTC	637	IN	Data Raw: 83 4d fc ff 8b ce c7 06 94 18 53 00 e8 b6 42 f7 ff e8 0b 1f 06 00 c3 8b ff 55 8b ec 56 8b f1 e8 59 ff ff ff f6 45 08 01 74 07 56 e8 ab c7 f6 ff Data Ascii: MSBUVYEtV
2022-11-04 12:16:09 UTC	637	IN	Data Raw: 59 8b c6 5e 5d c2 04 00 68 30 01 00 00 b8 e3 f3 51 00 e8 6b 1e 06 00 8b 45 10 89 85 cc fe ff ff 8b 45 18 8b f1 8b 4d 20 89 85 d0 fe ff ff 8b 45 1c 50 89 8d d8 fe ff ff 33 db 53 8b ce 89 b5 c4 fe ff ff e8 0f 43 f7 ff 89 5d fc c7 06 94 9d 53 00 e8 0b 5b f7 ff 50 8d 8e b0 00 00 00 e8 ae 14 f6 ff bf 14 01 00 00 57 8d 85 dc fe ff ff 53 89 9e 40 03 00 00 50 c6 45 fc 01 89 9e 44 03 00 00 e8 ab 1e 06 00 83 c4 0c 8d 85 dc fe ff ff 50 89 bd dc fe ff ff ff 15 dc 73 52 00 83 bd e0 fe ff ff 06 72 0b 8b 45 24 89 86 98 00 00 00 eb 06 89 9e 98 00 00 00 89 9e 9c 00 00 00 39 9d d8 fe ff ff 75 0a c7 85 d8 fe ff ff 58 00 00 00 ff b5 d8 fe ff ff e8 3b 13 06 00 59 89 86 94 00 00 00 3b c3 75 05 e8 c0 58 f7 ff ff b5 d8 fe ff ff 53 50 e8 3b 1e 06 00 8b 95 d8 fe ff ff 33 c0 8d 8e Data Ascii: Y^]h0QkEEM EP3SC]S[PWS@PEDPsRrE$9uX;Y;uXSP;3
2022-11-04 12:16:09 UTC	653	IN	Data Raw: 05 00 8b f1 33 ff 89 7d e0 8d 45 e0 50 e8 46 7a f7 ff ff b0 80 00 00 00 ff 15 ec 73 52 00 89 7d e4 3b c7 75 04 33 c0 eb 3b 89 7d fc 8d 45 dc 50 Data Ascii: 3}EPFzsR};u3;}EP
2022-11-04 12:16:09 UTC	653	IN	Data Raw: 8b ce e8 90 ff ff ff 8b 46 50 33 c9 3b c7 0f 95 c1 3b cf 75 05 e8 c6 19 f7 ff ff 75 0c ff 75 08 ff d0 89 45 e4 c7 45 fc fe ff ff ff e8 0b 00 00 00 8b 45 e4 e8 cc df 05 00 c2 08 00 33 c0 39 45 e4 0f 94 c0 8b f0 85 f6 74 0a ff 15 58 72 52 00 8b f8 eb 02 33 ff ff 75 e0 6a 00 ff 15 f0 73 52 00 85 f6 74 07 57 ff 15 f4 73 52 00 c3 6a 04 b8 60 f5 51 00 e8 a0 dd 05 00 8b f1 89 75 f0 e8 07 ad f6 ff 33 db 8d 4e 74 89 5d fc c7 06 6c a8 53 00 e8 9c cb fd ff 8d 8e 80 28 00 00 c6 45 fc 01 e8 78 40 f7 ff 6a 0a 5f 57 8d 8e 88 28 00 00 e8 4e 5b fe ff 8d 8e a4 28 00 00 c6 45 fc 03 e8 44 fc ff ff 57 8d 8e d0 28 00 00 e8 58 10 fb ff 57 8d 8e ec 28 00 00 e8 f2 fd ff ff 57 8d 8e 14 29 00 00 c6 45 fc 05 e8 3c 10 fb ff 8d be 3c 29 00 00 6a 0a 8d 8e 4c 29 00 00 c6 45 fc 06 89 1f Data Ascii: FP3;;uuuEEE39EtXrR3ujsRtWsRj`Qu3Nt]lS(Ex@j_W(N[(EDW(XW(W)E<<)jL)E
2022-11-04 12:16:09 UTC	669	IN	Data Raw: 20 ff 15 e4 76 52 00 85 db 75 9b eb 1c 39 86 7c 28 00 00 74 14 6a 01 8b ce e8 56 e9 ff ff 8d 4e 74 8b 01 ff 90 80 01 00 00 ff 76 20 ff 15 08 78 Data Ascii: vRu9\|(tjVNtv x
2022-11-04 12:16:09 UTC	669	IN	Data Raw: 52 00 50 e8 26 7c f6 ff 8b 10 6a 01 8b c8 ff 92 74 01 00 00 5f 5e 5b 5d c2 04 00 b8 14 aa 53 00 c3 8b c1 83 60 04 00 83 60 08 00 c7 00 c4 ab 53 00 c3 c7 01 c4 ab 53 00 c3 8b ff 55 8b ec 8b 45 08 8b 4d 0c 83 ec 10 56 57 8b f0 8d 7d f0 a5 a5 a5 a5 5f 5e 83 f9 a6 74 15 83 f9 5a 74 36 81 f9 b4 00 00 00 74 23 81 f9 0e 01 00 00 75 17 8b 4d f4 89 08 8b 4d f8 89 48 04 8b 4d fc 89 48 08 8b 4d f0 89 48 0c c9 c2 08 00 8b 4d fc 89 48 04 8b 4d f4 eb ee 8b 4d f0 89 48 04 8b 4d f4 89 48 08 8b 4d f8 89 48 0c 8b 4d fc 89 08 eb d8 8b ff 55 8b ec 56 8b 75 08 68 08 d6 56 00 8b ce e8 45 6d f7 ff 8b ce 85 c0 74 0a 8b 06 ff 90 70 01 00 00 eb 1c 68 c0 45 53 00 e8 2b 6d f7 ff 85 c0 74 0c 8b 06 8b ce ff 90 88 01 00 00 eb 02 33 c0 5e 5d c2 04 00 8b ff 55 8b ec 56 ff 75 08 68 08 d6 Data Ascii: RP&\|jt_^[]S``SSUEMVW}_^tZt6t#uMMHMHMHMHMMHMHMHMUVuhVEmtphES+mt3^]UVuh
2022-11-04 12:16:09 UTC	685	IN	Data Raw: 52 00 83 7d 0c 00 89 45 f0 0f 84 14 01 00 00 bf 68 01 00 00 a9 00 00 02 00 74 40 57 e8 8b 07 f6 ff 59 89 45 ec 83 65 fc 00 85 c0 74 16 ff 73 20 8b c8 68 20 f0 00 00 e8 e6 f5 ff ff eb 07 e8 cd 99 f6 ff 33 c0 83 4d fc ff 50 8d 8e 2c 03 00 00 e8 a8 36 04 00 ff 86 bc 02 00 00 f7 45 f0 00 00 01 00 74 3e 57 e8 42 07 f6 ff 59 89 45 ec c7 45 fc 01 00 00 00 85 c0 74 11 ff 73 20 8b c8 68 20 f1 00 00 e8 9a f5 ff ff eb 02 33 c0 83 4d fc ff 50 8d 8e 2c 03 00 00 e8 61 36 04 00 ff 86 bc 02 00 00 57 e8 04 07 f6 ff 59 89 45 ec c7 45 fc 02 00 00 00 bf 60 f0 00 00 85 c0 74 10 ff 73 20 8b c8 57 e8 5b f5 ff ff 89 45 f0 eb 04 83 65 f0 00 83 4d fc ff 6a 30 5b 53 8d 45 bc 6a 00 50 e8 7d 5e 05 00 83 c4 0c 8d 45 bc 50 6a 00 89 5d bc 57 ff 75 0c 33 db 43 89 5d c0 ff 15 14 76 52 00 Data Ascii: R}Eht@WYEets h 3MP,6Et>WBYEEts h 3MP,a6WYEE`ts W[EeMj0[SEjP}^EPj]Wu3C]vR
2022-11-04 12:16:09 UTC	701	IN	Data Raw: 50 e8 88 fc f5 ff 50 68 6c ec 56 00 e8 74 ee f6 ff 8b d8 59 59 85 db 74 34 8b 07 6a 00 8b cf ff 90 24 02 00 00 8b cb 8b f0 e8 e3 f3 ff ff 85 f6 74 0e 8b 06 53 57 8b ce ff 90 e0 01 00 00 eb 0d 85 c0 74 09 53 57 8b c8 e8 51 d4 ff ff 5b 5e 5f c3 8b ff 56 8b f1 e8 57 3a f6 ff a1 bc 48 57 00 85 c0 74 13 ff 70 20 e8 4e fc f5 ff 85 c0 74 07 6a 00 e8 01 1e f8 ff 8b ce e8 6a fb f5 ff 5e c2 0c 00 8b ff 55 8b ec 83 ec 34 a1 54 04 57 00 33 c5 89 45 fc 53 56 57 8d 45 e4 33 ff 50 8b d9 89 7d e4 89 7d e8 ff 15 54 76 52 00 8b 03 8b cb ff 90 b4 01 00 00 a8 01 0f 84 c4 01 00 00 80 bb 60 01 00 00 00 8b 35 00 77 52 00 75 15 ff d6 50 e8 ba fb f5 ff 3b c3 74 27 80 bb 60 01 00 00 00 74 0c ff d6 50 e8 a5 fb f5 ff 3b c3 75 12 6a 01 ff 15 d4 75 52 00 b9 00 80 00 00 66 85 c1 75 1c Data Ascii: PPhlVtYYt4j$tSWtSWQ[^_VW:HWtp Ntjj^U4TW3ESVWE3P}}TvR`5wRuP;t'`tP;ujuRfu
2022-11-04 12:16:09 UTC	703	IN	Data Raw: 50 8b 06 8b ce ff 90 98 01 00 00 8b c8 e8 19 5f f6 ff 8b 06 8b ce ff 90 98 01 00 00 8b c8 e8 22 30 f6 ff 8b 8e 1c 03 00 00 25 00 00 40 00 89 45 d8 89 7d dc 89 7d e0 89 7d e4 89 7d e8 8b 01 ff 90 9c 01 00 00 8d 4d dc 51 ff 70 20 ff d3 8d 45 dc 50 8b 06 8b ce ff 90 98 01 00 00 8b c8 e8 c8 5e f6 ff 8b 06 8b ce ff 90 90 01 00 00 3d 00 10 00 00 0f 84 d9 00 00 00 3d 00 20 00 00 0f 84 ab 00 00 00 3d 00 40 00 00 74 72 3d 00 80 00 00 75 58 83 be 14 03 00 00 01 75 20 33 c0 39 7d 08 74 0b 8b 4d f8 3b 4d e0 e9 bd 00 00 00 8b 4d f0 3b 4d e0 0f 9d c0 e9 b2 00 00 00 39 7d 08 74 1b 8b 86 04 03 00 00 8b 4d f8 2b 86 fc 02 00 00 2b 4d f0 33 d2 3b c8 e9 b8 00 00 00 8b 45 f8 2b 45 f0 33 c9 85 c0 0f 9e c1 8b f9 8b c7 5f 5b 8b 4d fc 33 cd 5e e8 3e 03 05 00 c9 c2 04 00 83 be 14 Data Ascii: P_"0%@E}}}}MQp EP^== =@tr=uXu 39}tM;MM;M9}tM++M3;E+E3_[M3^>
2022-11-04 12:16:09 UTC	719	IN	Data Raw: 4d fc 5f 5e 33 cd 5b e8 5a c4 04 00 c9 c2 0c 00 8b ff 55 8b ec 83 ec 14 a1 54 04 57 00 33 c5 89 45 fc b8 00 02 00 00 56 8b f1 85 45 08 74 69 53 33 db 39 9e 70 0d 00 00 74 08 39 9e 68 0d 00 00 74 55 57 50 56 8d be 94 0c 00 00 57 e8 9c d2 fb ff 8d 45 ec 50 ff 76 20 89 5d ec 89 5d f0 89 5d f4 89 5d f8 ff 15 dc 77 52 00 8b 07 68 80 02 00 00 53 68 18 04 00 00 ff 70 20 ff 15 dc 76 52 00 8b ce e8 a7 f0 f5 ff 8b 0f 50 8d 45 ec 50 6a ff 56 e8 ee b4 fd ff 5f 5b 8b 4d fc 33 cd 33 c0 5e e8 c1 c3 04 00 c9 c2 08 00 8b 81 94 0c 00 00 85 c0 74 18 83 78 20 00 74 12 6a 00 6a 00 68 1c 04 00 00 ff 70 20 ff 15 dc 76 52 00 c3 8b ff 55 8b ec ff 71 20 ff 15 08 78 52 00 50 e8 7e b3 f5 ff 50 68 58 ce 53 00 e8 6a a5 f6 ff 59 59 85 c0 74 0b 8b 10 8b c8 5d ff a2 0c 02 00 00 5d c2 04 Data Ascii: M_^3[ZUTW3EVEtiS39pt9htUWPVWEPv ]]]]wRhShp vRPEPjV_[M33^tx tjjhp vRUq xRP~PhXSjYYt]]
2022-11-04 12:16:09 UTC	735	IN	Data Raw: ec 77 52 00 a1 f8 39 57 00 89 85 24 ff ff ff e8 55 c3 f6 ff 8b 10 8d 8d 24 ff ff ff 51 83 ec 10 8b fc ff b5 2c ff ff ff 8d b3 30 02 00 00 a5 a5 a5 8b c8 a5 ff 92 ec 00 00 00 e8 82 d3 f5 ff 50 8d 8d 28 ff ff ff e8 25 8d f4 ff 8b 03 8d 8d 28 ff ff ff 51 ff b3 a0 00 00 00 8b cb c6 45 fc 03 ff 90 b8 01 00 00 a1 24 e1 56 00 8d b3 30 02 00 00 8d 7d c0 a5 a5 6a 00 f7 d8 a5 50 8d 45 c0 50 a5 ff 15 18 76 52 00 8b b5 2c ff ff ff ff b5 24 ff ff ff 8b 06 8b ce ff 50 30 8b 85 28 ff ff ff 8b 48 f4 8b 16 68 24 80 00 00 8d 7d c0 57 51 50 8b ce ff 52 68 8b 8d 28 ff ff ff 83 c1 f0 c6 45 fc 02 e8 29 8d f4 ff 8d bb 40 02 00 00 57 ff 15 cc 75 52 00 85 c0 75 26 e8 8c c2 f6 ff 8b 10 8b f7 83 ec 10 8b fc ff b5 2c ff ff ff a5 a5 a5 8b c8 a5 ff 92 e8 00 00 00 8b b5 2c ff ff ff 83 Data Ascii: wR9W$U$Q,0P(%(QE$V0}jPEPvR,$P0(Hh$}WQPRh(E)@WuRu&,,
2022-11-04 12:16:09 UTC	741	IN	Data Raw: 1d 39 73 04 74 18 8b cb e8 eb cb f5 ff 50 ff 15 ec 71 52 00 39 73 04 74 05 e8 c2 b9 f5 ff 83 3d 44 3b 57 00 08 74 04 33 c0 eb 7c 8b 55 08 57 8b 7a 08 3b fe 75 04 33 c0 eb 6c 83 ff 64 7e 03 6a 64 5f b8 00 03 00 00 66 89 85 64 fe ff ff 66 89 bd 66 fe ff ff 85 ff 7e 35 85 f6 78 bc 3b 72 08 7d b7 8b 42 04 8d 0c b0 8a 19 8d 84 b5 69 fe ff ff 88 58 ff 8a 59 01 88 18 8a 49 02 46 88 48 01 c6 40 02 00 3b f7 7c d1 8b 9d 60 fe ff ff 8d 85 64 fe ff ff 50 ff 15 98 70 52 00 50 8b cb e8 27 cb f5 ff 33 c0 40 5f 8b 4d fc 5e 33 cd 5b e8 83 6b 04 00 c9 c2 08 00 8b ff 55 8b ec 83 3d 44 3b 57 00 08 74 1e 81 c1 c8 0d 00 00 74 12 83 79 04 00 74 0c e8 20 cb f5 ff 50 ff 15 ec 71 52 00 33 c0 eb 5c 8b 81 e4 0d 00 00 56 85 c0 74 0f 8b 80 a8 07 00 00 85 c0 74 05 6a 00 50 eb 20 8d b1 Data Ascii: 9stPqR9st=D;Wt3\|UWz;u3ld~jd_fdff~5x;r}BiXYIFH@;\|`dPpRP'3@_M^3[kU=D;Wttyt PqR3\VttjP
2022-11-04 12:16:09 UTC	753	IN	Data Raw: a4 8d 45 9c 50 8b ce 89 7d fc e8 65 ff ff ff 39 7d a4 75 2f 83 4d fc ff 8d 4d 9c e8 fc f7 fd ff 33 c0 e9 a9 01 00 00 e8 06 ff ff ff 3b c7 74 f0 8b 10 57 8b c8 ff 92 3c 01 00 00 33 c0 40 e9 8d 01 00 00 8b ce e8 e8 fe ff ff 89 45 b0 3b c7 75 60 33 c0 89 45 b8 39 7d a4 0f 8e fe 00 00 00 85 c0 78 49 3b 45 a4 7d 44 8b 4d a0 8d 04 81 8b 18 8b 03 8b cb ff 50 78 85 c0 74 18 8d 73 18 8d 7d d0 a5 a5 a5 8d 45 d0 50 a5 ff 15 cc 75 52 00 85 c0 74 11 8b 45 b8 40 89 45 b8 3b 45 a4 7c c0 e9 b9 00 00 00 89 5d b4 e9 b1 00 00 00 e8 5f 89 f5 ff 89 7d b8 81 c6 04 01 00 00 8d 7d c0 a5 a5 a5 8d 45 c0 50 a5 ff 15 cc 75 52 00 8b 75 bc f7 d8 1b db 81 c6 6c 02 00 00 8d 7d e0 a5 a5 a5 8d 45 e0 50 43 a5 ff 15 cc 75 52 00 8b 75 bc f7 d8 1b c0 8d 4d b8 51 40 50 53 ff 75 b0 83 c6 20 83 Data Ascii: EP}e9}u/MM3;tW<3@E;u`3E9}xI;E}DMPxts}EPuRtE@E;E\|]_}}EPuRul}EPCuRuMQ@PSu
2022-11-04 12:16:09 UTC	757	IN	Data Raw: 8b c7 e8 ea 3e 04 00 c2 04 00 6a 08 b8 c3 04 52 00 e8 03 3e 04 00 8b f1 83 4e 14 ff 83 8e c8 03 00 00 ff 33 ff 8d 46 20 50 89 be c4 03 00 00 89 7e 04 89 7e 08 c7 46 0c 01 00 00 00 89 7e 1c 89 7e 10 89 7e 18 ff 15 30 76 52 00 8b 45 08 ff 75 0c 8b ce 89 86 c0 03 00 00 e8 95 fe ff ff 8b 45 18 8b 4d 1c 3b c7 75 04 3b cf 74 0c 89 86 48 04 00 00 89 8e 4c 04 00 00 8b 4d 20 8b 45 24 3b cf 75 04 3b c7 74 0c 89 8e 54 05 00 00 89 86 58 05 00 00 8b 45 10 8b 4d 14 89 86 24 06 00 00 89 8e 28 06 00 00 3b c7 76 18 57 57 8d 8e f8 03 00 00 50 e8 d2 eb fa ff 85 c0 75 06 89 be 24 06 00 00 8b 86 28 06 00 00 3b c7 76 18 57 57 8d 8e 04 05 00 00 50 e8 b0 eb fa ff 85 c0 75 06 89 be 28 06 00 00 d9 e8 39 3d 7c 3b 57 00 74 0b dd 05 74 3b 57 00 dd 5d ec eb 03 dd 55 ec dd 45 ec da e9 Data Ascii: >jR>N3F P~~F~~~0vREuEM;u;tHLM E$;u;tTXEM$(;vWWPu$(;vWWPu(9=\|;Wtt;W]UE
2022-11-04 12:16:09 UTC	771	IN	Data Raw: fc ff 50 ff b6 6c 01 00 00 8d 8e 64 01 00 00 e8 3a 64 fd ff e8 38 07 04 00 c3 8b ff 55 8b ec 56 8b 75 08 57 56 8b f9 e8 cd 87 00 00 68 a8 f6 53 00 8b ce e8 2f d6 f5 ff 85 c0 0f 84 76 01 00 00 53 8b cf e8 29 f0 ff ff 8d 87 a0 01 00 00 50 8d 8e a0 01 00 00 e8 3c 8b fa ff 8b 86 ec 02 00 00 89 87 ec 02 00 00 8b 86 d8 02 00 00 89 87 d8 02 00 00 8b 86 f0 02 00 00 89 87 f0 02 00 00 8b 86 f4 02 00 00 89 87 f4 02 00 00 8b 86 c0 02 00 00 89 87 c0 02 00 00 8b 86 e4 02 00 00 89 87 e4 02 00 00 8b 86 dc 02 00 00 89 87 dc 02 00 00 8b 86 c8 02 00 00 89 87 c8 02 00 00 8b 86 f8 02 00 00 89 87 f8 02 00 00 8b 86 fc 02 00 00 89 87 fc 02 00 00 8b 86 e0 02 00 00 89 87 e0 02 00 00 8b 86 00 03 00 00 6a ff 33 db 8d 8f 78 01 00 00 53 89 87 00 03 00 00 e8 ae a2 f5 ff 6a ff 8d 8f 8c Data Ascii: Pld:d8UVuWVhS/vS)P<j3xSj
2022-11-04 12:16:09 UTC	773	IN	Data Raw: 19 00 00 00 eb 3e 6a 30 e8 6f a7 f4 ff 59 8b c8 89 4d 08 33 c0 40 89 45 fc 85 c9 74 25 50 6a 18 eb 19 6a 30 e8 53 a7 f4 ff 59 8b c8 89 4d 08 83 65 fc 00 85 c9 74 0b 6a 01 6a 17 e8 ed 5d 00 00 eb 02 33 c0 83 4d fc ff 50 8d 8e fc 00 00 00 e8 06 31 f9 ff e8 98 fe 03 00 c2 04 00 8b ff 55 8b ec 5d e9 65 a6 f8 ff 8b ff 55 8b ec 51 56 8b b1 00 01 00 00 89 4d fc 85 f6 74 41 53 57 8b c6 85 f6 74 3e 8b 78 08 8b 36 33 db 8b cf 43 e8 e1 5d 00 00 83 f8 09 75 0e 8b 45 fc 83 b8 88 00 00 00 00 74 02 33 db 8b 07 6a 00 53 6a 01 6a 00 ff 75 08 8b cf ff 50 10 85 f6 75 c3 5f 5b 5e c9 c2 04 00 e8 1a 39 f5 ff cc 8b ff 55 8b ec 53 57 8b f9 8b 07 ff 90 a4 01 00 00 50 68 14 01 57 00 e8 42 cd f5 ff 8b d8 59 59 85 db 74 52 8b 45 08 83 e8 17 74 40 48 74 31 48 75 44 6a 19 8b cf e8 87 Data Ascii: >j0oYM3@Et%Pjj0SYMetjj]3MP1U]eUQVMtASWt>x63C]uEt3jSjjuPu_[^9USWPhWBYYtREt@Ht1HuDj
2022-11-04 12:16:09 UTC	789	IN	Data Raw: f4 3b 86 5c 02 00 00 7d ec 8b 8e 58 02 00 00 8b 0c 81 8b 01 89 4d fc ff 10 8b c8 e8 02 8e f5 ff ff 75 fc 8b d8 8b 03 8b cb ff 90 c8 00 00 00 ff 75 fc 8b 03 8b cb ff 90 d0 00 00 00 8d 8f 54 02 00 00 53 ff 71 08 e8 33 1c fd ff ff 45 08 8b 45 08 3b 86 5c 02 00 00 7c a1 5f 5e 5b c9 c2 04 00 6a 5c b8 e3 08 52 00 e8 a6 be 03 00 8b 45 08 8b d9 8b 8b b0 00 00 00 68 4c b1 54 00 89 45 b4 e8 13 8e f5 ff 89 45 b8 33 c0 39 45 b8 75 15 8b 8b Data Ascii: ;\}XMuuTSq3EE;\\|_^[j\REhLTEE39Eu
2022-11-04 12:16:09 UTC	789	IN	Data Raw: b0 00 00 00 c7 45 bc 01 00 00 00 39 81 00 03 00 00 75 03 89 45 bc 8d 73 6c 8d 7d c0 a5 a5 a5 89 45 e0 89 45 e4 89 45 e8 89 45 ec 8d 45 e0 a5 8b 35 30 76 52 00 50 ff d6 33 ff 8d 45 d0 50 89 7d d0 89 7d d4 89 7d d8 89 7d dc ff d6 8d b3 8c 00 00 00 56 ff 15 cc 75 52 00 85 c0 0f 85 87 00 00 00 39 bb ac 00 00 00 74 5c 39 7d bc 75 57 39 7d b8 75 52 8b 83 ac 00 00 00 8b 88 c8 0c 00 00 89 4d b8 89 b8 c8 0c 00 00 e8 7c ea f5 ff 57 83 ec 10 8b fc a5 a5 8b 10 a5 a5 83 ec 10 8b fc ff b3 ac 00 00 00 8d b3 8c 00 00 00 ff 75 b4 a5 a5 a5 8b c8 a5 ff 52 34 8b 83 ac 00 00 00 8b 4d b8 89 88 c8 0c 00 00 8d b3 8c 00 00 00 8d 7d e0 a5 a5 a5 a5 ff 4d e4 8b 45 e4 40 89 45 ec 8b 83 90 00 00 00 48 89 45 cc 33 ff 8d 73 7c 56 ff 15 cc 75 52 00 85 c0 75 7c 39 bb ac 00 00 00 74 54 39 Data Ascii: E9uEsl}EEEEE50vRP3EP}}}}VuR9t\9}uW9}uRM\|WuR4M}ME@EHE3s\|VuRu\|9tT9
2022-11-04 12:16:09 UTC	801	IN	Data Raw: 54 00 e8 1e 5e f5 ff 33 f6 59 59 89 85 e0 fe ff ff 3b c6 74 6d 8b 48 78 89 8d d0 fe ff ff 8b 4b 78 89 48 78 8d 48 18 8b f1 8d bd b0 fe ff ff a5 a5 a5 a5 8b f9 8d 73 18 a5 a5 8b 10 a5 a5 83 ec 10 8b fc ff 75 0c 8d 75 10 ff b5 cc fe ff ff a5 a5 a5 89 8d d8 fe ff ff 8b c8 a5 ff 52 7c 8b bd d8 fe ff ff 8b 85 d0 fe ff ff 8b 8d e0 fe ff ff 8d b5 b0 fe ff ff a5 a5 a5 89 41 78 a5 e9 60 02 00 00 8b 8b fc 00 00 00 3b ce 0f 84 d3 01 00 00 39 75 0c 74 10 8b 83 00 01 00 00 89 85 d0 fe ff ff 3b c6 75 06 89 8d d0 fe ff ff 39 75 0c 75 04 6a 20 eb 02 6a 10 8b 3d 7c 3b 57 00 d9 e8 dd 05 74 3b 57 00 58 89 85 dc fe ff ff 89 85 e0 fe ff ff 8d 85 dc fe ff ff 8b 08 8b 40 04 89 8d d4 fe ff ff 89 85 d8 fe ff ff 3b fe 74 04 d9 c0 eb 02 d9 c1 d9 c2 da e9 df e0 f6 c4 44 7b 46 3b fe Data Ascii: T^3YY;tmHxKxHxHsuuR\|Ax`;9ut;u9uuj j=\|;Wt;WX@;tD{F;
2022-11-04 12:16:09 UTC	817	IN	Data Raw: ff ff f6 45 08 01 74 07 56 e8 cd f7 f3 ff 59 8b c6 5e 5d c2 04 00 68 cc 00 00 00 b8 be 0c 52 00 e8 8d 4e 03 00 8b d9 33 ff 57 8d 8d 38 ff ff ff Data Ascii: EtVY^]hRN3W8
2022-11-04 12:16:09 UTC	817	IN	Data Raw: e8 8b 99 f4 ff 8b 83 e8 03 00 00 89 7d fc 3b c7 75 07 b8 ac 3a 57 00 eb 06 50 e8 97 9b f4 ff 50 8d 8d 38 ff ff ff e8 b2 9c f4 ff 89 85 58 ff ff ff 8d 45 a4 50 ff b5 40 ff ff ff ff 15 2c 71 52 00 8b 75 a4 8d 45 80 50 8b cb 83 c6 02 e8 3e ef ff ff 8b 83 78 04 00 00 83 f8 ff 75 2f 8b 83 2c 04 00 00 39 78 f4 74 0b 39 bb b0 02 00 00 74 03 83 c6 0a 3b 75 84 7f 03 8b 75 84 8b 83 70 04 00 00 8b 8b 6c 04 00 00 8d 04 41 03 c6 89 83 7c 04 00 00 39 bb b0 02 00 00 74 07 83 83 7c 04 00 00 08 8d 45 94 50 ff 73 20 89 7d 94 89 7d 98 89 7d 9c 89 7d a0 ff 15 dc 77 52 00 8d 45 94 50 ff 15 cc 75 52 00 85 c0 0f 85 33 06 00 00 39 bb b0 02 00 00 74 77 8d 85 78 ff ff ff 50 e8 b8 cf f7 ff 8b 45 9c 2b 45 80 8b 4d 98 83 85 78 ff ff ff 08 83 85 7c ff ff ff 08 89 85 28 ff ff ff 03 85 Data Ascii: };u:WPP8XEP@,qRuEP>xu/,9xt9t;uuplA\|9t\|EPs }}}}wREPuR39twxPE+EMx\|(
2022-11-04 12:16:09 UTC	833	IN	Data Raw: 8d 1d fe ff 8b ff 55 8b ec 83 b9 58 03 00 00 00 74 0e 8b 81 58 03 00 00 8b 10 8b c8 5d ff 62 08 5d c2 04 00 8b ff 55 8b ec 53 56 57 ff 75 10 8b Data Ascii: UXtX]b]USVWu
2022-11-04 12:16:09 UTC	833	IN	Data Raw: f1 ff 75 0c ff 75 08 e8 7b e2 fd ff 8b 8e 58 03 00 00 8b 01 ff 90 a8 01 00 00 8b d8 33 ff 85 db 7e 3c 8b 8e 58 03 00 00 8b 01 57 ff 90 ac 01 00 00 50 68 c0 57 53 00 e8 e9 dd f4 ff 59 59 85 c0 74 17 ff 75 10 8b 10 ff 75 0c 8b c8 ff 75 08 ff 92 2c 02 00 00 85 c0 74 0f 47 3b fb 7c c4 33 c0 40 5f 5e 5b 5d c2 0c 00 33 c0 eb f5 8b ff 55 8b ec 83 b9 58 03 00 00 00 74 11 8b 81 58 03 00 00 8b 10 8b c8 5d ff a2 4c 02 00 00 5d c2 04 00 8b ff 56 8b f1 e8 c1 fa f9 ff 8d 86 58 03 00 00 83 38 00 5e 74 0c 8b 00 8b 10 8b c8 ff a2 80 01 00 00 c3 e9 db 75 fa ff 8b ff 55 8b ec 56 ff 75 08 8b f1 e8 48 0a fe ff 8b 06 8b ce ff 90 a4 03 00 00 5e 85 c0 74 07 8b c8 e8 75 29 f4 ff 5d c2 04 00 8b ff 55 8b ec 8b 55 08 83 0a ff 83 b9 58 03 00 00 00 75 04 33 c0 eb 13 8b 81 58 03 00 00 Data Ascii: uu{X3~<XWPhWSYYtuuu,tG;\|3@_^[]3UXtX]L]VX8^tuUVuH^tu)]UUXu3X
2022-11-04 12:16:09 UTC	849	IN	Data Raw: 28 02 00 00 85 f6 75 d3 33 c0 40 5e 5d c2 08 00 e8 fb 09 f4 ff cc 8b ff 55 8b ec 56 ff 75 08 8b f1 e8 f0 aa f7 ff 8d 8e 80 01 00 00 8b 01 5e 5d Data Ascii: (u3@^]UVu^]
2022-11-04 12:16:09 UTC	849	IN	Data Raw: ff 60 08 8b ff 55 8b ec 53 56 57 ff 75 0c 8b f1 ff 75 08 8b 86 80 01 00 00 8d 8e 80 01 00 00 ff 50 48 33 db 39 5d 0c 74 1d 39 9e 94 00 00 00 75 09 6a 04 8b ce e8 48 e9 f3 ff 8b 06 8b ce ff 90 f0 01 00 00 eb 25 8b 86 80 01 00 00 8d 8e 80 01 00 00 ff 50 4c 85 c0 75 12 53 8b ce e8 21 e9 f3 ff 8b 06 8b ce ff 90 f4 01 00 00 8b 06 8b ce ff 90 84 01 00 00 8b 06 8b ce ff 90 c8 01 00 00 6a 37 53 53 53 53 53 8b ce e8 87 e9 f3 ff 5f 5e 5b 5d c2 08 00 8b ff 56 8b f1 8b 06 ff 90 1c 02 00 00 85 c0 74 15 6a 00 8b ce e8 d4 e8 f3 ff 8d 8e 80 01 00 00 8b 01 5e ff 60 5c 5e c3 8b 01 ff 90 94 01 00 00 c2 0c 00 8b ff 55 8b ec 56 57 ff 75 08 8b f9 68 6c ec 56 00 e8 48 9d f4 ff 8b f0 59 59 85 f6 74 28 8d 55 08 8d 8f 80 01 00 00 8b 01 52 56 c7 45 08 01 00 00 00 ff 90 8c 00 00 00 Data Ascii: `USVWuuPH39]t9ujH%PLuS!j7SSSSS_^[]Vtj^`\^UVWuhlVHYYt(URVE
2022-11-04 12:16:09 UTC	851	IN	Data Raw: 6a 01 6a 02 53 8b cf ff 90 4c 03 00 00 8b 03 6a 01 6a 00 6a 01 8b cb ff 90 20 02 00 00 8b 06 8b ce ff 90 c8 01 00 00 eb 1c ff 75 08 8d 8e 80 01 00 00 8b 01 57 ff 50 20 8b 16 6a 01 50 8b ce ff 92 e4 01 00 00 8b 06 8b ce ff 90 f0 01 00 00 33 c0 40 eb 02 33 c0 5f 5e 5b c9 c2 04 00 8b ff 56 8b f1 e8 21 a3 f3 ff 8b 06 8b ce ff 90 c8 01 00 00 8b ce e8 e7 7d f7 ff 6a 00 6a 00 68 85 00 00 00 ff 76 20 ff 15 dc 76 52 00 5e c2 0c 00 8b ff 55 8b ec 83 ec 3c a1 54 04 57 00 33 c5 89 45 fc 53 56 57 8d 45 ec 8b f1 33 db 50 ff 76 20 89 75 c4 89 5d ec 89 5d f0 89 5d f4 89 5d f8 ff 15 dc 77 52 00 6a 14 ff 15 40 77 52 00 8d 8e 80 01 00 00 8d 55 c8 52 83 ec 10 8b fc 8d 75 ec a5 a5 a5 89 45 c8 8b 01 a5 ff 50 38 ff 75 c8 ff 15 44 77 52 00 39 1d 50 57 57 00 0f 84 86 00 00 00 8b Data Ascii: jjSLjjj uWP jP3@3_^[V!}jjhv vR^U<TW3ESVWE3Pv u]]]]wRj@wRURuEP8uDwR9PWW
2022-11-04 12:16:09 UTC	867	IN	Data Raw: 08 85 c9 74 08 8b b9 bc 02 00 00 eb 0a 8b 4b 14 85 c9 74 0f 8b 79 20 83 ff 64 74 04 85 ff 75 03 6a 32 5f 0f af c7 6a 64 99 59 f7 f9 8b 75 c8 51 Data Ascii: tKty dtuj2_jdYuQ
2022-11-04 12:16:09 UTC	867	IN	Data Raw: 2b f0 2b 75 c0 58 03 75 e0 2b c7 8b f8 89 75 e8 89 bd 78 ff ff ff eb 4e 2b 4d a0 3b c8 75 47 8b 4b 04 85 c9 74 08 8b b9 bc 02 00 00 eb 0a 8b 4b 10 85 c9 74 1b 8b 79 20 89 bd 78 ff ff ff 83 ff 64 74 04 85 ff 75 09 6a 32 5f 89 bd 78 ff ff ff 0f af c7 6a 64 99 59 f7 f9 8b f0 03 75 e0 89 75 e8 eb 03 8b 75 e8 8b 45 c8 8b 4d c0 8b 55 e0 2b c8 2b 45 c0 2b 4d 0c 89 85 74 ff ff ff db 85 74 ff ff ff 8b c6 2b c2 89 85 74 ff ff ff db 85 74 ff ff ff 03 4d 14 89 8d 68 ff ff ff d8 f1 dd 05 08 49 53 00 dc c9 d9 c9 dd 55 d4 d9 c0 d9 c2 da e9 df e0 f6 c4 44 7b 0d d9 c0 d9 ee da e9 df e0 f6 c4 44 7a 0b dd d8 dd 05 a0 28 54 00 dd 55 d4 83 3d 64 67 57 00 00 0f 84 91 00 00 00 85 c9 0f 85 2e 01 00 00 8b 45 f0 dd d8 2b c2 03 c6 89 45 f8 83 ff ff 74 09 db 85 78 ff ff ff dd 5d d4 Data Ascii: ++uXu+uxN+M;uGKtKty xdtuj2_xjdYuuuEMU++E+Mtt+ttMhISUD{Dz(TU=dgW.E+Etx]
2022-11-04 12:16:09 UTC	883	IN	Data Raw: 00 8b 45 08 81 78 04 00 01 00 00 0f 85 2b 02 00 00 6a 12 ff 15 ac 77 52 00 66 85 c0 0f 88 e8 00 00 00 6a 11 ff 15 ac 77 52 00 66 85 c0 0f 88 d7 Data Ascii: Ex+jwRfjwRf
2022-11-04 12:16:09 UTC	883	IN	Data Raw: 00 00 00 8b 46 74 8b 80 b4 00 00 00 85 c0 0f 84 c6 00 00 00 8b 4d 08 8b 49 08 83 f9 0d 74 2e 83 f9 20 0f 86 b2 00 00 00 83 f9 24 76 0e 83 f9 26 74 09 83 f9 28 0f 85 9f 00 00 00 6a 00 6a 00 53 ff 70 20 ff d7 85 c0 0f 84 8d 00 00 00 8b ce e8 fe 61 f3 ff 8b 46 74 8b 80 b4 00 00 00 6a 00 6a 00 53 ff 70 20 ff d7 85 c0 74 0e 8b 45 08 ff 70 0c ff 70 08 e9 3f ff ff ff 8b 46 74 8b 88 b4 00 00 00 e8 ba 3f f3 ff 85 c0 0f 84 3a ff ff ff 8b 46 74 05 b8 00 00 00 50 8b ce e8 09 40 f3 ff 8b 46 74 8b 80 b4 00 00 00 85 c0 75 04 33 ff eb 03 8b 78 20 8b 76 74 8b 8e b4 00 00 00 0f b7 76 20 e8 7c 3f f3 ff 57 56 68 11 01 00 00 ff 70 20 ff 15 e4 76 52 00 e9 ef fe ff ff 8b 45 08 8b 40 08 83 e8 09 0f 84 ed 00 00 00 83 e8 12 0f 84 b5 00 00 00 83 e8 0b 74 08 48 48 0f 85 0d 01 00 00 Data Ascii: FtMIt. $v&t(jjSp aFtjjSp tEpp?Ft?:FtP@Ftu3x vtv \|?WVhp vRE@tHH
2022-11-04 12:16:09 UTC	899	IN	Data Raw: ff ff 74 26 8b c7 99 2b c2 d1 f8 2b f0 8b 03 56 ff b5 00 ff ff ff 8b cb ff b5 f8 fe ff ff ff b5 2c ff ff ff ff 90 88 01 00 00 8b 03 6a 00 83 ec Data Ascii: t&++V,j
2022-11-04 12:16:09 UTC	899	IN	Data Raw: 10 8b fc ff b5 2c ff ff ff 8d b5 f8 fe ff ff a5 a5 a5 8d 8d 1c ff ff ff 51 8b cb a5 ff 90 84 01 00 00 ff b5 08 ff ff ff 8b 8d 2c ff ff ff e8 aa 54 f3 ff 8d 8d 0c ff ff ff c6 45 fc 01 c7 85 0c ff ff ff b0 9f 52 00 e8 d4 ff f1 ff 8d 4d 94 c6 45 fc 00 e8 50 e6 f3 ff 83 4d fc ff 8d 8d 40 ff ff ff e8 9b 52 f3 ff e8 99 06 02 00 c3 68 b8 00 00 00 b8 4d 1a 52 00 e8 06 06 02 00 8b 45 0c 33 f6 8b d9 89 30 89 85 64 ff ff ff 39 b3 b8 00 00 00 74 22 e8 71 32 f4 ff 8b 10 6a ff 8d 8b a0 00 00 00 51 8b c8 ff 92 cc 02 00 00 c7 83 b8 00 00 00 01 00 00 00 39 b3 a0 00 00 00 0f 85 6c 04 00 00 8d 85 58 ff ff ff 50 89 b5 58 ff ff ff 89 b5 5c ff ff ff ff 15 54 76 52 00 8b cb e8 f0 f7 ff ff 39 b3 a4 00 00 00 74 13 8b 03 8d 8d 68 ff ff ff 51 8b cb ff 90 70 01 00 00 eb 12 89 b5 68 Data Ascii: ,Q,TERMEPM@RhMRE30d9t"q2jQ9lXPX\TvR9thQph
2022-11-04 12:16:09 UTC	915	IN	Data Raw: 04 ff 15 84 76 52 00 8b 4d 0c 83 4d fc ff 83 c1 f0 e8 aa bd f1 ff 8b 7d f0 8b 87 20 01 00 00 68 1f e8 00 00 81 ce 00 00 00 50 56 ff 75 08 8d 8f Data Ascii: vRMM} hPVu
2022-11-04 12:16:09 UTC	915	IN	Data Raw: 20 01 00 00 ff 90 a0 01 00 00 85 c0 75 0c 83 a7 e8 00 00 00 00 e9 f6 fe ff ff 57 8d 8f 20 01 00 00 e8 8a 5b f5 ff 33 c0 40 eb e3 8b ff 55 8b ec 51 56 57 68 20 0a 55 00 8b f1 e8 f6 cc f3 ff 8b 3d 7c 79 52 00 6a 00 6a 01 50 89 45 fc ff d7 85 c0 74 04 33 c0 eb 38 53 8b 5d 08 68 10 0a 55 00 8b ce e8 ce cc f3 ff 50 ff 73 20 ff 15 78 79 52 00 85 c0 74 0d 6a 00 6a 00 ff 75 fc ff d7 33 c0 eb 0c 8b 43 20 89 46 20 33 c0 89 73 64 40 5b 5f 5e c9 c2 04 00 8b ff 56 8b f1 8b 46 20 85 c0 74 2e 50 ff 15 80 79 52 00 6a 01 6a 00 68 20 0a 55 00 8b ce e8 7d cc f3 ff 50 ff 15 7c 79 52 00 ff 76 20 e8 67 a3 f2 ff 83 60 64 00 83 66 20 00 5e c3 8b ff 55 8b ec 56 8b 75 08 68 b8 68 53 00 8b ce e8 21 95 f3 ff 85 c0 74 16 ff 75 18 8b 06 ff 75 14 8b ce ff 75 10 ff 75 0c ff 90 6c 01 00 Data Ascii: uW [3@UQVWh U=\|yRjjPEt38S]hUPs xyRtjju3C F 3sd@[_^VF t.PyRjjh U}P\|yRv g`df ^UVuhhS!tuuuul
2022-11-04 12:16:09 UTC	931	IN	Data Raw: 50 14 8b c8 68 c4 13 54 00 89 4d e8 e8 26 56 f3 ff 85 c0 0f 84 b0 00 00 00 8b 45 e8 39 98 8c 00 00 00 0f 84 a1 00 00 00 89 5d ec 89 5d f0 53 53 Data Ascii: PhTM&VE9]]SS
2022-11-04 12:16:09 UTC	931	IN	Data Raw: 68 46 01 00 00 ff b6 c8 01 00 00 ff d7 39 45 f0 7d 32 53 ff 75 f0 68 50 01 00 00 ff b6 c8 01 00 00 ff d7 3b c3 74 12 8b 40 54 8b 4d e8 c7 45 ec 01 00 00 00 3b 41 54 74 03 89 5d ec ff 45 f0 39 5d ec 74 ba 39 5d ec 75 50 e8 13 c3 f2 ff 50 8d 4d e4 e8 b9 7c f1 ff 8b 4d e8 8b 01 6a 02 8d 55 e4 52 89 5d fc ff 50 64 ff 75 e4 53 68 43 01 00 00 ff b6 c8 01 00 00 ff d7 ff 75 e8 50 68 51 01 00 00 ff b6 c8 01 00 00 ff d7 8b 4d e4 83 4d fc ff 83 c1 f0 e8 f7 7c f1 ff 39 5d e0 0f 85 24 ff ff ff ff b6 f8 04 00 00 68 9c 68 53 00 e8 73 55 f3 ff 59 59 3b c3 0f 84 9a 00 00 00 39 98 80 00 00 00 0f 84 8e 00 00 00 e8 94 c2 f2 ff 50 8d 4d e4 e8 3a 7c f1 ff 68 f2 3e 00 00 c7 45 fc 01 00 00 00 e8 6f 0c f3 ff 3b c3 75 04 33 c0 eb 0e 68 f2 3e 00 00 50 8d 4d e4 e8 e3 ce f1 ff 33 c9 Data Ascii: hF9E}2SuhP;t@TME;ATt]E9]t9]uPPM\|MjUR]PduShCuPhQMM\|9]$hhSsUYY;9PM:\|h>Eo;u3h>PM3
2022-11-04 12:16:09 UTC	947	IN	Data Raw: b7 94 00 00 00 eb 16 2b b7 94 00 00 00 eb 0e 03 b7 9c 00 00 00 eb 06 2b b7 9c 00 00 00 6a 01 8b cf e8 1d 1a f2 ff c1 eb 08 0f b6 cb 83 e9 00 8b Data Ascii: ++j
2022-11-04 12:16:09 UTC	947	IN	Data Raw: d0 74 3b 49 74 30 49 74 25 49 74 1a 49 49 74 11 49 74 0a 49 75 2e b8 ff ff ff 7f eb 27 33 c0 eb 23 8b 45 0c eb 1e 03 87 98 00 00 00 eb 16 2b 87 98 00 00 00 eb 0e 03 87 a0 00 00 00 eb 06 2b 87 a0 00 00 00 ff 75 10 2b 75 fc 2b c2 8b 17 50 56 8b cf ff 92 68 01 00 00 8b f0 85 f6 74 0f 83 7d 10 00 74 09 ff 77 20 ff 15 e0 76 52 00 5f 8b c6 5e 5b c9 c2 0c 00 8b ff 55 8b ec 83 ec 2c a1 54 04 57 00 33 c5 89 45 fc 53 56 57 8d 45 dc 33 ff 50 8b f1 89 7d dc 89 7d e0 ff 15 54 76 52 00 8d 45 ec 50 ff 76 20 89 7d ec 89 7d f0 89 7d f4 89 7d f8 ff 15 04 78 52 00 8b 86 90 00 00 00 bb 23 79 00 00 89 7d e8 3b c3 74 07 3d 22 79 00 00 75 1d 8b 4d e0 3b 4d f0 7d 09 c7 45 e8 17 79 00 00 eb 0c 3b 4d f8 7e 07 c7 45 e8 1d 79 00 00 3b c3 74 07 3d 21 79 00 00 75 39 8b 4d dc 3b 4d ec Data Ascii: t;It0It%ItIItItIu.'3#E++u+u+PVht}tw vR_^[U,TW3ESVWE3P}}TvREPv }}}}xR#y};t="yuM;M}Ey;M~Ey;t=!yu9M;M
2022-11-04 12:16:09 UTC	963	IN	Data Raw: ff 15 04 78 52 00 39 75 dc 75 05 39 7d e0 74 1a 8b 4d d8 6a 01 6a ff 6a ff 57 56 68 18 35 57 00 e8 1f 22 f2 ff 33 c0 40 eb 02 33 c0 8b 4d fc 5f Data Ascii: xR9uu9}tMjjjWVh5W"3@3M_
2022-11-04 12:16:09 UTC	963	IN	Data Raw: 5e 33 cd 5b e8 2d f4 00 00 c9 c2 14 00 8b ff 55 8b ec ff 75 08 8b 01 ff 50 1c 85 c0 74 16 8b 4d 0c 39 88 e4 02 00 00 74 0b ff 75 10 51 8b c8 e8 a1 fe ff ff 5d c2 0c 00 8b ff 55 8b ec 8b 45 08 56 8b f1 89 86 80 00 00 00 8b 46 20 85 c0 74 17 68 05 01 00 00 6a 00 6a 00 50 ff 15 70 78 52 00 8b ce e8 28 f9 ff ff 5e 5d c2 04 00 f6 05 0c 6f 57 00 01 56 be 08 6f 57 00 75 1f 83 0d 0c 6f 57 00 01 e8 da 42 f2 ff 50 8b ce e8 81 fc f0 ff 68 9f 66 52 00 e8 31 fd 00 00 59 8b 0d 08 6f 57 00 33 c0 39 41 f4 75 15 50 50 50 68 20 08 00 00 e8 08 18 f2 ff 50 8b ce e8 d4 50 f1 ff a1 08 6f 57 00 5e c3 8b ff 55 8b ec 56 57 8b 7d 08 8b f1 8d 4e 08 39 be b8 02 00 00 75 07 e8 b0 f8 ff ff eb 50 53 57 89 be b8 02 00 00 e8 4a ff ff ff 83 be c0 02 00 00 00 74 0a e8 10 e9 ff ff 83 f8 02 Data Ascii: ^3[-UuPtM9tuQ]UEVF thjjPpxR(^]oWVoWuoWBPhfR1YoW39AuPPPh PPoW^UVW}N9uPSWJt
2022-11-04 12:16:09 UTC	979	IN	Data Raw: 06 8b be 24 01 00 00 ff b6 30 01 00 00 8d 55 d4 ff 76 20 81 c6 f0 00 00 00 ff 76 fc ff 76 20 ff 76 24 ff 76 1c 52 51 8b 4d f0 50 57 ff 76 f8 56 Data Ascii: $0Uv vv v$vRQMPWvV
2022-11-04 12:16:09 UTC	979	IN	Data Raw: e8 db fc ff ff 8b f8 83 4d fc ff 8d 4d d4 89 5d d4 e8 15 e7 fa ff 8b c7 e8 d4 c6 00 00 c3 6a 1c b8 05 f6 51 00 e8 ef c5 00 00 8b f9 8b 5d 08 ff 77 20 b9 20 00 57 00 89 9f e8 00 00 00 e8 95 4d fc ff 89 18 8b 47 6c 33 f6 3b c6 74 14 39 70 20 74 0f 6a 01 8d 4f 54 51 ff 70 20 ff 15 f0 77 52 00 39 75 0c 0f 84 9f 00 00 00 6a 0a 8d 4d d8 e8 b3 f8 f5 ff 8d 45 d8 50 ff 77 20 89 75 fc e8 58 fd f2 ff 85 c0 7e 35 8b 75 dc eb 2c 8b c6 85 f6 74 34 ff 70 08 8b 36 68 c4 ff 56 00 e8 84 95 f2 ff 59 59 85 c0 74 11 3b c7 74 0d 8b 10 6a 00 53 8b c8 ff 92 f8 00 00 00 85 f6 75 d0 e8 d7 07 f3 ff 8b 70 04 eb 33 e8 15 01 f2 ff 8b c6 85 f6 74 f5 ff 70 08 8b 36 68 14 ee 56 00 e8 45 95 f2 ff 59 59 85 c0 74 13 8b 88 8c 0d 00 00 3b 4f 20 75 08 53 8b c8 e8 72 41 fc ff 85 f6 75 ce 83 4d Data Ascii: MM]jQ]w WMGl3;t9p tjOTQp wR9ujMEPw uX~5u,t4p6hVYYt;tjSup3tp6hVEYYt;O uSrAuM
2022-11-04 12:16:09 UTC	995	IN	Data Raw: c1 0f 8c 45 0b 00 00 39 83 34 04 00 00 0f 8e 39 0b 00 00 8d bd 74 ff ff ff a5 a5 a5 a5 8b b3 94 03 00 00 83 fe ff 75 0b e8 0c b3 f2 ff 8b b0 9c Data Ascii: E949tu
2022-11-04 12:16:09 UTC	995	IN	Data Raw: 00 00 00 8b 83 98 03 00 00 83 f8 ff 75 0b e8 f6 b2 f2 ff 8b 80 a0 00 00 00 f7 de 56 f7 d8 50 8d 85 74 ff ff ff 50 ff 15 18 76 52 00 53 8d 8d 3c ff ff ff e8 58 d1 f1 ff 8d 83 c4 03 00 00 33 ff 50 8d 8d 3c ff ff ff 89 7d fc e8 8e d4 f1 ff 89 85 2c ff ff ff 8d 45 84 50 ff b5 44 ff ff ff ff 15 2c 71 52 00 8b 83 e0 03 00 00 39 45 84 7e 03 8b 45 84 8b 8b 80 03 00 00 0f af c8 89 83 8c 03 00 00 8b 85 78 ff ff ff 2b c1 89 85 70 ff ff ff 8b 83 74 03 00 00 89 bb 90 03 00 00 3b c7 7c 29 3b 83 0c 05 00 00 7d 21 8b 8b 08 05 00 00 8d 04 81 ff 30 8d 8b 4c 04 00 00 e8 1d b8 f5 ff 33 c9 3b c7 0f 95 c1 3b cf 75 05 e8 12 c1 f1 ff 3b c7 74 f7 8b 48 08 8b 83 6c 04 00 00 89 8d 38 ff ff ff e9 c0 07 00 00 8b d0 3b c7 74 dd 8b 72 08 8b 00 89 85 50 ff ff ff 89 b5 54 ff ff ff 39 4e Data Ascii: uVPtPvRS<X3P<},EPD,qR9E~Ex+pt;\|);}!0L3;;u;tHl8;trPT9N
2022-11-04 12:16:09 UTC	1011	IN	Data Raw: 8b f1 89 75 f0 8b 06 83 65 fc 00 85 c0 74 20 8b 80 94 00 00 00 8b 40 10 85 c0 74 13 50 ff 15 5c 71 52 00 8b 06 8b 80 94 00 00 00 83 60 10 00 8b Data Ascii: uet @tP\qR`
2022-11-04 12:16:09 UTC	1011	IN	Data Raw: 0e 85 c9 74 07 8b 01 6a 01 ff 50 04 8b 4e 1c 83 e9 10 e8 79 3d f0 ff e8 d5 46 00 00 c3 8b ff 55 8b ec 51 51 8b 45 0c f7 6d 10 8b c8 8b 45 14 89 55 fc f7 6d 18 53 56 57 8b f8 8b 45 fc 8b f2 99 33 c2 89 4d f8 33 ca 2b ca 1b c2 33 db eb 07 0f ac c1 01 d1 f8 43 8b d1 0b d0 75 f3 8b 45 08 99 33 c2 2b c2 83 65 0c 00 99 eb 09 0f ac d0 01 d1 fa ff 45 0c 8b c8 0b ca 75 f1 03 5d 0c 85 f6 7f 20 7c 04 85 ff 73 1a 8b 45 f8 8b 4d fc f7 df 83 d6 00 f7 de f7 d8 83 d1 00 f7 d9 89 45 f8 89 4d fc 6a 1f 58 eb 42 8b 4d f8 8b 55 fc 0f ac d1 01 0f ac f7 01 4b d1 fa d1 fe 89 4d f8 89 55 fc 3b d8 7e 29 0f ac d1 01 0f ac f7 01 d1 fa 89 4d f8 d1 fe 8d 4b ff 83 eb 02 89 55 fc 3b c8 7e 0d d1 7d 08 0f ac f7 01 d1 fe 3b d8 7f ba ff 75 fc 8b 45 08 ff 75 f8 99 52 50 e8 f3 88 00 00 8b cf Data Ascii: tjPNy=FUQQEmEUmSVWE3M3+3CuE3+eEu] \|sEMEMjXBMUKMU;~)MKU;~};uEuRP
2022-11-04 12:16:09 UTC	1027	IN	Data Raw: cd e8 60 f4 ff ff c9 c3 8b ff 55 8b ec 83 ec 10 ff 75 10 8d 4d f0 e8 f6 fd ff ff 8b 4d 08 8d 45 f0 50 ff 75 0c e8 6e fe ff ff 80 7d fc 00 59 59 Data Ascii: `UuMMEPun}YY
2022-11-04 12:16:09 UTC	1027	IN	Data Raw: 74 07 8b 4d f8 83 61 70 fd c9 c3 8b ff 55 8b ec 6a 00 ff 75 0c ff 75 08 e8 bb ff ff ff 83 c4 0c 5d c3 8b ff 55 8b ec 51 51 a1 54 04 57 00 33 c5 89 45 fc 53 56 8b f1 33 db 57 3b f3 75 14 e8 dc 0a 00 00 6a 16 5e 89 30 e8 f8 7e 00 00 e9 2c 01 00 00 ff 75 08 56 e8 61 fb ff ff 59 59 3b 45 08 72 07 33 c0 66 89 06 eb d5 8b 45 0c 8b 00 8b 40 14 3b c3 75 29 8b c6 66 39 1e 74 1b 0f b7 08 83 f9 41 72 0b 83 f9 5a 77 06 83 c1 20 66 89 08 83 c0 02 66 39 18 75 e5 33 c0 e9 e2 00 00 00 53 53 6a ff 56 bf 00 01 00 00 57 50 e8 ab 9d 00 00 8b c8 83 c4 18 89 4d f8 3b cb 75 17 e8 5f 0a 00 00 c7 00 2a 00 00 00 e8 54 0a 00 00 8b 00 e9 ae 00 00 00 39 4d 08 73 11 33 c0 66 89 06 e8 3e 0a 00 00 6a 22 e9 5d ff ff ff 3b cb 7e 43 6a e0 33 d2 58 f7 f1 83 f8 02 72 37 8d 44 09 08 3d 00 04 Data Ascii: tMapUjuu]UQQTW3ESV3W;uj^0~,uVaYY;Er3fE@;u)f9tArZw ff9u3SSjVWPM;u_*T9Ms3f>j"];~Cj3Xr7D=
2022-11-04 12:16:09 UTC	1043	IN	Data Raw: 00 39 45 08 77 10 8b 4f 0c f6 c1 08 74 08 f7 c1 00 04 00 00 74 03 8b 47 18 89 45 08 8b 03 f6 44 30 04 04 74 03 ff 45 08 8b 45 08 29 45 fc 8b 45 Data Ascii: 9EwOttGED0tEE)EE
2022-11-04 12:16:09 UTC	1043	IN	Data Raw: f4 03 45 fc 5e 5f 5b c9 c3 6a 0c 68 40 6c 56 00 e8 ab c7 ff ff 33 c0 39 45 08 0f 95 c0 85 c0 75 15 e8 f9 ca ff ff c7 00 16 00 00 00 e8 14 3f 00 00 83 c8 ff eb 28 ff 75 08 e8 aa a0 00 00 59 83 65 fc 00 ff 75 08 e8 2a fe ff ff 59 89 45 e4 c7 45 fc fe ff ff ff e8 09 00 00 00 8b 45 e4 e8 a2 c7 ff ff c3 ff 75 08 e8 ef a0 00 00 59 c3 8b ff 55 8b ec 56 8b 75 08 8b 46 0c a8 83 75 10 e8 9c ca ff ff c7 00 16 00 00 00 83 c8 ff eb 67 83 e0 ef 83 7d 10 01 89 46 0c 75 0e 56 e8 d5 fd ff ff 01 45 0c 83 65 10 00 59 56 e8 c6 00 00 00 8b 46 0c 59 84 c0 79 08 83 e0 fc 89 46 0c eb 16 a8 01 74 12 a8 08 74 0e a9 00 04 00 00 75 07 c7 46 18 00 02 00 00 ff 75 10 ff 75 0c 56 e8 8f f4 ff ff 59 50 e8 ea b6 00 00 33 c9 83 c4 0c 83 f8 ff 0f 95 c1 8d 41 ff 5e 5d c3 6a 0c 68 60 6c 56 00 Data Ascii: E^_[jh@lV39Eu?(uYeu*YEEEuYUVuFug}FuVEeYVFYyFttuFuuVYP3A^]jh`lV
2022-11-04 12:16:09 UTC	1059	IN	Data Raw: 8b 54 24 04 8b 4c 24 08 f7 c2 03 00 00 00 75 3c 8b 02 3a 01 75 2e 0a c0 74 26 3a 61 01 75 25 0a e4 74 1d c1 e8 10 3a 41 02 75 19 0a c0 74 11 3a Data Ascii: T$L$u<:u.t&:au%t:Aut:
2022-11-04 12:16:09 UTC	1059	IN	Data Raw: 61 03 75 10 83 c1 04 83 c2 04 0a e4 75 d2 8b ff 33 c0 c3 90 1b c0 d1 e0 83 c0 01 c3 f7 c2 01 00 00 00 74 18 8a 02 83 c2 01 3a 01 75 e7 83 c1 01 0a c0 74 dc f7 c2 02 00 00 00 74 a4 66 8b 02 83 c2 02 3a 01 75 ce 0a c0 74 c6 3a 61 01 75 c5 0a e4 74 bd 83 c1 02 eb 88 8b ff 55 8b ec 81 ec 78 04 00 00 a1 54 04 57 00 33 c5 89 45 fc 53 8b 5d 14 56 8b 75 08 33 c0 57 ff 75 10 8b 7d 0c 8d 8d b4 fb ff ff 89 b5 d4 fb ff ff 89 9d e4 fb ff ff 89 85 ac fb ff ff 89 85 f8 fb ff ff 89 85 d8 fb ff ff 89 85 f4 fb ff ff 89 85 dc fb ff ff 89 85 b0 fb ff ff 89 85 d0 fb ff ff e8 22 7d ff ff e8 5b 8a ff ff 89 85 9c fb ff ff 85 f6 75 2b e8 4c 8a ff ff c7 00 16 00 00 00 e8 67 fe ff ff 80 bd c0 fb ff ff 00 74 0a 8b 85 bc fb ff ff 83 60 70 fd 83 c8 ff e9 ed 0a 00 00 33 f6 3b fe 74 cf Data Ascii: auu3t:uttf:ut:autUxTW3ES]Vu3Wu}"}[u+Lgt`p3;t
2022-11-04 12:16:09 UTC	1061	IN	Data Raw: f6 85 f8 fb ff ff 80 c7 85 e0 fb ff ff 10 00 00 00 0f 84 7c fe ff ff 6a 30 58 66 89 85 cc fb ff ff 8b 85 ac fb ff ff 83 c0 51 66 89 85 ce fb ff ff 89 8d dc fb ff ff e9 57 fe ff ff f7 85 f8 fb ff ff 00 10 00 00 0f 85 57 fe ff ff 83 c3 04 f6 85 f8 fb ff ff 20 74 1c f6 85 f8 fb ff ff 40 89 9d e4 fb ff ff 74 06 0f bf 43 fc eb 04 0f b7 43 fc 99 eb 17 f6 85 f8 fb ff ff 40 8b 43 fc 74 03 99 eb 02 33 d2 89 9d e4 fb ff ff f6 85 f8 fb ff ff 40 74 1b 85 d2 7f 17 7c 04 85 c0 73 11 f7 d8 83 d2 00 f7 da 81 8d f8 fb ff ff 00 01 00 00 f7 85 f8 fb ff ff 00 90 00 00 8b fa 8b d8 75 02 33 ff 83 bd f4 fb ff ff 00 7d 0c c7 85 f4 fb ff ff 01 00 00 00 eb 1a 83 a5 f8 fb ff ff f7 b8 00 02 00 00 39 85 f4 fb ff ff 7e 06 89 85 f4 fb ff ff 8b c3 0b c7 75 06 21 85 dc fb ff ff 8d b5 fb Data Ascii: \|j0XfQfWW t@tCC@Ct3@t\|su3}9~u!
2022-11-04 12:16:09 UTC	1077	IN	Data Raw: c7 85 e8 fc ff ff 6f 00 00 00 eb 5c ff b5 20 fd ff ff ff 8d 38 fd ff ff 53 e8 95 f3 ff ff 59 59 6a 30 5b e9 4a 01 00 00 ff b5 20 fd ff ff ff 85 Data Ascii: o\ 8SYYj0[J
2022-11-04 12:16:09 UTC	1077	IN	Data Raw: 38 fd ff ff e8 a8 2d 00 00 83 bd f4 fc ff ff 00 0f b7 d8 59 89 9d 30 fd ff ff 74 16 83 ad 28 fd ff ff 02 83 bd 28 fd ff ff 01 7d 06 fe 85 3f fd ff ff 89 b5 e8 fc ff ff 8b bd e8 fc ff ff e9 05 01 00 00 83 a5 10 fd ff ff 00 52 ff b5 f0 fc ff ff 8d 85 10 fd ff ff 53 50 e8 d8 6b 00 00 83 c4 10 83 f8 22 0f 84 73 04 00 00 8b 85 10 fd ff ff 85 c0 0f 8e 4d fc ff ff 03 d8 29 85 f0 fc ff ff 89 9d f8 fc ff ff e9 3a fc ff ff 83 c6 02 e9 32 fc ff ff ff b5 20 fd ff ff ff 8d 38 fd ff ff 52 e8 de f2 ff ff 59 59 3b f3 0f 84 61 04 00 00 80 bd 2f fd ff ff 00 0f 85 51 03 00 00 ff 85 ec fc ff ff 83 ff 63 0f 84 42 03 00 00 80 bd 1f fd ff ff 00 74 10 8b 8d f8 fc ff ff 33 c0 66 89 01 e9 29 03 00 00 8b 85 f8 fc ff ff c6 00 00 e9 1b 03 00 00 c6 85 27 fd ff ff 01 8b 9d 30 fd ff ff Data Ascii: 8-Y0t((}?RSPk"sM):2 8RYY;a/QcBt3f)'0
2022-11-04 12:16:09 UTC	1093	IN	Data Raw: 5d f8 dd 45 f8 59 dd 45 08 59 da e9 df e0 f6 c4 44 7a 0e 56 53 e8 6c 12 00 00 dd 45 f8 59 59 eb 22 f6 c3 20 75 ed dd 45 f8 53 83 ec 10 dd 5c 24 Data Ascii: ]EYEYDzVSlEYY" uES\$
2022-11-04 12:16:09 UTC	1093	IN	Data Raw: 08 dd 45 08 dd 1c 24 6a 0c 6a 10 e8 05 10 00 00 83 c4 1c 5e 5b c9 c3 8b ff 55 8b ec 51 51 53 56 be ff ff 00 00 56 ff 35 14 14 57 00 e8 25 12 00 00 dd 45 08 59 59 0f b7 4d 0e 8b d8 b8 f0 7f 00 00 23 c8 51 51 dd 1c 24 66 3b c8 75 55 e8 ba 10 00 00 59 59 85 c0 7e 2d 83 f8 02 7e 1a 83 f8 03 75 23 dd 45 08 53 51 51 dd 1c 24 6a 0b e8 4e 0f 00 00 83 c4 10 eb 74 56 53 e8 d8 11 00 00 dd 45 08 59 59 eb 66 dd 45 08 53 dc 05 78 1b 55 00 83 ec 10 dd 5c 24 08 dd 45 08 dd 1c 24 6a 0b 6a 08 eb 41 e8 8f 35 00 00 dd 5d f8 dd 45 f8 59 dd 45 08 59 da e9 df e0 f6 c4 44 7a 0e 56 53 e8 94 11 00 00 dd 45 f8 59 59 eb 22 f6 c3 20 75 ed dd 45 f8 53 83 ec 10 dd 5c 24 08 dd 45 08 dd 1c 24 6a 0b 6a 10 e8 2d 0f 00 00 83 c4 1c 5e 5b c9 c3 cc 55 8b ec 83 ec 08 83 e4 f0 dd 1c 24 f3 0f 7e Data Ascii: E$jj^[UQQSVV5W%EYYM#QQ$f;uUYY~-~u#ESQQ$jNtVSEYYfESxU\$E$jjA5]EYEYDzVSEYY" uES\$E$jj-^[U$~
2022-11-04 12:16:09 UTC	1109	IN	Data Raw: e6 1f 00 00 80 79 05 4e 83 ce e0 46 83 65 d8 00 33 d2 2b ce 42 d3 e2 8d 4c 85 f0 8b 31 8d 3c 16 3b fe 72 04 3b fa 73 07 c7 45 d8 01 00 00 00 89 Data Ascii: yNFe3+BL1<;r;sE
2022-11-04 12:16:09 UTC	1109	IN	Data Raw: 39 8b 4d d8 eb 1f 85 c9 74 1e 8d 4c 85 f0 8b 11 8d 72 01 33 ff 3b f2 72 05 83 fe 01 73 03 33 ff 47 89 31 8b cf 48 79 de 8b 4d d4 83 c8 ff d3 e0 21 03 8b 45 d0 40 83 f8 03 7d 0d 6a 03 59 8d 7c 85 f0 2b c8 33 c0 f3 ab 8b 0d 18 16 57 00 8d 41 01 99 83 e2 1f 03 c2 8d 51 01 c1 f8 05 81 e2 1f 00 00 80 79 05 4a 83 ca e0 42 83 65 d8 00 83 65 e0 00 83 cf ff 8b ca d3 e7 c7 45 dc 20 00 00 00 29 55 dc f7 d7 8b 5d e0 8d 5c 9d f0 8b 33 8b ce 23 cf 89 4d d4 8b ca d3 ee 8b 4d dc 0b 75 d8 89 33 8b 75 d4 d3 e6 ff 45 e0 83 7d e0 03 89 75 d8 7c d3 8b f0 6a 02 c1 e6 02 8d 4d f8 5a 2b ce 3b d0 7c 08 8b 31 89 74 95 f0 eb 05 83 64 95 f0 00 83 e9 04 4a 79 e9 6a 02 33 db 58 e9 53 01 00 00 8b 0d 18 16 57 00 3b 1d 0c 16 57 00 0f 8c a9 00 00 00 33 c0 8d 7d f0 ab ab ab 81 4d f0 00 00 Data Ascii: 9MtLr3;rs3G1HyM!E@}jY\|+3WAQyJBeeE )U]\3#MMu3uE}u\|jMZ+;\|1tdJyj3XSW;W3}M
2022-11-04 12:16:09 UTC	1125	IN	Data Raw: ff 8b 54 24 08 8d 42 0c 8b 4a 98 33 c8 e8 54 6c fe ff 8b 4a fc 33 c8 e8 4a 6c fe ff b8 2c c3 55 00 e9 cc 7a fe ff 8d 8d 20 fb ff ff e9 c6 7e f5 Data Ascii: T$BJ3TlJ3Jl,Uz ~
2022-11-04 12:16:09 UTC	1125	IN	Data Raw: ff 8b 54 24 08 8d 42 0c 8b 8a 1c fb ff ff 33 c8 e8 21 6c fe ff 8b 4a fc 33 c8 e8 17 6c fe ff b8 58 c3 55 00 e9 99 7a fe ff 8d 4d b8 e9 b3 c9 ef ff 8b 54 24 08 8d 42 0c 8b 4a b4 33 c8 e8 f4 6b fe ff b8 84 c3 55 00 e9 76 7a fe ff 8d 4d 80 e9 38 35 f5 ff 8d 8d 10 ff ff ff e9 2d 35 f5 ff 8b 54 24 08 8d 42 0c 8b 8a f8 fe ff ff 33 c8 e8 c3 6b fe ff 8b 4a fc 33 c8 e8 b9 6b fe ff b8 b8 c3 55 00 e9 3b 7a fe ff 8d 8d ec fd ff ff e9 de 74 ee ff 8b 54 24 08 8d 42 0c 8b 8a e8 fd ff ff 33 c8 e8 90 6b fe ff 8b 4a fc 33 c8 e8 86 6b fe ff b8 e4 c3 55 00 e9 08 7a fe ff 8d 8d 60 ff ff ff e9 1f c9 ef ff 8b 54 24 08 8d 42 0c 8b 8a 54 ff ff ff 33 c8 e8 5d 6b fe ff 8b 4a fc 33 c8 e8 53 6b fe ff b8 10 c4 55 00 e9 d5 79 fe ff ff b5 f4 fe ff ff e8 48 78 ee ff c3 8b 85 04 ff ff ff Data Ascii: T$B3!lJ3lXUzMT$BJ3kUvzM85-5T$B3kJ3kU;ztT$B3kJ3kUz`T$BT3]kJ3SkUyHx
2022-11-04 12:16:09 UTC	1141	IN	Data Raw: fe ff 8d 8d ec fd ff ff e9 93 35 ee ff 8b 54 24 08 8d 42 0c 8b 8a e4 fd ff ff 33 c8 e8 45 2c fe ff 8b 4a fc 33 c8 e8 3b 2c fe ff b8 00 06 56 00 Data Ascii: 5T$B3E,J3;,V
2022-11-04 12:16:09 UTC	1141	IN	Data Raw: e9 bd 3a fe ff 8b 4d f0 e9 ab 2f ef ff 8b 4d f0 81 c1 a4 00 00 00 e9 8d 5c f0 ff 8b 4d f0 81 c1 e4 00 00 00 e9 47 35 ee ff 8b 54 24 08 8d 42 0c 8b 4a ec 33 c8 e8 fc 2b fe ff b8 3c 06 56 00 e9 7e 3a fe ff 8b 8d e4 fb ff ff e9 69 2f ef ff 8b 8d e4 fb ff ff 81 c1 a4 00 00 00 e9 48 5c f0 ff 8b 8d e4 fb ff ff 81 c1 e4 00 00 00 e9 ff 34 ee ff 8d 8d e8 fb ff ff e9 f4 34 ee ff 8b 54 24 08 8d 42 0c 8b 8a dc fb ff ff 33 c8 e8 a6 2b fe ff 8b 4a f8 33 c8 e8 9c 2b fe ff b8 84 06 56 00 e9 1e 3a fe ff 8d 4d 08 e9 c4 34 ee ff 8d 4d ec e9 bc 34 ee ff 8b 54 24 08 8d 42 0c 8b 4a e8 33 c8 e8 71 2b fe ff b8 e8 06 56 00 e9 f3 39 fe ff 8d 4d ec e9 99 34 ee ff 8b 54 24 08 8d 42 0c 8b 4a d8 33 c8 e8 4e 2b fe ff b8 48 07 56 00 e9 d0 39 fe ff 8d 8d 14 ff ff ff e9 73 34 ee ff 8d 8d Data Ascii: :M/M\MG5T$BJ3+<V~:i/H\44T$B3+J3+V:M4M4T$BJ3q+V9M4T$BJ3N+HV9s4
2022-11-04 12:16:09 UTC	1157	IN	Data Raw: e9 ed fa fd ff 8d 4d ac e9 1d 4e ef ff 8b 54 24 08 8d 42 0c 8b 4a 9c 33 c8 e8 48 ec fd ff 8b 4a fc 33 c8 e8 3e ec fd ff b8 78 49 56 00 e9 c0 fa Data Ascii: MNT$BJ3HJ3>xIV
2022-11-04 12:16:09 UTC	1157	IN	Data Raw: fd ff 8d 4d a0 e9 dc 67 ef ff 8d 4d a8 e9 d2 49 ef ff 8b 54 24 08 8d 42 0c 8b 4a 80 33 c8 e8 13 ec fd ff 8b 4a fc 33 c8 e8 09 ec fd ff b8 ac 49 56 00 e9 8b fa fd ff 8d 4d e4 e9 f1 f8 ed ff 8b 54 24 08 8d 42 0c 8b 4a e0 33 c8 e8 e6 eb fd ff b8 d8 49 56 00 e9 68 fa fd ff 8d 4d 9c e9 a0 4a ef ff 8d 4d 8c e9 0d 49 ef ff 8b 54 24 08 8d 42 0c 8b 4a 88 33 c8 e8 bb eb fd ff 8b 4a fc 33 c8 e8 b1 eb fd ff b8 0c 4a 56 00 e9 33 fa fd ff 8d 4d bc e9 dc 49 ef ff 8d 4d d0 e9 d8 48 ef ff 8b 54 24 08 8d 42 0c 8b 4a b8 33 c8 e8 86 eb fd ff 8b 4a fc 33 c8 e8 7c eb fd ff b8 40 4a 56 00 e9 fe f9 fd ff 8d 4d cc e9 1c 1e fc ff 8d 4d ac e9 a3 48 ef ff 8d 4d bc e9 9b 48 ef ff 8b 54 24 08 8d 42 0c 8b 8a 7c ff ff ff 33 c8 e8 46 eb fd ff 8b 4a fc 33 c8 e8 3c eb fd ff b8 7c 4a 56 00 Data Ascii: MgMIT$BJ3J3IVMT$BJ3IVhMJMIT$BJ3J3JV3MIMHT$BJ3J3\|@JVMMHMHT$B\|3FJ3<\|JV
2022-11-04 12:16:09 UTC	1173	IN	Data Raw: b9 6c 67 57 00 e8 4d f1 f2 ff 68 8e 65 52 00 e8 e6 b5 fd ff 59 c3 68 64 2d 54 00 b9 20 68 57 00 e8 2b 0a ee ff 68 bb 65 52 00 e8 cb b5 fd ff 59 Data Ascii: lgWMheRYhd-T hW+heRY
2022-11-04 12:16:09 UTC	1173	IN	Data Raw: c3 68 84 2d 54 00 b9 24 68 57 00 e8 10 0a ee ff 68 c9 65 52 00 e8 b0 b5 fd ff 59 c3 68 48 f4 56 00 e8 22 8e ef ff c3 68 38 30 54 00 ff 15 ec 76 52 00 a3 30 68 57 00 c3 e8 24 fb ee ff 50 b9 b4 68 57 00 e8 c8 b4 ed ff 68 d7 65 52 00 e8 78 b5 fd ff 59 c3 68 d0 f4 56 00 e8 ea 8d ef ff c3 68 1c f5 56 00 e8 df 8d ef ff c3 6a 0a b9 30 69 57 00 e8 b1 f0 f2 ff 68 e5 65 52 00 e8 4a b5 fd ff 59 c3 68 78 f5 56 00 e8 bc 8d ef ff c3 68 44 4b 53 00 b9 b4 69 57 00 e8 84 09 ee ff 68 ef 65 52 00 e8 24 b5 fd ff 59 c3 68 50 f6 56 00 e8 96 8d ef ff c3 68 44 1b 55 00 b9 38 6b 57 00 e8 5e 09 ee ff 68 fd 65 52 00 e8 fe b4 fd ff 59 c3 68 f8 68 54 00 b9 74 6b 57 00 e8 43 09 ee ff 68 0b 66 52 00 e8 e3 b4 fd ff 59 c3 68 04 69 54 00 b9 78 6b 57 00 e8 28 09 ee ff 68 19 66 52 00 e8 c8 Data Ascii: h-T$hWheRYhHV"h80TvR0hW$PhWheRxYhVhVj0iWheRJYhxVhDKSiWheR$YhPVhDU8kW^heRYhhTtkWChfRYhiTxkW(hfR
2022-11-04 12:16:09 UTC	1189	IN	Data Raw: f1 e3 40 00 0c e4 40 00 2e e4 40 00 2e e4 40 00 53 e4 40 00 ec 28 41 00 05 16 41 00 9e 16 41 00 1d d5 40 00 70 5d 40 00 90 15 40 00 a0 15 40 00 Data Ascii: @@.@.@S@(AAA@p]@@@
2022-11-04 12:16:09 UTC	1189	IN	Data Raw: 21 d5 40 00 29 33 41 00 7b d6 40 00 c6 1f 41 00 d4 d4 40 00 8c 2c 47 00 6d 2b 41 00 ed ec 40 00 ff d5 40 00 be 02 44 00 d2 a8 4d 00 b9 75 49 00 b9 75 49 00 92 f0 43 00 d2 a8 4d 00 bb 20 4c 00 39 b1 4a 00 4b e5 40 00 66 e5 40 00 96 5a 44 00 39 b1 4a 00 6d 00 73 00 63 00 74 00 6c 00 73 00 5f 00 75 00 70 00 64 00 6f 00 77 00 6e 00 33 00 32 00 00 00 00 00 00 00 f0 28 55 00 7d 7b 41 00 ef 7b 41 00 70 5d 40 00 d4 38 41 00 c3 d4 40 00 50 ee 42 00 96 5a 44 00 39 b1 4a 00 39 b1 4a 00 f2 39 41 00 67 2b 41 00 48 3a 41 00 00 3a 41 00 42 3a 41 00 57 d8 40 00 06 3a 41 00 bb 20 4c 00 96 5a 44 00 96 5a 44 00 96 5a 44 00 8c 2c 47 00 7a ea 40 00 2f ea 40 00 69 1e 41 00 5d fa 40 00 84 32 41 00 26 d8 40 00 b3 d4 40 00 12 ea 40 00 42 d5 40 00 96 5a 44 00 7e 2a 41 00 f3 2a 41 Data Ascii: !@)3A{@A@,Gm+A@@DMuIuICM L9JK@f@ZD9Jmsctls_updown32(U}{A{Ap]@8A@PBZD9J9J9Ag+AH:A:AB:AW@:A LZDZDZD,Gz@/@iA]@2A&@@@B@ZD~AA
2022-11-04 12:16:09 UTC	1191	IN	Data Raw: 70 5d 40 00 49 6d 61 67 65 4c 69 73 74 5f 43 72 65 61 74 65 00 00 00 00 49 6d 61 67 65 4c 69 73 74 5f 44 65 73 74 72 6f 79 00 00 00 49 6d 61 67 65 4c 69 73 74 5f 4c 6f 61 64 49 6d 61 67 65 57 00 00 00 00 67 2b 41 00 4c ac 52 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 9a 81 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 2b 41 00 84 ac 52 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 fd 81 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 00 3a 00 5c 00 64 00 64 00 5c 00 76 00 63 00 74 00 6f 00 6f 00 6c 00 73 00 5c 00 76 00 63 00 37 00 6c 00 69 00 62 00 73 00 5c 00 73 00 68 00 69 00 70 00 5c 00 61 00 74 00 6c 00 6d 00 66 00 63 00 5c 00 73 00 72 Data Ascii: p]@ImageList_CreateImageList_DestroyImageList_LoadImageWg+ALRAg+ARAf:\dd\vctools\vc7libs\ship\atlmfc\sr
2022-11-04 12:16:09 UTC	1207	IN	Data Raw: 68 f6 43 00 82 34 4a 00 e0 eb 52 00 00 00 00 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 00 00 17 eb 43 00 47 00 00 00 00 00 00 00 Data Ascii: hC4JR CG
2022-11-04 12:16:09 UTC	1207	IN	Data Raw: 00 00 00 00 00 00 00 00 33 00 00 00 f2 f0 43 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 00 00 00 22 f6 43 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 03 f5 43 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 17 ff 43 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 67 f8 43 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 27 f9 43 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 00 00 00 0c fb 43 00 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 00 00 00 bb fb 43 00 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 10 f0 43 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 54 f0 43 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 00 00 00 6b fd 43 Data Ascii: 3C)"CCCgC'C$,C{&CCTC5kC
2022-11-04 12:16:09 UTC	1223	IN	Data Raw: 96 19 46 00 70 5d 40 00 d4 38 41 00 c3 d4 40 00 50 ee 42 00 96 5a 44 00 39 b1 4a 00 39 b1 4a 00 f2 39 41 00 13 22 46 00 48 3a 41 00 00 3a 41 00 Data Ascii: Fp]@8A@PBZD9J9J9A"FH:A:A
2022-11-04 12:16:09 UTC	1223	IN	Data Raw: 42 3a 41 00 57 d8 40 00 06 3a 41 00 bb 20 4c 00 96 5a 44 00 96 5a 44 00 96 5a 44 00 d4 21 46 00 7a ea 40 00 2f ea 40 00 69 1e 41 00 5d fa 40 00 84 32 41 00 26 d8 40 00 b3 d4 40 00 12 ea 40 00 42 d5 40 00 96 5a 44 00 7e 2a 41 00 f3 2a 41 00 54 ed 40 00 25 e5 40 00 0b f4 40 00 35 f4 40 00 8e e1 40 00 ad e1 40 00 c2 e1 40 00 d7 e1 40 00 fc e1 40 00 21 e2 40 00 46 e2 40 00 6b e2 40 00 90 e2 40 00 b5 e2 40 00 da e2 40 00 02 e3 40 00 27 e3 40 00 3c e3 40 00 51 e3 40 00 76 e3 40 00 9b e3 40 00 c9 e3 40 00 f1 e3 40 00 0c e4 40 00 2e e4 40 00 2e e4 40 00 53 e4 40 00 ec 28 41 00 05 16 41 00 9e 16 41 00 1d d5 40 00 70 5d 40 00 90 15 40 00 a0 15 40 00 b7 19 46 00 29 33 41 00 7b d6 40 00 c6 1f 41 00 d4 d4 40 00 8c 2c 47 00 89 ca 40 00 ed ec 40 00 ff d5 40 00 be 02 44 Data Ascii: B:AW@:A LZDZDZD!Fz@/@iA]@2A&@@@B@ZD~AAT@%@@5@@@@@@!@F@k@@@@@'@<@Q@v@@@@@.@.@S@(AAA@p]@@@F)3A{@A@,G@@@D
2022-11-04 12:16:09 UTC	1239	IN	Data Raw: 0e 00 00 00 dc 6a 48 00 62 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 db 74 48 00 76 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: jHbtHv
2022-11-04 12:16:09 UTC	1239	IN	Data Raw: 0e 00 00 00 1b 59 48 00 63 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 05 6f 48 00 21 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 6d 74 48 00 14 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2a 00 00 00 af 61 48 00 15 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2a 00 00 00 d9 61 48 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 23 00 00 00 ce 58 48 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 50 74 48 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 e7 78 48 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 c5 5f 48 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 f9 70 48 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 1d 71 48 00 06 00 00 00 00 00 00 Data Ascii: YHcoH!mtHaHaH#XHPtHxH_HpHqH
2022-11-04 12:16:09 UTC	1255	IN	Data Raw: 77 00 00 00 c8 ab 53 00 c0 00 00 00 ff ff 00 00 00 00 00 00 b4 73 54 00 00 00 00 00 00 00 00 00 43 53 70 6c 69 74 74 65 72 57 6e 64 00 00 00 00 Data Ascii: wSsTCSplitterWnd
2022-11-04 12:16:09 UTC	1255	IN	Data Raw: f0 ab 53 00 fc 00 00 00 ff ff 00 00 00 00 00 00 30 8b 52 00 00 00 00 00 00 00 00 00 67 2b 41 00 28 ac 53 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 c1 89 4a 00 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 cd 8b 4a 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 e3 8a 4a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 91 89 4a 00 11 01 00 00 00 00 00 00 35 e1 00 00 35 e1 00 00 3c 00 00 00 5f 8d 4a 00 11 01 00 00 ff ff ff ff 35 e1 00 00 35 e1 00 00 41 00 00 00 25 8d 4a 00 11 01 00 00 ff ff ff ff 50 e1 00 00 50 e1 00 00 41 00 00 00 7b 8d 4a 00 11 01 00 00 00 00 00 00 50 e1 00 00 50 e1 00 00 3c 00 00 00 be 8d 4a 00 11 01 00 00 ff ff ff ff 51 e1 00 00 51 e1 00 00 41 00 00 00 7b 8d 4a Data Ascii: S0Rg+A(SJ!JJJ55<_J55A%JPPA{JPP<JQQA{J
2022-11-04 12:16:09 UTC	1261	IN	Data Raw: 96 5a 44 00 8c 2c 47 00 7a ea 40 00 2f ea 40 00 69 1e 41 00 5d fa 40 00 84 32 41 00 26 d8 40 00 b3 d4 40 00 12 ea 40 00 42 d5 40 00 96 5a 44 00 7e 2a 41 00 f3 2a 41 00 54 ed 40 00 25 e5 40 00 0b f4 40 00 35 f4 40 00 8e e1 40 00 26 7e 47 00 7a 75 47 00 96 75 47 00 28 85 47 00 8f 87 47 00 bc 85 47 00 c2 75 47 00 35 76 47 00 50 86 47 00 b0 76 47 00 b9 86 47 00 96 76 47 00 96 76 47 00 3e 87 47 00 b6 76 47 00 6e 7e 47 00 c9 e3 40 00 e6 76 47 00 0c e4 40 00 2e e4 40 00 2e e4 40 00 53 e4 40 00 ec 28 41 00 05 16 41 00 9e 16 41 00 1d d5 40 00 70 5d 40 00 90 15 40 00 a0 15 40 00 c1 83 47 00 29 33 41 00 f4 82 47 00 c6 1f 41 00 d4 d4 40 00 8c 2c 47 00 6d 2b 41 00 ed ec 40 00 ff d5 40 00 be 02 44 00 d2 a8 4d 00 b9 75 49 00 b9 75 49 00 92 f0 43 00 d2 a8 4d 00 bb 20 4c Data Ascii: ZD,Gz@/@iA]@2A&@@@B@ZD~AAT@%@@5@@&~GzuGuG(GGGuG5vGPGvGGvGvG>GvGn~G@vG@.@.@S@(AAA@p]@@@G)3AGA@,Gm+A@@DMuIuICM L
2022-11-04 12:16:09 UTC	1273	IN	Data Raw: 7f 9d 4c 00 15 85 4c 00 bb 20 4c 00 bb 20 4c 00 a7 86 4c 00 e3 86 4c 00 51 8e 43 00 93 b1 4a 00 ed df 4b 00 6e ee 4b 00 75 ee 4b 00 7c ee 4b 00 ae e4 4b 00 0f f3 4b 00 8c 2c 47 00 00 00 00 00 98 6e 55 00 82 e0 4b 00 9e f3 4b 00 70 5d 40 00 d4 38 41 00 c3 d4 40 00 50 ee 42 00 96 5a 44 00 39 b1 4a 00 39 b1 4a 00 f2 39 41 00 42 fb 4b 00 48 3a 41 00 00 3a 41 00 42 3a 41 00 57 d8 40 00 06 3a 41 00 bb 20 4c 00 96 5a 44 00 96 5a 44 00 96 5a 44 00 8c 2c 47 00 7a ea 40 00 2f ea 40 00 69 1e 41 00 5d fa 40 00 84 32 41 00 26 d8 40 00 b3 d4 40 00 12 ea 40 00 42 d5 40 00 96 5a 44 00 7e 2a 41 00 f3 2a 41 00 54 ed 40 00 25 e5 40 00 0b f4 40 00 35 f4 40 00 8e e1 40 00 ad e1 40 00 c2 e1 40 00 d7 e1 40 00 fc e1 40 00 21 e2 40 00 46 e2 40 00 6b e2 40 00 90 e2 40 00 b5 e2 40 Data Ascii: LL L LLLQCJKnKuK\|KKK,GnUKKp]@8A@PBZD9J9J9ABKH:A:AB:AW@:A LZDZDZD,Gz@/@iA]@2A&@@@B@ZD~AAT@%@@5@@@@@@!@F@k@@@
2022-11-04 12:16:09 UTC	1277	IN	Data Raw: 51 8e 43 00 93 b1 4a 00 43 4d 46 43 43 61 70 74 69 6f 6e 42 61 72 00 00 08 04 54 00 9c 04 00 00 ff ff 00 00 95 cb 4c 00 c0 45 53 00 00 00 00 00 00 00 00 00 43 00 61 00 70 00 74 00 69 00 6f 00 6e 00 20 00 42 00 61 00 72 00 00 00 00 00 00 00 90 71 55 00 fa b8 4c 00 c5 cb 4c 00 32 82 47 00 d4 38 41 00 c3 d4 40 00 50 ee 42 00 96 5a 44 00 39 b1 4a 00 39 b1 4a 00 f2 39 41 00 61 d7 4c 00 48 3a 41 00 00 3a 41 00 42 3a 41 00 57 d8 40 00 06 3a 41 00 bb 20 4c 00 96 5a 44 00 96 5a 44 00 96 5a 44 00 8c 2c 47 00 7a ea 40 00 2f ea 40 00 69 1e 41 00 5d fa 40 00 84 32 41 00 26 d8 40 00 b3 d4 40 00 12 ea 40 00 42 d5 40 00 96 5a 44 00 7e 2a 41 00 f3 2a 41 00 54 ed 40 00 25 e5 40 00 0b f4 40 00 35 f4 40 00 8e e1 40 00 26 7e 47 00 7a 75 47 00 96 75 47 00 28 85 47 00 8f 87 47 Data Ascii: QCJCMFCCaptionBarTLESCaption BarqULL2G8A@PBZD9J9J9AaLH:A:AB:AW@:A LZDZDZD,Gz@/@iA]@2A&@@@B@ZD~AAT@%@@5@@&~GzuGuG(GG
2022-11-04 12:16:09 UTC	1291	IN	Data Raw: 0e d3 4d 00 21 42 49 00 8c 2c 47 00 8c 2c 47 00 0c cb 4d 00 bd d6 4d 00 67 2b 41 00 c0 3b 54 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 23 00 00 00 44 d0 4d 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 23 00 00 00 6d d0 4d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 00 00 00 a2 d0 4d 00 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 00 00 00 19 d1 4d 00 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 10 e1 4d 00 a3 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 f0 d0 4d 00 11 bd 00 00 00 03 00 00 00 00 00 00 00 00 00 00 39 00 00 00 01 cb 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4d 46 43 54 6f 6f 6c 42 61 72 46 6f 6e 74 53 69 7a 65 43 6f 6d 62 6f 42 6f 78 00 43 4d 46 Data Ascii: M!BI,G,GMMg+A;T#DM#mM5M{&MMM9MCMFCToolBarFontSizeComboBoxCMF
2022-11-04 12:16:09 UTC	1293	IN	Data Raw: 7d 0f 4e 00 88 7c 53 00 00 00 00 00 00 00 00 00 e4 79 55 00 0e 08 4e 00 ae 0f 4e 00 70 5d 40 00 d4 38 41 00 c3 d4 40 00 50 ee 42 00 96 5a 44 00 39 b1 4a 00 39 b1 4a 00 f2 39 41 00 3f 1a 4e 00 48 3a 41 00 00 3a 41 00 42 3a 41 00 57 d8 40 00 06 3a 41 00 bb 20 4c 00 96 5a 44 00 96 5a 44 00 96 5a 44 00 8c 2c 47 00 7a ea 40 00 2f ea 40 00 69 1e 41 00 5d fa 40 00 84 32 41 00 26 d8 40 00 b3 d4 40 00 12 ea 40 00 42 d5 40 00 96 5a 44 00 7e 2a 41 00 f3 2a 41 00 54 ed 40 00 25 e5 40 00 0b f4 40 00 35 f4 40 00 8e e1 40 00 ad e1 40 00 c2 e1 40 00 d7 e1 40 00 fc e1 40 00 21 e2 40 00 46 e2 40 00 6b e2 40 00 90 e2 40 00 b5 e2 40 00 da e2 40 00 02 e3 40 00 27 e3 40 00 3c e3 40 00 51 e3 40 00 76 e3 40 00 9b e3 40 00 c9 e3 40 00 f1 e3 40 00 0c e4 40 00 2e e4 40 00 2e e4 40 Data Ascii: }N\|SyUNNp]@8A@PBZD9J9J9A?NH:A:AB:AW@:A LZDZDZD,Gz@/@iA]@2A&@@@B@ZD~AAT@%@@5@@@@@@!@F@k@@@@@'@<@Q@v@@@@@.@.@
2022-11-04 12:16:09 UTC	1309	IN	Data Raw: 4c 00 00 00 49 00 4e 00 44 00 45 00 58 00 00 00 41 00 4c 00 57 00 41 00 59 00 53 00 5f 00 44 00 45 00 53 00 43 00 52 00 49 00 50 00 54 00 49 00 4f 00 4e 00 00 00 00 00 41 00 4c 00 57 00 41 00 59 00 53 00 5f 00 4c 00 41 00 52 00 47 00 45 00 00 00 00 00 50 00 41 00 4c 00 45 00 54 00 54 00 45 00 5f 00 54 00 4f 00 50 00 00 00 49 00 44 00 5f 00 48 00 44 00 50 00 49 00 00 00 4b 00 45 00 59 00 53 00 5f 00 4d 00 45 00 4e 00 55 00 00 00 Data Ascii: LINDEXALWAYS_DESCRIPTIONALWAYS_LARGEPALETTE_TOPID_HDPIKEYS_MENU
2022-11-04 12:16:09 UTC	1309	IN	Data Raw: 4b 00 45 00 59 00 53 00 00 00 00 00 44 00 45 00 53 00 43 00 52 00 49 00 50 00 54 00 49 00 4f 00 4e 00 00 00 54 00 45 00 58 00 54 00 00 00 00 00 56 00 41 00 4c 00 55 00 45 00 00 00 4e 00 41 00 4d 00 45 00 00 00 00 00 00 00 00 00 00 00 f8 3f 52 00 49 00 42 00 42 00 4f 00 4e 00 5f 00 42 00 41 00 52 00 00 00 00 00 53 00 49 00 5a 00 45 00 53 00 00 00 41 00 46 00 58 00 5f 00 52 00 49 00 42 00 42 00 4f 00 4e 00 00 00 00 00 98 82 55 00 2d f3 4e 00 52 00 49 00 43 00 48 00 45 00 44 00 32 00 30 00 2e 00 44 00 4c 00 4c 00 00 00 00 00 52 00 69 00 63 00 68 00 45 00 64 00 69 00 74 00 32 00 30 00 57 00 00 00 20 83 55 00 8c e9 41 00 1b f4 4e 00 42 f4 4e 00 43 4d 46 43 52 69 62 62 6f 6e 4c 61 62 65 6c 00 d8 84 54 00 64 01 00 00 ff ff 00 00 a2 f5 4e 00 00 02 54 00 00 00 00 Data Ascii: KEYSDESCRIPTIONTEXTVALUENAME?RIBBON_BARSIZESAFX_RIBBONU-NRICHED20.DLLRichEdit20W UANBNCMFCRibbonLabelTdNT
2022-11-04 12:16:09 UTC	1321	IN	Data Raw: a5 77 49 00 77 80 49 00 aa 02 4c 00 39 b1 4a 00 f2 08 4c 00 ab bd 4f 00 9c 76 49 00 18 95 4c 00 48 96 4c 00 ab 99 4c 00 62 04 4c 00 e5 ab 4c 00 5b b3 4a 00 1a b3 4a 00 df 02 4c 00 19 03 4c 00 bb 20 4c 00 b2 96 4c 00 ea 75 49 00 f7 96 4c 00 51 97 4c 00 2e 76 49 00 0b 8a 49 00 90 77 49 00 60 d1 46 00 01 7a 49 00 8c 2c 47 00 57 08 4c 00 ca 09 4c 00 9c 08 4c 00 7b 76 49 00 4d 82 49 00 54 8c 49 00 50 0a 4c 00 3a 00 4c 00 ae 82 49 00 96 5a 44 00 f9 97 4c 00 4f 98 4c 00 a1 7d 49 00 61 00 4c 00 a0 80 49 00 7a fe 4e 00 f8 c2 4f 00 39 b1 4a 00 c2 80 49 00 c2 80 49 00 73 83 4c 00 f7 83 4c 00 85 84 4c 00 7a fe 4e 00 9d 80 49 00 92 0b 4c 00 6c 75 49 00 b9 75 49 00 92 f0 43 00 6e 7d 49 00 0c 0a 4c 00 9d 80 49 00 da 77 49 00 96 5a 44 00 39 b1 4a 00 39 b1 4a 00 3c b1 4a Data Ascii: wIwIL9JLOvILHLLbLL[JJLL LLuILQL.vIIwI`FzI,GWLLL{vIMITIPL:LIZDLOL}IaLIzNO9JIIsLLLzNILluIuICn}ILIwIZD9J9J<J
2022-11-04 12:16:09 UTC	1331	IN	Data Raw: 53 75 6e 64 61 79 00 00 53 61 74 00 46 72 69 00 54 68 75 00 57 65 64 00 54 75 65 00 4d 6f 6e 00 53 75 6e 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f 00 3d 00 00 00 8a b4 50 00 b0 91 55 00 94 b2 50 00 d0 3c 51 00 62 61 64 20 65 78 63 65 70 74 69 6f 6e 00 00 00 65 2b 30 30 30 00 00 00 53 75 6e 4d 6f 6e 54 75 65 57 65 64 54 68 75 46 72 69 53 61 74 00 00 00 4a 61 6e 46 65 62 4d 61 72 41 70 72 4d 61 79 4a 75 6e 4a Data Ascii: SundaySatFriThuWedTueMonSun !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~=PUP<Qbad exceptione+000SunMonTueWedThuFriSatJanFebMarAprMayJunJ
2022-11-04 12:16:09 UTC	1341	IN	Data Raw: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~
2022-11-04 12:16:09 UTC	1357	IN	Data Raw: 00 00 00 00 c4 d9 56 00 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 b8 43 55 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 d9 56 00 Data Ascii: V@CUV
2022-11-04 12:16:09 UTC	1357	IN	Data Raw: 04 44 55 00 00 00 00 00 00 00 00 00 02 00 00 00 14 44 55 00 20 44 55 00 2c 94 55 00 00 00 00 00 e0 d9 56 00 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 04 44 55 00 00 00 00 00 00 00 00 00 00 00 00 00 fc d9 56 00 50 44 55 00 00 00 00 00 00 00 00 00 05 00 00 00 60 44 55 00 78 44 55 00 40 95 55 00 b8 93 55 00 f4 93 55 00 2c 94 55 00 00 00 00 00 fc d9 56 00 04 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 50 44 55 00 00 00 00 00 00 00 00 00 00 00 00 00 1c da 56 00 a8 44 55 00 00 00 00 00 00 00 00 00 06 00 00 00 b8 44 55 00 d4 44 55 00 78 44 55 00 40 95 55 00 b8 93 55 00 f4 93 55 00 2c 94 55 00 00 00 00 00 1c da 56 00 05 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 a8 44 55 00 00 00 00 00 00 00 00 00 00 00 00 00 38 da 56 Data Ascii: DUDU DU,UV@DUVPDU`DUxDU@UUU,UV@PDUVDUDUDUxDU@UUU,UV@DU8V
2022-11-04 12:16:09 UTC	1373	IN	Data Raw: d4 83 55 00 00 00 00 00 00 00 00 00 04 00 00 00 e4 83 55 00 f8 83 55 00 b8 93 55 00 f4 93 55 00 2c 94 55 00 00 00 00 00 14 fd 56 00 03 00 00 00 Data Ascii: UUUUU,UV
2022-11-04 12:16:09 UTC	1373	IN	Data Raw: 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 d4 83 55 00 00 00 00 00 00 00 00 00 00 00 00 00 40 fd 56 00 28 84 55 00 00 00 00 00 00 00 00 00 04 00 00 00 38 84 55 00 4c 84 55 00 b8 93 55 00 f4 93 55 00 2c 94 55 00 00 00 00 00 40 fd 56 00 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 28 84 55 00 00 00 00 00 00 00 00 00 00 00 00 00 ac fd 56 00 7c 84 55 00 00 00 00 00 00 00 00 00 02 00 00 00 8c 84 55 00 98 84 55 00 2c 94 55 00 00 00 00 00 ac fd 56 00 01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 7c 84 55 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 fd 56 00 c8 84 55 00 00 00 00 00 00 00 00 00 04 00 00 00 d8 84 55 00 ec 84 55 00 b8 93 55 00 f4 93 55 00 2c 94 55 00 00 00 00 00 d8 fd 56 00 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 Data Ascii: @U@V(U8ULUUU,U@V@(UV\|UUU,UV@\|UVUUUUU,UV
2022-11-04 12:16:09 UTC	1381	IN	Data Raw: 6f 29 12 00 95 29 12 00 c5 29 12 00 fa 29 12 00 2a 2a 12 00 57 2a 12 00 82 2a 12 00 b0 2a 12 00 e0 2a 12 00 14 2b 12 00 64 2b 12 00 a0 2b 12 00 ce 2b 12 00 ff 2b 12 00 40 2c 12 00 9d 2c 12 00 c8 2c 12 00 05 2d 12 00 42 2d 12 00 85 2d 12 00 b5 2d 12 00 ed 2d 12 00 10 2e 12 00 3d 2e 12 00 68 2e 12 00 95 2e 12 00 c2 2e 12 00 e6 2e 12 00 0c 2f 12 00 5c 2f 12 00 9d 2f 12 00 cd 2f 12 00 fe 2f 12 00 37 30 12 00 68 30 12 00 8b 30 12 00 b8 30 12 00 e5 30 12 00 0b 31 12 00 57 31 12 00 ea 31 12 00 15 32 12 00 42 32 12 00 65 32 12 00 88 32 12 00 c8 32 12 00 eb 32 12 00 11 33 12 00 64 33 12 00 ad 33 12 00 6d 34 12 00 2a 35 12 00 4d 35 12 00 7d 35 12 00 b6 35 12 00 e1 35 12 00 5b 36 12 00 8e 36 12 00 e5 36 12 00 08 37 12 00 63 37 12 00 c6 37 12 00 ec 37 12 00 35 38 12 Data Ascii: o))))W*+d++++@,,,-B----.=.h..../\////70h00001W112B2e22223d33m45M5}555[6667c77758
2022-11-04 12:16:09 UTC	1391	IN	Data Raw: 22 05 93 19 02 00 00 00 c0 cb 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff c1 a4 51 00 00 00 00 00 Data Ascii: "UQ
2022-11-04 12:16:09 UTC	1391	IN	Data Raw: c9 a4 51 00 22 05 93 19 02 00 00 00 f4 cb 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff ec a4 51 00 00 00 00 00 f7 a4 51 00 00 00 00 00 ff a4 51 00 22 05 93 19 03 00 00 00 28 cc 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 32 a5 51 00 00 00 00 00 3a a5 51 00 22 05 93 19 02 00 00 00 64 cc 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 5d a5 51 00 00 00 00 00 65 a5 51 00 22 05 93 19 02 00 00 00 98 cc 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc cc 55 00 04 00 00 00 f0 cc 55 00 fc ac 55 00 18 ad 55 00 34 ad 55 00 01 00 00 00 d0 1a 57 00 00 00 00 00 ff ff ff Data Ascii: Q"UQQQ"(U2Q:Q"dU]QeQ"UUUUU4UW
2022-11-04 12:16:09 UTC	1407	IN	Data Raw: 22 05 93 19 01 00 00 00 c8 0b 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 22 05 93 19 0c 00 00 00 18 0c 56 00 Data Ascii: "V"V
2022-11-04 12:16:09 UTC	1407	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff dd e1 51 00 00 00 00 00 55 e2 51 00 01 00 00 00 60 e2 51 00 01 00 00 00 6b e2 51 00 00 00 00 00 e8 e1 51 00 04 00 00 00 f0 e1 51 00 05 00 00 00 fb e1 51 00 04 00 00 00 fb e1 51 00 07 00 00 00 06 e2 51 00 04 00 00 00 11 e2 51 00 09 00 00 00 33 e2 51 00 ff ff ff ff 76 e2 51 00 22 05 93 19 10 00 00 00 9c 0c 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff a6 e2 51 00 00 00 00 00 b1 e2 51 00 01 00 00 00 c2 e2 51 00 02 00 00 00 d3 e2 51 00 03 00 00 00 e4 e2 51 00 04 00 00 00 f5 e2 51 00 05 00 00 00 06 e3 51 00 05 00 00 00 12 e3 51 00 05 00 00 00 1e e3 51 00 05 00 00 00 2a e3 51 00 05 00 00 00 36 e3 51 00 05 00 00 00 42 e3 51 00 05 00 00 Data Ascii: QUQ`QkQQQQQQQ3QvQ"VQQQQQQQQQ*Q6QBQ
2022-11-04 12:16:09 UTC	1421	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 05 17 52 00 22 05 93 19 01 00 00 00 18 44 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 32 17 52 00 ff ff ff ff 4a 17 52 00 ff ff ff ff 3a 17 52 00 ff ff ff ff 42 17 52 00 22 05 93 19 04 00 00 00 44 44 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 6d 17 52 00 22 05 93 19 01 00 00 00 88 44 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 90 17 52 00 00 00 00 00 a9 17 52 00 01 00 00 00 b1 17 52 00 22 05 93 19 03 00 00 00 b4 44 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff d4 17 52 00 00 00 00 00 ed 17 52 Data Ascii: R"DV2RJR:RBR"DDVmR"DVRRR"DVRR
2022-11-04 12:16:09 UTC	1437	IN	Data Raw: 10 ab 16 00 2a ab 16 00 3c ab 16 00 56 ab 16 00 62 ab 16 00 6e ab 16 00 82 ab 16 00 90 ab 16 00 9c ab 16 00 a8 ab 16 00 be ab 16 00 ce ab 16 00 Data Ascii: *<Vbn
2022-11-04 12:16:09 UTC	1437	IN	Data Raw: e2 ab 16 00 ec ab 16 00 fe ab 16 00 12 ac 16 00 20 ac 16 00 2a ac 16 00 36 ac 16 00 46 ac 16 00 56 ac 16 00 a8 aa 16 00 66 a8 16 00 52 a8 16 00 42 a8 16 00 9a aa 16 00 86 aa 16 00 72 aa 16 00 5c aa 16 00 52 aa 16 00 44 aa 16 00 36 aa 16 00 1e aa 16 00 08 aa 16 00 f4 a9 16 00 e2 a9 16 00 c8 a9 16 00 b2 a9 16 00 a0 a9 16 00 96 a9 16 00 7e a9 16 00 6a a9 16 00 5e a9 16 00 4e a9 16 00 3e a9 16 00 28 a9 16 00 12 a9 16 00 06 a9 16 00 f2 a8 16 00 de a8 16 00 cc a8 16 00 b8 a8 16 00 a6 a8 16 00 38 a8 16 00 2a a8 16 00 1e a8 16 00 10 a8 16 00 04 a8 16 00 f8 a7 16 00 ee a7 16 00 dc a7 16 00 c8 a7 16 00 b8 a7 16 00 a8 a7 16 00 9c a7 16 00 90 a7 16 00 80 a7 16 00 74 a7 16 00 6a a7 16 00 56 a7 16 00 44 a7 16 00 36 a7 16 00 28 a7 16 00 1e a7 16 00 0c a7 16 00 00 a7 16 Data Ascii: 6FVfRBr\RD6~j^N>(8tjVD6(
2022-11-04 12:16:09 UTC	1453	IN	Data Raw: 00 00 00 00 2e 3f 41 55 43 54 68 72 65 61 64 44 61 74 61 40 40 00 00 00 14 cd 54 00 00 00 00 00 2e 3f 41 56 43 48 61 6e 64 6c 65 4d 61 70 40 40 Data Ascii: .?AUCThreadData@@T.?AVCHandleMap@@
2022-11-04 12:16:09 UTC	1453	IN	Data Raw: 00 00 00 00 14 cd 54 00 00 00 00 00 2e 3f 41 56 43 4d 46 43 43 6f 6e 74 72 6f 6c 43 6f 6e 74 61 69 6e 65 72 40 40 00 00 14 cd 54 00 00 00 00 00 2e 3f 41 56 43 50 74 72 4c 69 73 74 40 40 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 40 ff ff ff ff 17 00 00 00 16 00 00 00 10 00 00 00 0f 00 00 00 17 00 00 00 16 00 00 00 10 00 00 00 0f 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff a0 c0 52 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 90 c0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 90 c0 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 28 c0 52 00 c8 0c 00 00 01 00 00 80 a1 dd 42 00 10 40 53 00 00 00 00 00 1c 42 57 00 14 cd 54 00 00 00 00 00 2e 3f 41 Data Ascii: T.?AVCMFCControlContainer@@T.?AVCPtrList@@@RRR(RB@SBWT.?A
2022-11-04 12:16:09 UTC	1469	IN	Data Raw: 80 05 55 00 98 0b 57 00 00 0d 57 00 00 0d 57 00 70 06 57 00 7c 01 55 00 14 cd 54 00 00 00 00 00 2e 3f 41 56 62 61 64 5f 65 78 63 65 70 74 69 6f Data Ascii: UWWWpW\|UT.?AVbad_exceptio
2022-11-04 12:16:09 UTC	1469	IN	Data Raw: 6e 40 73 74 64 40 40 00 14 cd 54 00 00 00 00 00 2e 3f 41 56 65 78 63 65 70 74 69 6f 6e 40 73 74 64 40 40 00 00 00 00 00 00 00 00 00 00 00 00 00 bf 44 51 00 bf 44 51 00 bf 44 51 00 bf 44 51 00 bf 44 51 00 bf 44 51 00 bf 44 51 00 bf 44 51 00 bf 44 51 00 bf 44 51 00 80 70 00 00 01 00 00 00 f0 f1 ff ff 00 00 00 00 50 53 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 44 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 0e 57 00 a8 0e 57 00 ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff Data Ascii: n@std@@T.?AVexception@std@@DQDQDQDQDQDQDQDQDQDQpPSTPDThWW
2022-11-04 12:16:09 UTC	1471	IN	Data Raw: 0b 00 00 00 40 00 00 00 ff 03 00 00 80 00 00 00 81 ff ff ff 18 00 00 00 08 00 00 00 20 00 00 00 7f 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 00 a0 02 40 00 00 00 00 00 00 00 00 00 c8 05 40 00 00 00 00 00 00 00 00 00 fa 08 40 00 00 00 00 00 00 00 00 40 9c 0c 40 00 00 00 00 00 00 00 00 50 c3 0f 40 00 00 00 00 00 00 00 00 24 f4 12 40 00 00 00 00 00 00 00 80 96 98 16 40 00 00 00 00 00 00 00 20 bc be 19 40 00 00 00 00 00 04 bf c9 1b 8e 34 40 00 00 00 a1 ed cc ce 1b c2 d3 4e 40 20 f0 9e b5 70 2b a8 ad c5 9d 69 40 d0 5d fd 25 e5 1a 8e 4f 19 eb 83 40 71 96 d7 95 43 0e 05 8d 29 af 9e 40 f9 bf a0 44 ed 81 12 8f 81 82 b9 40 bf 3c d5 a6 cf ff 49 1f 78 c2 d3 40 6f c6 e0 8c e9 80 c9 47 ba 93 a8 41 bc 85 6b 55 27 39 8d f7 70 e0 7c 42 bc dd 8e de f9 9d fb eb 7e aa 51 Data Ascii: @ @@@@@P@$@@ @4@N@ p+i@]%O@qC)@D@<Ix@oGAkU'9p\|B~Q
2022-11-04 12:16:09 UTC	1487	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff d5 dd ff ff 32 59 ff ff 00 2f ff ff 1d 47 ff ff c0 cd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: 2Y/G
2022-11-04 12:16:09 UTC	1487	IN	Data Raw: d4 dc ff ff ba c7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 c1 ff ff 15 40 ff ff 00 2f ff ff 2f 56 ff ff d2 db ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff d3 dc ff ff 5a 7a ff ff 34 5c ff ff 75 90 ff ff 2f 58 ff ff 3c 63 ff ff ba c7 ff ff fc fc ff ff ff ff ff ff ff ff ff ff d2 db ff ff b7 c5 ff ff ff ff ff ff ff ff ff ff fb fc ff ff b6 c4 ff ff 39 60 ff ff 2e 57 ff ff 8c a3 ff ff 4f 72 ff ff 37 5f ff ff ac bd ff ff f9 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff f2 f5 ff ff 9a ae ff ff 31 59 ff ff 5e 7e ff ff d7 df ff ff ff ff ff ff d8 e0 ff ff 5d 7d ff ff 1b 48 ff ff 79 93 ff ff e7 ec ff ff ff ff ff Data Ascii: @//VZz4\u/X<c9`.WOr7_1Y^~]}Hy
2022-11-04 12:16:09 UTC	1503	IN	Data Raw: 7e 97 ff ff 17 44 ff ff e4 e9 ff ff fd fd ff ff 87 9f ff ff 0b 39 ff ff 00 2e ff ff 25 4f ff ff 95 ab ff ff df e6 ff ff 8b a2 ff ff 1e 49 ff ff Data Ascii: ~D9.%OI
2022-11-04 12:16:09 UTC	1503	IN	Data Raw: 00 2e ff ff 10 3e ff ff 70 8c ff ff df e5 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff f2 f5 ff ff 99 ad ff ff 27 51 ff ff 00 2f ff ff 0c 3a ff ff 4c 70 ff ff 2c 55 ff ff 00 2f ff ff 09 38 ff ff 58 79 ff ff ce d8 ff ff fd fe ff ff ff ff ff ff 7e 97 ff ff 17 44 ff ff e3 e9 ff ff ff ff ff ff f2 f5 ff ff 9f b2 ff ff 2c 55 ff ff 00 2f ff ff 0b 39 ff ff 27 52 ff ff 08 36 ff ff 01 30 ff Data Ascii: .>p'Q/:Lp,U/8Xy~D,U/9'R60
2022-11-04 12:16:09 UTC	1519	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2022-11-04 12:16:09 UTC	1519	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii:
2022-11-04 12:16:09 UTC	1535	IN	Data Raw: ff ff ff ff e4 e4 e4 ff 81 81 81 ff 16 16 16 ff 32 32 32 ff f1 f1 f1 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: 222
2022-11-04 12:16:09 UTC	1535	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 80 99 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 80 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fa fb ff ff 78 93 ff ff f1 f4 ff ff ff ff ff ff ff ff ff ff ff ff ff ff 62 82 ff ff 1d 4a ff ff 6c 8a ff ff 07 39 ff ff 1d 4b ff ff 7d 97 ff ff bc ca ff ff 68 86 ff ff ea ef ff ff a4 b6 ff ff ef f3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: 222xbJl9K}h2222
2022-11-04 12:16:09 UTC	1541	IN	Data Raw: 00 32 ff ff 52 74 ff ff e8 ed ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 80 99 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 80 99 ff ff ff ff ff ff ff ff ff ff f3 f6 ff ff 69 87 ff ff 01 33 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 05 37 ff ff 82 9b ff ff fb fc ff ff fa fb ff ff 7d 97 ff ff 04 36 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 01 33 ff ff 6e 8b ff ff f5 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff f2 f5 ff ff 37 5f ff ff 3f 65 ff ff ff ff ff ff ff ff ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: 2Rt222i3222227}6222223n7_?e2222
2022-11-04 12:16:09 UTC	1553	IN	Data Raw: 1b 49 ff ff d2 db ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff f5 f7 ff ff 5e 7e ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 0f 3f ff ff bb ca ff ff fb fc ff ff 82 9b ff ff 06 37 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 01 33 ff ff 6a 88 ff ff f3 f6 ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: I^~2222222?7222223j
2022-11-04 12:16:09 UTC	1557	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff d0 da ff ff 28 52 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 19 47 ff ff c0 cd ff ff ff ff ff ff ff ff ff ff ff ff ff ff db e3 ff ff 3e 64 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 12 41 ff ff a2 b5 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: 222(R2222222G>d222222A
2022-11-04 12:16:09 UTC	1571	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 9b af ff ff 0d 3d ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 0b 3b ff ff 95 aa ff ff fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff db e3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff de e5 ff ff fc fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b7 c6 ff ff 1d 4a ff ff 00 32 ff ff 00 32 ff ff 28 53 ff ff c8 d3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: =222;222J22(S
2022-11-04 12:16:09 UTC	1573	IN	Data Raw: ff ff ff ff f2 f5 ff ff 41 67 ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff 5f 7f ff ff fb fc ff ff 00 32 ff ff 00 32 ff ff 00 32 ff ff ff ff ff ff 92 a8 ff ff 01 33 ff ff 00 32 ff ff 00 32 ff ff 20 4c ff ff da e2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: Ag222_222322 L
2022-11-04 12:16:09 UTC	1589	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 08 8f 88 f8 88 88 fb f8 8b fb f8 8b 88 b8 8b 88 b8 88 b8 8b 88 b8 8b 76 7c 66 7c 67 c7 c7 c8 77 e7 7c 77 e7 7c 8c 78 68 67 87 e7 7f 88 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 8f 87 87 77 77 67 67 67 66 76 66 56 44 64 46 44 64 44 44 64 44 64 57 73 77 77 77 77 77 77 77 77 77 77 77 77 77 77 77 77 77 78 78 88 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 8f 78 Data Ascii: v\|f\|gw\|w\|xhgpwwgggfvfVDdFDdDDdDdWswwwwwwwwwwwwwwwwwxxpx
2022-11-04 12:16:09 UTC	1589	IN	Data Raw: 8e 8e 8e 77 e7 c6 7c 6c 7c 66 c6 6c 66 c6 66 66 66 c6 66 c6 6b 8b b7 bb bb bb bb b8 bb 7b b8 bb 8b b8 bb 8b 8b 8b 8b 8b 78 88 87 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 8f 78 88 77 77 77 c8 67 e6 76 66 c6 66 c6 64 66 c6 c6 c6 66 c7 66 cb b7 8b 78 98 8b 88 b7 b8 b8 8b 8b 88 b8 b8 b8 b8 b8 b8 b8 78 f8 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 f8 78 e8 7e 7e c8 e7 8c 6c 6c 66 6c 66 64 66 c6 66 66 7c 6c 66 c6 68 7b b7 bb 8b b7 b7 b8 b8 b7 b8 b8 b9 8b 8b 8b 7b 8b 7b 8b 87 88 87 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 8f 78 87 8c 87 86 8c 8e 77 66 c7 66 c6 c6 c6 6c 6c 6c 66 66 c6 6c 6b b7 b7 b8 b7 b8 b7 b8 b9 8b 8b 9b 8b 8b 8b 98 b8 9b 8b 8b 87 f8 87 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 f8 Data Ascii: w\|l\|flfffffk{xxwwwgvffdfffxxxx~~llflfdfff\|lfh{{{xwfflllfflk
2022-11-04 12:16:09 UTC	1605	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a7 ca e5 f0 Data Ascii:
2022-11-04 12:16:09 UTC	1605	IN	Data Raw: 92 cd db 77 73 76 74 73 74 74 74 74 d5 d5 74 d5 74 72 73 73 72 6e 6e 6e 6e 6d 6d 6d 6c 6c 6e 6c 6e 6c 6c 6c 46 13 0a 0c 0c 0d 0e 0c 0e 0e 10 10 14 10 1f 1f 1f 1f 21 20 21 1f 17 1f 1f 15 15 10 10 15 0e 10 1e 35 1b e3 f4 e8 a7 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 93 ef e5 ef 84 dd da 76 74 73 76 73 74 74 74 d5 d5 d5 74 74 74 74 73 73 6e 6e 6e 6d 6d 6d 6d 6c 6e 6c 6e 6c 6e 6c 6e 6c 46 13 0b 0a 0c 0c 0c 0e 0c 10 0f 10 10 1f 10 1f 1f 1f 1f 1f 21 20 17 1f 1f 14 14 15 10 10 10 15 15 2f 33 24 f5 f0 be 9e 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a7 e5 f4 Data Ascii: wsvtsttttttrssrnnnnmmmllnlnlllF! !5vtsvstttttttssnnnmmmmlnlnlnlnlF! /3$
2022-11-04 12:16:09 UTC	1621	IN	Data Raw: 07 ff 00 00 ff e0 00 00 3f ff 00 00 ff f8 00 00 ff ff 00 00 ff fe 00 01 ff ff 00 00 ff ff 00 07 ff ff 00 00 ff ff c0 0f ff ff 00 00 ff ff e0 3f Data Ascii: ??
2022-11-04 12:16:09 UTC	1621	IN	Data Raw: ff ff 00 00 ff ff ff ff ff ff 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 08 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 63 63 64 00 6a 6a 6a 00 70 70 70 00 7c 7c 7c 00 98 48 14 00 a4 4d 0f 00 a9 5c 0c 00 a7 5e 16 00 a1 51 19 00 ae 5b 1a 00 a5 60 17 00 b2 67 10 00 b8 60 19 00 9b 6b 38 00 aa 67 27 00 b8 6a 28 00 bb 72 23 00 b4 72 2f 00 bf 77 29 00 bf 79 29 00 bf 6d 37 00 a8 72 34 00 b2 75 32 00 b7 78 35 00 b5 7b 3b 00 bb 7d 3a 00 c2 68 14 00 cc 64 18 00 cd 6c 1b 00 c2 71 16 00 d7 71 1c 00 c4 71 20 00 c1 76 2f 00 c2 7b 2c 00 cc 79 29 00 d9 7e 2c 00 c3 7b 32 00 cb 7b 32 00 c9 7f 39 00 87 5d 43 00 8a 62 46 00 aa 70 49 00 b6 75 47 00 b6 79 40 00 a7 7a 59 00 92 78 68 00 bb 82 3e 00 c8 83 35 00 c3 82 3c 00 c9 86 3f Data Ascii: ( @ccdjjjppp\|\|\|HM\^Q[`g`k8g'j(r#r/w)y)m7r4u2x5{;}:hdlqqq v/{,y)~,{2{29]CbFpIuGy@zYxh>5<?
2022-11-04 12:16:09 UTC	1631	IN	Data Raw: e7 dc af 4e 4d ad 9b 9a 18 1f d3 59 96 23 cf b9 20 27 57 e4 55 0e c8 db 39 76 ef da 81 a9 c9 71 7c e1 4b 5f c2 fd f7 df 8f ab ae 79 07 ee f8 e1 9f c3 d8 c4 34 e6 e6 fb 38 b3 54 78 5f df 4a 78 2f 18 fa 20 e5 cd 7e e7 08 a4 22 c9 e7 81 c0 67 0e 82 e0 41 c3 01 20 07 c7 df 2b 6d d0 ce 3c 08 dc b8 bf 0b 54 47 10 84 51 a2 01 12 42 40 f2 8a 04 04 24 61 c8 21 ba 05 8e 02 00 f8 79 05 84 fd fb d7 e1 b2 fd 93 78 f8 d1 6f e0 cb 7f e7 a3 04 fb f6 ed 45 bb d5 46 a7 33 80 75 75 02 02 04 ad 4d b0 06 b4 36 e3 59 de da 40 84 cb 00 ba 79 cf 9e 3d 8b 3f 74 cb 2d e7 1e 7d f4 d1 de f7 ec a1 7e 9f b7 11 00 7c 07 da 63 8f 3d be e1 e7 7f fe 17 fe b0 28 cb 3f 9d 98 18 bf 68 76 66 9d c9 f3 0c 46 1b 98 2c 83 56 0a 50 b1 5c c7 ec fa 19 ec de b5 03 67 ce cc e1 93 9f fc 24 5e 78 fe 05 Data Ascii: NMY# 'WU9vq\|K_y48Tx_Jx/ ~"gA +m<TGQB@$a!yxoEF3uuM6Y@y=?t-}~\|c=(?hvfF,VP\g$^x
2022-11-04 12:16:09 UTC	1647	IN	Data Raw: cf b8 1d f8 d2 20 ad 6e d2 f9 04 7f 88 9c 98 d4 84 93 6f db cf 35 88 c5 35 fa b0 be ff 28 33 c2 f7 3f 5d dc ae 6e 2d bb d3 8a cd 59 cb ce b4 b9 Data Ascii: no55(3?]n-Y
2022-11-04 12:16:09 UTC	1647	IN	Data Raw: 2c 89 7f b9 44 1f 2e 2b 7c b9 5c 69 4d 8a 80 8b bf 79 11 42 bf 04 5a e8 cc 40 b7 e9 4f 5e fc f9 4a a0 32 87 cf 33 8f b4 83 c3 19 46 89 67 52 65 3e f7 80 1a 6c 77 f7 18 bc a3 08 3e c6 95 15 9e e8 07 a4 fe 7f 64 28 05 88 8c 29 dd d8 f0 11 98 87 13 d6 36 f6 11 39 ce ca ca 31 ea ba 09 d2 5f 82 16 e1 bf ef ee ee 22 62 9e af eb aa e5 12 af e4 cb 31 2e 87 9f 7f 43 c7 ca ca 8a 15 b8 bf ed f5 4c f3 2d ac 43 03 0b 5f da 36 48 6f 09 10 0b 92 c4 0f 9f a2 5d 7f 49 42 1c 95 cc e9 2d ea ea f6 49 52 77 47 a2 74 35 fa f5 d6 c6 75 f9 b2 e8 fa c3 a5 7f ce a3 88 dd 79 cd 33 db 73 9e d9 59 b0 39 a9 5f 94 f8 73 37 e4 e5 8c cb 25 fe 1e 79 f9 a1 30 ff 92 d2 fb a5 be ab 99 84 3e b0 ca a4 a0 9c 4e 8a 2f 49 ea eb a7 32 a3 32 fc 0d c3 27 c6 c3 71 15 b5 65 38 97 4a 66 31 09 7b ab aa Data Ascii: ,D.+\|\iMyBZ@O^J23FgRe>lw>d()691_"b1.CL-C_6Ho]IB-IRwGt5uy3sY9_s7%y0>N/I22'qe8Jf1{
2022-11-04 12:16:09 UTC	1663	IN	Data Raw: 30 5d fb 32 b3 cd 27 f8 f1 1f fb 51 96 46 4b 38 27 b4 4d db 61 7e 0e 78 ec f1 c7 b6 77 76 b6 af fd f0 87 3f fc 0b 4d d3 e4 ba ff 15 1d f5 77 d8 Data Ascii: 0]2'QFK8'Ma~xwv?Mw
2022-11-04 12:16:09 UTC	1663	IN	Data Raw: b8 ea 18 00 c0 03 0f 3e 30 ad ab 7a bf aa eb bf b3 b9 b1 5e cd e7 73 7c 3b b1 82 bd bd 3d 56 d7 37 b8 f5 d6 5b 79 ff f7 7f 3f f7 ff e9 53 3c f2 65 83 33 06 9f 2e 7c 0c ca e3 9e f0 8b c2 c7 fd 97 8e 94 93 af 23 7b 07 b4 cf 54 c7 28 98 07 0c 11 82 83 5c 86 ee 33 e9 9d b7 2e b3 10 09 59 20 c5 24 44 11 0c d1 46 90 31 14 09 e7 cd 08 36 cd 33 3b 3e 44 66 52 84 1d f3 ad 73 49 a8 2e ba dc 4d d8 0d 09 56 14 e0 a7 a2 ae 38 81 18 18 14 54 fb 10 d6 ab 97 92 b5 f3 8e 71 54 0e 67 6d d2 f1 c1 17 f7 0c eb 5b 04 13 9a 7e 48 60 bc 22 89 e1 39 c4 33 18 9c d7 fd cb 41 f4 f9 af 0c 87 0c a9 59 fd d2 ef f1 96 37 bd 89 d7 be f6 b5 98 c2 60 9d 8d 4d 43 74 e6 4d 5d 57 f7 de 7b df b1 f1 78 f2 2f 9f 7a ea c9 2d ae 62 e9 0f 57 29 03 f8 a3 3f fa 23 3b 5f cc f7 36 d6 d7 3e 8d b8 7b 37 Data Ascii: >0z^s\|;=V7[y?S<e3.\|#{T(\3.Y $DF163;>DfRsI.MV8TqTgm[~H`"93AY7`MCtM]W{x/z-bW)?#;_6>{7
2022-11-04 12:16:09 UTC	1679	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1679	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1691	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 03 00 00 00 0b 42 42 42 2f 8e 8b 8c d1 d5 d2 d2 ff d1 cc cc ff ea e9 eb ff 97 97 98 ff a0 cc d0 ff a7 f6 ff Data Ascii: BBB/
2022-11-04 12:16:09 UTC	1707	IN	Data Raw: bc 82 54 ff bc 81 55 ff bc 82 56 ff bc 82 55 ff bb 81 55 ff ba 81 53 ff bc 81 54 ff bc 82 56 ff bc 81 57 ff bf 82 5b ff ca 89 64 ff d2 8e 6c ff Data Ascii: TUVUUSTVW[dl
2022-11-04 12:16:09 UTC	1707	IN	Data Raw: 8e 7b 73 ff eb ea ed ff ca c5 c7 ff b4 b0 af ff 8e 8d 8c fb 4e 4c 4c 60 00 00 00 21 00 00 00 0e 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 8f 8d 8e 37 ac aa aa fb dd da da ff df dc de ff bd bd bf ff 95 b8 b5 ff d1 9f 73 ff c8 92 61 ff c0 88 51 ff bc 84 4b ff b8 81 46 ff b6 7e 42 ff b5 7e 41 ff b2 7b 3f ff ac 74 39 ff a8 6c 30 ff a7 6c 30 ff a6 6a 2e ff a5 68 2b ff a3 65 28 ff a0 60 21 ff 9d 5c 1b Data Ascii: {sNLL`!7saQKF~B~A{?t9l0l0j.h+e(`!\
2022-11-04 12:16:09 UTC	1723	IN	Data Raw: 6f d6 ff ff 6f d5 ff ff 6f d4 ff ff 6f d4 ff ff 6f d6 ff ff 70 d7 ff ff 72 d7 ff ff 71 d6 ff ff 70 d6 ff ff 71 d7 ff ff 70 d9 ff ff 71 d9 ff ff Data Ascii: oooooprqpqpq
2022-11-04 12:16:09 UTC	1723	IN	Data Raw: 76 df ff ff 6f bc cd ff bd c1 c7 ff d0 ce cf ff bb b7 b6 ff a7 a5 a5 ff 70 6f 6f a3 00 00 00 24 00 00 00 10 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b2 b0 b0 89 e2 e2 e2 ff ff ff ff ff f8 f8 fa ff ad aa a6 ff ec c3 ae ff f1 c5 af ff eb c1 a8 ff e6 c2 a5 ff e3 c0 a1 ff e1 bf a0 ff de bd 9c ff dd bd 9c ff db bc 9b ff da ba 9b ff d9 ba 9a ff d9 bb 9b ff da bb 9e ff da bd a0 ff da c0 a3 ff dc c0 a7 ff dd c3 ab ff de c7 ae Data Ascii: vopoo$
2022-11-04 12:16:09 UTC	1739	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1739	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1755	IN	Data Raw: a8 a6 a3 d3 f8 f7 f5 fc e5 da d0 ff d7 ba a1 ff e6 c3 a9 ff e4 c1 a1 ff e0 b7 92 ff cb a1 7a ff 7b f9 fa ff 72 f3 f8 ff 5a eb f2 ff 3e c3 d1 ff Data Ascii: z{rZ>
2022-11-04 12:16:09 UTC	1755	IN	Data Raw: 51 a0 bc ff c1 d7 e4 fe b4 c4 cd f5 62 68 6b c4 2c 2d 2e 71 00 00 00 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 65 c3 c1 bf e2 f4 f2 ef fe c5 b6 ab ff d2 a9 91 ff d9 99 67 ff c6 93 68 ff 49 ed f0 ff 37 ed f6 ff 33 af cb ff 90 c0 d9 ff c6 d4 dc fa 80 87 8b d3 01 03 05 61 00 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 29 6d 6d 6d a4 e8 e8 e7 f9 d1 ce cd ff b4 9b 9e ff 85 79 82 ff 29 a4 b1 ff 46 a9 cc ff ae d1 e5 ff a5 b2 ba Data Ascii: Qbhk,-.q&!eghI73a)mmmy)F
2022-11-04 12:16:09 UTC	1771	IN	Data Raw: 63 00 63 00 65 00 73 00 73 00 69 00 6e 00 67 00 20 00 25 00 31 00 2e 00 33 00 45 00 6e 00 63 00 6f 00 75 00 6e 00 74 00 65 00 72 00 65 00 64 00 Data Ascii: ccessing %1.3Encountered
2022-11-04 12:16:09 UTC	1771	IN	Data Raw: 20 00 61 00 20 00 6c 00 6f 00 63 00 6b 00 69 00 6e 00 67 00 20 00 76 00 69 00 6f 00 6c 00 61 00 74 00 69 00 6f 00 6e 00 20 00 77 00 68 00 69 00 6c 00 65 00 20 00 61 00 63 00 63 00 65 00 73 00 73 00 69 00 6e 00 67 00 20 00 25 00 31 00 2e 00 1d 00 44 00 69 00 73 00 6b 00 20 00 66 00 75 00 6c 00 6c 00 20 00 77 00 68 00 69 00 6c 00 65 00 20 00 61 00 63 00 63 00 65 00 73 00 73 00 69 00 6e 00 67 00 20 00 25 00 31 00 2e 00 24 00 41 00 74 00 74 00 65 00 6d 00 70 00 74 00 65 00 64 00 20 00 74 00 6f 00 20 00 61 00 63 00 63 00 65 00 73 00 73 00 20 00 25 00 31 00 20 00 70 00 61 00 73 00 74 00 20 00 69 00 74 00 73 00 20 00 65 00 6e 00 64 00 2e 00 00 00 12 00 4e 00 6f 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 6f 00 63 00 63 00 75 00 72 00 72 00 65 00 64 00 2e 00 2d Data Ascii: a locking violation while accessing %1.Disk full while accessing %1.$Attempted to access %1 past its end.No error occurred.-
2022-11-04 12:16:09 UTC	1787	IN	Data Raw: 85 35 cd 35 fa 35 1d 36 43 36 66 36 84 36 ac 36 df 36 02 37 14 37 44 37 50 37 55 37 5a 37 64 37 85 37 e4 37 08 38 52 38 63 38 9b 38 ab 38 b3 38 Data Ascii: 5556C6f666677D7P7U7Z7d7778R8c8888
2022-11-04 12:16:09 UTC	1787	IN	Data Raw: ce 38 ae 3a b7 3a bf 3a c9 3a d3 3a dd 3a e7 3a f1 3a 04 3b 2c 3b 39 3b 4d 3b 53 3b 59 3b 62 3b 7a 3b 8c 3b 95 3b b5 3b c4 3b d3 3b e2 3b ee 3b fa 3b 07 3c 12 3c 3f 3c 51 3c 63 3c 9f 3c a8 3c b8 3c cf 3c d5 3c f7 3c 02 3d 2e 3d 3a 3d 46 3d 52 3d 59 3d 63 3d 3f 3e 5b 3e d4 3e e7 3e f0 3e 2a 3f 00 00 00 a0 04 00 94 00 00 00 46 30 83 30 f5 30 14 31 2b 31 56 31 7c 32 bb 32 e2 32 10 33 19 33 3b 33 f1 33 fd 33 2f 34 3b 34 4f 34 5b 34 63 34 72 34 91 34 42 35 48 35 7a 35 88 35 1e 36 a7 36 c4 36 df 36 fa 36 0a 37 1a 37 61 37 80 37 49 38 69 38 e0 38 ec 38 09 39 5d 39 09 3a 2f 3a 35 3a 6a 3a 9a 3a d2 3a 0e 3b 78 3b 9d 3b b7 3b d6 3b e6 3b 00 3c 10 3c 3b 3c 56 3c 6c 3c 96 3c 00 3d 20 3d 3d 3d 5b 3d 79 3d 8a 3d 9e 3e b5 3e 5e 3f 9b 3f ea 3f 00 00 00 b0 04 00 a4 00 00 Data Ascii: 8::::::::;,;9;M;S;Y;b;z;;;;;;;;;<<?<Q<c<<<<<<<=.=:=F=R=Y=c=?>[>>>>*?F0001+1V1\|22233;333/4;4O4[4c4r44B5H5z556666677a77I8i8889]9:/:5:j:::;x;;;;;<<;<V<l<<= ===[=y==>>^???
2022-11-04 12:16:09 UTC	1803	IN	Data Raw: 47 3a 5d 3a 6d 3a 85 3a 9f 3a 40 3b 95 3b 15 3c 51 3c 5b 3c df 3c 67 3d ac 3d e7 3d 05 3e 60 3e 7c 3e a8 3e be 3e 02 3f 17 3f 20 3f 6b 3f 76 3f Data Ascii: G:]:m:::@;;<Q<[<<g===>`>\|>>>?? ?k?v?
2022-11-04 12:16:09 UTC	1803	IN	Data Raw: 87 3f 9b 3f b5 3f f7 3f 00 f0 0c 00 a8 00 00 00 12 30 20 30 36 30 77 30 bd 30 cc 30 e7 30 fb 30 35 31 45 31 8a 31 ba 31 dc 31 e2 31 f3 31 17 32 f9 32 2e 33 39 33 7e 33 87 33 c3 33 e3 33 00 34 06 34 0e 34 97 34 06 35 1b 35 5e 35 8a 35 8f 35 ce 35 4f 36 05 37 0b 37 7e 37 84 37 fd 37 3e 38 8f 38 b2 38 b9 38 1c 39 a6 39 0f 3a 16 3a 4e 3a 92 3a cb 3a d8 3a eb 3a 02 3b 2d 3b 4e 3b 57 3b 7e 3b ba 3b ab 3c d7 3c de 3c e9 3c 1f 3d 4a 3d 79 3d b2 3d c1 3d e4 3d 10 3e 5a 3e 67 3e ae 3e f4 3e 1f 3f 50 3f 55 3f 6b 3f b1 3f d0 3f e8 3f 00 00 0d 00 84 00 00 00 21 30 a7 30 8e 31 dd 31 e7 31 34 32 7d 32 b7 32 1f 33 30 33 5d 33 68 33 f9 33 5c 34 8d 34 d4 34 e9 34 13 35 1e 35 2a 35 32 35 45 35 79 35 9f 35 bb 35 cb 35 e1 35 ee 35 15 36 55 36 6d 36 98 36 01 37 19 37 56 37 f7 Data Ascii: ????0 060w0000051E11111122.393~3333444455^5555O677~777>888899::N:::::;-;N;W;~;;<<<<=J=y====>Z>g>>>?P?U?k????!0011142}22303]3h33\444455*525E5y5555556U6m6677V7
2022-11-04 12:16:09 UTC	1819	IN	Data Raw: 34 36 38 36 3c 36 40 36 44 36 48 36 4c 36 50 36 54 36 58 36 5c 36 60 36 64 36 68 36 6c 36 70 36 74 36 78 36 7c 36 80 36 84 36 88 36 8c 36 90 36 Data Ascii: 4686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6\|666666
2022-11-04 12:16:09 UTC	1819	IN	Data Raw: 94 36 98 36 9c 36 a0 36 a4 36 a8 36 ac 36 b0 36 b4 36 b8 36 bc 36 c0 36 c4 36 c8 36 cc 36 d0 36 d4 36 d8 36 dc 36 e0 36 e4 36 e8 36 ec 36 f0 36 f4 36 f8 36 fc 36 00 37 04 37 08 37 0c 37 10 37 14 37 18 37 1c 37 20 37 24 37 28 37 2c 37 30 37 34 37 38 37 3c 37 40 37 44 37 48 37 4c 37 50 37 54 37 58 37 5c 37 60 37 64 37 68 37 6c 37 70 37 90 37 94 37 98 37 9c 37 a0 37 a4 37 a8 37 ac 37 b0 37 b4 37 b8 37 bc 37 c0 37 c4 37 c8 37 cc 37 d0 37 d4 37 d8 37 dc 37 e0 37 e4 37 e8 37 ec 37 f0 37 f4 37 f8 37 fc 37 00 38 04 38 08 38 0c 38 10 38 14 38 18 38 1c 38 20 38 24 38 28 38 2c 38 30 38 34 38 38 38 3c 38 40 38 44 38 48 38 4c 38 50 38 54 38 58 38 5c 38 60 38 64 38 68 38 6c 38 70 38 74 38 78 38 7c 38 80 38 84 38 88 38 8c 38 90 38 94 38 98 38 9c 38 a0 38 a4 38 a8 38 ac Data Ascii: 66666666666666666666666666677777777 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7777777777777777777777777777788888888 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8\|888888888888
2022-11-04 12:16:09 UTC	1835	IN	Data Raw: 24 3b 28 3b 2c 3b 30 3b 34 3b 38 3b 3c 3b 40 3b 44 3b 48 3b 4c 3b 50 3b 54 3b 58 3b 5c 3b 60 3b 64 3b 68 3b 6c 3b 70 3b 74 3b 78 3b 7c 3b 80 3b Data Ascii: $;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;\|;;
2022-11-04 12:16:09 UTC	1835	IN	Data Raw: 88 3b 8c 3b 90 3b 94 3b 98 3b 9c 3b a0 3b a4 3b a8 3b ac 3b b0 3b b4 3b b8 3b bc 3b c0 3b c4 3b c8 3b cc 3b d0 3b d4 3b d8 3b dc 3b e0 3b e4 3b e8 3b ec 3b 18 3c 24 3c 28 3c 34 3c 40 3c 44 3c 50 3c 54 3c 58 3c 5c 3c 60 3c 64 3c 68 3c 6c 3c 70 3c 74 3c 78 3c 7c 3c 80 3c 84 3c 88 3c 8c 3c 90 3c 94 3c 98 3c 9c 3c a0 3c a4 3c a8 3c ac 3c b0 3c c8 3c d4 3c d8 3c e8 3c ec 3c f0 3c f4 3c f8 3c fc 3c 00 3d 04 3d 08 3d 0c 3d 10 3d 14 3d 18 3d 1c 3d 20 3d 24 3d 28 3d 2c 3d 30 3d 34 3d 38 3d 3c 3d 40 3d 44 3d 48 3d 4c 3d 50 3d 54 3d 58 3d 5c 3d 60 3d 64 3d 68 3d 6c 3d 70 3d 74 3d 78 3d 7c 3d 80 3d 84 3d 88 3d 8c 3d 90 3d 94 3d 98 3d 9c 3d a0 3d a4 3d a8 3d ac 3d b0 3d b4 3d b8 3d bc 3d c0 3d c4 3d c8 3d cc 3d d0 3d d4 3d d8 3d dc 3d e0 3d e4 3d e8 3d ec 3d f0 3d f4 Data Ascii: ;;;;;;;;;;;;;;;;;;;;;;;;;;<$<(<4<@<D<P<T<X<\<`<d<h<l<p<t<x<\|<<<<<<<<<<<<<<<<<<<<<<<======== =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=\|==============================
2022-11-04 12:16:09 UTC	1851	IN	Data Raw: ac 32 b0 32 b4 32 b8 32 bc 32 c0 32 c4 32 c8 32 cc 32 d0 32 d4 32 d8 32 dc 32 e0 32 e4 32 e8 32 ec 32 f0 32 f4 32 f8 32 fc 32 00 33 04 33 08 33 Data Ascii: 222222222222222222222333
2022-11-04 12:16:09 UTC	1851	IN	Data Raw: 0c 33 10 33 14 33 18 33 1c 33 20 33 24 33 28 33 2c 33 30 33 34 33 38 33 3c 33 40 33 44 33 48 33 4c 33 50 33 54 33 58 33 5c 33 60 33 64 33 68 33 6c 33 70 33 74 33 78 33 7c 33 80 33 84 33 88 33 8c 33 90 33 94 33 98 33 9c 33 a0 33 a4 33 a8 33 ac 33 b0 33 b4 33 b8 33 bc 33 c0 33 c4 33 dc 33 f4 33 0c 34 24 34 3c 34 54 34 6c 34 a4 34 b4 34 c0 34 c4 34 c8 34 cc 34 d0 34 d4 34 d8 34 dc 34 e0 34 e4 34 e8 34 ec 34 f0 34 f4 34 f8 34 fc 34 00 35 04 35 08 35 0c 35 10 35 14 35 18 35 1c 35 20 35 24 35 28 35 2c 35 30 35 34 35 38 35 3c 35 40 35 44 35 48 35 4c 35 50 35 54 35 58 35 5c 35 60 35 64 35 68 35 6c 35 70 35 74 35 78 35 7c 35 80 35 84 35 88 35 8c 35 90 35 94 35 98 35 9c 35 a0 35 a4 35 a8 35 ac 35 b0 35 b4 35 b8 35 bc 35 c0 35 c4 35 c8 35 cc 35 d0 35 d4 35 d8 35 dc Data Ascii: 33333 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3\|3333333333333333333334$4<4T4l444444444444444444455555555 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5\|555555555555555555555555
2022-11-04 12:16:09 UTC	1867	IN	Data Raw: 10 32 14 32 24 32 28 32 2c 32 34 32 4c 32 5c 32 60 32 70 32 74 32 78 32 80 32 98 32 a8 32 ac 32 bc 32 c0 32 c4 32 c8 32 cc 32 d0 32 d4 32 d8 32 Data Ascii: 22$2(2,242L2\2`2p2t2x2222222222222
2022-11-04 12:16:09 UTC	1867	IN	Data Raw: e0 32 f8 32 fc 32 14 33 24 33 28 33 2c 33 30 33 34 33 38 33 3c 33 44 33 5c 33 6c 33 70 33 74 33 78 33 7c 33 80 33 88 33 a0 33 b0 33 b4 33 b8 33 bc 33 c0 33 d4 33 d8 33 e8 33 ec 33 f0 33 f4 33 f8 33 fc 33 00 34 08 34 20 34 24 34 3c 34 4c 34 50 34 54 34 58 34 5c 34 60 34 68 34 80 34 90 34 94 34 98 34 9c 34 a0 34 b4 34 b8 34 c8 34 cc 34 d0 34 d4 34 d8 34 dc 34 e0 34 e8 34 00 35 10 35 14 35 24 35 28 35 2c 35 34 35 4c 35 5c 35 60 35 70 35 74 35 78 35 7c 35 80 35 84 35 88 35 8c 35 90 35 98 35 b0 35 c0 35 c4 35 d4 35 d8 35 dc 35 e4 35 fc 35 0c 36 10 36 20 36 24 36 28 36 30 36 48 36 58 36 5c 36 6c 36 70 36 74 36 7c 36 94 36 a4 36 a8 36 b8 36 bc 36 c0 36 c8 36 e0 36 f0 36 f4 36 04 37 08 37 0c 37 14 37 2c 37 3c 37 40 37 50 37 54 37 58 37 60 37 78 37 7c 37 94 37 a4 Data Ascii: 2223$3(3,3034383<3D3\3l3p3t3x3\|3333333333333333344 4$4<4L4P4T4X4\4`4h44444444444444444555$5(5,545L5\5`5p5t5x5\|55555555555555566 6$6(606H6X6\6l6p6t6\|666666666667777,7<7@7P7T7X7`7x7\|77
2022-11-04 12:16:09 UTC	1883	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1883	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1899	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1899	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1915	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1915	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1931	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1931	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-11-04 12:16:09 UTC	1941	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ExamShieldLauncher.exePID: 2128, Parent PID: 1860

General

Target ID:	1
Start time:	13:16:20
Start date:	04/11/2022
Path:	C:\Users\user\Desktop\ExamShieldLauncher.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ExamShieldLauncher.exe
Imagebase:	0x50000
File size:	1999848 bytes
MD5 hash:	BEFD48DC616713BD9A29659D3BD59934
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ExamShieldSetup.exePID: 800, Parent PID: 2128

General

Target ID:	4
Start time:	13:16:28
Start date:	04/11/2022
Path:	C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD
Imagebase:	0x30000
File size:	1999848 bytes
MD5 hash:	BEFD48DC616713BD9A29659D3BD59934
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ExamShieldLauncher.exePID: 2128, Parent PID: 1860COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 00070268 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 559
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00070268(void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int __fp0) {
				signed char _t260;
				void* _t270;
				struct tagLOGFONTW _t271;
				struct tagLOGFONTW _t280;
				struct HFONT__* _t305;
				void* _t307;
				struct HFONT__* _t312;
				signed int _t318;
				int _t327;
				signed int _t330;
				struct HINSTANCE__* _t332;
				struct HINSTANCE__* _t333;
				intOrPtr _t336;
				signed int _t352;
				struct HFONT__* _t369;
				int _t371;
				signed int _t372;
				WCHAR* _t373;
				intOrPtr* _t398;
				char _t399;
				void* _t401;
				void* _t404;
				intOrPtr _t405;
				intOrPtr _t406;
				void* _t407;
				intOrPtr _t408;
				void* _t409;
				void* _t410;
				void* _t411;
				intOrPtr _t412;
				void* _t413;
				signed int _t426;
				signed int _t437;
				void* _t440;
				signed int _t442;
				void* _t446;
				signed int _t447;
				signed int _t448;
				void* _t450;
				void* _t453;
				intOrPtr _t484;
				signed long long _t488;

				_t453 = __eflags;
				_t437 = __edx;
				_push(0x488);
				E00151A82(0x169407, __ebx, __edi, __esi);
				_t398 = __ecx;
				_push(0);
				 *(_t450 - 0x460) = __ecx;
				E0006661F(__ecx, _t450 - 0x494, __edx, __edi, 0, _t453);
				 *(_t450 - 4) = 0;
				_t260 = GetDeviceCaps( *(_t450 - 0x48c), 0x58);
				 *(_t450 - 0x464) = _t260;
				asm("fild dword [ebp-0x464]");
				_t488 = __fp0 /  *0x17bbc8;
				asm("fst qword [ebx+0x1dc]");
				asm("fld1");
				asm("fcom st0, st1");
				asm("fnstsw ax");
				if((_t260 & 0x00000005) != 0) {
					st0 = _t488;
					L4:
					st0 = _t488;
				} else {
					_t488 =  *0x17bbc0;
					asm("fcomp st0, st2");
					asm("fnstsw ax");
					st1 = _t488;
					if((_t260 & 0x00000041) != 0) {
						goto L4;
					} else {
						 *(_t398 + 0x1dc) = _t488;
					}
				}
				_t404 = _t398 + 0x114;
				if(_t404 != 0 &&  *((intOrPtr*)(_t404 + 4)) != 0) {
					DeleteObject(E000667F8(_t398, _t404, _t437));
				}
				_t405 = _t398 + 0x11c;
				 *((intOrPtr*)(_t450 - 0x478)) = _t405;
				if(_t405 != 0 &&  *((intOrPtr*)(_t405 + 4)) != 0) {
					DeleteObject(E000667F8(_t398, _t405, _t437));
				}
				_t406 = _t398 + 0x124;
				 *((intOrPtr*)(_t450 - 0x470)) = _t406;
				if(_t406 != 0 &&  *((intOrPtr*)(_t406 + 4)) != 0) {
					DeleteObject(E000667F8(_t398, _t406, _t437));
				}
				_t407 = _t398 + 0x12c;
				if(_t407 != 0 &&  *((intOrPtr*)(_t407 + 4)) != 0) {
					DeleteObject(E000667F8(_t398, _t407, _t437));
				}
				_t408 = _t398 + 0x134;
				 *((intOrPtr*)(_t450 - 0x474)) = _t408;
				if(_t408 != 0 &&  *((intOrPtr*)(_t408 + 4)) != 0) {
					DeleteObject(E000667F8(_t398, _t408, _t437));
				}
				_t409 = _t398 + 0x13c;
				if(_t409 != 0 &&  *((intOrPtr*)(_t409 + 4)) != 0) {
					DeleteObject(E000667F8(_t398, _t409, _t437));
				}
				_t410 = _t398 + 0x144;
				if(_t410 != 0 &&  *((intOrPtr*)(_t410 + 4)) != 0) {
					DeleteObject(E000667F8(_t398, _t410, _t437));
				}
				_t411 = _t398 + 0x14c;
				if(_t411 != 0 &&  *((intOrPtr*)(_t411 + 4)) != 0) {
					DeleteObject(E000667F8(_t398, _t411, _t437));
				}
				_t412 = _t398 + 0x15c;
				 *((intOrPtr*)(_t450 - 0x480)) = _t412;
				if(_t412 != 0 &&  *((intOrPtr*)(_t412 + 4)) != 0) {
					DeleteObject(E000667F8(_t398, _t412, _t437));
				}
				_t413 = _t398 + 0x154;
				if(_t413 != 0) {
					_t475 =  *((intOrPtr*)(_t413 + 4));
					if( *((intOrPtr*)(_t413 + 4)) != 0) {
						DeleteObject(E000667F8(_t398, _t413, _t437));
					}
				}
				 *((intOrPtr*)(_t450 - 0x264)) = 0x1f8;
				E0006EE53(_t475, _t450 - 0x264);
				E00151B30(_t450 - 0x6c, 0, 0x5c);
				 *((char*)(_t450 - 0x55)) = GetTextCharsetInfo( *(_t450 - 0x490), 0, 0);
				 *(_t450 - 0x5c) =  *(_t450 - 0x174);
				 *((char*)(_t450 - 0x58)) =  *((intOrPtr*)(_t450 - 0x170));
				asm("cdq");
				_t270 = ( *(_t450 - 0x184) ^ _t437) - _t437;
				if(_t270 > 0xc) {
					_t271 = _t270 - 1;
					__eflags = _t271;
				} else {
					_t271 = 0xb;
				}
				if( *(_t450 - 0x184) < 0) {
					_t271 =  ~_t271;
				}
				_t440 = lstrcpyW;
				 *(_t450 - 0x6c) = _t271;
				lstrcpyW(_t450 - 0x50, _t450 - 0x168);
				if( *_t398 == 0 &&  *((char*)(_t450 - 0x16d)) <= 2) {
					_t371 = EnumFontFamiliesW( *(_t450 - 0x490), 0, E0007021F,  *0x1c3988); // executed
					if(_t371 != 0) {
						_t372 = EnumFontFamiliesW( *(_t450 - 0x490), 0, E0007021F,  *0x1c3984);
						__eflags = _t372;
						_t373 = _t450 - 0x50;
						if(_t372 != 0) {
							_push( *0x1c398c);
						} else {
							_push( *0x1c3984);
						}
						lstrcpyW(_t373, ??);
					} else {
						lstrcpyW(_t450 - 0x50,  *0x1c3988);
						 *((char*)(_t450 - 0x52)) = 5;
					}
				}
				_t446 = CreateFontIndirectW;
				E000667CA(_t398, _t398 + 0x114, _t437, _t440, CreateFontIndirectW(_t450 - 0x6c));
				 *(_t450 - 0x464) =  *(_t450 - 0x6c);
				 *((intOrPtr*)(_t450 - 0x47c)) = E00155F20(_t437,  *(_t450 - 0x6c));
				asm("fild dword [ebp-0x47c]");
				_t491 = (_t488 +  *0x1a1b78 + st0) /  *0x17bbb8;
				_t280 = E00155A90(_t279, (_t488 +  *0x1a1b78 + st0) /  *0x17bbb8);
				_t481 =  *(_t450 - 0x464);
				 *(_t450 - 0x6c) = _t280;
				if( *(_t450 - 0x464) < 0) {
					 *(_t450 - 0x6c) =  ~( *(_t450 - 0x6c));
				}
				E000667CA(_t398, _t398 + 0x154, _t437, _t440, CreateFontIndirectW(_t450 - 0x6c));
				 *(_t450 - 0x6c) =  *(_t450 - 0x464);
				 *((intOrPtr*)(_t450 - 0x45c)) = 0x1f8;
				E0006EE53(_t481, _t450 - 0x45c);
				 *((char*)(_t450 - 0x58)) =  *((intOrPtr*)(_t450 - 0x30c));
				 *(_t450 - 0x5c) =  *(_t450 - 0x310);
				E000667CA(_t398,  *((intOrPtr*)(_t450 - 0x478)), _t437, _t440, CreateFontIndirectW(_t450 - 0x6c));
				 *((char*)(_t450 - 0x58)) =  *((intOrPtr*)(_t450 - 0x170));
				 *(_t450 - 0x5c) =  *(_t450 - 0x174);
				 *((char*)(_t450 - 0x57)) = 1;
				E000667CA(_t398,  *((intOrPtr*)(_t450 - 0x474)), _t437, _t440, CreateFontIndirectW(_t450 - 0x6c));
				 *((char*)(_t450 - 0x57)) = 0;
				 *(_t450 - 0x5c) = 0x2bc;
				E000667CA(_t398,  *((intOrPtr*)(_t450 - 0x470)), _t437, _t440, CreateFontIndirectW(_t450 - 0x6c));
				_t399 =  *((intOrPtr*)(_t450 - 0x55));
				 *(_t450 - 0x5c) =  *(_t450 - 0x5c) & 0x00000000;
				 *((char*)(_t450 - 0x55)) = 2;
				 *(_t450 - 0x6c) = GetSystemMetrics(0x48) - 1;
				lstrcpyW(_t450 - 0x50,  *0x1c3994);
				_t305 = CreateFontIndirectW(_t450 - 0x6c);
				_t422 =  *((intOrPtr*)(_t450 - 0x480));
				E000667CA(_t399,  *((intOrPtr*)(_t450 - 0x480)), _t437, _t440, _t305);
				 *(_t450 - 0x468) =  *(_t450 - 0x468) & 0x00000000;
				 *((char*)(_t450 - 0x55)) = _t399;
				 *((intOrPtr*)(_t450 - 0x46c)) = 0x17bba0;
				_t441 = GetStockObject;
				 *(_t450 - 4) = 1;
				_t307 = GetStockObject(0x11);
				_t400 = GetObjectW;
				 *(_t450 - 0x468) = _t307;
				if(_t307 != 0 && GetObjectW( *(_t450 - 0x468), 0x5c, _t450 - 0x6c) != 0) {
					 *(_t450 - 0x6c) =  *(_t450 - 0x184);
					 *(_t450 - 0x5c) =  *(_t450 - 0x174);
					 *((char*)(_t450 - 0x58)) =  *((intOrPtr*)(_t450 - 0x170));
					 *((intOrPtr*)(_t450 - 0x60)) = 0x384;
					 *((intOrPtr*)(_t450 - 0x64)) = 0xa8c;
					lstrcpyW(_t450 - 0x50,  *0x1c3990);
					E000667CA(GetObjectW,  *(_t450 - 0x460) + 0x144, _t437, GetStockObject, CreateFontIndirectW(_t450 - 0x6c));
					 *((intOrPtr*)(_t450 - 0x64)) = 0x384;
					_t369 = CreateFontIndirectW(_t450 - 0x6c);
					_t422 =  *(_t450 - 0x460) + 0x14c;
					_t484 =  *(_t450 - 0x460) + 0x14c;
					E000667CA(GetObjectW,  *(_t450 - 0x460) + 0x14c, _t437, GetStockObject, _t369);
				}
				GetObjectW( *(E000667B6(_t400, _t422, _t437, _t441, _t446, _t484, GetStockObject(0x11)) + 4), 0x5c, _t450 - 0x6c);
				 *((char*)(_t450 - 0x57)) = 1;
				_t312 = CreateFontIndirectW(_t450 - 0x6c);
				_t442 =  *(_t450 - 0x460);
				E000667CA(_t400, _t442 + 0x13c, _t437, _t442, _t312);
				 *((char*)(_t450 - 0x57)) = 0;
				 *(_t450 - 0x5c) = 0x2bc;
				E000667CA(_t400, _t442 + 0x12c, _t437, _t442, CreateFontIndirectW(_t450 - 0x6c));
				_t426 = _t442;
				E0006F01E(_t400, _t426, _t437, _t442, _t446, _t484);
				_t447 =  *0x1c3f70; // 0x0
				while(_t447 != 0) {
					_t318 = _t447;
					__eflags = _t447;
					if(_t447 == 0) {
						L60:
						E000655E0(_t426);
						asm("int3");
						_push(0x11c);
						E00151A82(0x169594, _t400, _t442, _t447);
						_t448 = _t426;
						 *(_t450 - 0x128) = _t448;
						 *((intOrPtr*)(_t448 + 0x94)) = 0;
						 *((intOrPtr*)(_t448 + 0x90)) = 0x177dac;
						 *(_t450 - 4) = 0;
						 *((intOrPtr*)(_t448 + 0x9c)) = 0;
						 *((intOrPtr*)(_t448 + 0x98)) = 0x177dac;
						 *((intOrPtr*)(_t448 + 0xa4)) = 0;
						 *((intOrPtr*)(_t448 + 0xa0)) = 0x177dac;
						 *((intOrPtr*)(_t448 + 0xac)) = 0;
						 *((intOrPtr*)(_t448 + 0xa8)) = 0x177dac;
						 *((intOrPtr*)(_t448 + 0xb4)) = 0;
						 *((intOrPtr*)(_t448 + 0xb0)) = 0x177dac;
						 *((intOrPtr*)(_t448 + 0xbc)) = 0;
						 *((intOrPtr*)(_t448 + 0xb8)) = 0x177dac;
						 *((intOrPtr*)(_t448 + 0xc4)) = 0;
						 *((intOrPtr*)(_t448 + 0xc0)) = 0x177dac;
						 *((intOrPtr*)(_t448 + 0xcc)) = 0;
						 *((intOrPtr*)(_t448 + 0xc8)) = 0x177dac;
						 *((intOrPtr*)(_t448 + 0xd4)) = 0;
						 *((intOrPtr*)(_t448 + 0xd0)) = 0x179fb0;
						 *((intOrPtr*)(_t448 + 0xdc)) = 0;
						 *((intOrPtr*)(_t448 + 0xd8)) = 0x179fb0;
						 *((intOrPtr*)(_t448 + 0xe4)) = 0;
						 *((intOrPtr*)(_t448 + 0xe0)) = 0x179fb0;
						 *((intOrPtr*)(_t448 + 0x10c)) = 0;
						 *((intOrPtr*)(_t448 + 0x110)) = 0;
						 *((intOrPtr*)(_t448 + 0x118)) = 0;
						 *((intOrPtr*)(_t448 + 0x114)) = 0x17bba0;
						 *((intOrPtr*)(_t448 + 0x120)) = 0;
						 *((intOrPtr*)(_t448 + 0x11c)) = 0x17bba0;
						 *((intOrPtr*)(_t448 + 0x128)) = 0;
						 *((intOrPtr*)(_t448 + 0x124)) = 0x17bba0;
						 *((intOrPtr*)(_t448 + 0x130)) = 0;
						 *((intOrPtr*)(_t448 + 0x12c)) = 0x17bba0;
						 *((intOrPtr*)(_t448 + 0x138)) = 0;
						 *((intOrPtr*)(_t448 + 0x134)) = 0x17bba0;
						 *((intOrPtr*)(_t448 + 0x140)) = 0;
						 *((intOrPtr*)(_t448 + 0x13c)) = 0x17bba0;
						 *((intOrPtr*)(_t448 + 0x148)) = 0;
						 *((intOrPtr*)(_t448 + 0x144)) = 0x17bba0;
						 *((intOrPtr*)(_t448 + 0x150)) = 0;
						 *((intOrPtr*)(_t448 + 0x14c)) = 0x17bba0;
						 *((intOrPtr*)(_t448 + 0x158)) = 0;
						 *((intOrPtr*)(_t448 + 0x154)) = 0x17bba0;
						 *((intOrPtr*)(_t448 + 0x160)) = 0;
						 *((intOrPtr*)(_t448 + 0x15c)) = 0x17bba0;
						 *(_t450 - 4) = 0x14;
						 *((intOrPtr*)(_t448 + 0x164)) = 0;
						 *((intOrPtr*)(_t448 + 0x168)) = 0;
						 *((intOrPtr*)(_t448 + 0x16c)) = 0;
						 *((intOrPtr*)(_t448 + 0x170)) = 0;
						 *(_t450 - 0x124) = 0x114;
						GetVersionExW(_t450 - 0x124);
						_t327 = GetSystemMetrics(0x1000); // executed
						__eflags =  *((intOrPtr*)(_t450 - 0x120)) - 6;
						 *((intOrPtr*)(_t448 + 0x180)) = _t327;
						asm("sbb eax, eax");
						__eflags =  *((intOrPtr*)(_t450 - 0x120)) - 6;
						 *((intOrPtr*)(_t448 + 0x174)) = _t327 + 1;
						if(__eflags != 0) {
							L63:
							if(__eflags > 0) {
								goto L65;
							} else {
								_t330 = 0;
							}
						} else {
							__eflags =  *((intOrPtr*)(_t450 - 0x11c)) - 1;
							if( *((intOrPtr*)(_t450 - 0x11c)) >= 1) {
								L65:
								_t330 = 1;
								__eflags = 1;
							} else {
								__eflags =  *((intOrPtr*)(_t450 - 0x120)) - 6;
								goto L63;
							}
						}
						 *((intOrPtr*)(_t448 + 0x178)) = _t330;
						 *((intOrPtr*)(_t448 + 0x17c)) = 0;
						 *((intOrPtr*)(_t448 + 0x1e4)) = 1;
						 *((intOrPtr*)(_t448 + 0xc)) = 0;
						 *((intOrPtr*)(_t448 + 8)) = 0;
						 *((intOrPtr*)(_t448 + 0x10)) = 0;
						E0006FD0F(_t400, _t448, _t437, 0, _t448, __eflags);
						_push(L"UxTheme.dll"); // executed
						_t332 = E0005E893(_t448, _t448, __eflags); // executed
						_t401 = GetProcAddress;
						 *(_t448 + 0x1ec) = _t332;
						__eflags = _t332;
						if(_t332 == 0) {
							 *((intOrPtr*)(_t448 + 0x1f4)) = 0;
							 *((intOrPtr*)(_t448 + 0x1f8)) = 0;
							 *((intOrPtr*)(_t448 + 0x1fc)) = 0;
							 *((intOrPtr*)(_t448 + 0x200)) = 0;
							 *((intOrPtr*)(_t448 + 0x204)) = 0;
							 *((intOrPtr*)(_t448 + 0x208)) = 0;
						} else {
							 *((intOrPtr*)(_t448 + 0x1f4)) = GetProcAddress(_t332, "DrawThemeParentBackground");
							 *((intOrPtr*)(_t448 + 0x1f8)) = GetProcAddress( *(_t448 + 0x1ec), "DrawThemeTextEx");
							 *((intOrPtr*)(_t448 + 0x1fc)) = GetProcAddress( *(_t448 + 0x1ec), "BufferedPaintInit");
							 *((intOrPtr*)(_t448 + 0x200)) = GetProcAddress( *(_t448 + 0x1ec), "BufferedPaintUnInit");
							 *((intOrPtr*)(_t448 + 0x204)) = GetProcAddress( *(_t448 + 0x1ec), "BeginBufferedPaint");
							 *((intOrPtr*)(_t448 + 0x208)) = GetProcAddress( *(_t448 + 0x1ec), "EndBufferedPaint");
						}
						_t333 = E0006EF88(_t401, _t437, L"dwmapi.dll"); // executed
						 *(_t448 + 0x1f0) = _t333;
						__eflags = _t333;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t448 + 0x20c)) = 0;
							 *((intOrPtr*)(_t448 + 0x210)) = 0;
							 *((intOrPtr*)(_t448 + 0x214)) = 0;
						} else {
							 *((intOrPtr*)(_t448 + 0x20c)) = GetProcAddress(_t333, "DwmExtendFrameIntoClientArea");
							 *((intOrPtr*)(_t448 + 0x210)) = GetProcAddress( *(_t448 + 0x1f0), "DwmDefWindowProc");
							 *((intOrPtr*)(_t448 + 0x214)) = GetProcAddress( *(_t448 + 0x1f0), "DwmIsCompositionEnabled");
						}
						 *((intOrPtr*)(_t448 + 0xe8)) = 0;
						 *((intOrPtr*)(_t448 + 0xec)) = 0;
						 *((intOrPtr*)(_t448 + 0xf0)) = 0;
						 *((intOrPtr*)(_t448 + 0xf4)) = 0;
						 *((intOrPtr*)(_t448 + 0x100)) = 0;
						 *((intOrPtr*)(_t448 + 0x104)) = 0;
						 *((intOrPtr*)(_t448 + 0x108)) = 0;
						 *((intOrPtr*)(_t448 + 0xf8)) = 0;
						 *((intOrPtr*)(_t448 + 0xfc)) = 0;
						 *_t448 = 0;
						 *((intOrPtr*)(_t448 + 4)) = 0;
						E00070268(_t401, _t448, _t437, 0, _t448, __eflags, _t491); // executed
						E0006EB16(_t448);
						 *(_t448 + 0x1c4) =  *(_t448 + 0x1c4) | 0xffffffff;
						_t336 = 4;
						 *((intOrPtr*)(_t448 + 0x1b0)) = _t336;
						 *((intOrPtr*)(_t448 + 0x1bc)) = _t336;
						__eflags = 1;
						 *((intOrPtr*)(_t448 + 0x18c)) = 1;
						 *((intOrPtr*)(_t448 + 0x21c)) = 1;
						 *((intOrPtr*)(_t448 + 0x19c)) = 1;
						 *((intOrPtr*)(_t448 + 0x198)) = 0;
						 *((intOrPtr*)(_t448 + 0x1e8)) = 0;
						 *((intOrPtr*)(_t448 + 0x1b4)) = 3;
						 *((intOrPtr*)(_t448 + 0x1b8)) = 0xe;
						 *((intOrPtr*)(_t448 + 0x1c0)) = 0x32;
						 *((intOrPtr*)(_t448 + 0x184)) = 0;
						 *((intOrPtr*)(_t448 + 0x188)) = 0;
						 *((intOrPtr*)(_t448 + 0x218)) = 0;
						 *((intOrPtr*)(_t448 + 0x220)) = 0;
						 *((intOrPtr*)(_t448 + 0x224)) = 0;
						return E00151B05(_t401, 0, _t448);
					} else {
						_t442 =  *(_t318 + 8);
						_t447 =  *_t447;
						__eflags = _t442;
						__eflags = 0 | _t442 != 0x00000000;
						if(__eflags == 0) {
							goto L60;
						} else {
							_t352 = E0005F85A(_t400, _t426, _t437, _t442, _t447, __eflags,  *((intOrPtr*)(_t442 + 0x20)));
							__eflags = _t352;
							if(_t352 != 0) {
								_t426 = _t442;
								 *((intOrPtr*)( *_t442 + 0x3a8))();
							}
							continue;
						}
					}
					L73:
				}
				 *(_t450 - 4) = 0;
				 *((intOrPtr*)(_t450 - 0x46c)) = 0x17bba0;
				E00051420(_t450 - 0x46c, _t437);
				 *(_t450 - 4) =  *(_t450 - 4) | 0xffffffff;
				E00066673(_t400, _t450 - 0x494, _t437, _t442, _t447,  *(_t450 - 4));
				return E00151B05(_t400, _t442, _t447);
				goto L73;
			}

0x00070268
0x00070268
0x00070268
0x00070272
0x00070277
0x0007027b
0x00070282
0x00070288
0x00070295
0x00070298
0x0007029e
0x000702a4
0x000702aa
0x000702b0
0x000702b6
0x000702b8
0x000702ba
0x000702bf
0x000702da
0x000702dc
0x000702dc
0x000702c1
0x000702c1
0x000702c7
0x000702c9
0x000702cb
0x000702d0
0x00000000
0x000702d2
0x000702d2
0x000702d2
0x000702d0
0x000702e4
0x000702ec
0x000702f9
0x000702f9
0x000702fb
0x00070301
0x00070309
0x00070316
0x00070316
0x00070318
0x0007031e
0x00070326
0x00070333
0x00070333
0x00070335
0x0007033d
0x0007034a
0x0007034a
0x0007034c
0x00070352
0x0007035a
0x00070367
0x00070367
0x00070369
0x00070371
0x0007037e
0x0007037e
0x00070380
0x00070388
0x00070395
0x00070395
0x00070397
0x0007039f
0x000703ac
0x000703ac
0x000703ae
0x000703b4
0x000703bc
0x000703c9
0x000703c9
0x000703cb
0x000703d3
0x000703d5
0x000703d8
0x000703e0
0x000703e0
0x000703d8
0x000703eb
0x000703f5
0x00070401
0x00070417
0x00070420
0x00070429
0x00070432
0x00070435
0x0007043a
0x00070441
0x00070441
0x0007043c
0x0007043e
0x0007043e
0x00070448
0x0007044a
0x0007044a
0x0007044c
0x00070452
0x00070460
0x00070464
0x00070487
0x0007048b
0x000704b2
0x000704b4
0x000704b6
0x000704b9
0x000704c3
0x000704bb
0x000704bb
0x000704bb
0x000704ca
0x0007048d
0x00070497
0x00070499
0x00070499
0x0007048b
0x000704cc
0x000704df
0x000704e8
0x000704f3
0x000704f9
0x00070508
0x0007050e
0x00070513
0x0007051a
0x0007051d
0x0007051f
0x0007051f
0x0007052f
0x0007053a
0x00070546
0x00070550
0x0007055b
0x00070564
0x00070574
0x0007057f
0x00070588
0x0007058f
0x0007059c
0x000705a5
0x000705a9
0x000705b9
0x000705be
0x000705c1
0x000705c7
0x000705d8
0x000705df
0x000705e5
0x000705e7
0x000705ee
0x000705f3
0x000705fa
0x000705fd
0x00070607
0x0007060f
0x00070613
0x00070615
0x0007061b
0x00070623
0x00070647
0x00070650
0x00070659
0x00070660
0x00070667
0x0007066e
0x00070687
0x00070690
0x00070697
0x000706a0
0x000706a0
0x000706a6
0x000706a6
0x000706be
0x000706c4
0x000706c8
0x000706ca
0x000706d7
0x000706e0
0x000706e4
0x000706f4
0x000706f9
0x000706fb
0x00070700
0x00070734
0x00070708
0x0007070a
0x0007070c
0x00070766
0x00070766
0x0007076b
0x0007076c
0x00070776
0x0007077b
0x00070784
0x0007078a
0x00070790
0x00070796
0x00070799
0x0007079f
0x000707a5
0x000707ab
0x000707b1
0x000707b7
0x000707bd
0x000707c3
0x000707c9
0x000707cf
0x000707d5
0x000707db
0x000707e1
0x000707e7
0x000707f2
0x000707f8
0x000707fe
0x00070804
0x0007080a
0x00070810
0x00070816
0x0007081c
0x00070827
0x0007082d
0x00070833
0x00070839
0x0007083f
0x00070845
0x0007084b
0x00070851
0x00070857
0x0007085d
0x00070863
0x00070869
0x0007086f
0x00070875
0x0007087b
0x00070881
0x00070887
0x0007088d
0x00070893
0x00070899
0x000708a6
0x000708aa
0x000708b0
0x000708b6
0x000708bc
0x000708c2
0x000708cc
0x000708d7
0x000708dd
0x000708e4
0x000708ea
0x000708ed
0x000708f4
0x000708fa
0x0007090c
0x0007090c
0x00000000
0x0007090e
0x0007090e
0x0007090e
0x000708fc
0x000708fc
0x00070903
0x00070912
0x00070914
0x00070914
0x00070905
0x00070905
0x00000000
0x00070905
0x00070903
0x00070917
0x0007091d
0x00070923
0x0007092d
0x00070930
0x00070933
0x00070936
0x0007093b
0x00070940
0x00070945
0x0007094c
0x00070952
0x00070954
0x000709c5
0x000709cb
0x000709d1
0x000709d7
0x000709dd
0x000709e3
0x00070956
0x00070969
0x0007097c
0x0007098f
0x000709a2
0x000709b5
0x000709bd
0x000709bd
0x000709ee
0x000709f4
0x000709fa
0x000709fc
0x00070a34
0x00070a3a
0x00070a40
0x000709fe
0x00070a11
0x00070a24
0x00070a2c
0x00070a2c
0x00070a48
0x00070a4e
0x00070a54
0x00070a5a
0x00070a60
0x00070a66
0x00070a6c
0x00070a72
0x00070a78
0x00070a7e
0x00070a80
0x00070a83
0x00070a8a
0x00070a8f
0x00070a98
0x00070a99
0x00070a9f
0x00070aa7
0x00070aa8
0x00070aae
0x00070ab4
0x00070aba
0x00070ac0
0x00070ac6
0x00070ad0
0x00070ada
0x00070ae4
0x00070aea
0x00070af0
0x00070af6
0x00070afc
0x00070b09
0x0007070e
0x0007070e
0x00070711
0x00070715
0x0007071a
0x0007071c
0x00000000
0x0007071e
0x00070721
0x00070726
0x00070728
0x0007072c
0x0007072e
0x0007072e
0x00000000
0x00070728
0x0007071c
0x00000000
0x0007070c
0x0007073e
0x00070742
0x0007074c
0x00070751
0x0007075b
0x00070765
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00070272

Part of subcall function 0006661F: __EH_prolog3.LIBCMT ref: 00066626
Part of subcall function 0006661F: GetWindowDC.USER32(00000000), ref: 00066652

GetDeviceCaps.GDI32(?,00000058), ref: 00070298
DeleteObject.GDI32(00000000), ref: 000702F9
DeleteObject.GDI32(00000000), ref: 00070316
DeleteObject.GDI32(00000000), ref: 00070333
DeleteObject.GDI32(00000000), ref: 0007034A
DeleteObject.GDI32(00000000), ref: 00070367
DeleteObject.GDI32(00000000), ref: 0007037E
DeleteObject.GDI32(00000000), ref: 00070395
DeleteObject.GDI32(00000000), ref: 000703AC
DeleteObject.GDI32(00000000), ref: 000703C9
DeleteObject.GDI32(00000000), ref: 000703E0
_memset.LIBCMT ref: 00070401
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 00070411
lstrcpyW.KERNEL32(?,?), ref: 00070460
EnumFontFamiliesW.GDI32(?,00000000,Function_0002021F), ref: 00070487
lstrcpyW.KERNEL32(?), ref: 00070497
EnumFontFamiliesW.GDI32(?,00000000,Function_0002021F), ref: 000704B2
lstrcpyW.KERNEL32(?), ref: 000704CA
CreateFontIndirectW.GDI32(?), ref: 000704D6
CreateFontIndirectW.GDI32(?), ref: 00070526
CreateFontIndirectW.GDI32(?), ref: 0007056B
CreateFontIndirectW.GDI32(?), ref: 00070593
CreateFontIndirectW.GDI32(?), ref: 000705B0
GetSystemMetrics.USER32 ref: 000705CB
lstrcpyW.KERNEL32(?), ref: 000705DF
CreateFontIndirectW.GDI32(?), ref: 000705E5
GetStockObject.GDI32(00000011), ref: 00070613
GetObjectW.GDI32(?,0000005C,?), ref: 00070635
lstrcpyW.KERNEL32(?), ref: 0007066E
CreateFontIndirectW.GDI32(?), ref: 00070678
CreateFontIndirectW.GDI32(?), ref: 00070697
GetStockObject.GDI32(00000011), ref: 000706AD
GetObjectW.GDI32(?,0000005C,?), ref: 000706BE
CreateFontIndirectW.GDI32(?), ref: 000706C8
CreateFontIndirectW.GDI32(?), ref: 000706EB

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

__EH_prolog3_GS.LIBCMT ref: 00070776
GetVersionExW.KERNEL32(?,0000011C,00000000), ref: 000708CC
KiUserCallbackDispatcher.NTDLL ref: 000708D7
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0007095C
GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 0007096F
GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 00070982
GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 00070995
GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 000709A8
GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 000709BB
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 00070A04
GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 00070A17
GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 00070A2A

Strings

BeginBufferedPaint, xrefs: 00070997
DwmIsCompositionEnabled, xrefs: 00070A19
DwmDefWindowProc, xrefs: 00070A06
UxTheme.dll, xrefs: 0007093B
dwmapi.dll, xrefs: 000709E9
EndBufferedPaint, xrefs: 000709AA
BufferedPaintUnInit, xrefs: 00070984
DrawThemeTextEx, xrefs: 0007095E
BufferedPaintInit, xrefs: 00070971
DwmExtendFrameIntoClientArea, xrefs: 000709FE
DrawThemeParentBackground, xrefs: 00070956

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$AddressProc$lstrcpy$EnumFamiliesH_prolog3_Stock$CallbackCapsCharsetDeviceDispatcherException@8H_prolog3InfoMetricsSystemTextThrowUserVersionWindow_memset
String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 3527877632-1174303547
Opcode ID: 68f3710e16d24c37f6bcb96ffc400edbdf48432a87ed1601a4b333618485431c
Instruction ID: c78d1f24f8d73b62c3e808755521e187f3c561eaf3cc225a6f7609bf30c59560
Opcode Fuzzy Hash: 68f3710e16d24c37f6bcb96ffc400edbdf48432a87ed1601a4b333618485431c
Instruction Fuzzy Hash: E23235B0C05708DBCB619FB5C844BDAFBF8AF54304F00896AE5AE97252DB746680CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00058050 Relevance: 60.3, APIs: 9, Strings: 24, Instructions: 2556
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E00058050(short* __ecx, signed int __edx, void* __fp0) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v544;
				short _v1068;
				short* _v1072;
				signed int _v1076;
				char _v1080;
				char _v1084;
				char _v1088;
				signed int _v1092;
				char _v1096;
				char _v1100;
				char _v1104;
				WCHAR* _v1108;
				char _v1112;
				char _v1116;
				char _v1120;
				char _v1124;
				WCHAR* _v1128;
				WCHAR* _v1132;
				char _v1136;
				char _v1140;
				char _v1144;
				short* _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1192;
				char _v1492;
				char _v1500;
				char _v1892;
				intOrPtr _v2732;
				intOrPtr _v2736;
				char _v2776;
				char _v2780;
				char _v2940;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t792;
				signed int _t793;
				void* _t795;
				signed int _t797;
				signed int _t800;
				signed int _t803;
				signed int _t807;
				signed int _t811;
				signed int _t815;
				signed int _t819;
				signed int _t823;
				signed int _t827;
				signed int _t831;
				signed int _t835;
				signed int _t839;
				signed int _t843;
				signed int _t847;
				signed int _t851;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				intOrPtr* _t859;
				signed int* _t860;
				short* _t862;
				intOrPtr* _t869;
				signed int* _t870;
				short* _t872;
				signed int _t877;
				intOrPtr* _t879;
				long _t884;
				intOrPtr* _t886;
				void* _t891;
				short* _t894;
				void* _t895;
				short* _t898;
				void* _t899;
				short* _t902;
				signed int _t904;
				void* _t911;
				signed int _t916;
				void* _t922;
				void* _t923;
				signed int _t927;
				signed int _t928;
				void* _t931;
				char _t957;
				signed int _t959;
				signed int _t961;
				signed int** _t964;
				signed int** _t967;
				signed int** _t968;
				signed int** _t970;
				signed int** _t972;
				signed int** _t974;
				signed int** _t976;
				signed int** _t978;
				short* _t980;
				short* _t982;
				signed int** _t984;
				signed int** _t986;
				signed int** _t988;
				signed int** _t990;
				signed int** _t992;
				char _t1025;
				char _t1026;
				signed int* _t1029;
				signed int _t1030;
				void* _t1031;
				void* _t1032;
				signed int* _t1038;
				signed int _t1039;
				void* _t1040;
				void* _t1041;
				char _t1046;
				signed int* _t1048;
				signed int _t1049;
				void* _t1050;
				void* _t1051;
				signed int* _t1058;
				signed int _t1059;
				void* _t1060;
				void* _t1061;
				signed int** _t1068;
				signed int** _t1069;
				signed int** _t1071;
				signed int** _t1073;
				signed int** _t1075;
				signed int** _t1077;
				signed int** _t1079;
				short* _t1081;
				short* _t1083;
				signed int** _t1085;
				signed int** _t1087;
				signed int** _t1089;
				signed int** _t1091;
				signed int** _t1093;
				signed int** _t1095;
				void* _t1129;
				signed int** _t1132;
				short* _t1139;
				signed int** _t1141;
				signed int** _t1143;
				signed int** _t1144;
				signed int** _t1146;
				signed int** _t1148;
				signed int** _t1150;
				signed int** _t1152;
				signed int** _t1154;
				signed int** _t1155;
				signed int** _t1156;
				signed int** _t1158;
				signed int** _t1160;
				signed int** _t1162;
				signed int** _t1164;
				signed int** _t1166;
				signed int** _t1168;
				short* _t1205;
				short* _t1207;
				signed int** _t1209;
				signed int** _t1210;
				signed int** _t1212;
				signed int** _t1214;
				signed int** _t1216;
				signed int** _t1218;
				signed int** _t1220;
				short* _t1222;
				short* _t1224;
				signed int** _t1226;
				signed int** _t1228;
				signed int** _t1230;
				signed int** _t1232;
				signed int** _t1234;
				signed int* _t1270;
				signed int _t1271;
				void* _t1272;
				void* _t1273;
				intOrPtr* _t1276;
				signed int* _t1283;
				signed int _t1284;
				void* _t1285;
				void* _t1286;
				signed int** _t1289;
				signed int _t1298;
				signed int** _t1305;
				signed int** _t1306;
				signed int** _t1308;
				signed int** _t1310;
				short* _t1312;
				signed int** _t1314;
				signed int** _t1316;
				short* _t1318;
				short* _t1320;
				signed int** _t1322;
				signed int** _t1324;
				signed int** _t1326;
				signed int** _t1328;
				signed int** _t1330;
				signed int _t1365;
				signed int** _t1368;
				signed int** _t1370;
				signed int** _t1372;
				signed int** _t1374;
				signed int** _t1375;
				signed int** _t1377;
				signed int** _t1379;
				short* _t1381;
				short* _t1383;
				signed int** _t1385;
				signed int** _t1387;
				signed int** _t1389;
				signed int** _t1391;
				signed int** _t1392;
				intOrPtr* _t1424;
				short* _t1428;
				intOrPtr* _t1429;
				short* _t1433;
				signed int _t1442;
				signed int _t1452;
				void* _t1461;
				void* _t1464;
				void* _t1468;
				char _t1469;
				char _t1470;
				void* _t1473;
				WCHAR* _t1479;
				intOrPtr* _t1540;
				signed int _t1542;
				signed int _t1546;
				signed int _t1549;
				signed int _t1606;
				char _t1650;
				signed int _t1660;
				char _t1696;
				signed int _t1781;
				signed int _t1878;
				signed int _t1881;
				signed int _t1885;
				void* _t1886;
				signed int _t1887;
				void* _t1888;
				signed int _t1891;
				signed int _t1894;
				signed int _t1898;
				signed int _t1905;
				signed int _t1907;
				signed int _t1909;
				signed int _t1911;
				signed int _t1913;
				signed int _t1915;
				signed int _t1917;
				signed int _t1919;
				signed int _t1921;
				signed int _t1923;
				signed int _t1925;
				signed int _t1927;
				signed int _t1929;
				signed int _t1935;
				signed int _t1937;
				signed int _t1939;
				signed int _t1941;
				signed int _t1943;
				signed int _t1945;
				signed int _t1947;
				signed int _t1949;
				signed int _t1951;
				signed int _t1953;
				signed int _t1955;
				signed int _t1957;
				signed int _t1959;
				signed int _t1961;
				signed int _t1963;
				signed int _t1966;
				short* _t1967;
				signed int _t1969;
				signed int _t1971;
				signed int _t1973;
				signed int _t1975;
				signed int _t1977;
				signed int _t1979;
				signed int _t1981;
				signed int _t1983;
				signed int _t1985;
				signed int _t1987;
				signed int _t1989;
				signed int _t1991;
				signed int _t1993;
				signed int _t1995;
				signed int _t1997;
				signed int _t1999;
				signed int _t2002;
				signed int _t2004;
				signed int _t2006;
				signed int _t2008;
				signed int _t2010;
				signed int _t2012;
				signed int _t2014;
				signed int _t2016;
				signed int _t2018;
				signed int _t2020;
				signed int _t2022;
				signed int _t2024;
				signed int _t2026;
				signed int _t2028;
				signed int _t2030;
				signed int _t2033;
				signed int _t2038;
				signed int _t2040;
				signed int _t2042;
				signed int _t2044;
				signed int _t2046;
				signed int _t2048;
				signed int _t2050;
				signed int _t2052;
				signed int _t2054;
				signed int _t2056;
				signed int _t2058;
				signed int _t2060;
				signed int _t2062;
				signed int _t2064;
				signed int _t2069;
				signed int _t2071;
				signed int _t2073;
				signed int _t2075;
				signed int _t2077;
				signed int _t2079;
				signed int _t2081;
				signed int _t2083;
				signed int _t2085;
				signed int _t2087;
				signed int _t2089;
				signed int _t2091;
				signed int _t2093;
				signed int _t2095;
				signed int _t2096;
				signed int _t2099;
				void* _t2106;
				signed int** _t2109;
				signed int _t2110;
				signed int** _t2112;
				WCHAR* _t2113;
				void* _t2115;
				WCHAR* _t2120;
				void* _t2123;
				short* _t2124;
				signed int _t2125;
				char _t2126;
				void* _t2127;
				signed int _t2128;
				signed int _t2130;
				signed int _t2132;
				void* _t2133;
				intOrPtr _t2134;
				void* _t2135;
				void* _t2136;
				void* _t2137;
				void* _t2138;
				char _t2139;
				void* _t2143;
				void* _t2144;
				void* _t2145;
				void* _t2146;
				intOrPtr _t2147;
				void* _t2148;
				void* _t2149;
				void* _t2150;
				void* _t2158;

				_t2158 = __fp0;
				_t1862 = __edx;
				_t2134 = _t2133 - 0xb6c;
				_t792 =  *0x1c0454; // 0x885926af
				_t793 = _t792 ^ _t2132;
				_v24 = _t793;
				 *[fs:0x0] =  &_v16;
				_v20 = _t2134;
				_t2124 = __ecx;
				_v1148 = __ecx;
				__imp__#17(_t793, _t2106, _t2123, _t1468,  *[fs:0x0], 0x174d4e, 0xffffffff);
				__ecx[0x5c] = 0;
				_t795 = E0005B1C0(); // executed
				if(_t795 != 0 || E0005B240(_t1468, _t1862, 0) == 0) {
					if(E0005B240(_t1468, _t1862, 0) != 0) {
						goto L7;
					}
					_t1461 = E0005B2E0();
					_t2154 = _t1461;
					if(_t1461 != 0) {
						goto L7;
					}
					goto L4;
				} else {
					L4:
					E0005C190(_t1468,  &_v1492);
					_v8 = 0;
					_t1464 = E00064645(_t1468,  &_v1492, _t1862, 0, _t2124, _t2154);
					_v8 = 0xffffffff;
					if(_t1464 == 6) {
						E0005C230(_t1468, _t1862, 0);
						L7:
						_t797 = E00065761();
						__eflags = _t797;
						_t1486 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t797 = E00051330(_t1468, _t1486, 0, _t2124);
						}
						_t14 =  *((intOrPtr*)( *((intOrPtr*)( *_t797 + 0xc))))() + 0x10; // 0x10
						_t1469 = _t14;
						_v1088 = _t1469;
						_v8 = 1;
						_t800 = E00065761();
						__eflags = _t800;
						_t1489 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t800 = E00051330(_t1469, _t1489, 0, _t2124);
						}
						_t20 =  *((intOrPtr*)( *((intOrPtr*)( *_t800 + 0xc))))() + 0x10; // 0x10
						_t2125 = _t20;
						_v1092 = _t2125;
						_v8 = 2;
						_t803 = E00065761();
						__eflags = _t803;
						_t1492 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t803 = E00051330(_t1469, _t1492, 0, _t2125);
						}
						_v1116 =  *((intOrPtr*)( *((intOrPtr*)( *_t803 + 0xc))))() + 0x10;
						_v8 = 3;
						_t807 = E00065761();
						__eflags = _t807;
						_t1495 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t807 = E00051330(_t1469, _t1495, 0, _t2125);
						}
						_v1120 =  *((intOrPtr*)( *((intOrPtr*)( *_t807 + 0xc))))() + 0x10;
						_v8 = 4;
						_t811 = E00065761();
						__eflags = _t811;
						_t1498 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t811 = E00051330(_t1469, _t1498, 0, _t2125);
						}
						_v1140 =  *((intOrPtr*)( *((intOrPtr*)( *_t811 + 0xc))))() + 0x10;
						_v8 = 5;
						_t815 = E00065761();
						__eflags = _t815;
						_t1501 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t815 = E00051330(_t1469, _t1501, 0, _t2125);
						}
						_v1136 =  *((intOrPtr*)( *((intOrPtr*)( *_t815 + 0xc))))() + 0x10;
						_v8 = 6;
						_t819 = E00065761();
						__eflags = _t819;
						_t1504 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t819 = E00051330(_t1469, _t1504, 0, _t2125);
						}
						_v1132 =  *((intOrPtr*)( *((intOrPtr*)( *_t819 + 0xc))))() + 0x10;
						_v8 = 7;
						_t823 = E00065761();
						__eflags = _t823;
						_t1507 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t823 = E00051330(_t1469, _t1507, 0, _t2125);
						}
						_v1128 =  *((intOrPtr*)( *((intOrPtr*)( *_t823 + 0xc))))() + 0x10;
						_v8 = 8;
						_t827 = E00065761();
						__eflags = _t827;
						_t1510 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t827 = E00051330(_t1469, _t1510, 0, _t2125);
						}
						_v1096 =  *((intOrPtr*)( *((intOrPtr*)( *_t827 + 0xc))))() + 0x10;
						_v8 = 9;
						_t831 = E00065761();
						__eflags = _t831;
						_t1513 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t831 = E00051330(_t1469, _t1513, 0, _t2125);
						}
						_v1100 =  *((intOrPtr*)( *((intOrPtr*)( *_t831 + 0xc))))() + 0x10;
						_v8 = 0xa;
						_t835 = E00065761();
						__eflags = _t835;
						_t1516 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t835 = E00051330(_t1469, _t1516, 0, _t2125);
						}
						_v1108 =  *((intOrPtr*)( *((intOrPtr*)( *_t835 + 0xc))))() + 0x10;
						_v8 = 0xb;
						_t839 = E00065761();
						__eflags = _t839;
						_t1519 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t839 = E00051330(_t1469, _t1519, 0, _t2125);
						}
						_v1112 =  *((intOrPtr*)( *((intOrPtr*)( *_t839 + 0xc))))() + 0x10;
						_v8 = 0xc;
						_t843 = E00065761();
						__eflags = _t843;
						_t1522 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t843 = E00051330(_t1469, _t1522, 0, _t2125);
						}
						_v1144 =  *((intOrPtr*)( *((intOrPtr*)( *_t843 + 0xc))))() + 0x10;
						_v8 = 0xd;
						_t847 = E00065761();
						__eflags = _t847;
						_t1525 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t847 = E00051330(_t1469, _t1525, 0, _t2125);
						}
						_v1152 =  *((intOrPtr*)( *((intOrPtr*)( *_t847 + 0xc))))() + 0x10;
						_v8 = 0xe;
						_t851 = E00065761();
						__eflags = _t851;
						_t1528 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t851 = E00051330(_t1469, _t1528, 0, _t2125);
						}
						_v1124 =  *((intOrPtr*)( *((intOrPtr*)( *_t851 + 0xc))))() + 0x10;
						_v8 = 0xf;
						_push(0x12c);
						_v1076 = 0;
						_t855 = E0006A156();
						__eflags = _t855;
						if(_t855 != 0) {
							E000563E0( &_v1088, _t855, 0x12c);
							_t1469 = _v1088;
						}
						_push(0xc8);
						_t856 = E0006A156();
						__eflags = _t856;
						if(_t856 != 0) {
							E000563E0( &_v1092, _t856, 0xc8);
							_t2125 = _v1092;
						}
						_push(0x136);
						_t857 = E0006A156();
						__eflags = _t857;
						if(_t857 != 0) {
							E000563E0( &_v1096, _t857, 0x136);
						}
						_push(0x140);
						_t858 = E0006A156();
						__eflags = _t858;
						if(_t858 != 0) {
							E000563E0( &_v1100, _t858, 0x140);
						}
						_t1878 =  &_v1072;
						_t859 = E0005C0A0(_t1469, _t1878,  &_v1088, L"ExamShieldSetup.exe");
						_t2135 = _t2134 + 0xc;
						_v8 = 0x10;
						_t1531 =  *_t859;
						_t860 =  *_t859 - 0x10;
						_t2109 = _v1116 + 0xfffffff0;
						__eflags = _t860 - _t2109;
						if(_t860 == _t2109) {
							L53:
							_v8 = 0xf;
							_t862 =  &(_v1072[0xfffffffffffffff8]);
							_t1532 =  &(_t862[6]);
							asm("lock xadd [ecx], edx");
							__eflags = (_t1878 | 0xffffffff) - 1;
							if((_t1878 | 0xffffffff) - 1 <= 0) {
								_t1532 =  *_t862;
								 *((intOrPtr*)( *((intOrPtr*)( *( *_t862) + 4))))(_t862);
							}
							_t2110 =  *(_t1469 - 0xc);
							__eflags = _t2110;
							if(_t2110 >= 0) {
								L57:
								__eflags =  *((intOrPtr*)(_t1469 - 8)) - _t2110 | 0x00000001 -  *((intOrPtr*)(_t1469 - 4));
								if(( *((intOrPtr*)(_t1469 - 8)) - _t2110 | 0x00000001 -  *((intOrPtr*)(_t1469 - 4))) < 0) {
									E00051290( &_v1088, _t2110);
									_t1469 = _v1088;
								}
								_t1532 = _t2110 + 1;
								E001515C5(_t1469, _t2110 + 1);
								_t2135 = _t2135 + 8;
								__eflags = _t2110 -  *((intOrPtr*)(_t1469 - 8));
								if(_t2110 >  *((intOrPtr*)(_t1469 - 8))) {
									goto L56;
								} else {
									_t1881 = 0;
									 *(_t1469 - 0xc) = _t2110;
									 *((short*)(_t1469 + _t2110 * 2)) = 0;
									_t869 = E0005C0A0(_t1469,  &_v1072,  &_v1088, L"ExamShieldVersion.txt");
									_t2136 = _t2135 + 0xc;
									_v8 = 0x11;
									_t1536 =  *_t869;
									_t870 =  *_t869 - 0x10;
									_t2112 = _v1120 + 0xfffffff0;
									__eflags = _t870 - _t2112;
									if(_t870 == _t2112) {
										L68:
										_v8 = 0xf;
										_t872 =  &(_v1072[0xfffffffffffffff8]);
										_t1537 =  &(_t872[6]);
										asm("lock xadd [ecx], edx");
										__eflags = (_t1881 | 0xffffffff) - 1;
										if((_t1881 | 0xffffffff) - 1 <= 0) {
											_t1537 =  *_t872;
											 *((intOrPtr*)( *((intOrPtr*)( *( *_t872) + 4))))(_t872);
										}
										__eflags =  *(_t2125 - 0xc);
										if( *(_t2125 - 0xc) > 0) {
											_t2096 =  &_v1072;
											_t1424 = E00054060(_t2096, L"?id=",  &_v1092);
											_t2150 = _t2136 + 0xc;
											_v8 = 0x12;
											E0005BFE0( &_v1116,  *_t1424,  *((intOrPtr*)( *_t1424 - 0xc)));
											_v8 = 0xf;
											_t1428 =  &(_v1072[0xfffffffffffffff8]);
											asm("lock xadd [ecx], edx");
											__eflags = (_t2096 | 0xffffffff) - 1;
											if((_t2096 | 0xffffffff) - 1 <= 0) {
												 *((intOrPtr*)( *((intOrPtr*)( *( *_t1428) + 4))))(_t1428);
											}
											_t2099 =  &_v1072;
											_t1429 = E00054060(_t2099, L"?id=",  &_v1092);
											_t2136 = _t2150 + 0xc;
											_v8 = 0x13;
											E0005BFE0( &_v1120,  *_t1429,  *((intOrPtr*)( *_t1429 - 0xc)));
											_v8 = 0xf;
											_t1433 =  &(_v1072[0xfffffffffffffff8]);
											_t1537 =  &(_t1433[6]);
											asm("lock xadd [ecx], edx");
											__eflags = (_t2099 | 0xffffffff) - 1;
											if((_t2099 | 0xffffffff) - 1 <= 0) {
												_t1537 =  *_t1433;
												 *((intOrPtr*)( *((intOrPtr*)( *( *_t1433) + 4))))(_t1433);
											}
										}
										_t2110 =  *(_t2125 - 0xc);
										__eflags = _t2110;
										if(_t2110 < 0) {
											_push(0x80070057);
											E00051330(_t1469, _t1537, _t2110, _t2125);
										}
										__eflags =  *((intOrPtr*)(_t2125 - 8)) - _t2110 | 0x00000001 -  *((intOrPtr*)(_t2125 - 4));
										if(( *((intOrPtr*)(_t2125 - 8)) - _t2110 | 0x00000001 -  *((intOrPtr*)(_t2125 - 4))) < 0) {
											E00051290( &_v1092, _t2110);
											_t2125 = _v1092;
										}
										_t1532 = _t2110 + 1;
										E0015140B(_t2125, _t2110 + 1);
										_t2135 = _t2136 + 8;
										__eflags = _t2110 -  *((intOrPtr*)(_t2125 - 8));
										if(_t2110 >  *((intOrPtr*)(_t2125 - 8))) {
											goto L56;
										} else {
											__eflags = 0;
											 *(_t2125 - 0xc) = _t2110;
											 *((short*)(_t2125 + _t2110 * 2)) = 0;
											_t1540 = L"COMPATIBILITYCHECK";
											_t877 = _t2125;
											while(1) {
												_t1885 =  *_t877;
												__eflags = _t1885 -  *_t1540;
												if(_t1885 !=  *_t1540) {
													break;
												}
												__eflags = _t1885;
												if(_t1885 == 0) {
													L85:
													_t877 = 0;
													L87:
													_t877 = _t877 & 0xffffff00 | _t877 == 0x00000000;
													if((_t877 & 0xffffff00 | _t877 == 0x00000000) != 0) {
														_v1148[0x5c] = 1;
													}
													__imp__SHGetFolderPathW(0, 0x801c, 0, 0,  &_v544); // executed
													_t879 =  &_v544;
													_t1886 = _t879 + 2;
													do {
														_t1542 =  *_t879;
														_t879 = _t879 + 2;
														__eflags = _t1542;
													} while (_t1542 != 0);
													_t1887 =  &_v544;
													E00054140( &_v1108, _t1887, _t879 - _t1886 >> 1);
													E0005BFE0( &_v1108, L"\\Exam Shield", 0xc);
													_t2113 = _v1108;
													_t884 = GetFileAttributesW(_t2113); // executed
													__eflags = _t884 - 0xffffffff;
													if(_t884 != 0xffffffff) {
														L124:
														GetModuleFileNameW(0,  &_v1068, 0x105);
														_t886 =  &_v1068;
														_t1888 = _t886 + 2;
														do {
															_t1546 =  *_t886;
															_t886 = _t886 + 2;
															__eflags = _t1546;
														} while (_t1546 != 0);
														E00054140( &_v1128,  &_v1068, _t886 - _t1888 >> 1);
														_t891 = E0005C0A0(_t1469,  &_v1072,  &_v1108, L"\\ExamShieldLauncher.exe");
														_t2137 = _t2135 + 0xc;
														_t1549 =  &_v1132;
														_v8 = 0x14;
														E00054260(_t1549, _t891);
														_v8 = 0xf;
														_t894 =  &(_v1072[0xfffffffffffffff8]);
														asm("lock xadd [edx], ecx");
														__eflags = (_t1549 | 0xffffffff) - 1;
														if((_t1549 | 0xffffffff) - 1 <= 0) {
															 *((intOrPtr*)( *((intOrPtr*)( *( *_t894) + 4))))(_t894);
														}
														_t1891 =  &_v1072;
														_t895 = E0005C0A0(_t1469, _t1891,  &_v1108, L"\\ExamShieldSetup.exe");
														_t2138 = _t2137 + 0xc;
														_v8 = 0x15;
														E00054260( &_v1112, _t895);
														_v8 = 0xf;
														_t898 =  &(_v1072[0xfffffffffffffff8]);
														asm("lock xadd [ecx], edx");
														__eflags = (_t1891 | 0xffffffff) - 1;
														if((_t1891 | 0xffffffff) - 1 <= 0) {
															 *((intOrPtr*)( *((intOrPtr*)( *( *_t898) + 4))))(_t898);
														}
														_t1894 =  &_v1072;
														_t899 = E0005C0A0(_t1469, _t1894,  &_v1108, L"\\ExamShieldParams.dat");
														_t2139 = _t2138 + 0xc;
														_v8 = 0x16;
														E00054260( &_v1152, _t899);
														_v8 = 0xf;
														_t902 =  &(_v1072[0xfffffffffffffff8]);
														asm("lock xadd [ecx], edx");
														_t1896 = (_t1894 | 0xffffffff) - 1;
														__eflags = (_t1894 | 0xffffffff) - 1;
														if((_t1894 | 0xffffffff) - 1 <= 0) {
															_t1896 =  *( *_t902);
															 *((intOrPtr*)( *((intOrPtr*)( *( *_t902) + 4))))(_t902);
														}
														_t1558 = _v1148;
														__eflags = _v1148[0x5c];
														if(__eflags != 0) {
															_t2126 = _v1152;
															goto L165;
														} else {
															E0006CC06( &_v1192, __eflags);
															_v8 = 0x17;
															_t2126 = _v1152;
															_t1298 = E0006CADE( &_v1192, _t2126, 0x5001, 0); // executed
															__eflags = _t1298;
															if(__eflags != 0) {
																E0006CCE1(_t1469,  &_v1192, _t2113, _v1092); // executed
																E0006CEA7( &_v1192);
																_t1558 =  &_v1192;
																_v8 = 0xf;
																E0006CEE5(_t1469,  &_v1192, _t1896, _t2113, _t2126, __eflags);
																L165:
																_v1084 = _t2139;
																_t2114 =  &_v1076;
																E00056620(_t1469, L"ExamShield");
																_t1470 = _v1148;
																_t904 = E0005A210( &_v1076, _t2158, _t1470, _t1558,  &_v1124); // executed
																__eflags = _t904;
																if(__eflags == 0) {
																	E000515C0( &_v1124, __eflags, _t2158,  &_v2940);
																	_t1898 =  &_v1116;
																	_v8 = 0x24;
																	E00054260( &_v2780, _t1898);
																	E00054260( &_v2776,  &_v1112);
																	_v2736 = 0;
																	_v2732 = 0;
																	E0005BEC0( &_v1892, "ExamShield Setup");
																	__eflags =  *((char*)(_t1470 + 0xb8));
																	if(__eflags != 0) {
																		_v1500 = 1;
																		E0005BEC0( &_v1892, "ExamShield (Compatibility Check) Setup");
																	}
																	_t911 = E00064645(_t1470,  &_v2940, _t1898, _t2114, _t2126, __eflags); // executed
																	__eflags = _t911 - 1;
																	if(__eflags == 0) {
																		E00056620(_t1470, 0x1a18c0);
																		_v8 = 0x25;
																		__eflags =  *((char*)(_t1470 + 0xb8));
																		if( *((char*)(_t1470 + 0xb8)) != 0) {
																			E0005BEC0( &_v1080, "/COMPATIBILITYCHECK");
																			__eflags = _v1076;
																			if(_v1076 == 0) {
																				_t1025 = _v1096;
																				__eflags =  *(_t1025 - 0xc);
																				if( *(_t1025 - 0xc) > 0) {
																					E0005BB10( &_v1076, _t1898, " /COLLABORATIONCLIENT=");
																					_v8 = 0x2c;
																					_t1038 = E0005BE00(_v1080,  &_v1104,  &_v1076);
																					_t2144 = _t2139 + 8;
																					_v8 = 0x2d;
																					_t1039 =  *_t1038;
																					__eflags = _t1039;
																					if(_t1039 == 0) {
																						_t1040 = 0;
																						__eflags = 0;
																					} else {
																						_t1040 =  *_t1039;
																					}
																					_t1898 =  &_v1084;
																					_t1041 = E00054060(_t1898, _t1040,  &_v1096);
																					_t2139 = _t2144 + 0xc;
																					_v8 = 0x2e;
																					E00054260( &_v1080, _t1041);
																					E00051170( &_v1084, _t1898);
																					E0005BDB0( &_v1104);
																					_t2114 =  &_v1076;
																					_v8 = 0x25;
																					E0005BDB0( &_v1076);
																				}
																				_t1026 = _v1100;
																				__eflags =  *(_t1026 - 0xc);
																				if( *(_t1026 - 0xc) > 0) {
																					E0005BB10( &_v1076, _t1898, " /OPERATINGSYSTEM=");
																					_v8 = 0x2f;
																					_t1029 = E0005BE00(_v1080,  &_v1104,  &_v1076);
																					_t2143 = _t2139 + 8;
																					_v8 = 0x30;
																					_t1030 =  *_t1029;
																					__eflags = _t1030;
																					if(_t1030 == 0) {
																						_t1031 = 0;
																						__eflags = 0;
																					} else {
																						_t1031 =  *_t1030;
																					}
																					_t1898 =  &_v1084;
																					_t1032 = E00054060(_t1898, _t1031,  &_v1100);
																					_t2139 = _t2143 + 0xc;
																					_v8 = 0x31;
																					E00054260( &_v1080, _t1032);
																					E00051170( &_v1084, _t1898);
																					E0005BDB0( &_v1104);
																					_t2114 =  &_v1076;
																					_v8 = 0x25;
																					E0005BDB0( &_v1076);
																				}
																				E0005B520( &_v1080);
																			} else {
																				_t1650 = _v1096;
																				__eflags =  *(_t1650 - 0xc);
																				if( *(_t1650 - 0xc) > 0) {
																					E0005BB10( &_v1076, _t1898, " /COLLABORATIONCLIENT=");
																					_v8 = 0x26;
																					_t1058 = E0005BE00(_v1080,  &_v1104,  &_v1076);
																					_t2146 = _t2139 + 8;
																					_v8 = 0x27;
																					_t1059 =  *_t1058;
																					__eflags = _t1059;
																					if(_t1059 == 0) {
																						_t1060 = 0;
																						__eflags = 0;
																					} else {
																						_t1060 =  *_t1059;
																					}
																					_t1898 =  &_v1084;
																					_t1061 = E00054060(_t1898, _t1060,  &_v1096);
																					_t2139 = _t2146 + 0xc;
																					_v8 = 0x28;
																					E00054260( &_v1080, _t1061);
																					E00051170( &_v1084, _t1898);
																					E0005BDB0( &_v1104);
																					_t2114 =  &_v1076;
																					_v8 = 0x25;
																					E0005BDB0( &_v1076);
																				}
																				_t1046 = _v1100;
																				__eflags =  *(_t1046 - 0xc);
																				if( *(_t1046 - 0xc) > 0) {
																					E0005BB10( &_v1076, _t1898, " /OPERATINGSYSTEM=");
																					_v8 = 0x29;
																					_t1048 = E0005BE00(_v1080,  &_v1104,  &_v1076);
																					_t2145 = _t2139 + 8;
																					_v8 = 0x2a;
																					_t1049 =  *_t1048;
																					__eflags = _t1049;
																					if(_t1049 == 0) {
																						_t1050 = 0;
																						__eflags = 0;
																					} else {
																						_t1050 =  *_t1049;
																					}
																					_t1898 =  &_v1084;
																					_t1051 = E00054060(_t1898, _t1050,  &_v1100);
																					_t2139 = _t2145 + 0xc;
																					_v8 = 0x2b;
																					E00054260( &_v1080, _t1051);
																					E00051170( &_v1084, _t1898);
																					E0005BDB0( &_v1104);
																					_t2114 =  &_v1076;
																					_v8 = 0x25;
																					E0005BDB0( &_v1076);
																				}
																			}
																		}
																		E0005B520( &_v1080);
																		_v1084 = _t2139;
																		E00053FD0(_t2139,  &_v1112); // executed
																		_t916 = E0005A0E0(_t1898, __eflags, " LAUNCHEXAMSHIELD"); // executed
																		__eflags = _t916;
																		if(__eflags != 0) {
																			E00056620( &_v1080, 0x1a18c0);
																			_v8 = 0x32;
																			E00056620( &_v1080, 0x1a18c0);
																			_v8 = 0x33;
																			E0005BEC0( &_v1160, "/z\"");
																			E0005BEC0( &_v1156, "\"");
																			_t922 = E0005B6D0(0x33,  &_v1104,  &_v1160,  &_v1080);
																			_t1900 =  &_v1084;
																			_v8 = 0x34;
																			_t923 = E0005B6D0(0x33,  &_v1084, _t922,  &_v1156);
																			_v8 = 0x35;
																			E00054260( &_v1080, _t923);
																			E00051170( &_v1084,  &_v1084);
																			E00051170( &_v1104,  &_v1084);
																			_v8 = 0x36;
																			_t927 = E0005B1C0(); // executed
																			__eflags = _t927;
																			if(_t927 != 0) {
																				L339:
																				_t928 = E0005B240(0x33, _t1900, _t2114);
																				__eflags = _t928;
																				if(_t928 != 0) {
																					L342:
																					_push(5);
																					_push(0);
																					_push(_v1080);
																					_push(_v1112);
																					_push(L"open");
																					L343:
																					ShellExecuteW(0, ??, ??, ??, ??, ??); // executed
																					_t931 = E0005C0A0(0x33,  &_v1084,  &_v1124, 0x1a18bc);
																					_v8 = 0x37;
																					E0005C0A0(0x33,  &_v1104, _t931, L"ExamShield.exe");
																					E00051170( &_v1084,  &_v1084);
																					_t1862 = _v1128;
																					CopyFileW(_v1128, _v1132, 0); // executed
																					E00051170( &_v1104, _v1128);
																					_v8 = 0x33;
																					E00051170( &_v1156, _v1128);
																					E00051170( &_v1160, _v1128);
																					E00051170( &_v1080, _v1128);
																					_v8 = 0xf;
																					E00051800(_t1862, _t2114, __eflags,  &_v2940);
																					E00051170( &_v1124, _t1862);
																					E00051170( &_v1152, _t1862);
																					E00051170( &_v1144, _t1862);
																					E00051170( &_v1112, _t1862);
																					E00051170( &_v1108, _t1862);
																					E00051170( &_v1100, _t1862);
																					E00051170( &_v1096, _t1862);
																					E00051170( &_v1128, _t1862);
																					E00051170( &_v1132, _t1862);
																					E00051170( &_v1136, _t1862);
																					E00051170( &_v1140, _t1862);
																					E00051170( &_v1120, _t1862);
																					E00051170( &_v1116, _t1862);
																					E00051170( &_v1092, _t1862);
																					E00051170( &_v1088, _t1862);
																					_t957 = 1;
																					goto L346;
																				}
																				_t959 = E0005B2E0();
																				__eflags = _t959;
																				if(_t959 != 0) {
																					goto L342;
																				}
																				L341:
																				_push(5);
																				_push(0);
																				_push(_v1080);
																				_push(_v1112);
																				_push(L"runas");
																				goto L343;
																			}
																			_t961 = E0005B240(0x33,  &_v1084, _t2114);
																			__eflags = _t961;
																			if(_t961 != 0) {
																				goto L341;
																			}
																			goto L339;
																		} else {
																			E00064BAD( &_v1080, _t2114, _t2126, __eflags, L"An unexpected error has occured! \n Please contact support.", 0x10, 0);
																			_v8 = 0x24;
																			_t964 = _v1080 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1904 = (_t1898 | 0xffffffff) - 1;
																			__eflags = (_t1898 | 0xffffffff) - 1;
																			if(__eflags <= 0) {
																				_t1904 =  *( *_t964);
																				 *((intOrPtr*)( *((intOrPtr*)( *( *_t964) + 4))))(_t964);
																			}
																			_t1606 =  &_v2940;
																			_v8 = 0xf;
																			E00051800(_t1904, _t2114, __eflags, _t1606);
																			_v8 = 0xe;
																			_t967 = _v1124 + 0xfffffff0;
																			_t1905 =  &(_t967[3]);
																			asm("lock xadd [edx], ecx");
																			__eflags = (_t1606 | 0xffffffff) - 1;
																			if((_t1606 | 0xffffffff) - 1 <= 0) {
																				_t1905 =  *( *_t967);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1905 + 4))))(_t967);
																			}
																			_t968 = _t2126 - 0x10;
																			_v8 = 0xd;
																			asm("lock xadd [ecx], edx");
																			_t1907 = (_t1905 | 0xffffffff) - 1;
																			__eflags = _t1907;
																			if(_t1907 <= 0) {
																				_t1907 =  *( *_t968);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1907 + 4))))(_t968);
																			}
																			_v8 = 0xc;
																			_t970 = _v1144 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1909 = (_t1907 | 0xffffffff) - 1;
																			__eflags = _t1909;
																			if(_t1909 <= 0) {
																				_t1909 =  *( *_t970);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1909 + 4))))(_t970);
																			}
																			_v8 = 0xb;
																			_t972 = _v1112 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1911 = (_t1909 | 0xffffffff) - 1;
																			__eflags = _t1911;
																			if(_t1911 <= 0) {
																				_t1911 =  *( *_t972);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1911 + 4))))(_t972);
																			}
																			_v8 = 0xa;
																			_t974 =  &(_v1108[0xfffffffffffffff8]);
																			asm("lock xadd [ecx], edx");
																			_t1913 = (_t1911 | 0xffffffff) - 1;
																			__eflags = _t1913;
																			if(_t1913 <= 0) {
																				_t1913 =  *( *_t974);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1913 + 4))))(_t974);
																			}
																			_v8 = 9;
																			_t976 = _v1100 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1915 = (_t1913 | 0xffffffff) - 1;
																			__eflags = _t1915;
																			if(_t1915 <= 0) {
																				_t1915 =  *( *_t976);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1915 + 4))))(_t976);
																			}
																			_v8 = 8;
																			_t978 = _v1096 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1917 = (_t1915 | 0xffffffff) - 1;
																			__eflags = _t1917;
																			if(_t1917 <= 0) {
																				_t1917 =  *( *_t978);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1917 + 4))))(_t978);
																			}
																			_v8 = 7;
																			_t980 =  &(_v1128[0xfffffffffffffff8]);
																			asm("lock xadd [ecx], edx");
																			_t1919 = (_t1917 | 0xffffffff) - 1;
																			__eflags = _t1919;
																			if(_t1919 <= 0) {
																				_t1919 =  *( *_t980);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1919 + 4))))(_t980);
																			}
																			_v8 = 6;
																			_t982 =  &(_v1132[0xfffffffffffffff8]);
																			asm("lock xadd [ecx], edx");
																			_t1921 = (_t1919 | 0xffffffff) - 1;
																			__eflags = _t1921;
																			if(_t1921 <= 0) {
																				_t1921 =  *( *_t982);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1921 + 4))))(_t982);
																			}
																			_v8 = 5;
																			_t984 = _v1136 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1923 = (_t1921 | 0xffffffff) - 1;
																			__eflags = _t1923;
																			if(_t1923 <= 0) {
																				_t1923 =  *( *_t984);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1923 + 4))))(_t984);
																			}
																			_v8 = 4;
																			_t986 = _v1140 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1925 = (_t1923 | 0xffffffff) - 1;
																			__eflags = _t1925;
																			if(_t1925 <= 0) {
																				_t1925 =  *( *_t986);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1925 + 4))))(_t986);
																			}
																			_v8 = 3;
																			_t988 = _v1120 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1927 = (_t1925 | 0xffffffff) - 1;
																			__eflags = _t1927;
																			if(_t1927 <= 0) {
																				_t1927 =  *( *_t988);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1927 + 4))))(_t988);
																			}
																			_v8 = 2;
																			_t990 = _v1116 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1929 = (_t1927 | 0xffffffff) - 1;
																			__eflags = _t1929;
																			if(_t1929 <= 0) {
																				_t1929 =  *( *_t990);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1929 + 4))))(_t990);
																			}
																			_v8 = 1;
																			_t992 = _v1092 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1862 = (_t1929 | 0xffffffff) - 1;
																			__eflags = (_t1929 | 0xffffffff) - 1;
																			if((_t1929 | 0xffffffff) - 1 <= 0) {
																				_t1862 =  *( *_t992);
																				 *((intOrPtr*)( *((intOrPtr*)( *( *_t992) + 4))))(_t992);
																			}
																			E00051170( &_v1088, _t1862);
																			goto L345;
																		}
																	} else {
																		_t1660 =  &_v2940;
																		_v8 = 0xf;
																		E00051800(_t1898, _t2114, __eflags, _t1660);
																		_v8 = 0xe;
																		_t1068 = _v1124 + 0xfffffff0;
																		_t1935 =  &(_t1068[3]);
																		asm("lock xadd [edx], ecx");
																		__eflags = (_t1660 | 0xffffffff) - 1;
																		if((_t1660 | 0xffffffff) - 1 <= 0) {
																			_t1935 =  *( *_t1068);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1935 + 4))))(_t1068);
																		}
																		_t1069 = _t2126 - 0x10;
																		_v8 = 0xd;
																		asm("lock xadd [ecx], edx");
																		_t1937 = (_t1935 | 0xffffffff) - 1;
																		__eflags = _t1937;
																		if(_t1937 <= 0) {
																			_t1937 =  *( *_t1069);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1937 + 4))))(_t1069);
																		}
																		_v8 = 0xc;
																		_t1071 = _v1144 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1939 = (_t1937 | 0xffffffff) - 1;
																		__eflags = _t1939;
																		if(_t1939 <= 0) {
																			_t1939 =  *( *_t1071);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1939 + 4))))(_t1071);
																		}
																		_v8 = 0xb;
																		_t1073 = _v1112 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1941 = (_t1939 | 0xffffffff) - 1;
																		__eflags = _t1941;
																		if(_t1941 <= 0) {
																			_t1941 =  *( *_t1073);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1941 + 4))))(_t1073);
																		}
																		_v8 = 0xa;
																		_t1075 =  &(_v1108[0xfffffffffffffff8]);
																		asm("lock xadd [ecx], edx");
																		_t1943 = (_t1941 | 0xffffffff) - 1;
																		__eflags = _t1943;
																		if(_t1943 <= 0) {
																			_t1943 =  *( *_t1075);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1943 + 4))))(_t1075);
																		}
																		_v8 = 9;
																		_t1077 = _v1100 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1945 = (_t1943 | 0xffffffff) - 1;
																		__eflags = _t1945;
																		if(_t1945 <= 0) {
																			_t1945 =  *( *_t1077);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1945 + 4))))(_t1077);
																		}
																		_v8 = 8;
																		_t1079 = _v1096 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1947 = (_t1945 | 0xffffffff) - 1;
																		__eflags = _t1947;
																		if(_t1947 <= 0) {
																			_t1947 =  *( *_t1079);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1947 + 4))))(_t1079);
																		}
																		_v8 = 7;
																		_t1081 =  &(_v1128[0xfffffffffffffff8]);
																		asm("lock xadd [ecx], edx");
																		_t1949 = (_t1947 | 0xffffffff) - 1;
																		__eflags = _t1949;
																		if(_t1949 <= 0) {
																			_t1949 =  *( *_t1081);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1949 + 4))))(_t1081);
																		}
																		_v8 = 6;
																		_t1083 =  &(_v1132[0xfffffffffffffff8]);
																		asm("lock xadd [ecx], edx");
																		_t1951 = (_t1949 | 0xffffffff) - 1;
																		__eflags = _t1951;
																		if(_t1951 <= 0) {
																			_t1951 =  *( *_t1083);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1951 + 4))))(_t1083);
																		}
																		_v8 = 5;
																		_t1085 = _v1136 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1953 = (_t1951 | 0xffffffff) - 1;
																		__eflags = _t1953;
																		if(_t1953 <= 0) {
																			_t1953 =  *( *_t1085);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1953 + 4))))(_t1085);
																		}
																		_v8 = 4;
																		_t1087 = _v1140 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1955 = (_t1953 | 0xffffffff) - 1;
																		__eflags = _t1955;
																		if(_t1955 <= 0) {
																			_t1955 =  *( *_t1087);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1955 + 4))))(_t1087);
																		}
																		_v8 = 3;
																		_t1089 = _v1120 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1957 = (_t1955 | 0xffffffff) - 1;
																		__eflags = _t1957;
																		if(_t1957 <= 0) {
																			_t1957 =  *( *_t1089);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1957 + 4))))(_t1089);
																		}
																		_v8 = 2;
																		_t1091 = _v1116 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1959 = (_t1957 | 0xffffffff) - 1;
																		__eflags = _t1959;
																		if(_t1959 <= 0) {
																			_t1959 =  *( *_t1091);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1959 + 4))))(_t1091);
																		}
																		_v8 = 1;
																		_t1093 = _v1092 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1961 = (_t1959 | 0xffffffff) - 1;
																		__eflags = _t1961;
																		if(_t1961 > 0) {
																			L162:
																			_v8 = 0xffffffff;
																			_t1095 = _v1088 + 0xfffffff0;
																			goto L122;
																		} else {
																			_t1961 =  *( *_t1093);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1961 + 4))))(_t1093);
																			_v8 = 0xffffffff;
																			_t1095 = _v1088 + 0xfffffff0;
																			L122:
																			asm("lock xadd [ecx], edx");
																			_t1862 = (_t1961 | 0xffffffff) - 1;
																			__eflags = (_t1961 | 0xffffffff) - 1;
																			if((_t1961 | 0xffffffff) - 1 <= 0) {
																				_t1862 =  *( *_t1095);
																				 *((intOrPtr*)( *((intOrPtr*)( *( *_t1095) + 4))))(_t1095);
																			}
																			goto L345;
																		}
																	}
																}
																_t1129 = E0005C0A0(_t1470,  &_v1164,  &_v1124, 0x1a18bc);
																_t1963 =  &_v1148;
																_v8 = 0x18;
																E0005C0A0(_t1470, _t1963, _t1129, L"ExamShield.exe");
																_t2147 = _t2139 + 0x18;
																_v8 = 0x1a;
																_t1132 = _v1164 + 0xfffffff0;
																asm("lock xadd [ecx], edx");
																_t1965 = (_t1963 | 0xffffffff) - 1;
																__eflags = (_t1963 | 0xffffffff) - 1;
																if((_t1963 | 0xffffffff) - 1 <= 0) {
																	_t1965 =  *( *_t1132);
																	 *((intOrPtr*)( *((intOrPtr*)( *( *_t1132) + 4))))(_t1132);
																}
																E00056620(_t1470, 0x1a18c0);
																_v8 = 0x1b;
																__eflags =  *((char*)(_t1470 + 0xb8));
																if( *((char*)(_t1470 + 0xb8)) != 0) {
																	E0005BEC0( &_v1072, "/COMPATIBILITYCHECK");
																}
																_t1696 = _v1096;
																__eflags =  *(_t1696 - 0xc);
																if( *(_t1696 - 0xc) > 0) {
																	E0005BB10( &_v1076, _t1965, " /COLLABORATIONCLIENT=");
																	_v8 = 0x1c;
																	_t1283 = E0005BE00(_v1072,  &_v1084,  &_v1076);
																	_t2149 = _t2147 + 8;
																	_t1470 = 0x1d;
																	_v8 = 0x1d;
																	_t1284 =  *_t1283;
																	__eflags = _t1284;
																	if(_t1284 == 0) {
																		_t1285 = 0;
																		__eflags = 0;
																	} else {
																		_t1285 =  *_t1284;
																	}
																	_t2038 =  &_v1104;
																	_t1286 = E00054060(_t2038, _t1285,  &_v1096);
																	_t2147 = _t2149 + 0xc;
																	_v8 = 0x1e;
																	E00054260( &_v1072, _t1286);
																	_v8 = _t1470;
																	_t1289 = _v1104 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1965 = (_t2038 | 0xffffffff) - 1;
																	__eflags = (_t2038 | 0xffffffff) - 1;
																	if((_t2038 | 0xffffffff) - 1 <= 0) {
																		_t1965 =  *( *_t1289);
																		 *((intOrPtr*)( *((intOrPtr*)( *( *_t1289) + 4))))(_t1289);
																	}
																	E0005BDB0( &_v1084);
																	_t2114 =  &_v1076;
																	_v8 = 0x1b;
																	E0005BDB0( &_v1076);
																}
																_t1697 = _v1100;
																__eflags =  *(_t1697 - 0xc);
																if( *(_t1697 - 0xc) > 0) {
																	E0005BB10( &_v1076, _t1965, " /OPERATINGSYSTEM=");
																	_v8 = 0x1f;
																	_t1270 = E0005BE00(_v1072,  &_v1104,  &_v1076);
																	_t2148 = _t2147 + 8;
																	_t1470 = 0x20;
																	_v8 = 0x20;
																	_t1271 =  *_t1270;
																	__eflags = _t1271;
																	if(_t1271 == 0) {
																		_t1272 = 0;
																		__eflags = 0;
																	} else {
																		_t1272 =  *_t1271;
																	}
																	_t2033 =  &_v1084;
																	_t1273 = E00054060(_t2033, _t1272,  &_v1100);
																	_t2147 = _t2148 + 0xc;
																	_v8 = 0x21;
																	E00054260( &_v1072, _t1273);
																	_v8 = _t1470;
																	_t1276 = _v1084 + 0xfffffff0;
																	_t1697 = _t1276 + 0xc;
																	asm("lock xadd [ecx], edx");
																	__eflags = (_t2033 | 0xffffffff) - 1;
																	if((_t2033 | 0xffffffff) - 1 <= 0) {
																		_t1697 =  *_t1276;
																		 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1276)) + 4))))(_t1276);
																	}
																	E0005BDB0( &_v1104);
																	_t2114 =  &_v1076;
																	_v8 = 0x1b;
																	E0005BDB0( &_v1076);
																}
																_t1966 =  &_v1148;
																_v1084 = _t2147;
																E00053FD0(_t2147, _t1966);
																__eflags = E0005A0E0(_t1966, __eflags, _t1697);
																if(__eflags != 0) {
																	_t1967 = _v1148;
																	ShellExecuteW(0, L"open", _t1967, _v1072, 0, 5);
																	_t1479 = _v1132;
																	_t2120 = _v1128;
																	CopyFileExW(_t2120, _t1479, 0, 0, 0, 0);
																	_v8 = 0x1a;
																	_t1139 =  &(_v1072[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t1969 = (_t1967 | 0xffffffff) - 1;
																	__eflags = _t1969;
																	if(_t1969 <= 0) {
																		_t1969 =  *( *_t1139);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1969 + 4))))(_t1139);
																	}
																	_v8 = 0xf;
																	_t1141 =  &(_v1148[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t1971 = (_t1969 | 0xffffffff) - 1;
																	__eflags = _t1971;
																	if(_t1971 <= 0) {
																		_t1971 =  *( *_t1141);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1971 + 4))))(_t1141);
																	}
																	_v8 = 0xe;
																	_t1143 = _v1124 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1973 = (_t1971 | 0xffffffff) - 1;
																	__eflags = _t1973;
																	if(_t1973 <= 0) {
																		_t1973 =  *( *_t1143);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1973 + 4))))(_t1143);
																	}
																	_t1144 = _t2126 - 0x10;
																	_v8 = 0xd;
																	asm("lock xadd [ecx], edx");
																	_t1975 = (_t1973 | 0xffffffff) - 1;
																	__eflags = _t1975;
																	if(_t1975 <= 0) {
																		_t1975 =  *( *_t1144);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1975 + 4))))(_t1144);
																	}
																	_v8 = 0xc;
																	_t1146 = _v1144 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1977 = (_t1975 | 0xffffffff) - 1;
																	__eflags = _t1977;
																	if(_t1977 <= 0) {
																		_t1977 =  *( *_t1146);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1977 + 4))))(_t1146);
																	}
																	_v8 = 0xb;
																	_t1148 = _v1112 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1979 = (_t1977 | 0xffffffff) - 1;
																	__eflags = _t1979;
																	if(_t1979 <= 0) {
																		_t1979 =  *( *_t1148);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1979 + 4))))(_t1148);
																	}
																	_v8 = 0xa;
																	_t1150 =  &(_v1108[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t1981 = (_t1979 | 0xffffffff) - 1;
																	__eflags = _t1981;
																	if(_t1981 <= 0) {
																		_t1981 =  *( *_t1150);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1981 + 4))))(_t1150);
																	}
																	_v8 = 9;
																	_t1152 = _v1100 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1983 = (_t1981 | 0xffffffff) - 1;
																	__eflags = _t1983;
																	if(_t1983 <= 0) {
																		_t1983 =  *( *_t1152);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1983 + 4))))(_t1152);
																	}
																	_v8 = 8;
																	_t1154 = _v1096 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1985 = (_t1983 | 0xffffffff) - 1;
																	__eflags = _t1985;
																	if(_t1985 <= 0) {
																		_t1985 =  *( *_t1154);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1985 + 4))))(_t1154);
																	}
																	_t1155 = _t2120 - 0x10;
																	_v8 = 7;
																	asm("lock xadd [ecx], edx");
																	_t1987 = (_t1985 | 0xffffffff) - 1;
																	__eflags = _t1987;
																	if(_t1987 <= 0) {
																		_t1987 =  *( *_t1155);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1987 + 4))))(_t1155);
																	}
																	_t1156 = _t1479 - 0x10;
																	_v8 = 6;
																	asm("lock xadd [ecx], edx");
																	_t1989 = (_t1987 | 0xffffffff) - 1;
																	__eflags = _t1989;
																	if(_t1989 <= 0) {
																		_t1989 =  *( *_t1156);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1989 + 4))))(_t1156);
																	}
																	_v8 = 5;
																	_t1158 = _v1136 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1991 = (_t1989 | 0xffffffff) - 1;
																	__eflags = _t1991;
																	if(_t1991 <= 0) {
																		_t1991 =  *( *_t1158);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1991 + 4))))(_t1158);
																	}
																	_v8 = 4;
																	_t1160 = _v1140 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1993 = (_t1991 | 0xffffffff) - 1;
																	__eflags = _t1993;
																	if(_t1993 <= 0) {
																		_t1993 =  *( *_t1160);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1993 + 4))))(_t1160);
																	}
																	_v8 = 3;
																	_t1162 = _v1120 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1995 = (_t1993 | 0xffffffff) - 1;
																	__eflags = _t1995;
																	if(_t1995 <= 0) {
																		_t1995 =  *( *_t1162);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1995 + 4))))(_t1162);
																	}
																	_v8 = 2;
																	_t1164 = _v1116 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1997 = (_t1995 | 0xffffffff) - 1;
																	__eflags = _t1997;
																	if(_t1997 <= 0) {
																		_t1997 =  *( *_t1164);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1997 + 4))))(_t1164);
																	}
																	_v8 = 1;
																	_t1166 = _v1092 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1999 = (_t1997 | 0xffffffff) - 1;
																	__eflags = _t1999;
																	if(_t1999 <= 0) {
																		_t1999 =  *( *_t1166);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1999 + 4))))(_t1166);
																	}
																	_v8 = 0xffffffff;
																	_t1168 = _v1088 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1862 = (_t1999 | 0xffffffff) - 1;
																	__eflags = (_t1999 | 0xffffffff) - 1;
																	if((_t1999 | 0xffffffff) - 1 <= 0) {
																		_t1862 =  *( *_t1168);
																		 *((intOrPtr*)( *((intOrPtr*)( *( *_t1168) + 4))))(_t1168);
																	}
																	_t957 = 1;
																	goto L346;
																} else {
																	E00064BAD(_t1470, _t2114, _t2126, __eflags, L"An unexpected error has occured! \n Please contact support.", 0x10, 0);
																	_v8 = 0x1a;
																	_t1205 =  &(_v1072[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t2002 = (_t1966 | 0xffffffff) - 1;
																	__eflags = _t2002;
																	if(_t2002 <= 0) {
																		_t2002 =  *( *_t1205);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2002 + 4))))(_t1205);
																	}
																	_v8 = 0xf;
																	_t1207 =  &(_v1148[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t2004 = (_t2002 | 0xffffffff) - 1;
																	__eflags = _t2004;
																	if(_t2004 <= 0) {
																		_t2004 =  *( *_t1207);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2004 + 4))))(_t1207);
																	}
																	_v8 = 0xe;
																	_t1209 = _v1124 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2006 = (_t2004 | 0xffffffff) - 1;
																	__eflags = _t2006;
																	if(_t2006 <= 0) {
																		_t2006 =  *( *_t1209);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2006 + 4))))(_t1209);
																	}
																	_t1210 = _t2126 - 0x10;
																	_v8 = 0xd;
																	asm("lock xadd [ecx], edx");
																	_t2008 = (_t2006 | 0xffffffff) - 1;
																	__eflags = _t2008;
																	if(_t2008 <= 0) {
																		_t2008 =  *( *_t1210);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2008 + 4))))(_t1210);
																	}
																	_v8 = 0xc;
																	_t1212 = _v1144 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2010 = (_t2008 | 0xffffffff) - 1;
																	__eflags = _t2010;
																	if(_t2010 <= 0) {
																		_t2010 =  *( *_t1212);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2010 + 4))))(_t1212);
																	}
																	_v8 = 0xb;
																	_t1214 = _v1112 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2012 = (_t2010 | 0xffffffff) - 1;
																	__eflags = _t2012;
																	if(_t2012 <= 0) {
																		_t2012 =  *( *_t1214);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2012 + 4))))(_t1214);
																	}
																	_v8 = 0xa;
																	_t1216 =  &(_v1108[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t2014 = (_t2012 | 0xffffffff) - 1;
																	__eflags = _t2014;
																	if(_t2014 <= 0) {
																		_t2014 =  *( *_t1216);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2014 + 4))))(_t1216);
																	}
																	_v8 = 9;
																	_t1218 = _v1100 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2016 = (_t2014 | 0xffffffff) - 1;
																	__eflags = _t2016;
																	if(_t2016 <= 0) {
																		_t2016 =  *( *_t1218);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2016 + 4))))(_t1218);
																	}
																	_v8 = 8;
																	_t1220 = _v1096 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2018 = (_t2016 | 0xffffffff) - 1;
																	__eflags = _t2018;
																	if(_t2018 <= 0) {
																		_t2018 =  *( *_t1220);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2018 + 4))))(_t1220);
																	}
																	_v8 = 7;
																	_t1222 =  &(_v1128[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t2020 = (_t2018 | 0xffffffff) - 1;
																	__eflags = _t2020;
																	if(_t2020 <= 0) {
																		_t2020 =  *( *_t1222);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2020 + 4))))(_t1222);
																	}
																	_v8 = 6;
																	_t1224 =  &(_v1132[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t2022 = (_t2020 | 0xffffffff) - 1;
																	__eflags = _t2022;
																	if(_t2022 <= 0) {
																		_t2022 =  *( *_t1224);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2022 + 4))))(_t1224);
																	}
																	_v8 = 5;
																	_t1226 = _v1136 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2024 = (_t2022 | 0xffffffff) - 1;
																	__eflags = _t2024;
																	if(_t2024 <= 0) {
																		_t2024 =  *( *_t1226);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2024 + 4))))(_t1226);
																	}
																	_v8 = 4;
																	_t1228 = _v1140 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2026 = (_t2024 | 0xffffffff) - 1;
																	__eflags = _t2026;
																	if(_t2026 <= 0) {
																		_t2026 =  *( *_t1228);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2026 + 4))))(_t1228);
																	}
																	_v8 = 3;
																	_t1230 = _v1120 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2028 = (_t2026 | 0xffffffff) - 1;
																	__eflags = _t2028;
																	if(_t2028 <= 0) {
																		_t2028 =  *( *_t1230);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2028 + 4))))(_t1230);
																	}
																	_v8 = 2;
																	_t1232 = _v1116 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2030 = (_t2028 | 0xffffffff) - 1;
																	__eflags = _t2030;
																	if(_t2030 <= 0) {
																		_t2030 =  *( *_t1232);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2030 + 4))))(_t1232);
																	}
																	_v8 = 1;
																	_t1234 = _v1092 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1961 = (_t2030 | 0xffffffff) - 1;
																	__eflags = _t1961;
																	if(_t1961 > 0) {
																		goto L162;
																	} else {
																		_t1961 =  *( *_t1234);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1961 + 4))))(_t1234);
																		_v8 = 0xffffffff;
																		_t1095 = _v1088 + 0xfffffff0;
																		goto L122;
																	}
																}
															}
															E00064BAD(_t1469, _t2113, _t2126, __eflags, L"Unable to create file", 0x10, _t1298);
															_t1781 =  &_v1192;
															_v8 = 0xf;
															E0006CEE5(_t1469, _t1781, _t1896, _t2113, _t2126, __eflags);
															_v8 = 0xe;
															_t1305 = _v1124 + 0xfffffff0;
															_t2040 =  &(_t1305[3]);
															asm("lock xadd [edx], ecx");
															__eflags = (_t1781 | 0xffffffff) - 1;
															if((_t1781 | 0xffffffff) - 1 <= 0) {
																_t2040 =  *( *_t1305);
																 *((intOrPtr*)( *((intOrPtr*)(_t2040 + 4))))(_t1305);
															}
															_t1306 = _t2126 - 0x10;
															_v8 = 0xd;
															asm("lock xadd [ecx], edx");
															_t2042 = (_t2040 | 0xffffffff) - 1;
															__eflags = _t2042;
															if(_t2042 <= 0) {
																_t2042 =  *( *_t1306);
																 *((intOrPtr*)( *((intOrPtr*)(_t2042 + 4))))(_t1306);
															}
															_v8 = 0xc;
															_t1308 = _v1144 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2044 = (_t2042 | 0xffffffff) - 1;
															__eflags = _t2044;
															if(_t2044 <= 0) {
																_t2044 =  *( *_t1308);
																 *((intOrPtr*)( *((intOrPtr*)(_t2044 + 4))))(_t1308);
															}
															_v8 = 0xb;
															_t1310 = _v1112 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2046 = (_t2044 | 0xffffffff) - 1;
															__eflags = _t2046;
															if(_t2046 <= 0) {
																_t2046 =  *( *_t1310);
																 *((intOrPtr*)( *((intOrPtr*)(_t2046 + 4))))(_t1310);
															}
															_v8 = 0xa;
															_t1312 =  &(_v1108[0xfffffffffffffff8]);
															asm("lock xadd [ecx], edx");
															_t2048 = (_t2046 | 0xffffffff) - 1;
															__eflags = _t2048;
															if(_t2048 <= 0) {
																_t2048 =  *( *_t1312);
																 *((intOrPtr*)( *((intOrPtr*)(_t2048 + 4))))(_t1312);
															}
															_v8 = 9;
															_t1314 = _v1100 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2050 = (_t2048 | 0xffffffff) - 1;
															__eflags = _t2050;
															if(_t2050 <= 0) {
																_t2050 =  *( *_t1314);
																 *((intOrPtr*)( *((intOrPtr*)(_t2050 + 4))))(_t1314);
															}
															_v8 = 8;
															_t1316 = _v1096 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2052 = (_t2050 | 0xffffffff) - 1;
															__eflags = _t2052;
															if(_t2052 <= 0) {
																_t2052 =  *( *_t1316);
																 *((intOrPtr*)( *((intOrPtr*)(_t2052 + 4))))(_t1316);
															}
															_v8 = 7;
															_t1318 =  &(_v1128[0xfffffffffffffff8]);
															asm("lock xadd [ecx], edx");
															_t2054 = (_t2052 | 0xffffffff) - 1;
															__eflags = _t2054;
															if(_t2054 <= 0) {
																_t2054 =  *( *_t1318);
																 *((intOrPtr*)( *((intOrPtr*)(_t2054 + 4))))(_t1318);
															}
															_v8 = 6;
															_t1320 =  &(_v1132[0xfffffffffffffff8]);
															asm("lock xadd [ecx], edx");
															_t2056 = (_t2054 | 0xffffffff) - 1;
															__eflags = _t2056;
															if(_t2056 <= 0) {
																_t2056 =  *( *_t1320);
																 *((intOrPtr*)( *((intOrPtr*)(_t2056 + 4))))(_t1320);
															}
															_v8 = 5;
															_t1322 = _v1136 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2058 = (_t2056 | 0xffffffff) - 1;
															__eflags = _t2058;
															if(_t2058 <= 0) {
																_t2058 =  *( *_t1322);
																 *((intOrPtr*)( *((intOrPtr*)(_t2058 + 4))))(_t1322);
															}
															_v8 = 4;
															_t1324 = _v1140 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2060 = (_t2058 | 0xffffffff) - 1;
															__eflags = _t2060;
															if(_t2060 <= 0) {
																_t2060 =  *( *_t1324);
																 *((intOrPtr*)( *((intOrPtr*)(_t2060 + 4))))(_t1324);
															}
															_v8 = 3;
															_t1326 = _v1120 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2062 = (_t2060 | 0xffffffff) - 1;
															__eflags = _t2062;
															if(_t2062 <= 0) {
																_t2062 =  *( *_t1326);
																 *((intOrPtr*)( *((intOrPtr*)(_t2062 + 4))))(_t1326);
															}
															_v8 = 2;
															_t1328 = _v1116 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2064 = (_t2062 | 0xffffffff) - 1;
															__eflags = _t2064;
															if(_t2064 <= 0) {
																_t2064 =  *( *_t1328);
																 *((intOrPtr*)( *((intOrPtr*)(_t2064 + 4))))(_t1328);
															}
															_v8 = 1;
															_t1330 = _v1092 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t1961 = (_t2064 | 0xffffffff) - 1;
															__eflags = _t1961;
															if(_t1961 <= 0) {
																_t1961 =  *( *_t1330);
																 *((intOrPtr*)( *((intOrPtr*)(_t1961 + 4))))(_t1330);
															}
															goto L162;
														}
													}
													_t1365 = CreateDirectoryW(_t2113, 0); // executed
													__eflags = _t1365;
													if(__eflags != 0) {
														goto L124;
													}
													E00064BAD(_t1469, _t2113, _t2125, __eflags, L"Unable to create directory", 0x10, _t1365);
													_v8 = 0xe;
													_t1368 = _v1124 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2069 = (_t1887 | 0xffffffff) - 1;
													__eflags = _t2069;
													if(_t2069 <= 0) {
														_t2069 =  *( *_t1368);
														 *((intOrPtr*)( *((intOrPtr*)(_t2069 + 4))))(_t1368);
													}
													_v8 = 0xd;
													_t1370 = _v1152 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2071 = (_t2069 | 0xffffffff) - 1;
													__eflags = _t2071;
													if(_t2071 <= 0) {
														_t2071 =  *( *_t1370);
														 *((intOrPtr*)( *((intOrPtr*)(_t2071 + 4))))(_t1370);
													}
													_v8 = 0xc;
													_t1372 = _v1144 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2073 = (_t2071 | 0xffffffff) - 1;
													__eflags = _t2073;
													if(_t2073 <= 0) {
														_t2073 =  *( *_t1372);
														 *((intOrPtr*)( *((intOrPtr*)(_t2073 + 4))))(_t1372);
													}
													_v8 = 0xb;
													_t1374 = _v1112 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2075 = (_t2073 | 0xffffffff) - 1;
													__eflags = _t2075;
													if(_t2075 <= 0) {
														_t2075 =  *( *_t1374);
														 *((intOrPtr*)( *((intOrPtr*)(_t2075 + 4))))(_t1374);
													}
													_t1375 = _t2113 - 0x10;
													_v8 = 0xa;
													asm("lock xadd [ecx], edx");
													_t2077 = (_t2075 | 0xffffffff) - 1;
													__eflags = _t2077;
													if(_t2077 <= 0) {
														_t2077 =  *( *_t1375);
														 *((intOrPtr*)( *((intOrPtr*)(_t2077 + 4))))(_t1375);
													}
													_v8 = 9;
													_t1377 = _v1100 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2079 = (_t2077 | 0xffffffff) - 1;
													__eflags = _t2079;
													if(_t2079 <= 0) {
														_t2079 =  *( *_t1377);
														 *((intOrPtr*)( *((intOrPtr*)(_t2079 + 4))))(_t1377);
													}
													_v8 = 8;
													_t1379 = _v1096 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2081 = (_t2079 | 0xffffffff) - 1;
													__eflags = _t2081;
													if(_t2081 <= 0) {
														_t2081 =  *( *_t1379);
														 *((intOrPtr*)( *((intOrPtr*)(_t2081 + 4))))(_t1379);
													}
													_v8 = 7;
													_t1381 =  &(_v1128[0xfffffffffffffff8]);
													asm("lock xadd [ecx], edx");
													_t2083 = (_t2081 | 0xffffffff) - 1;
													__eflags = _t2083;
													if(_t2083 <= 0) {
														_t2083 =  *( *_t1381);
														 *((intOrPtr*)( *((intOrPtr*)(_t2083 + 4))))(_t1381);
													}
													_v8 = 6;
													_t1383 =  &(_v1132[0xfffffffffffffff8]);
													asm("lock xadd [ecx], edx");
													_t2085 = (_t2083 | 0xffffffff) - 1;
													__eflags = _t2085;
													if(_t2085 <= 0) {
														_t2085 =  *( *_t1383);
														 *((intOrPtr*)( *((intOrPtr*)(_t2085 + 4))))(_t1383);
													}
													_v8 = 5;
													_t1385 = _v1136 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2087 = (_t2085 | 0xffffffff) - 1;
													__eflags = _t2087;
													if(_t2087 <= 0) {
														_t2087 =  *( *_t1385);
														 *((intOrPtr*)( *((intOrPtr*)(_t2087 + 4))))(_t1385);
													}
													_v8 = 4;
													_t1387 = _v1140 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2089 = (_t2087 | 0xffffffff) - 1;
													__eflags = _t2089;
													if(_t2089 <= 0) {
														_t2089 =  *( *_t1387);
														 *((intOrPtr*)( *((intOrPtr*)(_t2089 + 4))))(_t1387);
													}
													_v8 = 3;
													_t1389 = _v1120 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2091 = (_t2089 | 0xffffffff) - 1;
													__eflags = _t2091;
													if(_t2091 <= 0) {
														_t2091 =  *( *_t1389);
														 *((intOrPtr*)( *((intOrPtr*)(_t2091 + 4))))(_t1389);
													}
													_v8 = 2;
													_t1391 = _v1116 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2093 = (_t2091 | 0xffffffff) - 1;
													__eflags = _t2093;
													if(_t2093 <= 0) {
														_t2093 =  *( *_t1391);
														 *((intOrPtr*)( *((intOrPtr*)(_t2093 + 4))))(_t1391);
													}
													_t233 = _t2125 - 0x10; // 0x0
													_t1392 = _t233;
													_v8 = 1;
													asm("lock xadd [ecx], edx");
													_t1961 = (_t2093 | 0xffffffff) - 1;
													__eflags = _t1961;
													if(_t1961 <= 0) {
														_t1961 =  *( *_t1392);
														 *((intOrPtr*)( *((intOrPtr*)(_t1961 + 4))))(_t1392);
													}
													_v8 = 0xffffffff;
													_t1095 = _t1469 - 0x10;
													goto L122;
												}
												_t2095 =  *((intOrPtr*)(_t877 + 2));
												__eflags = _t2095 -  *((intOrPtr*)(_t1540 + 2));
												if(_t2095 !=  *((intOrPtr*)(_t1540 + 2))) {
													break;
												}
												_t877 = _t877 + 4;
												_t1540 = _t1540 + 4;
												__eflags = _t2095;
												if(_t2095 != 0) {
													continue;
												}
												goto L85;
											}
											asm("sbb eax, eax");
											asm("sbb eax, 0xffffffff");
											goto L87;
										}
									}
									__eflags = _t2112[3];
									if(_t2112[3] < 0) {
										L66:
										E00054140( &_v1120, _t1536,  *((intOrPtr*)(_t1536 - 0xc)));
										L67:
										_t1469 = _v1088;
										goto L68;
									}
									_t1881 =  *_t870;
									__eflags = _t1881 -  *_t2112;
									if(_t1881 !=  *_t2112) {
										goto L66;
									}
									_t1442 = E000541F0(_t870);
									_t2128 = _t1442;
									_t2136 = _t2136 + 4;
									asm("lock xadd [ebx], eax");
									__eflags = (_t1442 | 0xffffffff) - 1;
									if((_t1442 | 0xffffffff) - 1 <= 0) {
										_t1881 =  *( *_t2112);
										 *((intOrPtr*)( *((intOrPtr*)(_t1881 + 4))))(_t2112);
									}
									_v1120 = _t2128 + 0x10;
									_t2125 = _v1092;
									goto L67;
								}
							} else {
								L56:
								_push(0x80070057);
								E00051330(_t1469, _t1532, _t2110, _t2125);
								goto L57;
							}
						} else {
							__eflags = _t2109[3];
							if(_t2109[3] < 0) {
								L51:
								E00054140( &_v1116, _t1531,  *((intOrPtr*)(_t1531 - 0xc)));
								L52:
								_t1469 = _v1088;
								goto L53;
							}
							_t1878 =  *_t860;
							__eflags = _t1878 -  *_t2109;
							if(_t1878 !=  *_t2109) {
								goto L51;
							}
							_t1452 = E000541F0(_t860);
							_t2130 = _t1452;
							_t2135 = _t2135 + 4;
							asm("lock xadd [ebx], eax");
							__eflags = (_t1452 | 0xffffffff) - 1;
							if((_t1452 | 0xffffffff) - 1 <= 0) {
								_t1878 =  *( *_t2109);
								 *((intOrPtr*)( *((intOrPtr*)(_t1878 + 4))))(_t2109);
							}
							_v1116 = _t2130 + 0x10;
							_t2125 = _v1092;
							goto L52;
						}
					} else {
						E0005C230(_t1468, _t1862, 0);
						L345:
						_t957 = 0;
						L346:
						 *[fs:0x0] = _v16;
						_pop(_t2115);
						_pop(_t2127);
						_pop(_t1473);
						return E00150836(_t957, _t1473, _v24 ^ _t2132, _t1862, _t2115, _t2127);
					}
				}
			}

0x00058050
0x00058050
0x00058061
0x00058067
0x0005806c
0x0005806e
0x00058078
0x0005807e
0x00058081
0x00058083
0x00058089
0x00058091
0x00058098
0x0005809f
0x000580b1
0x00000000
0x00000000
0x000580b3
0x000580b8
0x000580ba
0x00000000
0x00000000
0x00000000
0x000580bc
0x000580bc
0x000580c3
0x000580ce
0x000580d1
0x000580d6
0x000580e6
0x000580f2
0x000580f7
0x000580f7
0x000580fe
0x00058100
0x00058105
0x00058107
0x0005810c
0x0005810c
0x0005811a
0x0005811a
0x0005811d
0x00058123
0x0005812a
0x00058131
0x00058133
0x00058138
0x0005813a
0x0005813f
0x0005813f
0x0005814d
0x0005814d
0x00058150
0x00058156
0x0005815a
0x00058161
0x00058163
0x00058168
0x0005816a
0x0005816f
0x0005816f
0x00058180
0x00058186
0x0005818a
0x00058191
0x00058193
0x00058198
0x0005819a
0x0005819f
0x0005819f
0x000581b0
0x000581b6
0x000581ba
0x000581c1
0x000581c3
0x000581c8
0x000581ca
0x000581cf
0x000581cf
0x000581e0
0x000581e6
0x000581ea
0x000581f1
0x000581f3
0x000581f8
0x000581fa
0x000581ff
0x000581ff
0x00058210
0x00058216
0x0005821a
0x00058221
0x00058223
0x00058228
0x0005822a
0x0005822f
0x0005822f
0x00058240
0x00058246
0x0005824a
0x00058251
0x00058253
0x00058258
0x0005825a
0x0005825f
0x0005825f
0x00058270
0x00058276
0x0005827a
0x00058281
0x00058283
0x00058288
0x0005828a
0x0005828f
0x0005828f
0x000582a0
0x000582a6
0x000582aa
0x000582b1
0x000582b3
0x000582b8
0x000582ba
0x000582bf
0x000582bf
0x000582d0
0x000582d6
0x000582da
0x000582e1
0x000582e3
0x000582e8
0x000582ea
0x000582ef
0x000582ef
0x00058300
0x00058306
0x0005830a
0x00058311
0x00058313
0x00058318
0x0005831a
0x0005831f
0x0005831f
0x00058330
0x00058336
0x0005833a
0x00058341
0x00058343
0x00058348
0x0005834a
0x0005834f
0x0005834f
0x00058360
0x00058366
0x0005836a
0x00058371
0x00058373
0x00058378
0x0005837a
0x0005837f
0x0005837f
0x00058390
0x00058396
0x0005839a
0x000583a1
0x000583a3
0x000583a8
0x000583aa
0x000583af
0x000583af
0x000583c0
0x000583c6
0x000583ca
0x000583cf
0x000583d5
0x000583da
0x000583dc
0x000583ea
0x000583ef
0x000583ef
0x000583f5
0x000583fa
0x000583ff
0x00058401
0x0005840f
0x00058414
0x00058414
0x0005841a
0x0005841f
0x00058424
0x00058426
0x00058434
0x00058434
0x00058439
0x0005843e
0x00058443
0x00058445
0x00058453
0x00058453
0x00058464
0x0005846b
0x00058470
0x00058473
0x00058477
0x0005847f
0x00058482
0x00058485
0x00058487
0x000584e0
0x000584e0
0x000584ea
0x000584ed
0x000584f3
0x000584f8
0x000584fa
0x000584fc
0x00058504
0x00058504
0x00058506
0x00058509
0x0005850b
0x00058517
0x00058524
0x00058526
0x0005852f
0x00058534
0x00058534
0x0005853a
0x0005853f
0x00058544
0x00058547
0x0005854a
0x00000000
0x0005854c
0x0005855e
0x00058560
0x00058564
0x00058568
0x0005856d
0x00058570
0x00058574
0x0005857c
0x0005857f
0x00058582
0x00058584
0x000585dd
0x000585dd
0x000585e7
0x000585ea
0x000585f0
0x000585f5
0x000585f7
0x000585f9
0x00058601
0x00058601
0x00058603
0x00058607
0x00058614
0x00058620
0x00058625
0x00058628
0x00058639
0x0005863e
0x00058648
0x00058651
0x00058656
0x00058658
0x00058662
0x00058662
0x0005866b
0x00058677
0x0005867c
0x0005867f
0x00058690
0x00058695
0x0005869f
0x000586a2
0x000586a8
0x000586ad
0x000586af
0x000586b1
0x000586b9
0x000586b9
0x000586af
0x000586bb
0x000586be
0x000586c0
0x000586c2
0x000586c7
0x000586c7
0x000586d9
0x000586db
0x000586e4
0x000586e9
0x000586e9
0x000586ef
0x000586f4
0x000586f9
0x000586fc
0x000586ff
0x00000000
0x00058705
0x00058705
0x00058707
0x0005870a
0x0005870e
0x00058713
0x00058715
0x00058715
0x00058718
0x0005871b
0x00000000
0x00000000
0x0005871d
0x00058720
0x00058737
0x00058737
0x00058740
0x00058745
0x00058747
0x0005874f
0x0005874f
0x00058768
0x0005876e
0x00058774
0x00058777
0x00058777
0x0005877a
0x0005877d
0x0005877d
0x00058787
0x00058794
0x000587a6
0x000587ab
0x000587b2
0x000587b8
0x000587bb
0x00058a13
0x00058a21
0x00058a27
0x00058a2d
0x00058a30
0x00058a30
0x00058a33
0x00058a36
0x00058a36
0x00058a4d
0x00058a65
0x00058a6a
0x00058a6e
0x00058a74
0x00058a78
0x00058a7d
0x00058a87
0x00058a90
0x00058a95
0x00058a97
0x00058aa1
0x00058aa1
0x00058aaf
0x00058ab6
0x00058abb
0x00058ac5
0x00058ac9
0x00058ace
0x00058ad8
0x00058ae1
0x00058ae6
0x00058ae8
0x00058af2
0x00058af2
0x00058b00
0x00058b07
0x00058b0c
0x00058b16
0x00058b1a
0x00058b1f
0x00058b29
0x00058b32
0x00058b36
0x00058b37
0x00058b39
0x00058b3d
0x00058b43
0x00058b43
0x00058b45
0x00058b4b
0x00058b52
0x00058df5
0x00000000
0x00058b58
0x00058b5e
0x00058b65
0x00058b69
0x00058b7b
0x00058b80
0x00058b82
0x00058dd4
0x00058ddf
0x00058de4
0x00058dea
0x00058dee
0x00058dfb
0x00058e05
0x00058e10
0x00058e16
0x00058e1b
0x00058e24
0x00058e29
0x00058e2b
0x00059584
0x00059589
0x00059596
0x0005959a
0x000595ac
0x000595be
0x000595c4
0x000595ca
0x000595cf
0x000595d6
0x000595e3
0x000595ea
0x000595ea
0x000595f5
0x000595fa
0x000595fd
0x00059845
0x0005984a
0x0005984e
0x00059855
0x00059866
0x0005986b
0x00059872
0x000599ad
0x000599b3
0x000599b7
0x000599c8
0x000599d6
0x000599e1
0x000599e6
0x000599e9
0x000599ed
0x000599ef
0x000599f1
0x000599f7
0x000599f7
0x000599f3
0x000599f3
0x000599f3
0x00059a01
0x00059a08
0x00059a0d
0x00059a17
0x00059a1b
0x00059a26
0x00059a31
0x00059a36
0x00059a3c
0x00059a40
0x00059a40
0x00059a45
0x00059a4b
0x00059a4f
0x00059a60
0x00059a6e
0x00059a79
0x00059a7e
0x00059a81
0x00059a85
0x00059a87
0x00059a89
0x00059a8f
0x00059a8f
0x00059a8b
0x00059a8b
0x00059a8b
0x00059a99
0x00059aa0
0x00059aa5
0x00059aaf
0x00059ab3
0x00059abe
0x00059ac9
0x00059ace
0x00059ad4
0x00059ad8
0x00059ad8
0x00059ae8
0x00059878
0x00059878
0x0005987e
0x00059882
0x00059893
0x000598a1
0x000598ac
0x000598b1
0x000598b4
0x000598b8
0x000598ba
0x000598bc
0x000598c2
0x000598c2
0x000598be
0x000598be
0x000598be
0x000598cc
0x000598d3
0x000598d8
0x000598e2
0x000598e6
0x000598f1
0x000598fc
0x00059901
0x00059907
0x0005990b
0x0005990b
0x00059910
0x00059916
0x0005991a
0x0005992b
0x00059939
0x00059944
0x00059949
0x0005994c
0x00059950
0x00059952
0x00059954
0x0005995a
0x0005995a
0x00059956
0x00059956
0x00059956
0x00059964
0x0005996b
0x00059970
0x0005997a
0x0005997e
0x00059989
0x00059994
0x00059999
0x0005999f
0x000599a3
0x000599a3
0x0005991a
0x00059872
0x00059af8
0x00059b04
0x00059b0d
0x00059b12
0x00059b17
0x00059b19
0x00059d85
0x00059d95
0x00059d99
0x00059dae
0x00059db1
0x00059dc1
0x00059ddb
0x00059de8
0x00059def
0x00059df3
0x00059e02
0x00059e06
0x00059e11
0x00059e1c
0x00059e21
0x00059e25
0x00059e2a
0x00059e2c
0x00059e37
0x00059e37
0x00059e3c
0x00059e3e
0x00059e62
0x00059e6e
0x00059e70
0x00059e72
0x00059e73
0x00059e74
0x00059e79
0x00059e7b
0x00059e94
0x00059ea9
0x00059ead
0x00059ebb
0x00059ec6
0x00059ed0
0x00059edc
0x00059ee7
0x00059eea
0x00059ef5
0x00059f00
0x00059f0c
0x00059f10
0x00059f1b
0x00059f26
0x00059f31
0x00059f3c
0x00059f47
0x00059f52
0x00059f5d
0x00059f68
0x00059f73
0x00059f7e
0x00059f89
0x00059f94
0x00059f9f
0x00059faa
0x00059fb5
0x00059fba
0x00000000
0x00059fba
0x00059e40
0x00059e45
0x00059e47
0x00000000
0x00000000
0x00059e49
0x00059e55
0x00059e57
0x00059e59
0x00059e5a
0x00059e5b
0x00000000
0x00059e5b
0x00059e2e
0x00059e33
0x00059e35
0x00000000
0x00000000
0x00000000
0x00059b1f
0x00059b28
0x00059b2d
0x00059b37
0x00059b40
0x00059b44
0x00059b45
0x00059b47
0x00059b4b
0x00059b51
0x00059b51
0x00059b53
0x00059b5a
0x00059b5e
0x00059b63
0x00059b6d
0x00059b70
0x00059b76
0x00059b7b
0x00059b7d
0x00059b81
0x00059b87
0x00059b87
0x00059b89
0x00059b8c
0x00059b96
0x00059b9a
0x00059b9b
0x00059b9d
0x00059ba1
0x00059ba7
0x00059ba7
0x00059ba9
0x00059bb3
0x00059bbc
0x00059bc0
0x00059bc1
0x00059bc3
0x00059bc7
0x00059bcd
0x00059bcd
0x00059bcf
0x00059bd9
0x00059be2
0x00059be6
0x00059be7
0x00059be9
0x00059bed
0x00059bf3
0x00059bf3
0x00059bf5
0x00059bff
0x00059c08
0x00059c0c
0x00059c0d
0x00059c0f
0x00059c13
0x00059c19
0x00059c19
0x00059c1b
0x00059c25
0x00059c2e
0x00059c32
0x00059c33
0x00059c35
0x00059c39
0x00059c3f
0x00059c3f
0x00059c41
0x00059c4b
0x00059c54
0x00059c58
0x00059c59
0x00059c5b
0x00059c5f
0x00059c65
0x00059c65
0x00059c67
0x00059c71
0x00059c7a
0x00059c7e
0x00059c7f
0x00059c81
0x00059c85
0x00059c8b
0x00059c8b
0x00059c8d
0x00059c97
0x00059ca0
0x00059ca4
0x00059ca5
0x00059ca7
0x00059cab
0x00059cb1
0x00059cb1
0x00059cb3
0x00059cbd
0x00059cc6
0x00059cca
0x00059ccb
0x00059ccd
0x00059cd1
0x00059cd7
0x00059cd7
0x00059cd9
0x00059ce3
0x00059cec
0x00059cf0
0x00059cf1
0x00059cf3
0x00059cf7
0x00059cfd
0x00059cfd
0x00059cff
0x00059d09
0x00059d12
0x00059d16
0x00059d17
0x00059d19
0x00059d1d
0x00059d23
0x00059d23
0x00059d25
0x00059d2f
0x00059d38
0x00059d3c
0x00059d3d
0x00059d3f
0x00059d43
0x00059d49
0x00059d49
0x00059d4b
0x00059d55
0x00059d5e
0x00059d62
0x00059d63
0x00059d65
0x00059d6d
0x00059d73
0x00059d73
0x0005a0bb
0x00000000
0x0005a0bb
0x00059603
0x00059603
0x0005960a
0x0005960e
0x00059613
0x0005961d
0x00059620
0x00059626
0x0005962b
0x0005962d
0x00059631
0x00059637
0x00059637
0x00059639
0x0005963c
0x00059646
0x0005964a
0x0005964b
0x0005964d
0x00059651
0x00059657
0x00059657
0x00059659
0x00059663
0x0005966c
0x00059670
0x00059671
0x00059673
0x00059677
0x0005967d
0x0005967d
0x0005967f
0x00059689
0x00059692
0x00059696
0x00059697
0x00059699
0x0005969d
0x000596a3
0x000596a3
0x000596a5
0x000596af
0x000596b8
0x000596bc
0x000596bd
0x000596bf
0x000596c3
0x000596c9
0x000596c9
0x000596cb
0x000596d5
0x000596de
0x000596e2
0x000596e3
0x000596e5
0x000596e9
0x000596ef
0x000596ef
0x000596f1
0x000596fb
0x00059704
0x00059708
0x00059709
0x0005970b
0x0005970f
0x00059715
0x00059715
0x00059717
0x00059721
0x0005972a
0x0005972e
0x0005972f
0x00059731
0x00059735
0x0005973b
0x0005973b
0x0005973d
0x00059747
0x00059750
0x00059754
0x00059755
0x00059757
0x0005975b
0x00059761
0x00059761
0x00059763
0x0005976d
0x00059776
0x0005977a
0x0005977b
0x0005977d
0x00059781
0x00059787
0x00059787
0x00059789
0x00059793
0x0005979c
0x000597a0
0x000597a1
0x000597a3
0x000597a7
0x000597ad
0x000597ad
0x000597af
0x000597b9
0x000597c2
0x000597c6
0x000597c7
0x000597c9
0x000597cd
0x000597d3
0x000597d3
0x000597d5
0x000597df
0x000597e8
0x000597ec
0x000597ed
0x000597ef
0x000597f3
0x000597f9
0x000597f9
0x000597fb
0x00059805
0x0005980e
0x00059812
0x00059813
0x00059815
0x00058db2
0x00058db2
0x00058dbf
0x00000000
0x0005981b
0x0005981d
0x00059823
0x00059825
0x00059832
0x000589f1
0x000589f7
0x000589fb
0x000589fc
0x000589fe
0x00058a06
0x00058a0c
0x00058a0c
0x00000000
0x000589fe
0x00059815
0x000595fd
0x00058e44
0x00058e4f
0x00058e56
0x00058e5a
0x00058e5f
0x00058e62
0x00058e6c
0x00058e75
0x00058e79
0x00058e7a
0x00058e7c
0x00058e80
0x00058e86
0x00058e86
0x00058e93
0x00058e98
0x00058e9c
0x00058ea3
0x00058eb0
0x00058eb0
0x00058eb5
0x00058ebb
0x00058ebf
0x00058ed0
0x00058ede
0x00058ee9
0x00058eee
0x00058ef1
0x00058ef3
0x00058ef6
0x00058ef8
0x00058efa
0x00058f00
0x00058f00
0x00058efc
0x00058efc
0x00058efc
0x00058f0a
0x00058f11
0x00058f16
0x00058f20
0x00058f24
0x00058f29
0x00058f32
0x00058f3b
0x00058f3f
0x00058f40
0x00058f42
0x00058f46
0x00058f4c
0x00058f4c
0x00058f54
0x00058f59
0x00058f5f
0x00058f63
0x00058f63
0x00058f68
0x00058f6e
0x00058f72
0x00058f83
0x00058f91
0x00058f9c
0x00058fa1
0x00058fa4
0x00058fa6
0x00058fa9
0x00058fab
0x00058fad
0x00058fb3
0x00058fb3
0x00058faf
0x00058faf
0x00058faf
0x00058fbd
0x00058fc4
0x00058fc9
0x00058fd3
0x00058fd7
0x00058fdc
0x00058fe5
0x00058fe8
0x00058fee
0x00058ff3
0x00058ff5
0x00058ff7
0x00058fff
0x00058fff
0x00059007
0x0005900c
0x00059012
0x00059016
0x00059016
0x0005901c
0x00059022
0x0005902b
0x00059035
0x00059037
0x000592c4
0x000592d7
0x000592dd
0x000592e3
0x000592f3
0x000592f9
0x00059306
0x0005930f
0x00059313
0x00059314
0x00059316
0x0005931a
0x00059320
0x00059320
0x00059322
0x0005932c
0x00059335
0x00059339
0x0005933a
0x0005933c
0x00059340
0x00059346
0x00059346
0x00059348
0x00059352
0x0005935b
0x0005935f
0x00059360
0x00059362
0x00059366
0x0005936c
0x0005936c
0x0005936e
0x00059371
0x0005937b
0x0005937f
0x00059380
0x00059382
0x00059386
0x0005938c
0x0005938c
0x0005938e
0x00059398
0x000593a1
0x000593a5
0x000593a6
0x000593a8
0x000593ac
0x000593b2
0x000593b2
0x000593b4
0x000593be
0x000593c7
0x000593cb
0x000593cc
0x000593ce
0x000593d2
0x000593d8
0x000593d8
0x000593da
0x000593e4
0x000593ed
0x000593f1
0x000593f2
0x000593f4
0x000593f8
0x000593fe
0x000593fe
0x00059400
0x0005940a
0x00059413
0x00059417
0x00059418
0x0005941a
0x0005941e
0x00059424
0x00059424
0x00059426
0x00059430
0x00059439
0x0005943d
0x0005943e
0x00059440
0x00059444
0x0005944a
0x0005944a
0x0005944c
0x0005944f
0x00059459
0x0005945d
0x0005945e
0x00059460
0x00059464
0x0005946a
0x0005946a
0x0005946c
0x0005946f
0x00059479
0x0005947d
0x0005947e
0x00059480
0x00059484
0x0005948a
0x0005948a
0x0005948c
0x00059496
0x0005949f
0x000594a3
0x000594a4
0x000594a6
0x000594aa
0x000594b0
0x000594b0
0x000594b2
0x000594bc
0x000594c5
0x000594c9
0x000594ca
0x000594cc
0x000594d0
0x000594d6
0x000594d6
0x000594d8
0x000594e2
0x000594eb
0x000594ef
0x000594f0
0x000594f2
0x000594f6
0x000594fc
0x000594fc
0x000594fe
0x00059508
0x00059511
0x00059515
0x00059516
0x00059518
0x0005951c
0x00059522
0x00059522
0x00059524
0x0005952e
0x00059537
0x0005953b
0x0005953c
0x0005953e
0x00059542
0x00059548
0x00059548
0x0005954a
0x00059557
0x00059560
0x00059564
0x00059565
0x00059567
0x0005956b
0x00059571
0x00059571
0x00059573
0x00000000
0x0005903d
0x00059046
0x0005904b
0x00059055
0x0005905e
0x00059062
0x00059063
0x00059065
0x00059069
0x0005906f
0x0005906f
0x00059071
0x0005907b
0x00059084
0x00059088
0x00059089
0x0005908b
0x0005908f
0x00059095
0x00059095
0x00059097
0x000590a1
0x000590aa
0x000590ae
0x000590af
0x000590b1
0x000590b5
0x000590bb
0x000590bb
0x000590bd
0x000590c0
0x000590ca
0x000590ce
0x000590cf
0x000590d1
0x000590d5
0x000590db
0x000590db
0x000590dd
0x000590e7
0x000590f0
0x000590f4
0x000590f5
0x000590f7
0x000590fb
0x00059101
0x00059101
0x00059103
0x0005910d
0x00059116
0x0005911a
0x0005911b
0x0005911d
0x00059121
0x00059127
0x00059127
0x00059129
0x00059133
0x0005913c
0x00059140
0x00059141
0x00059143
0x00059147
0x0005914d
0x0005914d
0x0005914f
0x00059159
0x00059162
0x00059166
0x00059167
0x00059169
0x0005916d
0x00059173
0x00059173
0x00059175
0x0005917f
0x00059188
0x0005918c
0x0005918d
0x0005918f
0x00059193
0x00059199
0x00059199
0x0005919b
0x000591a5
0x000591ae
0x000591b2
0x000591b3
0x000591b5
0x000591b9
0x000591bf
0x000591bf
0x000591c1
0x000591cb
0x000591d4
0x000591d8
0x000591d9
0x000591db
0x000591df
0x000591e5
0x000591e5
0x000591e7
0x000591f1
0x000591fa
0x000591fe
0x000591ff
0x00059201
0x00059205
0x0005920b
0x0005920b
0x0005920d
0x00059217
0x00059220
0x00059224
0x00059225
0x00059227
0x0005922b
0x00059231
0x00059231
0x00059233
0x0005923d
0x00059246
0x0005924a
0x0005924b
0x0005924d
0x00059251
0x00059257
0x00059257
0x00059259
0x00059263
0x0005926c
0x00059270
0x00059271
0x00059273
0x00059277
0x0005927d
0x0005927d
0x0005927f
0x00059289
0x00059292
0x00059296
0x00059297
0x00059299
0x00000000
0x0005929f
0x000592a1
0x000592a7
0x000592a9
0x000592b6
0x00000000
0x000592b6
0x00059299
0x00059037
0x00058b90
0x00058b95
0x00058b9b
0x00058b9f
0x00058ba4
0x00058bae
0x00058bb1
0x00058bb7
0x00058bbc
0x00058bbe
0x00058bc2
0x00058bc8
0x00058bc8
0x00058bca
0x00058bcd
0x00058bd7
0x00058bdb
0x00058bdc
0x00058bde
0x00058be2
0x00058be8
0x00058be8
0x00058bea
0x00058bf4
0x00058bfd
0x00058c01
0x00058c02
0x00058c04
0x00058c08
0x00058c0e
0x00058c0e
0x00058c10
0x00058c1a
0x00058c23
0x00058c27
0x00058c28
0x00058c2a
0x00058c2e
0x00058c34
0x00058c34
0x00058c36
0x00058c40
0x00058c49
0x00058c4d
0x00058c4e
0x00058c50
0x00058c54
0x00058c5a
0x00058c5a
0x00058c5c
0x00058c66
0x00058c6f
0x00058c73
0x00058c74
0x00058c76
0x00058c7a
0x00058c80
0x00058c80
0x00058c82
0x00058c8c
0x00058c95
0x00058c99
0x00058c9a
0x00058c9c
0x00058ca0
0x00058ca6
0x00058ca6
0x00058ca8
0x00058cb2
0x00058cbb
0x00058cbf
0x00058cc0
0x00058cc2
0x00058cc6
0x00058ccc
0x00058ccc
0x00058cce
0x00058cd8
0x00058ce1
0x00058ce5
0x00058ce6
0x00058ce8
0x00058cec
0x00058cf2
0x00058cf2
0x00058cf4
0x00058cfe
0x00058d07
0x00058d0b
0x00058d0c
0x00058d0e
0x00058d12
0x00058d18
0x00058d18
0x00058d1a
0x00058d24
0x00058d2d
0x00058d31
0x00058d32
0x00058d34
0x00058d38
0x00058d3e
0x00058d3e
0x00058d40
0x00058d4a
0x00058d53
0x00058d57
0x00058d58
0x00058d5a
0x00058d5e
0x00058d64
0x00058d64
0x00058d66
0x00058d70
0x00058d79
0x00058d7d
0x00058d7e
0x00058d80
0x00058d84
0x00058d8a
0x00058d8a
0x00058d8c
0x00058d96
0x00058d9f
0x00058da3
0x00058da4
0x00058da6
0x00058daa
0x00058db0
0x00058db0
0x00000000
0x00058da6
0x00058b52
0x000587c4
0x000587ca
0x000587cc
0x00000000
0x00000000
0x000587da
0x000587df
0x000587e9
0x000587f2
0x000587f6
0x000587f7
0x000587f9
0x000587fd
0x00058803
0x00058803
0x00058805
0x0005880f
0x00058818
0x0005881c
0x0005881d
0x0005881f
0x00058823
0x00058829
0x00058829
0x0005882b
0x00058835
0x0005883e
0x00058842
0x00058843
0x00058845
0x00058849
0x0005884f
0x0005884f
0x00058851
0x0005885b
0x00058864
0x00058868
0x00058869
0x0005886b
0x0005886f
0x00058875
0x00058875
0x00058877
0x0005887a
0x00058884
0x00058888
0x00058889
0x0005888b
0x0005888f
0x00058895
0x00058895
0x00058897
0x000588a1
0x000588aa
0x000588ae
0x000588af
0x000588b1
0x000588b5
0x000588bb
0x000588bb
0x000588bd
0x000588c7
0x000588d0
0x000588d4
0x000588d5
0x000588d7
0x000588db
0x000588e1
0x000588e1
0x000588e3
0x000588ed
0x000588f6
0x000588fa
0x000588fb
0x000588fd
0x00058901
0x00058907
0x00058907
0x00058909
0x00058913
0x0005891c
0x00058920
0x00058921
0x00058923
0x00058927
0x0005892d
0x0005892d
0x0005892f
0x00058939
0x00058942
0x00058946
0x00058947
0x00058949
0x0005894d
0x00058953
0x00058953
0x00058955
0x0005895f
0x00058968
0x0005896c
0x0005896d
0x0005896f
0x00058973
0x00058979
0x00058979
0x0005897b
0x00058985
0x0005898e
0x00058992
0x00058993
0x00058995
0x00058999
0x0005899f
0x0005899f
0x000589a1
0x000589ab
0x000589b4
0x000589b8
0x000589b9
0x000589bb
0x000589bf
0x000589c5
0x000589c5
0x000589c7
0x000589c7
0x000589ca
0x000589d4
0x000589d8
0x000589d9
0x000589db
0x000589df
0x000589e5
0x000589e5
0x000589e7
0x000589ee
0x00000000
0x000589ee
0x00058722
0x00058726
0x0005872a
0x00000000
0x00000000
0x0005872c
0x0005872f
0x00058732
0x00058735
0x00000000
0x00000000
0x00000000
0x00058735
0x0005873b
0x0005873d
0x00000000
0x0005873d
0x000586ff
0x00058586
0x0005858d
0x000585c7
0x000585d2
0x000585d7
0x000585d7
0x00000000
0x000585d7
0x0005858f
0x00058591
0x00058593
0x00000000
0x00000000
0x00058596
0x0005859b
0x0005859d
0x000585a3
0x000585a8
0x000585aa
0x000585ae
0x000585b4
0x000585b4
0x000585b9
0x000585bf
0x00000000
0x000585bf
0x0005850d
0x0005850d
0x0005850d
0x00058512
0x00000000
0x00058512
0x00058489
0x00058489
0x00058490
0x000584ca
0x000584d5
0x000584da
0x000584da
0x00000000
0x000584da
0x00058492
0x00058494
0x00058496
0x00000000
0x00000000
0x00058499
0x0005849e
0x000584a0
0x000584a6
0x000584ab
0x000584ad
0x000584b1
0x000584b7
0x000584b7
0x000584bc
0x000584c2
0x00000000
0x000584c2
0x000580e8
0x000580e8
0x0005a0c0
0x0005a0c0
0x0005a0c2
0x0005a0c5
0x0005a0cd
0x0005a0ce
0x0005a0cf
0x0005a0dd
0x0005a0dd
0x000580e6

APIs

#17.COMCTL32(885926AF), ref: 00058089

Part of subcall function 0005B1C0: RegOpenKeyExW.KERNEL32 ref: 0005B1F7

Part of subcall function 0005B240: _memset.LIBCMT ref: 0005B267
Part of subcall function 0005B240: VerSetConditionMask.KERNEL32 ref: 0005B29C
Part of subcall function 0005B240: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 0005B2A4
Part of subcall function 0005B240: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 0005B2AC
Part of subcall function 0005B240: VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0005B2B4
Part of subcall function 0005B240: VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 0005B2BF

Part of subcall function 00051330: _vwprintf.LIBCMT ref: 0005139E
Part of subcall function 00051330: _vswprintf_s.LIBCMT ref: 000513DD

Part of subcall function 00054140: _memmove_s.LIBCMT ref: 000541BA

Part of subcall function 0005BFE0: _memcpy_s.LIBCMT ref: 0005C079

SHGetFolderPathW.SHELL32(00000000,0000801C,00000000,00000000,?), ref: 00058768
GetFileAttributesW.KERNEL32(?,\Exam Shield,0000000C,?,?,?,?,?,?,?,?,80070057), ref: 000587B2
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,?,80070057), ref: 000587C4
GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,?,?,?,?,?,80070057), ref: 00058A21

Part of subcall function 0006CEE5: __EH_prolog3_catch_GS.LIBCMT ref: 0006CEEF

Part of subcall function 0006CCE1: _fputws.LIBCMT ref: 0006CCFA

Part of subcall function 0005A210: RegOpenKeyExW.KERNEL32 ref: 0005A28F
Part of subcall function 0005A210: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0005A2C4
Part of subcall function 0005A210: wsprintfW.USER32 ref: 0005A2EC
Part of subcall function 0005A210: RegOpenKeyExW.ADVAPI32 ref: 0005A30E
Part of subcall function 0005A210: RegQueryValueExW.ADVAPI32 ref: 0005A344
Part of subcall function 0005A210: RegCloseKey.ADVAPI32(?), ref: 0005A36C

ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000005), ref: 000592D7
CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 000592F3

Part of subcall function 0005BEC0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,0005AEC5,ExamShield Version,000000C8), ref: 0005BEDA
Part of subcall function 0005BEC0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,-00000001,?,0005AEC5,ExamShield Version,000000C8,?,?,?,?,?,0000012C), ref: 0005BF0D

Part of subcall function 0005BB10: _com_util::ConvertStringToBSTR.COMSUPP ref: 0005BB60

Part of subcall function 0005BE00: SysAllocString.OLEAUT32(?), ref: 0005BE54

Part of subcall function 0005B1C0: RegQueryValueExW.KERNEL32(00000000,001A1790,00000000,00000004,00000000,00000000), ref: 0005B225
Part of subcall function 0005B1C0: RegCloseKey.KERNEL32(00000000), ref: 0005B233

ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000005), ref: 00059E7B
CopyFileW.KERNEL32 ref: 00059ED0

Strings

\ExamShieldSetup.exe, xrefs: 00058AA3
ExamShield (Compatibility Check) Setup, xrefs: 000595D8
?id=, xrefs: 0005861A, 00058671
\Exam Shield, xrefs: 0005879B
/COMPATIBILITYCHECK, xrefs: 00058EA5, 0005985B
An unexpected error has occured! Please contact support., xrefs: 00059041, 00059B23
ExamShieldVersion.txt, xrefs: 0005854C
/COLLABORATIONCLIENT=, xrefs: 00058EC5, 00059888, 000599BD
\ExamShieldLauncher.exe, xrefs: 00058A52
COMPATIBILITYCHECK, xrefs: 0005870E
7, xrefs: 00059EA9
ExamShieldSetup.exe, xrefs: 00058458
Unable to create file, xrefs: 00058B8B
/z", xrefs: 00059DA3
\ExamShieldParams.dat, xrefs: 00058AF4
LAUNCHEXAMSHIELD, xrefs: 00059AED
Unable to create directory, xrefs: 000587D5
/OPERATINGSYSTEM=, xrefs: 00058F78, 00059920, 00059A55
ExamShield, xrefs: 00058E0B
open, xrefs: 000592D0, 00059E74
UNINSTALL, xrefs: 00059ADD
ExamShield Setup, xrefs: 000595B3
ExamShield.exe, xrefs: 00058E49, 00059E9C
runas, xrefs: 00059E5B

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ConditionFileMask$Open$ByteCharCloseCopyExecuteMultiQueryShellStringValueWide$AllocAttributesConvertCreateDirectoryEnumFolderH_prolog3_catch_InfoModuleNamePathVerifyVersion_com_util::_fputws_memcpy_s_memmove_s_memset_vswprintf_s_vwprintfwsprintf
String ID: /COLLABORATIONCLIENT=$ /OPERATINGSYSTEM=$ LAUNCHEXAMSHIELD$ UNINSTALL$/COMPATIBILITYCHECK$/z"$7$?id=$An unexpected error has occured! Please contact support.$COMPATIBILITYCHECK$ExamShield$ExamShield (Compatibility Check) Setup$ExamShield Setup$ExamShield.exe$ExamShieldSetup.exe$ExamShieldVersion.txt$Unable to create directory$Unable to create file$\Exam Shield$\ExamShieldLauncher.exe$\ExamShieldParams.dat$\ExamShieldSetup.exe$open$runas
API String ID: 1871693599-2427528796
Opcode ID: c6bd0fea98cc5bc5e4e4b68ae6a258517ec953a0e501332d2238362bfb532c0e
Instruction ID: c527fb69d1bfc524f4f7c2a75219ff345bf40b2d5bdc480a92244ee884501ef7
Opcode Fuzzy Hash: c6bd0fea98cc5bc5e4e4b68ae6a258517ec953a0e501332d2238362bfb532c0e
Instruction Fuzzy Hash: 86337170601605CFD754CB6CCC81B9AB3B5AF95325F28C3D8E5299B2E2DB30AE49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 000552F0 Relevance: 30.3, APIs: 16, Strings: 1, Instructions: 573
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E000552F0(void* __ecx, signed long long __fp0, signed char _a4, signed short _a6) {
				signed int _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				void* _v28;
				long _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				long _v48;
				long _v52;
				void* _v56;
				long _v60;
				intOrPtr _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t166;
				WCHAR* _t172;
				signed int _t174;
				signed int _t177;
				signed int _t179;
				int _t186;
				signed int _t188;
				intOrPtr* _t190;
				void* _t194;
				long _t195;
				signed int _t205;
				signed int _t210;
				signed int _t212;
				signed int _t219;
				void* _t228;
				signed int _t229;
				signed char _t231;
				signed char _t233;
				signed int _t240;
				intOrPtr* _t242;
				void* _t245;
				signed int _t247;
				signed int _t254;
				signed int _t257;
				signed int _t260;
				signed int _t262;
				long _t263;
				signed int _t266;
				void* _t277;
				intOrPtr* _t280;
				void* _t289;
				intOrPtr _t334;
				intOrPtr _t339;
				signed char _t345;
				void* _t350;
				signed int _t362;
				signed int _t367;
				void* _t376;
				void* _t382;
				signed int _t399;
				signed int _t400;
				void* _t403;
				intOrPtr _t405;
				signed int _t409;
				signed int _t411;
				signed char _t413;
				signed int _t420;
				void* _t421;
				intOrPtr _t422;
				signed long long _t431;

				_t431 = __fp0;
				_push(0xffffffff);
				_push(0x174490);
				_push( *[fs:0x0]);
				_t422 = _t421 - 0x38;
				_t166 =  *0x1c0454; // 0x885926af
				_push(_t166 ^ _t420);
				 *[fs:0x0] =  &_v16;
				_v20 = _t422;
				_t413 = _a4;
				E000549A0(_t413);
				_t288 = _t413 + 0x84;
				_t362 = _t413 + 0x6c;
				_t399 = _t413 + 8;
				if(E00069513(_t399,  *(_t413 + 8), _t362, _t413 + 0x7c, _t413 + 0x80, _t413 + 0x84) != 0) {
					_t289 = 0;
					_t400 = _t399 | 0xffffffff;
					L7:
					_t172 =  *(_t413 + 0xc);
					__eflags =  *((intOrPtr*)(_t172 - 0xc)) - _t289;
					if( *((intOrPtr*)(_t172 - 0xc)) == _t289) {
						L16:
						_v8 = _t400;
						_t174 =  *((intOrPtr*)( *((intOrPtr*)( *_t413))))(); // executed
						__eflags = _t174;
						if(_t174 == 0) {
							goto L4;
						} else {
							_t177 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 4))))(); // executed
							__eflags = _t177;
							if(_t177 == 0) {
								goto L4;
							} else {
								_t179 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 8))))(); // executed
								__eflags = _t179;
								if(_t179 == 0) {
									goto L4;
								} else {
									_v28 = _t289;
									_v40 = _t289;
									_a4 = _t289;
									__eflags =  *((intOrPtr*)(_t413 + 0x60)) - _t289;
									if( *((intOrPtr*)(_t413 + 0x60)) == _t289) {
										L22:
										__eflags =  *((intOrPtr*)(_t413 + 0x64)) - _t289;
										if( *((intOrPtr*)(_t413 + 0x64)) == _t289) {
											goto L25;
										} else {
											_t260 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0xc))))();
											__eflags = _t260;
											if(_t260 == 0) {
												goto L4;
											} else {
												_v40 = 1;
												while(1) {
													L25:
													 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x28))))( &_v24);
													_v8 = 3;
													_t367 = _v24;
													_t307 =  *(_t367 - 0xc);
													asm("sbb eax, eax");
													_t186 = HttpSendRequestW( *(_t413 + 0x78),  ~( *(_t367 - 0xc)) & _t367,  *(_t367 - 0xc), _t289, _t289); // executed
													__eflags = _t186 - _t289;
													if(_t186 == _t289) {
													}
													L26:
													_t409 = GetLastError();
													__eflags = _t409 - 0x2f0c;
													if(_t409 != 0x2f0c) {
														L69:
														_push(_t409);
														_push(0x6f);
														L70:
														_t369 =  *_t413;
														_t190 =  *((intOrPtr*)( *_t413 + 0x1c));
														L71:
														 *_t190();
														L72:
														_t309 =  &_v24;
														L73:
														E00051170(_t309, _t369);
														__eflags = 0;
														 *[fs:0x0] = _v16;
														return 0;
													} else {
														__eflags = _a4 - _t289;
														if(_a4 != _t289) {
															goto L69;
														} else {
															_t345 = _t413;
															__eflags =  *((intOrPtr*)(_t413 + 0x44)) - _t289;
															if( *((intOrPtr*)(_t413 + 0x44)) == _t289) {
																_t257 = E000552D0(_t345);
															} else {
																_t257 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x14))))();
															}
															__eflags = _t257;
															if(_t257 == 0) {
																goto L69;
															} else {
																_a4 = 1;
																_t400 = _t409 | 0xffffffff;
																__eflags = _t400;
																L32:
																_v8 = _t400;
																_t242 = _v24 + 0xfffffff0;
																asm("lock xadd [ecx], edx");
																__eflags = _t400 - 1;
																if(_t400 - 1 <= 0) {
																	 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t242)) + 4))))(_t242);
																}
																while(1) {
																	L25:
																	 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x28))))( &_v24);
																	_v8 = 3;
																	_t367 = _v24;
																	_t307 =  *(_t367 - 0xc);
																	asm("sbb eax, eax");
																	_t186 = HttpSendRequestW( *(_t413 + 0x78),  ~( *(_t367 - 0xc)) & _t367,  *(_t367 - 0xc), _t289, _t289); // executed
																	__eflags = _t186 - _t289;
																	if(_t186 == _t289) {
																	}
																	goto L35;
																}
																goto L26;
															}
														}
													}
													goto L93;
													L35:
													_t368 =  *(_t413 + 0x78);
													_v36 = _t289;
													_t188 = L00056080( &_v36, _t307,  *(_t413 + 0x78));
													__eflags = _t188;
													if(_t188 == 0) {
														_push(GetLastError());
														_push(0x70);
														goto L70;
													} else {
														_t194 = _v36;
														__eflags = _t194 - 0x197;
														if(_t194 == 0x197) {
															L38:
															_v60 = _t289;
															_v8 = 4;
															_t195 =  *(_t413 + 0x5c);
															__eflags = 0 - _t289;
															if(__eflags > 0) {
																L75:
																_t369 =  *_t413;
																 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x1c))))(0x6e, 0xe);
																E00150CB2(_t289);
																goto L72;
															} else {
																if(__eflags < 0) {
																	L41:
																	_t403 = E00151013(_t368, _t400, _t413, _t195);
																	_t422 = _t422 + 4;
																	_v60 = _t403;
																	__eflags = _t403 - _t289;
																	if(_t403 == _t289) {
																		goto L75;
																	} else {
																		_v48 = _t289;
																		do {
																			InternetReadFile( *(_t413 + 0x78), _t403,  *(_t413 + 0x5c),  &_v48);
																			__eflags = _v48 - _t289;
																		} while (_v48 != _t289);
																		_v8 = 3;
																		E00150CB2(_t403);
																		_t194 = _v36;
																		_t422 = _t422 + 4;
																		_t400 = _t403 | 0xffffffff;
																		__eflags = _t400;
																		goto L45;
																	}
																} else {
																	__eflags = _t195 - _t400;
																	if(_t195 > _t400) {
																		goto L75;
																	} else {
																		goto L41;
																	}
																}
															}
														} else {
															__eflags = _t194 - 0x191;
															if(_t194 != 0x191) {
																L45:
																__eflags = _t194 - 0x197;
																if(_t194 != 0x197) {
																	__eflags = _t194 - 0x191;
																	if(_t194 != 0x191) {
																		__eflags = _t194 - 0xc8;
																		if(_t194 == 0xc8) {
																			L63:
																			 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x38))))(0x6c);
																			_v44 = _t289;
																			_v40 = _t289;
																			_v56 = _t289;
																			_t205 = E00056090(_t289,  &_v44,  *(_t413 + 0x78));
																			__eflags = _t205;
																			if(_t205 != 0) {
																				_v56 = 1;
																				 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x40))))(_v44, _v40);
																			}
																			 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x38))))(0x74);
																			_v60 = GetTickCount();
																			_v32 = _t289;
																			_v28 = _t289;
																			_v8 = 5;
																			_t210 = E00056150( *(_t413 + 0x5c),  &_v28);
																			__eflags = _t210;
																			if(_t210 != 0) {
																				_t405 = 0;
																				__eflags = 0;
																				while(1) {
																					_t212 = InternetReadFile( *(_t413 + 0x78), _v28,  *(_t413 + 0x5c),  &_v32); // executed
																					__eflags = _t212;
																					if(_t212 == 0) {
																						break;
																					}
																					_t219 = _v32;
																					__eflags = _t219;
																					if(_t219 == 0) {
																						L88:
																						asm("adc ecx, [ebp-0x24]");
																						_t376 =  *_t413;
																						_t377 =  *((intOrPtr*)(_t376 + 0x44));
																						 *((intOrPtr*)( *((intOrPtr*)(_t376 + 0x44))))(_t405, 0, _v56,  *((intOrPtr*)(_t413 + 0x50)) + _v44,  *((intOrPtr*)(_t413 + 0x54))); // executed
																						__eflags = _v32;
																						if(_v32 == 0) {
																							L90:
																							E00150CB2(_v28);
																							E00051170( &_v24, _t377);
																							 *[fs:0x0] = _v16;
																							return 1;
																						} else {
																							_t228 =  *_t413;
																							_t377 =  *((intOrPtr*)(_t228 + 0x3c));
																							_t229 =  *((intOrPtr*)( *((intOrPtr*)(_t228 + 0x3c))))();
																							__eflags = _t229;
																							if(_t229 == 0) {
																								continue;
																							} else {
																								goto L90;
																							}
																						}
																					} else {
																						_t231 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x48))))(_v28, _t219); // executed
																						__eflags = _t231;
																						if(_t231 == 0) {
																							_t375 = _v28;
																							_push(_v28);
																							goto L68;
																						} else {
																							asm("fldz");
																							_t405 = _t405 + _v32;
																							asm("fcomp qword [esi+0x48]");
																							asm("adc ebx, 0x0");
																							_v72 = _t405;
																							_v68 = 0;
																							asm("fnstsw ax");
																							__eflags = _t231 & 0x00000005;
																							if((_t231 & 0x00000005) == 0) {
																								_t233 = GetTickCount() - _v60;
																								__eflags = _t233;
																								_a4 = _t233;
																								asm("fild dword [ebp+0x8]");
																								if(_t233 < 0) {
																									_t431 = _t431 +  *0x1a1b58;
																								}
																								asm("fild qword [ebp-0x44]");
																								_t431 = _t431 / st1;
																								asm("fcom qword [esi+0x48]");
																								asm("fnstsw ax");
																								__eflags = _t233 & 0x00000041;
																								if((_t233 & 0x00000041) != 0) {
																									st1 = _t431;
																									st0 = _t431;
																								} else {
																									asm("fnstcw word [ebp+0xa]");
																									_t431 = _t431 * st1 /  *(_t413 + 0x48);
																									_v48 = _a6 & 0x0000ffff | 0x00000c00;
																									asm("fsubrp st1, st0");
																									asm("fldcw word [ebp-0x2c]");
																									asm("fistp qword [ebp-0x30]");
																									asm("fldcw word [ebp+0xa]");
																									Sleep(_v52);
																								}
																							}
																							goto L88;
																						}
																					}
																					goto L93;
																				}
																				_push(GetLastError());
																				_push(0x72);
																				goto L67;
																			} else {
																				_push(0xe);
																				_push(0x6e);
																				L67:
																				_t375 =  *_t413;
																				 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x1c))))();
																				_push(_v28);
																				L68:
																				E00150CB2();
																				E00051170( &_v24, _t375);
																				__eflags = 0;
																				 *[fs:0x0] = _v16;
																				return 0;
																			}
																		} else {
																			__eflags = _t194 - 0xce;
																			if(_t194 != 0xce) {
																				_t369 =  *_t413;
																				_push(_t194);
																				_t190 =  *((intOrPtr*)( *_t413 + 0x20));
																				_push(0x71);
																				goto L71;
																			} else {
																				goto L63;
																			}
																		}
																	} else {
																		_t334 =  *((intOrPtr*)(_t413 + 0x1c));
																		__eflags =  *((intOrPtr*)(_t334 - 0xc)) - _t289;
																		if( *((intOrPtr*)(_t334 - 0xc)) == _t289) {
																			L57:
																			__eflags =  *((intOrPtr*)(_t413 + 0x40)) - _t289;
																			if( *((intOrPtr*)(_t413 + 0x40)) == _t289) {
																				_t369 =  *_t413;
																				_t190 =  *((intOrPtr*)( *_t413 + 0x20));
																				_push(0x191);
																				_push(0x71);
																				goto L71;
																			} else {
																				goto L58;
																			}
																		} else {
																			__eflags = _v40 - _t289;
																			if(_v40 != _t289) {
																				goto L57;
																			} else {
																				_t369 =  *_t413;
																				_t247 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0xc))))();
																				_t309 =  &_v24;
																				__eflags = _t247;
																				if(_t247 == 0) {
																					goto L73;
																				} else {
																					_v40 = 1;
																					_v8 = _t400;
																					E00051170( &_v24, _t369);
																					continue;
																				}
																			}
																		}
																	}
																} else {
																	_t339 =  *((intOrPtr*)(_t413 + 0x14));
																	__eflags =  *((intOrPtr*)(_t339 - 0xc)) - _t289;
																	if( *((intOrPtr*)(_t339 - 0xc)) == _t289) {
																		L50:
																		__eflags =  *((intOrPtr*)(_t413 + 0x3c)) - _t289;
																		if( *((intOrPtr*)(_t413 + 0x3c)) != _t289) {
																			L58:
																			_t382 =  *_t413;
																			_t369 =  *((intOrPtr*)(_t382 + 0x2c));
																			_v56 = _t289;
																			_t240 =  *((intOrPtr*)( *((intOrPtr*)(_t382 + 0x2c))))( &_v56);
																			__eflags = _t240;
																			if(_t240 != 0) {
																				goto L32;
																			} else {
																				_t245 = _v56;
																				__eflags = _t245 - _t289;
																				if(_t245 != _t289) {
																					_push(_t245);
																					_push(0x84);
																					goto L70;
																				}
																				goto L72;
																			}
																		} else {
																			 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x20))))(0x71, 0x197);
																			E00051170( &_v24,  *_t413);
																			__eflags = 0;
																			 *[fs:0x0] = _v16;
																			return 0;
																		}
																	} else {
																		__eflags = _v28 - _t289;
																		if(_v28 != _t289) {
																			goto L50;
																		} else {
																			_t369 =  *_t413;
																			_t254 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x10))))();
																			_t309 =  &_v24;
																			__eflags = _t254;
																			if(_t254 == 0) {
																				goto L73;
																			} else {
																				_v28 = 1;
																				_v8 = _t400;
																				E00051170( &_v24, _t369);
																				continue;
																			}
																		}
																	}
																}
															} else {
																goto L38;
															}
														}
													}
													goto L93;
												}
											}
										}
									} else {
										_t262 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x10))))();
										__eflags = _t262;
										if(_t262 == 0) {
											goto L4;
										} else {
											_v28 = 1;
											goto L22;
										}
									}
								}
							}
						}
					} else {
						_t263 = GetFileAttributesW(_t172); // executed
						_t263 - _t400 = (_t263 != _t400) - _t289;
						if(_t263 != _t400 == _t289) {
							L12:
							_t350 = 0x1021;
						} else {
							__eflags =  *((intOrPtr*)(_t413 + 0x54)) - _t289;
							if( *((intOrPtr*)(_t413 + 0x54)) > _t289) {
								L11:
								_t350 = 0x3021;
							} else {
								__eflags =  *((intOrPtr*)(_t413 + 0x50)) - _t289;
								if( *((intOrPtr*)(_t413 + 0x50)) <= _t289) {
									goto L12;
								} else {
									goto L11;
								}
							}
						}
						_t266 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t413 + 0x8c)) + 0x24))))( *(_t413 + 0xc), _t350, _t289); // executed
						__eflags = _t266;
						if(_t266 != 0) {
							_v8 = 1;
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t413 + 0x8c)) + 0x2c))))( *((intOrPtr*)(_t413 + 0x50)),  *((intOrPtr*)(_t413 + 0x54)), _t289); // executed
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t413 + 0x8c)) + 0x30))))( *((intOrPtr*)(_t413 + 0x50)),  *((intOrPtr*)(_t413 + 0x54))); // executed
							_t400 = _t400 | 0xffffffff;
							__eflags = _t400;
							goto L16;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x1c))))(0x83, GetLastError());
							__eflags = 0;
							 *[fs:0x0] = _v16;
							return 0;
						}
					}
				} else {
					_t277 = E00054060( &_v48, L"http://", _t399);
					_t422 = _t422 + 0xc;
					_v8 = 0;
					E00054260(_t399, _t277);
					_v8 = 0xffffffff;
					_t280 = _v48 + 0xfffffff0;
					asm("lock xadd [ecx], edx");
					if((_t362 | 0xffffffff) - 1 <= 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t280)) + 4))))(_t280);
					}
					_t411 =  *_t399;
					if(E00069513(_t411, _t411, _t413 + 0x6c, _t413 + 0x7c, _t413 + 0x80, _t288) != 0) {
						_t400 = _t411 | 0xffffffff;
						_t289 = 0;
						__eflags = 0;
						goto L7;
					} else {
						L4:
						 *[fs:0x0] = _v16;
						return 0;
					}
				}
				L93:
			}

0x000552f0
0x000552f3
0x000552f5
0x00055300
0x00055301
0x00055307
0x0005530e
0x00055312
0x00055318
0x0005531b
0x0005531e
0x00055326
0x00055338
0x0005533b
0x00055347
0x000553c2
0x000553c4
0x000553ce
0x000553ce
0x000553d1
0x000553d4
0x00055485
0x00055485
0x0005548e
0x00055490
0x00055492
0x00000000
0x00055498
0x0005549f
0x000554a1
0x000554a3
0x00000000
0x000554a9
0x000554b0
0x000554b2
0x000554b4
0x00000000
0x000554ba
0x000554ba
0x000554bd
0x000554c0
0x000554c3
0x000554c6
0x000554e0
0x000554e0
0x000554e3
0x00000000
0x000554e5
0x000554ec
0x000554ee
0x000554f0
0x00000000
0x000554f6
0x000554f6
0x000554fd
0x000554fd
0x00055508
0x0005550a
0x00055511
0x00055514
0x0005551d
0x00055527
0x0005552d
0x0005552f
0x0005552f
0x00055535
0x0005553b
0x0005553d
0x00055543
0x000557eb
0x000557eb
0x000557ec
0x000557ee
0x000557ee
0x000557f0
0x000557f3
0x000557f5
0x000557f7
0x000557f7
0x000557fa
0x000557fa
0x000557ff
0x00055804
0x00055812
0x00055549
0x00055549
0x0005554c
0x00000000
0x00055552
0x00055552
0x00055554
0x00055557
0x000555bf
0x00055559
0x0005555e
0x0005555e
0x00055560
0x00055562
0x00000000
0x00055568
0x00055568
0x0005556f
0x0005556f
0x00055572
0x00055572
0x00055578
0x00055580
0x00055585
0x00055587
0x00055595
0x00055595
0x000554fd
0x000554fd
0x00055508
0x0005550a
0x00055511
0x00055514
0x0005551d
0x00055527
0x0005552d
0x0005552f
0x0005552f
0x00000000
0x0005552f
0x00000000
0x000554fd
0x00055562
0x0005554c
0x00000000
0x000555c6
0x000555c6
0x000555cc
0x000555cf
0x000555d4
0x000555d6
0x0005581b
0x0005581c
0x00000000
0x000555dc
0x000555dc
0x000555df
0x000555e4
0x000555ed
0x000555ed
0x000555f2
0x000555f6
0x000555f9
0x000555fb
0x00055820
0x00055820
0x0005582b
0x0005582e
0x00000000
0x00055601
0x00055601
0x0005560b
0x00055611
0x00055613
0x00055616
0x00055619
0x0005561b
0x00000000
0x00055621
0x00055621
0x00055624
0x00055631
0x00055637
0x00055637
0x0005563d
0x00055641
0x00055646
0x00055649
0x0005564c
0x0005564c
0x00000000
0x0005564c
0x00055603
0x00055603
0x00055605
0x00000000
0x00000000
0x00000000
0x00000000
0x00055605
0x00055601
0x000555e6
0x000555e6
0x000555eb
0x0005564f
0x0005564f
0x00055654
0x000556be
0x000556c3
0x00055731
0x00055736
0x00055743
0x0005574c
0x00055755
0x00055758
0x0005575b
0x0005575e
0x00055766
0x00055768
0x00055779
0x00055780
0x00055780
0x0005578b
0x00055793
0x00055796
0x00055799
0x0005579f
0x000557a7
0x000557ac
0x000557ae
0x00055850
0x00055852
0x00055854
0x00055864
0x0005586a
0x0005586c
0x00000000
0x00000000
0x00055872
0x00055875
0x00055877
0x00055900
0x00055909
0x0005590c
0x0005590e
0x0005591b
0x0005591d
0x00055921
0x00055934
0x00055938
0x00055943
0x00055950
0x0005595e
0x00055923
0x00055923
0x00055925
0x0005592a
0x0005592c
0x0005592e
0x00000000
0x00000000
0x00000000
0x00000000
0x0005592e
0x0005587d
0x00055889
0x0005588b
0x0005588d
0x0005596f
0x00055972
0x00000000
0x00055893
0x00055893
0x00055895
0x00055898
0x0005589b
0x0005589e
0x000558a1
0x000558a4
0x000558a6
0x000558a9
0x000558b1
0x000558b1
0x000558b4
0x000558b7
0x000558ba
0x000558bc
0x000558bc
0x000558c2
0x000558c5
0x000558c7
0x000558ca
0x000558cc
0x000558cf
0x000558fc
0x000558fe
0x000558d1
0x000558d3
0x000558d6
0x000558e2
0x000558e5
0x000558e7
0x000558ea
0x000558f1
0x000558f4
0x000558f4
0x000558cf
0x00000000
0x000558a9
0x0005588d
0x00000000
0x00055877
0x00055967
0x00055968
0x00000000
0x000557b4
0x000557b4
0x000557b6
0x000557b8
0x000557b8
0x000557bf
0x000557c4
0x000557c5
0x000557c5
0x000557d0
0x000557d5
0x000557da
0x000557e8
0x000557e8
0x00055738
0x00055738
0x0005573d
0x00055846
0x00055848
0x00055849
0x0005584c
0x00000000
0x00000000
0x00000000
0x00000000
0x0005573d
0x000556c5
0x000556c5
0x000556c8
0x000556cb
0x000556fa
0x000556fa
0x000556fd
0x00055838
0x0005583a
0x0005583d
0x00055842
0x00000000
0x00000000
0x00000000
0x00000000
0x000556cd
0x000556cd
0x000556d0
0x00000000
0x000556d2
0x000556d2
0x000556d9
0x000556db
0x000556de
0x000556e0
0x00000000
0x000556e6
0x000556e6
0x000556ed
0x000556f0
0x00000000
0x000556f0
0x000556e0
0x000556d0
0x000556cb
0x00055656
0x00055656
0x00055659
0x0005565c
0x0005568b
0x0005568b
0x0005568e
0x00055703
0x00055703
0x00055705
0x0005570e
0x00055711
0x00055713
0x00055715
0x00000000
0x0005571b
0x0005571b
0x0005571e
0x00055720
0x00055726
0x00055727
0x00000000
0x00055727
0x00000000
0x00055720
0x00055690
0x0005569e
0x000556a3
0x000556a8
0x000556ad
0x000556bb
0x000556bb
0x0005565e
0x0005565e
0x00055661
0x00000000
0x00055663
0x00055663
0x0005566a
0x0005566c
0x0005566f
0x00055671
0x00000000
0x00055677
0x00055677
0x0005567e
0x00055681
0x00000000
0x00055681
0x00055671
0x00055661
0x0005565c
0x00000000
0x00000000
0x00000000
0x000555eb
0x000555e4
0x00000000
0x000555d6
0x000554fd
0x000554f0
0x000554c8
0x000554cf
0x000554d1
0x000554d3
0x00000000
0x000554d9
0x000554d9
0x00000000
0x000554d9
0x000554d3
0x000554c6
0x000554b4
0x000554a3
0x000553da
0x000553db
0x000553e8
0x000553ea
0x000553fd
0x000553fd
0x000553ec
0x000553ec
0x000553ef
0x000553f6
0x000553f6
0x000553f1
0x000553f1
0x000553f4
0x00000000
0x00000000
0x00000000
0x00000000
0x000553f4
0x000553ef
0x00055417
0x00055419
0x0005541b
0x00055448
0x00055467
0x00055480
0x00055482
0x00055482
0x00000000
0x0005541d
0x00055430
0x00055432
0x00055437
0x00055445
0x00055445
0x0005541b
0x00055349
0x00055353
0x00055358
0x0005535e
0x00055365
0x0005536a
0x00055374
0x0005537d
0x00055384
0x0005538e
0x0005538e
0x00055390
0x000553aa
0x000553c9
0x000553cc
0x000553cc
0x00000000
0x000553ac
0x000553ac
0x000553b1
0x000553bf
0x000553bf
0x000553aa
0x00000000

APIs

Part of subcall function 000549A0: InternetCloseHandle.WININET(?), ref: 000549C6
Part of subcall function 000549A0: InternetCloseHandle.WININET(?), ref: 000549D7
Part of subcall function 000549A0: InternetCloseHandle.WININET(?), ref: 000549E8

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,885926AF,00000000,?,?,?,?,?,?,?,00174490), ref: 000553DB
GetLastError.KERNEL32(?,?,?,?,?,?,00174490,000000FF,?,00054A90,?,885926AF), ref: 0005541D
HttpSendRequestW.WININET(?,?,?,00000000,00000000), ref: 00055527
GetLastError.KERNEL32(?,?,?,?,?,?,?,00174490,000000FF,?,00054A90,?,885926AF), ref: 00055535

Strings

http://, xrefs: 0005534D

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CloseHandleInternet$ErrorLast$AttributesFileHttpRequestSend
String ID: http://
API String ID: 2297146605-1121587658
Opcode ID: e0f10b00ae4d66c3a7b2acfe9b1408196502af157d084f59836769ff219928c7
Instruction ID: 047dfe3471752d1a710832a748dbc3c14e4dc7615672d26242c4c2b46058fba8
Opcode Fuzzy Hash: e0f10b00ae4d66c3a7b2acfe9b1408196502af157d084f59836769ff219928c7
Instruction Fuzzy Hash: 89226F71A00A05DFDB14DFA8C890AAFB7F5FF88312F108529E95697290DB35ED49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00064645 Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00064645(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed int _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E00151A4C(0x168a4c, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x80);
				 *(_t101 - 0x18) =  *(__ecx + 0x7c);
				_t54 = E0006B628(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x78);
				if( *(_t100 + 0x78) != 0) {
					_t96 =  *(E0006B628(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceW(_t96,  *(_t100 + 0x78), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E0006418A(_t84, _t100, __eflags);
					E0005F8E9(_t84, _t96, __eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = E0005C4D8();
								 *(_t101 - 0x24) = _t84;
								__eflags = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x14c))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E000635A9(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E000635C4(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E00061E0F(_t84, __eflags, _t100);
					_t58 = E0005F82E(_t84, _t86, _t94,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E00064481(_t84, _t100, _t94, _t96, _t100, __eflags); // executed
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x58) & 0x00000010;
						if(( *(_t100 + 0x58) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E0006342B(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E0005F2C7(_t100, _t94, _t98); // executed
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E00063614(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E000635C4(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E000641CC(_t84, _t100, _t94, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x78) - _t97;
					if( *(_t100 + 0x78) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x60);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E00151AF1(_t63);
				}
			}

0x00064645
0x00064645
0x00064645
0x0006464c
0x00064651
0x00064653
0x0006465c
0x00064662
0x00064665
0x0006466a
0x0006466d
0x0006466f
0x00064672
0x00064679
0x0006468a
0x00064690
0x00064690
0x00064696
0x0006469b
0x000646a1
0x000646a1
0x000646a7
0x000646b1
0x000646b8
0x000646bb
0x000646c0
0x000646c3
0x000646c6
0x000646c9
0x000646cc
0x000646d4
0x000646d7
0x000646e2
0x000646e4
0x000646eb
0x000646f1
0x000646fd
0x000646ff
0x00064702
0x00064704
0x00064708
0x00064710
0x00064712
0x00064714
0x0006471b
0x0006471d
0x00064721
0x00064723
0x00064728
0x00064728
0x0006471d
0x00064712
0x00064704
0x000646e4
0x000646d7
0x0006472f
0x00064734
0x0006473c
0x00064741
0x00064742
0x00064743
0x00064748
0x0006474d
0x0006474f
0x00064751
0x00064753
0x00064757
0x0006475b
0x0006475e
0x00064763
0x00064768
0x0006476c
0x0006476c
0x00064770
0x00064775
0x00064775
0x00064775
0x00064777
0x0006477a
0x00064788
0x00064788
0x0006477a
0x0006478d
0x000647b8
0x000647bb
0x000647c1
0x000647c1
0x000647c6
0x000647c9
0x000647d0
0x000647d0
0x000647d6
0x000647d9
0x000647e1
0x000647e4
0x000647e9
0x000647e9
0x000647e4
0x000647f3
0x000647f8
0x000647fd
0x00064800
0x00064805
0x00064805
0x0006480b
0x00000000
0x000646a9
0x000646a9
0x0006480e
0x00064813
0x00064813

APIs

__EH_prolog3_catch.LIBCMT ref: 0006464C
FindResourceW.KERNEL32(?,?,00000005,00000024,0005AEF3,ExamShield Version,000000C8,?,?,?,?,?,0000012C), ref: 00064682
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,0000012C), ref: 0006468A

Part of subcall function 0005F8E9: UnhookWindowsHookEx.USER32 ref: 0005F919

LockResource.KERNEL32(00174A94,00000024,0005AEF3,ExamShield Version,000000C8,?,?,?,?,?,0000012C), ref: 0006469B
GetDesktopWindow.USER32 ref: 000646CE
IsWindowEnabled.USER32(000000FF), ref: 000646DC
EnableWindow.USER32(000000FF,00000000), ref: 000646EB

Part of subcall function 000635A9: IsWindowEnabled.USER32(?), ref: 000635B2

Part of subcall function 000635C4: EnableWindow.USER32(?,?), ref: 000635D5

EnableWindow.USER32(000000FF,00000001), ref: 000647D0
GetActiveWindow.USER32 ref: 000647DB
SetActiveWindow.USER32(000000FF), ref: 000647E9
FreeResource.KERNEL32(00174A94,?,00000024,0005AEF3,ExamShield Version,000000C8,?,?,?,?,?,0000012C), ref: 00064805

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: af8d4e17bfa2d01292aeb3372ca5f031edbe807bc61fe021e85871f5b02fd64e
Instruction ID: a92069e2386e38fd5469bcdd6bf92e2517c7ec812baa4075008764673b1eda0b
Opcode Fuzzy Hash: af8d4e17bfa2d01292aeb3372ca5f031edbe807bc61fe021e85871f5b02fd64e
Instruction Fuzzy Hash: 8B517F30A04B05DFDF21AFA4C8896BEBAF3BF45702F240129F516B65E2CB744A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0006A7E8 Relevance: 12.1, APIs: 8, Instructions: 132
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0006A7E8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t45;
				long _t46;
				WCHAR* _t51;
				int _t56;
				void* _t58;
				int _t64;
				intOrPtr _t76;
				signed int _t90;
				void* _t93;
				WCHAR* _t95;
				long _t97;
				void* _t98;
				WCHAR* _t103;
				WCHAR* _t105;

				_t93 = __edx;
				_push(0x268);
				E00151A82(0x168d9f, __ebx, __edi, __esi);
				_t95 =  *(_t98 + 8);
				_t45 =  *(_t98 + 0xc);
				_t76 =  *((intOrPtr*)(_t98 + 0x10));
				_t103 = _t95;
				_t78 = 0 | _t103 != 0x00000000;
				 *(_t98 - 0x268) = _t45;
				if(_t103 != 0) {
					L2:
					_t105 = _t45;
					_t78 = 0 | _t105 != 0x00000000;
					if(_t105 != 0) {
						goto L1;
					}
					_t97 = 0x104;
					_t46 = GetFullPathNameW(_t45, 0x104, _t95, _t98 - 0x26c);
					if(_t46 != 0) {
						if(_t46 < 0x104) {
							E00051110(_t98 - 0x264, E00065761());
							 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
							E0006A618(_t76, _t95, _t98 - 0x264); // executed
							_t51 = PathIsUNCW( *(_t98 - 0x264));
							if(_t51 != 0) {
								L21:
								E00051190( &(( *(_t98 - 0x264))[0xfffffffffffffff8]), _t93);
								goto L22;
							}
							_t56 = GetVolumeInformationW( *(_t98 - 0x264), _t51, _t51, _t51, _t98 - 0x274, _t98 - 0x270, _t51, _t51); // executed
							if(_t56 != 0) {
								if(( *(_t98 - 0x270) & 0x00000002) == 0) {
									CharUpperW(_t95);
								}
								if(( *(_t98 - 0x270) & 0x00000004) != 0) {
									goto L21;
								} else {
									_t58 = FindFirstFileW( *(_t98 - 0x268), _t98 - 0x260);
									if(_t58 == 0xffffffff) {
										goto L21;
									}
									FindClose(_t58);
									if( *(_t98 - 0x26c) == 0 ||  *(_t98 - 0x26c) <= _t95) {
										goto L11;
									} else {
										_t64 = lstrlenW(_t98 - 0x234);
										_t90 =  *(_t98 - 0x26c) - _t95 >> 1;
										if(_t64 + _t90 >= _t97) {
											if(_t76 != 0) {
												 *((intOrPtr*)(_t76 + 8)) = 3;
												E00056590(_t95,  *(_t98 - 0x268));
											}
											L12:
											E00051190( &(( *(_t98 - 0x264))[0xfffffffffffffff8]), _t93);
											goto L5;
										}
										_push(E00150E8C( *(_t98 - 0x26c), _t97, _t98 - 0x234));
										E00053DF0();
										goto L21;
									}
								}
							}
							L11:
							E0006A7B9(_t95, _t76,  *(_t98 - 0x268));
							goto L12;
						}
						if(_t76 != 0) {
							 *((intOrPtr*)(_t76 + 8)) = 3;
							E00056590(_t95,  *(_t98 - 0x268));
						}
						goto L5;
					} else {
						_push(E00150EEF(_t95, 0x104,  *(_t98 - 0x268), 0xffffffff));
						E00053DF0();
						E0006A7B9(_t95, _t76,  *(_t98 - 0x268));
						L5:
						L22:
						return E00151B05(_t76, _t95, _t97);
					}
				}
				L1:
				_t45 = E000655E0(_t78);
				goto L2;
			}

0x0006a7e8
0x0006a7e8
0x0006a7f2
0x0006a7f7
0x0006a7fa
0x0006a7fd
0x0006a802
0x0006a804
0x0006a807
0x0006a80f
0x0006a816
0x0006a818
0x0006a81a
0x0006a81f
0x00000000
0x00000000
0x0006a829
0x0006a830
0x0006a838
0x0006a867
0x0006a890
0x0006a895
0x0006a8a1
0x0006a8ac
0x0006a8b4
0x0006a980
0x0006a989
0x00000000
0x0006a990
0x0006a8d3
0x0006a8db
0x0006a903
0x0006a906
0x0006a906
0x0006a913
0x00000000
0x0006a915
0x0006a922
0x0006a92b
0x00000000
0x00000000
0x0006a92e
0x0006a93b
0x00000000
0x0006a945
0x0006a94c
0x0006a95a
0x0006a960
0x0006a99b
0x0006a9aa
0x0006a9b1
0x0006a9b1
0x0006a8e9
0x0006a8f2
0x00000000
0x0006a8f2
0x0006a977
0x0006a978
0x00000000
0x0006a97d
0x0006a93b
0x0006a913
0x0006a8dd
0x0006a8e4
0x00000000
0x0006a8e4
0x0006a86b
0x0006a876
0x0006a87d
0x0006a87d
0x00000000
0x0006a83a
0x0006a849
0x0006a84a
0x0006a859
0x0006a85e
0x0006a991
0x0006a996
0x0006a996
0x0006a838
0x0006a811
0x0006a811
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 0006A7F2
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,0006A9CD,00000000,?,00000000,?,00068BC1,?,?,00000000), ref: 0006A830

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

PathIsUNCW.SHLWAPI(?), ref: 0006A8AC
GetVolumeInformationW.KERNEL32 ref: 0006A8D3
CharUpperW.USER32 ref: 0006A906
FindFirstFileW.KERNEL32(?,?), ref: 0006A922
FindClose.KERNEL32(00000000), ref: 0006A92E
lstrlenW.KERNEL32(?), ref: 0006A94C

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 3687868058-0
Opcode ID: b32c9fcbb021195d248b765d5f556585d1f2a24aa6fa188c258d011e192e5bbd
Instruction ID: dd7a6102130af453679fd82a2969cf5d8cca52c019f24ebe3bdb1b561818f049
Opcode Fuzzy Hash: b32c9fcbb021195d248b765d5f556585d1f2a24aa6fa188c258d011e192e5bbd
Instruction Fuzzy Hash: 84419371A04215AFDF25BB70CC49BBE7779AF12311F140698B819A2192DF315E85DF21

Uniqueness

Uniqueness Score: -1.00%

Function 0005F0CF Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 191
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0005F0CF(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagRECT _v76;
				char _v96;
				signed int _v100;
				intOrPtr _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t70;
				signed int _t72;
				struct tagMONITORINFO* _t73;
				void* _t99;
				struct HMONITOR__* _t103;
				void* _t108;
				struct HMONITOR__* _t109;
				signed int _t117;
				struct tagMONITORINFO* _t118;
				intOrPtr _t119;
				struct tagMONITORINFO* _t120;
				long _t121;
				long _t126;
				void* _t130;
				intOrPtr _t131;
				struct HWND__* _t132;
				void* _t134;
				struct tagMONITORINFO* _t136;
				struct tagMONITORINFO* _t140;
				signed int _t144;

				_t130 = __edx;
				_t70 =  *0x1c0454; // 0x885926af
				_v8 = _t70 ^ _t144;
				_t119 = _a4;
				_t131 = __ecx;
				_v104 = __ecx;
				_t72 = E0006342B(__ecx);
				_t136 = 0;
				_v100 = _t72;
				if(_t119 == 0) {
					if((_t72 & 0x40000000) == 0) {
						_t73 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t73 = GetParent( *(__ecx + 0x20));
					}
					_t120 = _t73;
					if(_t120 != _t136) {
						_t118 = SendMessageW(_t120, 0x36b, _t136, _t136);
						if(_t118 != _t136) {
							_t120 = _t118;
						}
					}
				} else {
					_t120 =  *(_t119 + 0x20);
				}
				_v56.left = _t136;
				_v56.top = _t136;
				_v56.right = _t136;
				_v56.bottom = _t136;
				GetWindowRect( *(_t131 + 0x20),  &_v56);
				_v24.left = _t136;
				_v24.top = _t136;
				_v24.right = _t136;
				_v24.bottom = _t136;
				_v40.left = _t136;
				_v40.top = _t136;
				_v40.right = _t136;
				_v40.bottom = _t136;
				if((_v100 & 0x40000000) != 0) {
					_t132 = GetParent( *(_t131 + 0x20));
					GetClientRect(_t132,  &_v24);
					GetClientRect(_t120,  &_v40);
					MapWindowPoints(_t120, _t132,  &_v40, 2);
				} else {
					if(_t120 != _t136) {
						_t117 = GetWindowLongW(_t120, 0xfffffff0);
						if((_t117 & 0x10000000) == 0 || (_t117 & 0x20000000) != 0) {
							_t120 = 0;
						}
					}
					_v96 = 0x28;
					if(_t120 != _t136) {
						GetWindowRect(_t120,  &_v40);
						_t103 =  &_v96;
						__imp__MonitorFromWindow(2, _t103);
						GetMonitorInfoW(_t103, _t120);
						CopyRect( &_v24,  &_v76);
					} else {
						_t108 = E0005C4D8();
						if(_t108 != _t136) {
							_t136 =  *(_t108 + 0x20);
						}
						_t109 =  &_v96;
						__imp__MonitorFromWindow(1, _t109);
						GetMonitorInfoW(_t109, _t136);
						CopyRect( &_v40,  &_v76);
						CopyRect( &_v24,  &_v76);
					}
				}
				_t121 = _v56.left;
				asm("cdq");
				_t134 = _v56.right - _t121;
				asm("cdq");
				_t126 = (_v40.right + _v40.left - _t130 >> 1) - (_t134 - _t130 >> 1);
				_t135 = _t134 + _t126;
				_v100 = _v56.bottom - _v56.top;
				asm("cdq");
				asm("cdq");
				_t140 = (_v40.top + _v40.bottom - _t130 >> 1) - (_v100 - _t130 >> 1);
				if(_t134 + _t126 > _v24.right) {
					_t126 = _t121;
				}
				if(_t126 < _v24.left) {
					_t126 = _v24.left;
				}
				if(_t140 + _v100 > _v24.bottom) {
					_t140 = _v56.top - _v56.bottom + _v24.bottom;
				}
				if(_t140 < _v24.top) {
					_t140 = _v24.top;
				}
				_t99 = E00063614(_v104, 0, _t126, _t140, 0xffffffff, 0xffffffff, 0x15); // executed
				return E00150836(_t99, _t121, _v8 ^ _t144, _t130, _t135, _t140);
			}

0x0005f0cf
0x0005f0d7
0x0005f0de
0x0005f0e2
0x0005f0e7
0x0005f0e9
0x0005f0ec
0x0005f0f1
0x0005f0f3
0x0005f0f8
0x0005f104
0x0005f116
0x0005f106
0x0005f109
0x0005f109
0x0005f11c
0x0005f120
0x0005f12a
0x0005f132
0x0005f134
0x0005f134
0x0005f132
0x0005f0fa
0x0005f0fa
0x0005f0fa
0x0005f13d
0x0005f140
0x0005f143
0x0005f146
0x0005f149
0x0005f156
0x0005f159
0x0005f15c
0x0005f15f
0x0005f162
0x0005f165
0x0005f168
0x0005f16b
0x0005f16e
0x0005f216
0x0005f21d
0x0005f224
0x0005f22e
0x0005f174
0x0005f176
0x0005f17b
0x0005f186
0x0005f18f
0x0005f18f
0x0005f186
0x0005f191
0x0005f19a
0x0005f1dd
0x0005f1e3
0x0005f1ea
0x0005f1f1
0x0005f1ff
0x0005f19c
0x0005f19c
0x0005f1a3
0x0005f1a5
0x0005f1a5
0x0005f1a8
0x0005f1af
0x0005f1b6
0x0005f1ca
0x0005f1d4
0x0005f1d4
0x0005f19a
0x0005f23d
0x0005f240
0x0005f245
0x0005f249
0x0005f250
0x0005f258
0x0005f25a
0x0005f263
0x0005f26b
0x0005f272
0x0005f277
0x0005f27f
0x0005f27f
0x0005f284
0x0005f286
0x0005f286
0x0005f291
0x0005f299
0x0005f299
0x0005f29f
0x0005f2a1
0x0005f2a1
0x0005f2b1
0x0005f2c4

APIs

Part of subcall function 0006342B: GetWindowLongW.USER32(?,000000F0), ref: 00063436

GetParent.USER32(?), ref: 0005F109
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 0005F12A
GetWindowRect.USER32(?,?), ref: 0005F149
GetWindowLongW.USER32(00000000,000000F0), ref: 0005F17B
MonitorFromWindow.USER32 ref: 0005F1AF
GetMonitorInfoW.USER32(00000000), ref: 0005F1B6
CopyRect.USER32(?,?), ref: 0005F1CA
CopyRect.USER32(?,?), ref: 0005F1D4
GetWindowRect.USER32(00000000,?), ref: 0005F1DD
MonitorFromWindow.USER32 ref: 0005F1EA
GetMonitorInfoW.USER32(00000000), ref: 0005F1F1
CopyRect.USER32(?,?), ref: 0005F1FF

Strings

(, xrefs: 0005F191

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
String ID: (
API String ID: 783970248-3887548279
Opcode ID: b4da67cfaea84f92790001ba801d7cdf8fc02b9792ceec661c6cd47ab744adde
Instruction ID: e0979759336e406cf5c1ef58e9b003690c54f2a1f7e1bdb3c7e71d91600aabbc
Opcode Fuzzy Hash: b4da67cfaea84f92790001ba801d7cdf8fc02b9792ceec661c6cd47ab744adde
Instruction Fuzzy Hash: A1613DB1D00219AFCB11DFA8DD889EEBBB9FF08711F140526E905F3291D774A984CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0005A210 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 259
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0005A210(signed int __ecx, void* __fp0, intOrPtr _a4, char _a8, intOrPtr _a12) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v2068;
				char _v4116;
				short _v6164;
				char _v8212;
				short _v10260;
				char _v10261;
				int _v10268;
				void* _v10272;
				int* _v10276;
				char _v10280;
				int _v10284;
				signed int _v10288;
				intOrPtr _v10292;
				intOrPtr _v10296;
				intOrPtr _v10300;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t83;
				signed int _t84;
				long _t87;
				long** _t89;
				intOrPtr _t90;
				long** _t98;
				void* _t112;
				char _t114;
				long _t116;
				intOrPtr* _t119;
				long _t125;
				long _t128;
				void**** _t130;
				void* _t135;
				void* _t144;
				void* _t150;
				void* _t158;
				signed int _t167;
				void** _t171;
				void* _t187;
				int _t188;
				void* _t191;
				long _t192;
				signed int _t195;
				intOrPtr _t196;
				void* _t206;

				_t206 = __fp0;
				_push(0xffffffff);
				_push(0x174ade);
				_push( *[fs:0x0]);
				E00153C00(0x282c);
				_t83 =  *0x1c0454; // 0x885926af
				_t84 = _t83 ^ _t195;
				_v20 = _t84;
				_push(_t84);
				 *[fs:0x0] =  &_v16;
				_v10292 = _a12;
				_v10288 = __ecx;
				_t171 =  &_v10276;
				_v8 = 0;
				_v10276 = 0;
				_v10272 = 0;
				_v10284 = 0xf003f;
				_v10268 = 0;
				_v10261 = 0;
				_t87 = RegOpenKeyExW(0x80000001, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019, _t171); // executed
				if(_t87 != 0) {
					L13:
					_v8 = 0xffffffff;
					_t89 = _a8 + 0xfffffff0;
					asm("lock xadd [ecx], edx");
					_t173 = (_t171 | 0xffffffff) - 1;
					__eflags = (_t171 | 0xffffffff) - 1;
					goto L14;
				} else {
					_t188 = 0;
					do {
						_v10268 = 0x800;
						_t192 = RegEnumKeyExW(_v10276, _t188,  &_v6164,  &_v10268, 0, 0, 0, 0);
						if(_t192 != 0) {
							goto L7;
						}
						wsprintfW( &_v10260, L"%s\\%s", L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",  &_v6164);
						_t196 = _t196 + 0x10;
						if(RegOpenKeyExW(0x80000001,  &_v10260, 0, 0x20019,  &_v10272) != 0) {
							RegCloseKey(_v10272);
							_t150 = _v10276;
							RegCloseKey(_t150);
							_v8 = 0xffffffff;
							_t89 = _a8 + 0xfffffff0;
							_t173 =  &(_t89[3]);
							asm("lock xadd [edx], ecx");
							__eflags = (_t150 | 0xffffffff) - 1;
							L14:
							if(__eflags <= 0) {
								_t173 =  *( *_t89);
								 *((intOrPtr*)( *((intOrPtr*)( *( *_t89) + 4))))(_t89);
							}
							_t90 = 0;
							L27:
							 *[fs:0x0] = _v16;
							_pop(_t187);
							_pop(_t191);
							_pop(_t135);
							return E00150836(_t90, _t135, _v20 ^ _t195, _t173, _t187, _t191);
						}
						_v10268 = 0x800;
						if(RegQueryValueExW(_v10272, L"DisplayName", 0,  &_v10284,  &_v8212,  &_v10268) != 0) {
							L6:
							RegCloseKey(_v10272);
							goto L7;
						}
						_t112 = E0005B790( &_v8212,  &_a8);
						_t196 = _t196 + 8;
						if(_t112 != 0) {
							E0005A810(_t206, _a4,  &_v10280);
							_v8 = 1;
							_t114 = _v10280;
							__eflags =  *(_t114 - 0xc);
							if( *(_t114 - 0xc) != 0) {
								_t157 = _v10272;
								_v10268 = 0x800;
								_t116 = RegQueryValueExW(_v10272, L"DisplayVersion", 0,  &_v10284,  &_v4116,  &_v10268);
								__eflags = _t116;
								if(_t116 == 0) {
									_v10300 = _t196;
									E00056620(0,  &_v4116);
									_v10296 = _t196;
									_v8 = 2;
									E00053FD0(_t196,  &_v10280);
									_v8 = 1;
									_t125 = E0005A6E0(0, _t196, 0x800, RegQueryValueExW, __eflags, _t196, _t157);
									__eflags = _t125;
									if(_t125 != 0) {
										 *_v10288 = 1;
									} else {
										_v10268 = 0x800;
										_t128 = RegQueryValueExW(_v10272, L"InstallLocation", 0,  &_v10284,  &_v2068,  &_v10268);
										__eflags = _t128;
										if(_t128 == 0) {
											E000565D0(_v10292, RegQueryValueExW,  &_v2068);
											_v10261 = 1;
										}
									}
								}
								_t158 = _v10272;
								RegCloseKey(_t158);
								_v8 = 0;
								_t119 = _v10280 + 0xfffffff0;
								asm("lock xadd [edx], ecx");
								__eflags = (_t158 | 0xffffffff) - 1;
								if((_t158 | 0xffffffff) - 1 <= 0) {
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t119)) + 4))))(_t119);
								}
								break;
							}
							_t167 = _v10288;
							_t130 = _t114 + 0xfffffff0;
							 *_t167 = 1;
							_v8 = 0;
							_t171 =  &(_t130[3]);
							asm("lock xadd [edx], ecx");
							__eflags = (_t167 | 0xffffffff) - 1;
							if((_t167 | 0xffffffff) - 1 <= 0) {
								_t171 =  *( *_t130);
								 *(_t171[1])(_t130);
							}
							goto L13;
						}
						goto L6;
						L7:
						_t188 = _t188 + 1;
					} while (_t192 == 0);
					_t144 = _v10276;
					RegCloseKey(_t144);
					_v8 = 0xffffffff;
					_t98 = _a8 + 0xfffffff0;
					_t173 =  &(_t98[3]);
					asm("lock xadd [edx], ecx");
					if((_t144 | 0xffffffff) - 1 <= 0) {
						_t173 =  *( *_t98);
						 *((intOrPtr*)( *((intOrPtr*)( *( *_t98) + 4))))(_t98);
					}
					_t90 = _v10261;
					goto L27;
				}
			}

0x0005a210
0x0005a213
0x0005a215
0x0005a220
0x0005a226
0x0005a22b
0x0005a230
0x0005a232
0x0005a238
0x0005a23c
0x0005a245
0x0005a24b
0x0005a253
0x0005a260
0x0005a26d
0x0005a273
0x0005a279
0x0005a283
0x0005a289
0x0005a28f
0x0005a297
0x0005a3fe
0x0005a3fe
0x0005a408
0x0005a411
0x0005a415
0x0005a416
0x00000000
0x0005a29d
0x0005a29d
0x0005a2a0
0x0005a2ba
0x0005a2ca
0x0005a2ce
0x00000000
0x00000000
0x0005a2ec
0x0005a2f2
0x0005a316
0x0005a38d
0x0005a38f
0x0005a396
0x0005a398
0x0005a3a2
0x0005a3a5
0x0005a3ab
0x0005a3b0
0x0005a418
0x0005a418
0x0005a41c
0x0005a422
0x0005a422
0x0005a424
0x0005a563
0x0005a566
0x0005a56e
0x0005a56f
0x0005a570
0x0005a57e
0x0005a57e
0x0005a33a
0x0005a34c
0x0005a365
0x0005a36c
0x00000000
0x0005a36c
0x0005a359
0x0005a35e
0x0005a363
0x0005a3bf
0x0005a3c4
0x0005a3c8
0x0005a3ce
0x0005a3d1
0x0005a438
0x0005a458
0x0005a45e
0x0005a460
0x0005a462
0x0005a471
0x0005a478
0x0005a484
0x0005a48d
0x0005a491
0x0005a496
0x0005a49a
0x0005a49f
0x0005a4a1
0x0005a4f2
0x0005a4a3
0x0005a4c5
0x0005a4cb
0x0005a4cd
0x0005a4cf
0x0005a4de
0x0005a4e3
0x0005a4e3
0x0005a4cf
0x0005a4a1
0x0005a4f8
0x0005a4ff
0x0005a505
0x0005a50e
0x0005a517
0x0005a51c
0x0005a51e
0x0005a528
0x0005a528
0x00000000
0x0005a51e
0x0005a3d3
0x0005a3d9
0x0005a3dc
0x0005a3e2
0x0005a3e5
0x0005a3eb
0x0005a3f0
0x0005a3f2
0x0005a3f6
0x0005a3fc
0x0005a3fc
0x00000000
0x0005a3f2
0x00000000
0x0005a372
0x0005a372
0x0005a373
0x0005a52a
0x0005a531
0x0005a537
0x0005a541
0x0005a544
0x0005a54a
0x0005a551
0x0005a555
0x0005a55b
0x0005a55b
0x0005a55d
0x00000000
0x0005a55d

APIs

RegOpenKeyExW.KERNEL32 ref: 0005A28F
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0005A2C4
wsprintfW.USER32 ref: 0005A2EC
RegOpenKeyExW.ADVAPI32 ref: 0005A30E
RegQueryValueExW.ADVAPI32 ref: 0005A344
RegCloseKey.ADVAPI32(?), ref: 0005A36C
RegCloseKey.ADVAPI32(?), ref: 0005A38D
RegCloseKey.ADVAPI32(?), ref: 0005A396
RegQueryValueExW.ADVAPI32(?,DisplayVersion,00000000,?,?,?), ref: 0005A45E
RegQueryValueExW.ADVAPI32(?,InstallLocation,00000000,?,?,?), ref: 0005A4CB
RegCloseKey.ADVAPI32(?), ref: 0005A4FF
RegCloseKey.ADVAPI32(?), ref: 0005A531

Strings

DisplayVersion, xrefs: 0005A44D
DisplayName, xrefs: 0005A334
%s\%s, xrefs: 0005A2E6
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0005A263, 0005A2DB
InstallLocation, xrefs: 0005A4BF

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Close$QueryValue$Open$Enumwsprintf
String ID: %s\%s$DisplayName$DisplayVersion$InstallLocation$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 1752170364-2283258325
Opcode ID: 013b56a75b42e78d471b0fba5ec82bdf101528fc25dcd91b367e214a11d3a9b4
Instruction ID: adf44ad61419b354725e03014a9e5095c6ef8724cb696729ff30602d159927a6
Opcode Fuzzy Hash: 013b56a75b42e78d471b0fba5ec82bdf101528fc25dcd91b367e214a11d3a9b4
Instruction Fuzzy Hash: 3DA17275A012189FDB25CF58CC89EAAB7F8FF49324F04C299E41997281DB705E89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00069F68 Relevance: 21.1, APIs: 14, Instructions: 99
synchronizationthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00069F68(intOrPtr __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				void* _v12;
				void* _v16;
				signed int _v24;
				intOrPtr _v28;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t43;
				void* _t59;
				void* _t60;
				intOrPtr _t64;

				_t59 = __edx;
				_t64 = __ecx;
				_t69 =  *((intOrPtr*)(__ecx + 0x2c));
				if( *((intOrPtr*)(__ecx + 0x2c)) != 0) {
					E000655E0(__ecx);
				}
				E00151B30( &_v32, 0, 0x1c);
				_v32 = E0006B059(0, _t60, _t64, _t69);
				_v28 = _t64;
				_v16 = CreateEventW(0, 1, 0, 0);
				_v12 = CreateEventW(0, 1, 0, 0);
				_t37 = _a4;
				_v24 = _a4;
				if(_v16 == 0) {
					L12:
					__eflags = _v12;
					if(_v12 == 0) {
						goto L14;
					}
					goto L13;
				} else {
					if(_v12 == 0) {
						CloseHandle(_v16);
						goto L12;
					}
					_t11 = _t64 + 0x30; // 0x30
					_t43 = E00153D34(_t59, _a12, _a8, 0x69e37,  &_v32, _t37 | 0x00000004, _t11); // executed
					 *(_t64 + 0x2c) = _t43;
					if(_t43 != 0) {
						ResumeThread(_t43); // executed
						WaitForSingleObject(_v16, 0xffffffff);
						CloseHandle(_v16); // executed
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							SuspendThread( *(_t64 + 0x2c)); // executed
						}
						__eflags = _v8;
						if(_v8 == 0) {
							SetEvent(_v12);
							return 1;
						} else {
							WaitForSingleObject( *(_t64 + 0x2c), 0xffffffff);
							CloseHandle( *(_t64 + 0x2c));
							 *(_t64 + 0x2c) = 0;
							L13:
							CloseHandle(_v12);
							L14:
							return 0;
						}
					}
					CloseHandle(_v16);
					CloseHandle(_v12);
					goto L14;
				}
			}

0x00069f68
0x00069f72
0x00069f77
0x00069f7a
0x00069f7c
0x00069f7c
0x00069f88
0x00069fa0
0x00069fa3
0x00069fad
0x00069fb8
0x00069fbb
0x00069fbe
0x00069fc4
0x0006a060
0x0006a060
0x0006a063
0x00000000
0x00000000
0x00000000
0x00069fca
0x00069fcd
0x0006a05e
0x00000000
0x0006a05e
0x00069fd3
0x00069fea
0x00069ff2
0x00069ff7
0x0006a008
0x0006a013
0x0006a022
0x0006a024
0x0006a028
0x0006a02d
0x0006a02d
0x0006a033
0x0006a036
0x0006a050
0x00000000
0x0006a038
0x0006a03d
0x0006a046
0x0006a048
0x0006a065
0x0006a068
0x0006a06a
0x00000000
0x0006a06a
0x0006a036
0x00069ffe
0x0006a003
0x00000000
0x0006a003

APIs

_memset.LIBCMT ref: 00069F88
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000004,00000000,?,?,00000066,?,?), ref: 00069FA6
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00069FB0
CloseHandle.KERNEL32(?), ref: 00069FFE
CloseHandle.KERNEL32(?), ref: 0006A003

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

ResumeThread.KERNEL32(00000000), ref: 0006A008
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0006A013
CloseHandle.KERNEL32(?), ref: 0006A022
SuspendThread.KERNEL32(?), ref: 0006A02D
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0006A03D
CloseHandle.KERNEL32(?), ref: 0006A046
SetEvent.KERNEL32(00000004), ref: 0006A050
CloseHandle.KERNEL32(?), ref: 0006A068

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CloseHandle$Event$CreateObjectSingleThreadWait$Exception@8ResumeSuspendThrow_memset
String ID:
API String ID: 1858493391-0
Opcode ID: 02a825d80e500b163cc332d9b8954e59e732d404595c3a7e2d21faf1bd3e4211
Instruction ID: 1698e21dda39614d5b5aa2363841a62079f74d2d1e8afbd20bbc0945b4d1ef7e
Opcode Fuzzy Hash: 02a825d80e500b163cc332d9b8954e59e732d404595c3a7e2d21faf1bd3e4211
Instruction Fuzzy Hash: 8E315A72D04208FFDF21AFA0DC849AEBBBAFF08354F108569F516B25A0D7315A919F51

Uniqueness

Uniqueness Score: -1.00%

Function 00052EB0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00052EB0(signed int __ecx, char* __edx, intOrPtr _a8, WCHAR* _a12, int _a16) {
				signed char _v8;
				char _v16;
				signed int _v20;
				char _v276;
				signed int _v280;
				char _v536;
				signed int _v540;
				char _v796;
				int* _v800;
				char _v1056;
				int* _v1060;
				char _v1316;
				signed int _v1320;
				char _v1576;
				int _v1580;
				char _v1836;
				int _v1840;
				char _v2096;
				int _v2100;
				char _v2356;
				int _v2360;
				char _v2616;
				int _v2620;
				signed char _v2624;
				signed int _v2628;
				signed int __ebx;
				void* __edi;
				WCHAR* __esi;
				signed int _t155;
				signed int _t156;
				void* _t174;
				void* _t196;
				WCHAR* _t198;
				void* _t199;
				signed int _t200;
				void* _t201;
				void* _t202;

				_t193 = __edx;
				_push(0xffffffff);
				_push(0x173f53);
				_push( *[fs:0x0]);
				_t202 = _t201 - 0xa34;
				_t155 =  *0x1c0454; // 0x885926af
				_t156 = _t155 ^ _t200;
				_v20 = _t156;
				_push(_t156);
				 *[fs:0x0] =  &_v16;
				_t198 = _a12;
				_t159 = _a8 + 0xfffffff6;
				_v2628 = __ecx;
				_v2624 = 0;
				if(_t159 > 0x64) {
					L67:
					 *[fs:0x0] = _v16;
					_pop(_t196);
					_pop(_t199);
					_pop(_t174);
					return E00150836(_t159, _t174, _v20 ^ _t200, _t193, _t196, _t199);
				}
				switch( *((intOrPtr*)(( *(_t159 + 0x53468) & 0x000000ff) * 4 +  &M00053450))) {
					case 0:
						if(IsTextUnicode(_t198, _a16, 0) == 0) {
							goto L9;
						}
						_t193 =  &_v796;
						_v800 =  &_v796;
						if(_t198 != 0) {
							_t177 = lstrlenW(_t198) + 1;
							_t190 =  &_v800;
							E00053D60(lstrlenW(_t198) + 1,  &_v800,  &_v796,  &_v800, _t177,  &_v796, 0x80);
							_t193 = _v800;
							_t168 = E00150B32(_v800, _t177 + _t177, _t198, _t177 + _t177);
							_t202 = _t202 + 0x20;
							if(_t168 > 0x50) {
								goto L21;
							}
							switch( *((intOrPtr*)(( *(_t168 + 0x534e0) & 0x000000ff) * 4 +  &M000534D0))) {
								case 0:
									goto L5;
								case 1:
									goto L8;
								case 2:
									goto L21;
							}
						} else {
							_v800 = 0;
							L5:
							_v8 = 0;
							_t164 = _v800;
							_t176 = 1;
							goto L10;
						}
					case 1:
						__edx = _a16;
						__eax = IsTextUnicode(__esi, _a16, 0);
						if(__eax == 0) {
							goto L22;
						}
						__eax =  &_v1056;
						_v1060 =  &_v1056;
						if(__esi != 0) {
							__eax = lstrlenW(__esi);
							__ecx =  &_v1056;
							__ebx = __eax + 1;
							__edx =  &_v1060;
							E00053D60(__ebx,  &_v1056,  &_v1060,  &_v1060, __ebx,  &_v1056, 0x80) = __ebx + __ebx;
							__eax = _v1060;
							__eax = E00150B32(_v1060, _v1060, __esi, _v1060);
							if(__eax > 0x50) {
								goto L21;
							}
							__ecx =  *(__eax + 0x53544) & 0x000000ff;
							switch( *((intOrPtr*)(__ecx * 4 +  &M00053534))) {
								case 0:
									L18:
									_v8 = 2;
									__eax = _v1060;
									__ebx = 4;
									goto L23;
								case 1:
									goto L8;
								case 2:
									goto L21;
							}
						}
						_v1060 = 0;
						goto L18;
					case 2:
						__eax = _a16;
						if(IsTextUnicode(__esi, _a16, 0) == 0) {
							__eax =  &_v2616;
							__ebx =  &_v2620;
							_v2620 = __eax;
							__eax = E00053B50(__eax,  &_v2620, __ecx, __esi, 3);
							_v8 = 5;
							__eax = _v2620;
							__ebx = 0x20;
							L35:
							__ecx = _v2628;
							_v2624 = __ebx;
							__eax = E00055CC0(__ebx, __edi, 0x6a, __eax);
							if((__bl & 0x00000020) != 0) {
								__eax = _v2620;
								__ecx =  &_v2616;
								__ebx = __ebx & 0xffffffdf;
								if(__eax != __ecx) {
									__eax = E00150CB2(__eax);
								}
							}
							if((__bl & 0x00000010) == 0) {
								goto L67;
							} else {
								__eax = _v1320;
								__edx =  &_v1316;
								goto L64;
							}
						}
						__ecx =  &_v1316;
						_v1320 = __ecx;
						if(__esi != 0) {
							__eax = lstrlenW(__esi);
							__edx =  &_v1316;
							__ebx = __eax + 1;
							 &_v1320 = E00053D60(__ebx, __ecx,  &_v1316,  &_v1320, __ebx,  &_v1316, 0x80);
							__ecx = _v1320;
							__eax = __ebx + __ebx;
							__eax = E00150B32(_v1320, __ebx + __ebx, __esi, __ebx + __ebx);
							if(__eax > 0x50) {
								goto L21;
							}
							__edx =  *(__eax + 0x535a8) & 0x000000ff;
							switch( *((intOrPtr*)(( *(__eax + 0x535a8) & 0x000000ff) * 4 +  &M00053598))) {
								case 0:
									L31:
									_v8 = 4;
									__eax = _v1320;
									__ebx = 0x10;
									goto L35;
								case 1:
									goto L8;
								case 2:
									goto L21;
							}
						}
						_v1320 = 0;
						goto L31;
					case 3:
						__eax = _a16;
						if(IsTextUnicode(__esi, _a16, 0) == 0) {
							__eax =  &_v2356;
							__ebx =  &_v2360;
							_v2360 = __eax;
							__eax = E00053B50(__eax,  &_v2360, __ecx, __esi, 3);
							_v8 = 7;
							__eax = _v2360;
							__ebx = 0x80;
							L47:
							__ecx = _v2628;
							_v2624 = __ebx;
							__eax = E00055CC0(__ebx, __edi, 0x67, __eax);
							if(__bl < 0) {
								__eax = _v2360;
								__ecx =  &_v2356;
								__ebx = __ebx & 0xffffff7f;
								if(__eax != __ecx) {
									__eax = E00150CB2(__eax);
								}
							}
							if((__bl & 0x00000040) == 0) {
								goto L67;
							} else {
								__eax = _v280;
								__edx =  &_v276;
								goto L64;
							}
						}
						__ecx =  &_v276;
						_v280 = __ecx;
						if(__esi != 0) {
							__eax = lstrlenW(__esi);
							__edx =  &_v276;
							__ebx = __eax + 1;
							 &_v280 = E00053D60(__ebx, __ecx,  &_v276,  &_v280, __ebx,  &_v276, 0x80);
							__ecx = _v280;
							__eax = __ebx + __ebx;
							__eax = E00150B32(_v280, __ebx + __ebx, __esi, __ebx + __ebx);
							if(__eax > 0x50) {
								goto L21;
							}
							__edx =  *(__eax + 0x5360c) & 0x000000ff;
							switch( *((intOrPtr*)(( *(__eax + 0x5360c) & 0x000000ff) * 4 +  &M000535FC))) {
								case 0:
									L43:
									_v8 = 6;
									__eax = _v280;
									__ebx = 0x40;
									goto L47;
								case 1:
									goto L8;
								case 2:
									goto L21;
							}
						}
						_v280 = 0;
						goto L43;
					case 4:
						__eax = _a16;
						if(IsTextUnicode(__esi, _a16, 0) == 0) {
							__eax =  &_v1576;
							__ebx =  &_v1580;
							_v1580 = __eax;
							__eax = E00053B50(__eax, __ebx, __ecx, __esi, 3);
							_v8 = 9;
							__eax = _v1580;
							__esi = 0x200;
							L59:
							__ecx = _v2628;
							_v2624 = __esi;
							__eax = E00055CC0(__ebx, __edi, 0x6b, __eax);
							if((__esi & 0x00000200) != 0) {
								__eax = _v1580;
								__ecx =  &_v1576;
								__esi = __esi & 0xfffffdff;
								if(__eax != __ecx) {
									__eax = E00150CB2(__eax);
								}
							}
							if((__esi & 0x00000100) != 0) {
								__eax = _v540;
								__edx =  &_v536;
								L64:
								L65:
								if(_t210 != 0) {
									_t159 = E00150CB2(_t159);
								}
							}
							goto L67;
						}
						__ecx =  &_v536;
						_v540 = __ecx;
						if(__esi != 0) {
							__eax = lstrlenW(__esi);
							__edx =  &_v536;
							__ebx = __eax + 1;
							 &_v540 = E00053D60(__ebx, __ecx,  &_v536,  &_v540, __ebx,  &_v536, 0x80);
							__ecx = _v540;
							__eax = __ebx + __ebx;
							__eax = E00150B32(_v540, __ebx + __ebx, __esi, __ebx + __ebx);
							if(__eax > 0x50) {
								L21:
								_t169 = E000655E0(_t190);
								L22:
								_t193 =  &_v1836;
								_v1840 =  &_v1836;
								E00053B50(_t169,  &_v1840, _t190, _t198, 3);
								_v8 = 3;
								_t171 = _v1840;
								_t180 = 8;
								L23:
								_v2624 = _t180;
								_t159 = E00055CC0(_t180, 0, 0x69, _t171);
								if((_t180 & 0x00000008) != 0) {
									_t159 = _v1840;
									_t180 = _t180 & 0xfffffff7;
									if(_v1840 !=  &_v1836) {
										_t159 = E00150CB2(_t159);
										_t202 = _t202 + 4;
									}
								}
								if((_t180 & 0x00000004) == 0) {
									goto L67;
								} else {
									_t159 = _v1060;
									_t193 =  &_v1056;
									goto L64;
								}
							}
							__edx =  *(__eax + 0x53670) & 0x000000ff;
							switch( *((intOrPtr*)(( *(__eax + 0x53670) & 0x000000ff) * 4 +  &M00053660))) {
								case 0:
									L55:
									_v8 = 8;
									__eax = _v540;
									__esi = 0x100;
									goto L59;
								case 1:
									L8:
									_t162 = E000655A8(_t190);
									L9:
									_v2100 =  &_v2096;
									E00053B50(_t162,  &_v2100,  &_v2096, _t198, 3);
									_v8 = 1;
									_t164 = _v2100;
									_t176 = 2;
									L10:
									_v2624 = _t176;
									_t159 = E00055CC0(_t176, 0, 0x68, _t164); // executed
									if((_t176 & 0x00000002) != 0) {
										_t159 = _v2100;
										_t193 =  &_v2096;
										_t176 = _t176 & 0xfffffffd;
										if(_v2100 !=  &_v2096) {
											_t159 = E00150CB2(_t159);
											_t202 = _t202 + 4;
										}
									}
									if((_t176 & 0x00000001) == 0) {
										goto L67;
									} else {
										_t159 = _v800;
										_t210 = _v800 -  &_v796;
										goto L65;
									}
								case 2:
									goto L21;
							}
						}
						_v540 = 0;
						goto L55;
					case 5:
						goto L67;
				}
			}

0x00052eb0
0x00052eb3
0x00052eb5
0x00052ec0
0x00052ec1
0x00052ec7
0x00052ecc
0x00052ece
0x00052ed4
0x00052ed8
0x00052ee1
0x00052ee6
0x00052ee9
0x00052eef
0x00052ef8
0x00053432
0x00053435
0x0005343d
0x0005343e
0x0005343f
0x0005344d
0x0005344d
0x00052f05
0x00000000
0x00052f1a
0x00000000
0x00000000
0x00052f1c
0x00052f22
0x00052f2a
0x00052f49
0x00052f58
0x00052f60
0x00052f65
0x00052f71
0x00052f76
0x00052f7c
0x00000000
0x00000000
0x00052f89
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00052f2c
0x00052f2c
0x00052f32
0x00052f32
0x00052f35
0x00052f3b
0x00000000
0x00052f3b
0x00000000
0x00053012
0x00053018
0x00053020
0x00000000
0x00000000
0x00053022
0x00053028
0x00053030
0x0005304d
0x00053058
0x0005305f
0x00053062
0x0005306f
0x00053075
0x0005307c
0x00053087
0x00000000
0x00000000
0x00053089
0x00053090
0x00000000
0x00053038
0x00053038
0x0005303f
0x00053045
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00053090
0x00053032
0x00000000
0x00000000
0x00053117
0x00053125
0x000531a2
0x000531a9
0x000531af
0x000531b5
0x000531ba
0x000531c1
0x000531c7
0x000531cc
0x000531cc
0x000531d5
0x000531db
0x000531e3
0x000531e5
0x000531eb
0x000531f1
0x000531f6
0x000531f9
0x000531fe
0x000531f6
0x00053204
0x00000000
0x0005320a
0x0005320a
0x00053210
0x00000000
0x00053210
0x00053204
0x00053127
0x0005312d
0x00053135
0x00053152
0x0005315d
0x00053163
0x0005316f
0x00053174
0x0005317a
0x00053181
0x0005318c
0x00000000
0x00000000
0x00053192
0x00053199
0x00000000
0x0005313d
0x0005313d
0x00053144
0x0005314a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00053199
0x00053137
0x00000000
0x00000000
0x0005321b
0x00053229
0x000532a6
0x000532ad
0x000532b3
0x000532b9
0x000532be
0x000532c5
0x000532cb
0x000532d0
0x000532d0
0x000532d9
0x000532df
0x000532e6
0x000532e8
0x000532ee
0x000532f4
0x000532fc
0x000532ff
0x00053304
0x000532fc
0x0005330a
0x00000000
0x00053310
0x00053310
0x00053316
0x00000000
0x00053316
0x0005330a
0x0005322b
0x00053231
0x00053239
0x00053256
0x00053261
0x00053267
0x00053273
0x00053278
0x0005327e
0x00053285
0x00053290
0x00000000
0x00000000
0x00053296
0x0005329d
0x00000000
0x00053241
0x00053241
0x00053248
0x0005324e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0005329d
0x0005323b
0x00000000
0x00000000
0x00053321
0x0005332f
0x000533ac
0x000533b3
0x000533b9
0x000533bf
0x000533c4
0x000533cb
0x000533d1
0x000533d6
0x000533d6
0x000533df
0x000533e5
0x000533f0
0x000533f2
0x000533f8
0x000533fe
0x00053406
0x00053409
0x0005340e
0x00053406
0x00053417
0x00053419
0x0005341f
0x00053425
0x00053427
0x00053427
0x0005342a
0x0005342f
0x00053427
0x00000000
0x00053417
0x00053331
0x00053337
0x0005333f
0x0005335c
0x00053367
0x0005336d
0x00053379
0x0005337e
0x00053384
0x0005338b
0x00053396
0x00053097
0x00053097
0x0005309c
0x0005309e
0x000530ab
0x000530b1
0x000530b6
0x000530bd
0x000530c3
0x000530c8
0x000530d1
0x000530d7
0x000530df
0x000530e1
0x000530ed
0x000530f2
0x000530f5
0x000530fa
0x000530fa
0x000530f2
0x00053100
0x00000000
0x00053106
0x00053106
0x0005310c
0x00000000
0x0005310c
0x00053100
0x0005339c
0x000533a3
0x00000000
0x00053347
0x00053347
0x0005334e
0x00053354
0x00000000
0x00000000
0x00052f90
0x00052f90
0x00052f95
0x00052fa4
0x00052faa
0x00052faf
0x00052fb6
0x00052fbc
0x00052fc1
0x00052fca
0x00052fd0
0x00052fd8
0x00052fda
0x00052fe0
0x00052fe6
0x00052feb
0x00052fee
0x00052ff3
0x00052ff3
0x00052feb
0x00052ff9
0x00000000
0x00052fff
0x00052fff
0x0005300b
0x00000000
0x0005300b
0x00000000
0x00000000
0x00000000
0x000533a3
0x00053341
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsTextUnicode.ADVAPI32(?,?), ref: 00052F12
_free.LIBCMT ref: 00052FEE
IsTextUnicode.ADVAPI32(?,?), ref: 00053018
IsTextUnicode.ADVAPI32(?,?), ref: 0005311D
_free.LIBCMT ref: 000531F9
IsTextUnicode.ADVAPI32(?,?), ref: 00053221
_free.LIBCMT ref: 000532FF

Strings

+, xrefs: 000530D7
,, xrefs: 00052FD0
*, xrefs: 000531DB

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: TextUnicode$_free
String ID: *$+$,
API String ID: 160497213-983556428
Opcode ID: a784522c578ff7c5306d779dd6a5b2e443cc20b94f7dacaaa62a750e077a873c
Instruction ID: a1139efd34b2732dc064f91641ebb0c66d19b7a2503fccfd4516f9fc2554f889
Opcode Fuzzy Hash: a784522c578ff7c5306d779dd6a5b2e443cc20b94f7dacaaa62a750e077a873c
Instruction Fuzzy Hash: 34515870A006289BCB25CF14CD84BEEB7B8AF8A341F5445D5F919A7281D774AF88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00054E80 Relevance: 16.8, APIs: 11, Instructions: 254
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00054E80(long __ecx, void* __eflags) {
				char _v8;
				char _v16;
				LPCWSTR* _v20;
				char _v24;
				WCHAR* _v28;
				LPCWSTR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				char _v52;
				signed int _v64;
				signed int _v68;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t90;
				WCHAR* _t95;
				signed int _t96;
				void* _t97;
				void* _t98;
				signed int _t106;
				void* _t108;
				signed int _t114;
				signed int _t129;
				long _t135;
				signed int _t144;
				char _t147;
				signed int** _t151;
				signed int _t171;
				signed int _t192;
				LPCWSTR* _t199;
				long _t203;
				signed int _t206;
				void* _t207;
				void* _t208;
				void* _t210;
				signed int _t215;

				_push(0xffffffff);
				_push(0x1746d8);
				_push( *[fs:0x0]);
				_t208 = _t207 - 0x38;
				_push(_t199);
				_t90 =  *0x1c0454; // 0x885926af
				_push(_t90 ^ _t206);
				 *[fs:0x0] =  &_v16;
				_t203 = __ecx;
				E0006B6B1( &_v72);
				_t192 = 0;
				_v8 = 0;
				_t95 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x68)) - 0xc));
				_v28 = _t95;
				_v20 = 0;
				_t156 = _t95 + 1;
				_t96 = _t156;
				_t97 = _t96 + _t96;
				_v8 = 1;
				_t215 = (0 << 0x00000020 | _t96) << 1;
				if(_t215 > 0 || _t215 >= 0 && _t97 > 0xffffffff) {
					L4:
					_t98 =  *_t203;
					_t193 =  *((intOrPtr*)(_t98 + 0x1c));
					 *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x1c))))(0x6e, 0xe);
					E00150CB2(0);
					goto L5;
				} else {
					_t199 = E00151013(_t192, _t199, _t203, _t97);
					_t208 = _t208 + 4;
					_v20 = _t199;
					_t217 = _t199;
					if(_t199 != 0) {
						E00150E8C(_t199, _t156,  *((intOrPtr*)(_t203 + 0x68)));
						_t210 = _t208 + 0xc;
						__eflags = _v28;
						if(_v28 >= 0) {
							__eflags = 2;
							_v28 = 0;
							_v32 = 2 - _v20;
							do {
								_t144 =  *_t199 & 0x0000ffff;
								__eflags = _t144 - 0x2c;
								if(_t144 == 0x2c) {
									L11:
									 *_t199 = 0;
									E00056620(_t156, _v28 + _v20);
									_v8 = 2;
									_t147 = _v24;
									__eflags =  *(_t147 - 0xc);
									if( *(_t147 - 0xc) != 0) {
										_t192 = _v64;
										E0006BA48( &_v72, _t192, _t192,  &_v24);
									}
									_v28 = _v32 + _t199;
									_v8 = 1;
									_t151 = _v24 + 0xfffffff0;
									asm("lock xadd [ecx], edx");
									_t192 = (_t192 | 0xffffffff) - 1;
									__eflags = _t192;
									if(_t192 <= 0) {
										_t192 =  *( *_t151);
										 *((intOrPtr*)( *((intOrPtr*)(_t192 + 4))))(_t151);
									}
								} else {
									__eflags = _t144 - 0x3b;
									if(_t144 == 0x3b) {
										goto L11;
									} else {
										__eflags = _t144;
										if(_t144 == 0) {
											goto L11;
										}
									}
								}
								_t199 =  &(_t199[0]);
								_t156 = _t156 - 1;
								__eflags = _t156;
							} while (_t156 != 0);
							_t199 = _v20;
						}
						_t156 = _v64;
						_v32 = 0;
						_t106 =  &(_t156[0]);
						_t168 = (0 << 0x00000020 | _t106) << 2;
						_t108 = _t106 + _t106 + _t106 + _t106;
						_v8 = 3;
						__eflags = (0 << 0x00000020 | _t106) << 2;
						if(__eflags > 0) {
							L22:
							_t193 =  *_t203;
							 *((intOrPtr*)( *((intOrPtr*)( *_t203 + 0x1c))))(0x6e, 0xe);
							E00150CB2(0);
							E00150CB2(_t199);
							goto L5;
						} else {
							if(__eflags < 0) {
								L20:
								_t199 = E00151013(_t192, _t199, _t203, _t108);
								_t210 = _t210 + 4;
								_v32 = _t199;
								__eflags = _t199;
								if(_t199 != 0) {
									_t114 = 0;
									__eflags = _v64;
									if(_v64 <= 0) {
										L27:
										_t199[_t156] = 0;
										E0006AD73( &_v52, _t203 + 0xa0, 1);
										_v8 = 4;
										_t171 =  *(_t203 + 0x28);
										asm("sbb eax, eax");
										_t156 =  ~( *(_t171 - 0xc)) & _t171;
										asm("sbb eax, eax");
										_v28 =  ~( *( *(_t203 + 0x30) - 0xc)) &  *(_t203 + 0x30);
										asm("sbb eax, eax");
										_v40 =  ~( *( *(_t203 + 0x2c) - 0xc)) &  *(_t203 + 0x2c);
										_v36 =  *((intOrPtr*)(_t203 + 0x80));
										_t129 = HttpOpenRequestW( *(_t203 + 0x74), _v40, _v36, _v28,  ~( *(_t171 - 0xc)) & _t171, _t199,  *((intOrPtr*)( *((intOrPtr*)( *_t203 + 0x24))))(), _t203); // executed
										 *(_t203 + 0x78) = _t129;
										__eflags = _t129;
										if(_t129 != 0) {
											goto L30;
										} else {
											_t135 = GetLastError();
											_t193 =  *_t203;
											 *((intOrPtr*)( *((intOrPtr*)( *_t203 + 0x1c))))(0x6f, _t135);
											_v8 = 3;
											E0006AD4F( &_v52);
											E00150CB2(_t199);
											E00150CB2(_v20);
											L5:
											_v8 = 0xffffffff;
											E0006B8EF(_t156,  &_v72, _t193, _t199, _t203, _t217);
											 *[fs:0x0] = _v16;
											return 0;
										}
									} else {
										while(1) {
											__eflags = _t114;
											if(_t114 < 0) {
												break;
											}
											__eflags = _t114 - _v64;
											if(_t114 >= _v64) {
												break;
											} else {
												_t168 = _v68;
												_t199[_t114] =  *(_v68 + _t114 * 4);
												_t114 = _t114 + 1;
												__eflags = _t114 - _t156;
												if(_t114 < _t156) {
													continue;
												} else {
													goto L27;
												}
											}
											goto L31;
										}
										E000655E0(_t168);
										L30:
										_v8 = 3;
										E0006AD4F( &_v52);
										E00150CB2(_t199);
										E00150CB2(_v20);
										_v8 = 0xffffffff;
										E0006B8EF(_t156,  &_v72, _v20, _t199, _t203, __eflags);
										 *[fs:0x0] = _v16;
										return 1;
									}
								} else {
									_t199 = _v20;
									goto L22;
								}
							} else {
								__eflags = _t108 - 0xffffffff;
								if(_t108 > 0xffffffff) {
									goto L22;
								} else {
									goto L20;
								}
							}
						}
					} else {
						goto L4;
					}
				}
				L31:
			}

0x00054e83
0x00054e85
0x00054e90
0x00054e91
0x00054e96
0x00054e97
0x00054e9e
0x00054ea2
0x00054ea8
0x00054ead
0x00054eb2
0x00054eb4
0x00054eba
0x00054ebd
0x00054ec0
0x00054ec3
0x00054ec6
0x00054ece
0x00054ed0
0x00054ed4
0x00054ed6
0x00054ef1
0x00054ef1
0x00054ef3
0x00054efc
0x00054f00
0x00000000
0x00054edf
0x00054ee5
0x00054ee7
0x00054eea
0x00054eed
0x00054eef
0x00054f31
0x00054f36
0x00054f39
0x00054f3d
0x00054f48
0x00054f4b
0x00054f52
0x00054f55
0x00054f55
0x00054f58
0x00054f5b
0x00054f67
0x00054f73
0x00054f76
0x00054f7b
0x00054f7f
0x00054f82
0x00054f86
0x00054f88
0x00054f93
0x00054f93
0x00054f9d
0x00054fa0
0x00054fa7
0x00054fb0
0x00054fb4
0x00054fb5
0x00054fb7
0x00054fbb
0x00054fc1
0x00054fc1
0x00054f5d
0x00054f5d
0x00054f60
0x00000000
0x00054f62
0x00054f62
0x00054f65
0x00000000
0x00000000
0x00054f65
0x00054f60
0x00054fc3
0x00054fc6
0x00054fc6
0x00054fc6
0x00054fc9
0x00054fc9
0x00054fcc
0x00054fcf
0x00054fd6
0x00054fdb
0x00054fe1
0x00054fe3
0x00054fe7
0x00054fe9
0x00055007
0x00055007
0x00055012
0x00055016
0x0005501c
0x00000000
0x00054feb
0x00054feb
0x00054ff2
0x00054ff8
0x00054ffa
0x00054ffd
0x00055000
0x00055002
0x00055029
0x0005502b
0x0005502e
0x0005504f
0x0005505b
0x00055062
0x00055067
0x0005506b
0x00055075
0x0005507c
0x00055083
0x0005508a
0x00055092
0x0005509c
0x000550a2
0x000550bd
0x000550c3
0x000550c6
0x000550c8
0x00000000
0x000550ca
0x000550ca
0x000550d0
0x000550da
0x000550df
0x000550e3
0x000550e9
0x000550f2
0x00054f08
0x00054f0b
0x00054f12
0x00054f1c
0x00054f2a
0x00054f2a
0x00055030
0x00055030
0x00055030
0x00055032
0x00000000
0x00000000
0x00055038
0x0005503b
0x00000000
0x00055041
0x00055041
0x00055047
0x0005504a
0x0005504b
0x0005504d
0x00000000
0x00000000
0x00000000
0x00000000
0x0005504d
0x00000000
0x0005503b
0x000550ff
0x00055104
0x00055107
0x0005510b
0x00055111
0x0005511a
0x00055125
0x0005512c
0x00055139
0x00055147
0x00055147
0x00055004
0x00055004
0x00000000
0x00055004
0x00054fed
0x00054fed
0x00054ff0
0x00000000
0x00000000
0x00000000
0x00000000
0x00054ff0
0x00054feb
0x00000000
0x00000000
0x00000000
0x00054eef
0x00000000

APIs

_malloc.LIBCMT ref: 00054EE0
_free.LIBCMT ref: 00054F00
_malloc.LIBCMT ref: 00054FF3
_free.LIBCMT ref: 00055016
_free.LIBCMT ref: 0005501C
HttpOpenRequestW.WININET(?,?,?,00000000,?,00000000,00000000), ref: 000550BD
GetLastError.KERNEL32(?,?,00000001), ref: 000550CA
_free.LIBCMT ref: 000550E9
_free.LIBCMT ref: 000550F2
_free.LIBCMT ref: 00055111
_free.LIBCMT ref: 0005511A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _free$_malloc$ErrorHttpLastOpenRequest
String ID:
API String ID: 2960187711-0
Opcode ID: 04351310ec6bc4a207c043c9045232f0c5ceae4e6886e035163e034d982f786a
Instruction ID: 17ea89bbc32989f98c9cee28143ccbd47dce557ccd91cc04af365fe0b150ab98
Opcode Fuzzy Hash: 04351310ec6bc4a207c043c9045232f0c5ceae4e6886e035163e034d982f786a
Instruction Fuzzy Hash: 5591E171A006059FDB14DFA8C885BEEB7F5EF58311F144229E826E7381DB35A989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000717D6 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E000717D6(void* __ecx) {
				struct _CRITICAL_SECTION* _v8;
				void* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t34;
				void* _t35;
				void* _t36;
				long _t38;
				void* _t39;
				long _t51;
				signed char* _t53;
				signed int _t56;
				signed int _t57;
				void* _t61;
				signed int _t68;
				void* _t72;

				_t59 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t72 = __ecx;
				_t1 = _t72 + 0x1c; // 0x1c
				_t34 = _t1;
				_v8 = _t34;
				EnterCriticalSection(_t34);
				_t56 =  *(_t72 + 4);
				_t68 =  *(_t72 + 8);
				if(_t68 >= _t56 || ( *( *(_t72 + 0x10) + _t68 * 8) & 0x00000001) != 0) {
					_t68 = 1;
					if(_t56 <= 1) {
						L7:
						_t35 =  *(_t72 + 0x10);
						_t57 = _t56 + 0x20;
						_t83 = _t35;
						if(_t35 != 0) {
							_t36 = GlobalHandle(_t35);
							_v12 = _t36;
							GlobalUnlock(_t36);
							_t38 = E000657F3(_t57, _t59, _t68, _t72, __eflags, _t57, 8);
							_t61 = 0x2002;
							_t39 = GlobalReAlloc(_v12, _t38, ??);
						} else {
							_t51 = E000657F3(_t57, _t59, _t68, _t72, _t83, _t57, 8);
							_pop(_t61);
							_t39 = GlobalAlloc(2, _t51); // executed
						}
						if(_t39 == 0) {
							_t72 =  *(_t72 + 0x10);
							if(_t72 != 0) {
								GlobalLock(GlobalHandle(_t72));
							}
							LeaveCriticalSection(_v8);
							_t39 = E000655A8(_t61);
						}
						_v12 = GlobalLock(_t39);
						E00151B30(_t40 +  *(_t72 + 4) * 8, 0, _t57 -  *(_t72 + 4) << 3);
						 *(_t72 + 4) = _t57;
						 *(_t72 + 0x10) = _v12;
					} else {
						_t53 =  *(_t72 + 0x10) + 8;
						while(( *_t53 & 0x00000001) != 0) {
							_t68 = _t68 + 1;
							_t53 =  &(_t53[8]);
							if(_t68 < _t56) {
								continue;
							}
							break;
						}
						if(_t68 >= _t56) {
							goto L7;
						}
					}
				}
				if(_t68 >=  *((intOrPtr*)(_t72 + 0xc))) {
					 *((intOrPtr*)(_t72 + 0xc)) = _t68 + 1;
				}
				 *( *(_t72 + 0x10) + _t68 * 8) =  *( *(_t72 + 0x10) + _t68 * 8) | 0x00000001;
				 *(_t72 + 8) = _t68 + 1;
				LeaveCriticalSection(_v8);
				return _t68;
			}

0x000717d6
0x000717db
0x000717dc
0x000717df
0x000717e1
0x000717e1
0x000717e6
0x000717e9
0x000717ef
0x000717f2
0x000717f7
0x00071808
0x0007180b
0x00071828
0x00071828
0x0007182b
0x0007182e
0x00071830
0x00071848
0x0007184f
0x00071852
0x00071860
0x00071866
0x0007186b
0x00071832
0x00071835
0x0007183b
0x0007183f
0x0007183f
0x00071873
0x00071875
0x0007187a
0x00071884
0x00071884
0x0007188d
0x00071893
0x00071893
0x000718aa
0x000718b3
0x000718be
0x000718c1
0x0007180d
0x00071810
0x00071813
0x00071818
0x00071819
0x0007181e
0x00000000
0x00000000
0x00000000
0x0007181e
0x00071822
0x00000000
0x00000000
0x00071822
0x0007180b
0x000718c7
0x000718cc
0x000718cc
0x000718d8
0x000718de
0x000718e1
0x000718ed

APIs

EnterCriticalSection.KERNEL32(0000001C,?,?,00000002,00000000,00000000,?,00071C2C,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000717E9
GlobalAlloc.KERNEL32(00000002,00000000,?,?,00000002,00000000,00000000,?,00071C2C,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000), ref: 0007183F
GlobalHandle.KERNEL32(?), ref: 00071848
GlobalUnlock.KERNEL32(00000000,?,?,00000002,00000000,00000000,?,00071C2C,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 00071852
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 0007186B
GlobalHandle.KERNEL32(?), ref: 0007187D
GlobalLock.KERNEL32 ref: 00071884
LeaveCriticalSection.KERNEL32(00000000,?,?,00000002,00000000,00000000,?,00071C2C,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 0007188D
GlobalLock.KERNEL32 ref: 00071899
_memset.LIBCMT ref: 000718B3
LeaveCriticalSection.KERNEL32(00000000), ref: 000718E1

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 0e5a4414d65eacb636bf53506eb90124f53cb8757e220dd28bca233e18f56d3f
Instruction ID: 6b118eb0429b7a98a6730f7fdfd62536a5af95e5dc132b766f323b839eace0cd
Opcode Fuzzy Hash: 0e5a4414d65eacb636bf53506eb90124f53cb8757e220dd28bca233e18f56d3f
Instruction Fuzzy Hash: 5F31B071A04704AFD761DF68DC89A9ABBF9FF44301F00892DE85AD7691DB34E884CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00153D34 Relevance: 12.1, APIs: 8, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00153D34(void* __edx, struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t16;
				DWORD* _t21;
				char _t34;
				void* _t36;

				_t34 = _a12;
				_t26 = 0;
				_t38 = _t34;
				if(_t34 != 0) {
					E00157D4D();
					_t36 = E0015A751(1, 0x214);
					__eflags = _t36;
					if(__eflags == 0) {
						L7:
						E00150CB2(_t36);
						__eflags = _t26;
						if(_t26 != 0) {
							E00151F45(_t26);
						}
						_t16 = 0;
						__eflags = 0;
						L10:
						return _t16;
					}
					_push( *((intOrPtr*)(E00157F08(0, __edx, __eflags) + 0x6c)));
					_push(_t36);
					E00157DDB(0, _t34, _t36, __eflags);
					 *(_t36 + 4) =  *(_t36 + 4) | 0xffffffff;
					 *((intOrPtr*)(_t36 + 0x58)) = _a16;
					_t21 = _a24;
					 *((intOrPtr*)(_t36 + 0x54)) = _t34;
					__eflags = _t21;
					if(_t21 == 0) {
						_t21 =  &_a12;
					}
					_t16 = CreateThread(_a4, _a8, E00153CCF, _t36, _a20, _t21); // executed
					__eflags = _t16;
					if(_t16 != 0) {
						goto L10;
					} else {
						_t26 = GetLastError();
						goto L7;
					}
				}
				 *((intOrPtr*)(E00151F1F(_t38))) = 0x16;
				E00159345();
				return 0;
			}

0x00153d3b
0x00153d3e
0x00153d40
0x00153d42
0x00153d59
0x00153d6a
0x00153d6e
0x00153d70
0x00153dbb
0x00153dbc
0x00153dc2
0x00153dc4
0x00153dc7
0x00153dcc
0x00153dcd
0x00153dcd
0x00153dcf
0x00000000
0x00153dcf
0x00153d77
0x00153d7a
0x00153d7b
0x00153d83
0x00153d87
0x00153d8a
0x00153d8f
0x00153d92
0x00153d94
0x00153d96
0x00153d96
0x00153da9
0x00153daf
0x00153db1
0x00000000
0x00153db3
0x00153db9
0x00000000
0x00153db9
0x00153db1
0x00153d49
0x00153d4f
0x00000000

APIs

___set_flsgetvalue.LIBCMT ref: 00153D59
__calloc_crt.LIBCMT ref: 00153D65
__getptd.LIBCMT ref: 00153D72
__initptd.LIBCMT ref: 00153D7B
CreateThread.KERNEL32(?,?,00153CCF,00000000,?,?), ref: 00153DA9
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00153DB3
_free.LIBCMT ref: 00153DBC
__dosmaperr.LIBCMT ref: 00153DC7

Part of subcall function 00151F1F: __getptd_noexit.LIBCMT ref: 00151F1F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit__initptd_free
String ID:
API String ID: 73303432-0
Opcode ID: 36237a034cdd5fcb159cc0cbbc590904e135d516bcb9f6c15d0b2eac90a0dc17
Instruction ID: 311a3ff403e213a7e8abbd33a4fd94a5d861d1240bb30c37c5a571a2432d6880
Opcode Fuzzy Hash: 36237a034cdd5fcb159cc0cbbc590904e135d516bcb9f6c15d0b2eac90a0dc17
Instruction Fuzzy Hash: 2011C23220874AEFDB11AFE4EC4699B37B9DF543A2B500025FD398F191DB71D9094660

Uniqueness

Uniqueness Score: -1.00%

Function 00051A80 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 432
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00051A80(void* __ecx, intOrPtr __edx, void* __eflags, void* __fp0) {
				signed int _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				char _v576;
				signed int _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t133;
				signed int _t134;
				intOrPtr* _t137;
				void* _t139;
				intOrPtr* _t140;
				intOrPtr* _t144;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				void* _t153;
				signed int _t154;
				signed int _t161;
				signed int** _t164;
				signed int** _t166;
				signed int** _t168;
				void* _t185;
				intOrPtr* _t188;
				void* _t193;
				intOrPtr* _t196;
				signed int _t198;
				intOrPtr* _t202;
				intOrPtr* _t210;
				signed int _t217;
				intOrPtr* _t221;
				intOrPtr* _t229;
				void* _t232;
				void* _t233;
				void* _t235;
				signed int _t237;
				void* _t255;
				signed int _t270;
				char _t306;
				intOrPtr _t307;
				signed int _t309;
				signed int _t310;
				signed int _t312;
				signed int _t316;
				signed int _t320;
				signed int _t331;
				void* _t333;
				signed int _t334;
				signed int _t335;
				void* _t339;
				void* _t343;
				void* _t345;
				signed int _t346;
				void* _t347;
				void* _t348;
				intOrPtr* _t353;
				void* _t362;
				void* _t365;

				_t302 = __edx;
				_push(0xffffffff);
				_push(0x1743fd);
				_push( *[fs:0x0]);
				_t348 = _t347 - 0x248;
				_t133 =  *0x1c0454; // 0x885926af
				_t134 = _t133 ^ _t346;
				_v20 = _t134;
				_push(_t232);
				_push(_t333);
				_push(_t134);
				 *[fs:0x0] =  &_v16;
				_t343 = __ecx;
				E00064332(_t232, __ecx, __edx, _t333, __fp0);
				if( *((char*)(_t343 + 0x5a0)) == 0) {
					_t233 = 0;
					__eflags = 0;
				} else {
					_t221 = E00065761();
					_t233 = 0;
					_t353 = _t221;
					_t294 = 0 | _t353 == 0x00000000;
					if(_t353 == 0) {
						_push(0x80004005);
						_t221 = E00051330(0, _t294, _t333, _t343);
					}
					_v580 =  *((intOrPtr*)( *((intOrPtr*)( *_t221 + 0xc))))() + 0x10;
					_v8 = _t233;
					E000614A8(_t233, _t343 + 0x52c, _t333,  &_v580);
					E00053780(_t233,  &_v580, _t333, L"ExamShield Program", L"ExamShield (Compatibility Check) Program");
					_t331 = _v580;
					E000634B7(_t343 + 0x52c, _t331);
					_v8 = 0xffffffff;
					_t229 = _v580 + 0xfffffff0;
					asm("lock xadd [ecx], edx");
					_t302 = (_t331 | 0xffffffff) - 1;
					if((_t331 | 0xffffffff) - 1 <= 0) {
						_t302 =  *((intOrPtr*)( *_t229));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t229)) + 4))))(_t229);
					}
				}
				_t237 =  *(_t343 + 0x420);
				_t334 =  *(_t237 - 0x10);
				_t137 = _t237 - 0x10;
				if( *((intOrPtr*)(_t237 - 0xc)) != _t233) {
					if( *((intOrPtr*)(_t137 + 0xc)) >= _t233) {
						asm("lock xadd [edx], ecx");
						__eflags = (_t237 | 0xffffffff) - 1;
						if((_t237 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t137)) + 4))))(_t137);
						}
						_t302 =  *_t334;
						_t217 =  *((intOrPtr*)( *((intOrPtr*)( *_t334 + 0xc))))() + 0x10;
						__eflags = _t217;
						 *(_t343 + 0x420) = _t217;
					} else {
						if( *((intOrPtr*)(_t237 - 8)) < _t233) {
							_push(0x80070057);
							E00051330(_t233, _t237, _t334, _t343);
						}
						 *((intOrPtr*)(_t237 - 0xc)) = _t233;
						_t302 = 0;
						 *( *(_t343 + 0x420)) = 0;
					}
				}
				_t335 = _t334 | 0xffffffff;
				 *(_t343 + 0x438) = _t335;
				 *((intOrPtr*)(_t343 + 0x430)) = _t233;
				 *((intOrPtr*)(_t343 + 0x434)) = _t233;
				_v576 = _t233;
				_v572 = _t233;
				_v568 = _t233;
				_v564 = _t233;
				_v560 = _t233;
				_v556 = _t233;
				_t139 = E00068B7D(_t233, _t302,  *((intOrPtr*)(_t343 + 0xa4)),  &_v576, _t233); // executed
				if(_t139 == _t233 || ( *(_t343 + 0xe8) |  *(_t343 + 0xec)) != 0 ||  *((intOrPtr*)(_t343 + 0xd0)) == _t233) {
					L23:
					_t140 = E00065761();
					__eflags = _t140 - _t233;
					_t240 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t140 = E00051330(_t233, _t240, _t335, _t343);
					}
					_v584 =  *((intOrPtr*)( *((intOrPtr*)( *_t140 + 0xc))))() + 0x10;
					_v8 = 2;
					_t144 = E00065761();
					__eflags = _t144 - _t233;
					_t243 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t144 = E00051330(_t233, _t243, _t335, _t343);
					}
					_v588 =  *((intOrPtr*)( *((intOrPtr*)( *_t144 + 0xc))))() + 0x10;
					_v8 = 3;
					_t336 = _t343 + 0xa0;
					_t234 = _t343 + 0x104;
					_t149 = E00069513(_t343 + 0xa0,  *((intOrPtr*)(_t343 + 0xa0)), _t343 + 0x104,  &_v588,  &_v584,  &_v596); // executed
					__eflags = _t149;
					if(_t149 != 0) {
						L32:
						_t150 = E00150DBA(_v584, 0x2f);
						_t306 = _v584;
						__eflags = _t150;
						if(_t150 == 0) {
							L34:
							_t151 = E00150DBA(_t306, 0x5c);
							__eflags = _t151;
							if(_t151 == 0) {
								L39:
								_t337 = _t343 + 0x41c;
								E00054260(_t343 + 0x41c,  &_v584);
								L40:
								_t307 =  *((intOrPtr*)(_t343 + 0x418));
								__eflags =  *(_t307 - 0xc);
								_t153 = _t343 + 0x418;
								if( *(_t307 - 0xc) > 0) {
									E00054260(_t337, _t153);
								}
								_t154 = E00065761();
								__eflags = _t154;
								_t251 = 0 | __eflags != 0x00000000;
								if(__eflags == 0) {
									_push(0x80004005);
									_t154 = E00051330(_t234, _t251, _t337, _t343);
								}
								_v592 =  *((intOrPtr*)( *((intOrPtr*)( *_t154 + 0xc))))() + 0x10;
								_v8 = 6;
								_t309 =  &_v592;
								E000691E2(_v588, _t309, 0x66,  *_t337, _v588);
								E000634B7(_t343 + 0x330, _v592); // executed
								_push(0);
								_push(4);
								_push(0);
								_push(0);
								_push(_t343);
								_push(E00052000); // executed
								_t161 = E0006A073(_t234, _t309,  *_t337, _t343, __eflags); // executed
								 *(_t343 + 0x428) = _t161;
								__eflags = _t161;
								if(_t161 != 0) {
									 *((intOrPtr*)(_t161 + 0x28)) = 0;
									_t255 =  *( *(_t343 + 0x428) + 0x2c);
									ResumeThread(_t255); // executed
									_v8 = 3;
									_t164 = _v592 + 0xfffffff0;
									_t310 =  &(_t164[3]);
									asm("lock xadd [edx], ecx");
									__eflags = (_t255 | 0xffffffff) - 1;
								} else {
									E00063F8D(_t343, 2);
									_v8 = 3;
									_t164 = _v592 + 0xfffffff0;
									asm("lock xadd [ecx], edx");
									_t310 = (_t309 | 0xffffffff) - 1;
									__eflags = _t310;
								}
								if(__eflags <= 0) {
									_t310 =  *( *_t164);
									 *((intOrPtr*)( *((intOrPtr*)(_t310 + 4))))(_t164);
								}
								goto L49;
							}
							_t306 = _v584;
							_t270 = _t151 - _t306 >> 1;
							__eflags = _t270 - 0xffffffff;
							if(_t270 == 0xffffffff) {
								goto L39;
							}
							L36:
							__eflags =  *((intOrPtr*)(_t306 - 0xc)) - 1;
							if( *((intOrPtr*)(_t306 - 0xc)) <= 1) {
								goto L39;
							}
							_t316 =  &_v600;
							_t185 = E00053AD0( &_v584, _t316,  *((intOrPtr*)(_t306 - 0xc)) - _t270 - 1);
							_t337 = _t343 + 0x41c;
							_v8 = 5;
							E00054260(_t343 + 0x41c, _t185);
							_v8 = 3;
							_t188 = _v600 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							__eflags = (_t316 | 0xffffffff) - 1;
							if((_t316 | 0xffffffff) - 1 <= 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t188)) + 4))))(_t188);
							}
							goto L40;
						}
						_t270 = _t150 - _t306 >> 1;
						__eflags = _t270 - 0xffffffff;
						if(_t270 != 0xffffffff) {
							goto L36;
						}
						goto L34;
					} else {
						_t320 =  &_v580;
						_t193 = E00054060(_t320, L"http://", _t336);
						_t348 = _t348 + 0xc;
						_v8 = 4;
						E00054260(_t336, _t193);
						_v8 = 3;
						_t196 = _v580 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						__eflags = (_t320 | 0xffffffff) - 1;
						if((_t320 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t196)) + 4))))(_t196);
						}
						_t310 =  &_v584;
						_t198 = E00069513( *_t336,  *_t336, _t234,  &_v588, _t310,  &_v596);
						__eflags = _t198;
						if(_t198 != 0) {
							goto L32;
						} else {
							E00063F8D(_t343, 2);
							L49:
							_v8 = 2;
							_t166 = _v588 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							_t312 = (_t310 | 0xffffffff) - 1;
							__eflags = _t312;
							if(_t312 <= 0) {
								_t312 =  *( *_t166);
								 *((intOrPtr*)( *((intOrPtr*)(_t312 + 4))))(_t166);
							}
							_v8 = 0xffffffff;
							_t168 = _v584 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							_t314 = (_t312 | 0xffffffff) - 1;
							__eflags = (_t312 | 0xffffffff) - 1;
							goto L52;
						}
					}
				} else {
					_t202 = E00065761();
					_t362 = _t202 - _t233;
					_t281 = 0 | _t362 != 0x00000000;
					_t363 = (_t362 != 0) - _t233;
					if(_t362 != 0 == _t233) {
						_push(0x80004005);
						_t202 = E00051330(_t233, _t281, _t335, _t343);
					}
					_v580 =  *((intOrPtr*)( *((intOrPtr*)( *_t202 + 0xc))))() + 0x10;
					_v8 = 1;
					E000691C8( &_v580, 0x82,  *((intOrPtr*)(_t343 + 0xa4)));
					_t314 = _v580;
					if(E00064BAD(_t233, _t335, _t343, _t363, _v580, 4, _t233) == 6) {
						_v8 = _t335;
						_t210 = _v580 + 0xfffffff0;
						asm("lock xadd [ecx], edi");
						_t335 = _t335 - 1;
						__eflags = _t335;
						if(_t335 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t210)) + 4))))(_t210);
						}
						goto L23;
					} else {
						E00063F8D(_t343, 2);
						_v8 = _t335;
						_t168 = _v580 + 0xfffffff0;
						asm("lock xadd [ecx], edi");
						_t365 = _t335 - 1;
						L52:
						if(_t365 <= 0) {
							_t314 =  *( *_t168);
							 *((intOrPtr*)( *((intOrPtr*)( *( *_t168) + 4))))(_t168);
						}
						 *[fs:0x0] = _v16;
						_pop(_t339);
						_pop(_t345);
						_pop(_t235);
						return E00150836(1, _t235, _v20 ^ _t346, _t314, _t339, _t345);
					}
				}
			}

0x00051a80
0x00051a83
0x00051a85
0x00051a90
0x00051a91
0x00051a97
0x00051a9c
0x00051a9e
0x00051aa1
0x00051aa3
0x00051aa4
0x00051aa8
0x00051aae
0x00051ab0
0x00051abc
0x00051b57
0x00051b57
0x00051ac2
0x00051ac2
0x00051ac9
0x00051acb
0x00051acd
0x00051ad2
0x00051ad4
0x00051ad9
0x00051ad9
0x00051aea
0x00051afd
0x00051b00
0x00051b15
0x00051b1a
0x00051b27
0x00051b2c
0x00051b39
0x00051b42
0x00051b46
0x00051b49
0x00051b4d
0x00051b53
0x00051b53
0x00051b49
0x00051b59
0x00051b5f
0x00051b65
0x00051b68
0x00051b70
0x00051b94
0x00051b99
0x00051b9b
0x00051ba5
0x00051ba5
0x00051ba7
0x00051bb0
0x00051bb0
0x00051bb3
0x00051b72
0x00051b75
0x00051b77
0x00051b7c
0x00051b7c
0x00051b81
0x00051b8a
0x00051b8c
0x00051b8c
0x00051b70
0x00051bc7
0x00051bcb
0x00051bd1
0x00051bd7
0x00051bdd
0x00051be3
0x00051be9
0x00051bef
0x00051bf5
0x00051bfb
0x00051c01
0x00051c08
0x00051cd1
0x00051cd1
0x00051cd8
0x00051cda
0x00051cdf
0x00051ce1
0x00051ce6
0x00051ce6
0x00051cf7
0x00051cfd
0x00051d04
0x00051d0b
0x00051d0d
0x00051d12
0x00051d14
0x00051d19
0x00051d19
0x00051d2a
0x00051d45
0x00051d4f
0x00051d55
0x00051d5d
0x00051d62
0x00051d64
0x00051ddd
0x00051de6
0x00051deb
0x00051df4
0x00051df6
0x00051e03
0x00051e06
0x00051e0e
0x00051e10
0x00051e7c
0x00051e82
0x00051e8b
0x00051e90
0x00051e90
0x00051e96
0x00051e9a
0x00051ea0
0x00051ea5
0x00051ea5
0x00051eaa
0x00051eb1
0x00051eb3
0x00051eb8
0x00051eba
0x00051ebf
0x00051ebf
0x00051ed0
0x00051ed6
0x00051ee6
0x00051eed
0x00051eff
0x00051f04
0x00051f06
0x00051f08
0x00051f0a
0x00051f0c
0x00051f0d
0x00051f12
0x00051f17
0x00051f1d
0x00051f1f
0x00051f46
0x00051f53
0x00051f57
0x00051f5d
0x00051f67
0x00051f6a
0x00051f70
0x00051f75
0x00051f21
0x00051f25
0x00051f2a
0x00051f34
0x00051f3d
0x00051f41
0x00051f42
0x00051f42
0x00051f77
0x00051f7b
0x00051f81
0x00051f81
0x00000000
0x00051f77
0x00051e12
0x00051e1c
0x00051e1e
0x00051e21
0x00000000
0x00000000
0x00051e23
0x00051e23
0x00051e27
0x00000000
0x00000000
0x00051e30
0x00051e3d
0x00051e42
0x00051e4b
0x00051e4f
0x00051e54
0x00051e5e
0x00051e67
0x00051e6c
0x00051e6e
0x00051e78
0x00051e78
0x00000000
0x00051e6e
0x00051dfc
0x00051dfe
0x00051e01
0x00000000
0x00000000
0x00000000
0x00051d66
0x00051d67
0x00051d73
0x00051d78
0x00051d7e
0x00051d82
0x00051d87
0x00051d91
0x00051d9a
0x00051d9f
0x00051da1
0x00051dab
0x00051dab
0x00051db6
0x00051dc6
0x00051dcb
0x00051dcd
0x00000000
0x00051dcf
0x00051dd3
0x00051f83
0x00051f83
0x00051f8d
0x00051f96
0x00051f9a
0x00051f9b
0x00051f9d
0x00051fa1
0x00051fa7
0x00051fa7
0x00051fa9
0x00051fb6
0x00051fbf
0x00051fc3
0x00051fc4
0x00000000
0x00051fc4
0x00051dcd
0x00051c2c
0x00051c2c
0x00051c33
0x00051c35
0x00051c38
0x00051c3a
0x00051c3c
0x00051c41
0x00051c41
0x00051c52
0x00051c58
0x00051c72
0x00051c77
0x00051c89
0x00051caf
0x00051cb8
0x00051cbe
0x00051cc2
0x00051cc3
0x00051cc5
0x00051ccf
0x00051ccf
0x00000000
0x00051c8b
0x00051c8f
0x00051c94
0x00051c9d
0x00051ca3
0x00051ca8
0x00051fc6
0x00051fc6
0x00051fca
0x00051fd0
0x00051fd0
0x00051fda
0x00051fe2
0x00051fe3
0x00051fe4
0x00051ff2
0x00051ff2
0x00051c89

APIs

_wcsrchr.LIBCMT ref: 00051DE6
_wcsrchr.LIBCMT ref: 00051E06

Part of subcall function 00063F8D: KiUserCallbackDispatcher.NTDLL(?,?,?,?,0006435E,000000FF,00000000,?,?,00051AB5,885926AF), ref: 00063FAC

Strings

http://, xrefs: 00051D6D
ExamShield (Compatibility Check) Program, xrefs: 00051B05
ExamShield Program, xrefs: 00051B0A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _wcsrchr$CallbackDispatcherUser
String ID: ExamShield (Compatibility Check) Program$ExamShield Program$http://
API String ID: 4010548875-1264212893
Opcode ID: 999180a7eef78381a68e4c4dbd2ab9e1d5a7365008bdb94dbe23abebd2f1a49d
Instruction ID: 8f434863573ca18fd5aa7b73d6b4d661640255165049f11a5fe0986e5ddf5ad7
Opcode Fuzzy Hash: 999180a7eef78381a68e4c4dbd2ab9e1d5a7365008bdb94dbe23abebd2f1a49d
Instruction Fuzzy Hash: 30F1BE706006059FD754DB68CC85BEEB3B5FF84325F1487ACE52A9B292DB30AA49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0006920A Relevance: 10.7, APIs: 7, Instructions: 161
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0006920A(WCHAR* _a4, struct _SYSTEMTIME _a8, short* _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				short _v4176;
				short* _v4180;
				short _v4184;
				struct _SYSTEMTIME _v4200;
				WCHAR* _v4204;
				signed int _v4208;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t57;
				int _t67;
				void* _t69;
				long _t71;
				long _t73;
				WCHAR* _t76;
				struct _SYSTEMTIME _t78;
				WCHAR* _t80;
				short* _t84;
				signed int _t95;
				WCHAR* _t96;
				long _t97;
				signed int _t99;

				E00153C00(0x106c);
				_t57 =  *0x1c0454; // 0x885926af
				_v8 = _t57 ^ _t99;
				_t80 = _a4;
				_v4180 = _a12;
				_t78 = _a8;
				_v4208 = _a16;
				_v4200.wHour = _t80;
				if(_t78 == 0 || _t80 == 0) {
					L13:
					_t62 = 0;
					goto L14;
				} else {
					_t97 = _a20 & 0x2e000000;
					_v4200.wSecond = 0x824;
					_v4184 = 0;
					_v4200.wDayOfWeek = 0;
					_v4200.wYear = 0;
					if((_a20 & 0x90000000) != 0 &&  *((intOrPtr*)(_t78 + 0x30)) != 0) {
						if((_a20 & 0x02000000) == 0) {
							_v4200.wDayOfWeek = 0x80000000;
						} else {
							_v4200.wYear = 1;
						}
					}
					_t96 = InternetCanonicalizeUrlW;
					if(InternetCanonicalizeUrlW(_t80,  &_v4176,  &(_v4200.wSecond), _t97) != 0) {
						_t96 =  &_v4176;
						goto L17;
					} else {
						_t73 = GetLastError();
						_t106 = _t73 - 0x7a;
						if(_t73 != 0x7a) {
							goto L13;
						}
						_t95 = 2;
						_t94 = _v4200.wSecond * _t95 >> 0x20;
						_t76 = E0005C37C(_t106,  ~(0 | _t106 > 0x00000000) | _v4200.wSecond * _t95);
						_v4204 = _t76;
						if(_t76 == 0) {
							goto L13;
						}
						_v4184 = 1;
						if(InternetCanonicalizeUrlW(_v4200.wHour, _t76,  &(_v4200.wSecond), _t97) != 0) {
							_t96 = _v4204;
							L17:
							_t97 = 0;
							_t67 = InternetCrackUrlW(_t96, 0, _v4200.wDayOfWeek, _t78); // executed
							_v4200.wHour = _t67;
							__eflags = _v4200.wYear;
							if(_v4200.wYear == 0) {
								L21:
								__eflags = _v4184 - _t97;
								if(_v4184 != _t97) {
									_push(_t96);
									E0005C3AB();
								}
								_t62 = _v4200.wHour;
								__eflags = _v4200.wHour - _t97;
								if(_v4200.wHour != _t97) {
									_t94 = _v4208;
									 *_v4208 =  *((intOrPtr*)(_t78 + 0x18));
									_t78 =  *((intOrPtr*)(_t78 + 0xc)) - 1;
									__eflags = _t78;
									_t84 = _v4180;
									if(_t78 == 0) {
										 *_t84 = 1;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 == 0) {
										 *_t84 = 2;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 == 0) {
										 *_t84 = 3;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 == 0) {
										 *_t84 = 0x100b;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 == 0) {
										 *_t84 = 0x1001;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 == 0) {
										 *_t84 = 0x1006;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 != 0) {
										goto L25;
									}
									 *_t84 = 0x1002;
									goto L14;
								} else {
									_t84 = _v4180;
									L25:
									 *_t84 = 0x1000;
									L14:
									return E00150836(_t62, _t78, _v8 ^ _t99, _t94, _t96, _t97);
								}
							}
							_t69 = E0015161A( *(_t78 + 0x2c));
							__eflags = _t69 - 0x824;
							if(_t69 >= 0x824) {
								L26:
								__eflags = _v4184 - _t97;
								if(_v4184 == _t97) {
									goto L13;
								}
								_push(_t96);
								L12:
								E0005C3AB();
								goto L13;
							}
							_t71 = UrlUnescapeW( *(_t78 + 0x2c), 0, 0, 0x2100000);
							__eflags = _t71;
							if(_t71 < 0) {
								goto L26;
							}
							 *((intOrPtr*)(_t78 + 0x30)) = lstrlenW( *(_t78 + 0x2c));
							goto L21;
						}
						_push(_v4204);
						goto L12;
					}
				}
			}

0x00069214
0x00069219
0x00069220
0x00069226
0x00069229
0x00069233
0x00069236
0x00069240
0x00069248
0x0006931f
0x0006931f
0x00000000
0x00069256
0x00069259
0x00069266
0x00069270
0x00069276
0x0006927c
0x00069282
0x00069290
0x0006929e
0x00069292
0x00069292
0x00069292
0x00069290
0x000692a8
0x000692c2
0x00069332
0x00000000
0x000692c4
0x000692c4
0x000692ca
0x000692cd
0x00000000
0x00000000
0x000692d9
0x000692da
0x000692e4
0x000692ea
0x000692f2
0x00000000
0x00000000
0x00069303
0x00069311
0x0006933a
0x00069340
0x00069347
0x0006934b
0x00069351
0x00069357
0x0006935d
0x0006938f
0x0006938f
0x00069395
0x00069397
0x00069398
0x0006939d
0x0006939e
0x000693a4
0x000693a6
0x000693cf
0x000693d5
0x000693db
0x000693db
0x000693dc
0x000693e2
0x00069438
0x00000000
0x00069438
0x000693e4
0x000693e4
0x000693e5
0x0006942d
0x00000000
0x0006942d
0x000693e7
0x000693e7
0x000693e8
0x00069422
0x00000000
0x00069422
0x000693ea
0x000693ea
0x000693eb
0x00069417
0x00000000
0x00069417
0x000693ed
0x000693ed
0x000693ee
0x0006940c
0x00000000
0x0006940c
0x000693f0
0x000693f0
0x000693f1
0x00069401
0x00000000
0x00069401
0x000693f3
0x000693f3
0x000693f4
0x00000000
0x00000000
0x000693f6
0x00000000
0x000693a8
0x000693a8
0x000693ae
0x000693ae
0x00069321
0x0006932f
0x0006932f
0x000693a6
0x00069362
0x00069368
0x0006936d
0x000693b9
0x000693b9
0x000693bf
0x00000000
0x00000000
0x000693c5
0x00069319
0x00069319
0x00000000
0x0006931e
0x00069379
0x0006937f
0x00069381
0x00000000
0x00000000
0x0006938c
0x00000000
0x0006938c
0x00069313
0x00000000
0x00069313
0x000692c2

APIs

InternetCanonicalizeUrlW.WININET(00000825,?,00000824,?), ref: 000692BE
GetLastError.KERNEL32 ref: 000692C4
InternetCanonicalizeUrlW.WININET(?,00000000,00000824,?), ref: 0006930D
InternetCrackUrlW.WININET(?,00000000,?,02000000), ref: 0006934B
_wcslen.LIBCMT ref: 00069362
UrlUnescapeW.SHLWAPI(?,00000000,00000000,02100000), ref: 00069379
lstrlenW.KERNEL32(?), ref: 00069386

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Internet$Canonicalize$CrackErrorLastUnescape_wcslenlstrlen
String ID:
API String ID: 2764552472-0
Opcode ID: 119127d43e39785501607995bcf970a2cc38528ac6b0ac6fbf367babbbac0ab3
Instruction ID: 34bf14104b5be7ae72ffb426cc9ede7fc17c6caaf53f924fb23ed024a079142b
Opcode Fuzzy Hash: 119127d43e39785501607995bcf970a2cc38528ac6b0ac6fbf367babbbac0ab3
Instruction Fuzzy Hash: 7951A1715042A8DBDB218F65DD80AEEB7FAFF04340F20419AE9499A694D7B18FC4DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0005F2C7 Relevance: 10.6, APIs: 7, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0005F2C7(intOrPtr* __ecx, void* __edx, signed int _a4) {
				int _v8;
				int _v12;
				int _v16;
				struct tagMSG* _v20;
				struct HWND__* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t48;
				struct tagMSG* _t49;
				signed int _t51;
				void* _t54;
				void* _t56;
				int _t57;
				int _t59;
				long _t62;
				signed int _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				void* _t73;
				intOrPtr* _t75;

				_t73 = __edx;
				_t70 = __ecx;
				_t75 = __ecx;
				_v16 = 1;
				_v12 = 0;
				if((_a4 & 0x00000004) == 0) {
					L2:
					_v8 = 0;
					L3:
					_t48 = GetParent( *(_t75 + 0x20));
					 *(_t75 + 0x58) =  *(_t75 + 0x58) | 0x00000018;
					_v24 = _t48;
					_t49 = E000695C6(_t77);
					_t69 = UpdateWindow;
					_v20 = _t49;
					while(1) {
						_t78 = _v16;
						if(_v16 == 0) {
							goto L15;
						}
						while(1) {
							L15:
							_t51 = E00069B57(_t70, _t73, 0, _t75, _t78);
							if(_t51 == 0) {
								break;
							}
							if(_v8 != 0) {
								_t59 = _v20->message;
								if(_t59 == 0x118 || _t59 == 0x104) {
									E00063582(_t75, 1);
									UpdateWindow( *(_t75 + 0x20));
									_v8 = 0;
								}
							}
							_t71 = _t75;
							_t54 =  *((intOrPtr*)( *_t75 + 0x88))();
							_t83 = _t54;
							if(_t54 == 0) {
								_t45 = _t75 + 0x58;
								 *_t45 =  *(_t75 + 0x58) & 0xffffffe7;
								__eflags =  *_t45;
								return  *((intOrPtr*)(_t75 + 0x60));
							} else {
								_push(_v20);
								_t56 = E000699C0(_t69, _t71, 0, _t75, _t83);
								_pop(_t70);
								if(_t56 != 0) {
									_v16 = 1;
									_v12 = 0;
								}
								_t57 = PeekMessageW(_v20, 0, 0, 0, 0); // executed
								if(_t57 == 0) {
									while(1) {
										_t78 = _v16;
										if(_v16 == 0) {
											goto L15;
										}
										goto L4;
									}
								}
								continue;
							}
						}
						_push(0);
						E0006BE0C();
						return _t51 | 0xffffffff;
						L4:
						__eflags = PeekMessageW(_v20, 0, 0, 0, 0);
						if(__eflags != 0) {
							goto L15;
						} else {
							__eflags = _v8;
							if(_v8 != 0) {
								_t70 = _t75; // executed
								E00063582(_t75, 1); // executed
								 *_t69( *(_t75 + 0x20)); // executed
								_v8 = 0;
							}
							__eflags = _a4 & 0x00000001;
							if((_a4 & 0x00000001) == 0) {
								__eflags = _v24;
								if(_v24 != 0) {
									__eflags = _v12;
									if(_v12 == 0) {
										SendMessageW(_v24, 0x121, 0,  *(_t75 + 0x20));
									}
								}
							}
							__eflags = _a4 & 0x00000002;
							if(__eflags != 0) {
								L13:
								_v16 = 0;
								continue;
							} else {
								_t62 = SendMessageW( *(_t75 + 0x20), 0x36a, 0, _v12);
								_v12 = _v12 + 1;
								__eflags = _t62;
								if(__eflags != 0) {
									continue;
								}
								goto L13;
							}
						}
					}
				}
				_t66 = E0006342B(__ecx);
				_v8 = 1;
				_t77 = _t66 & 0x10000000;
				if((_t66 & 0x10000000) == 0) {
					goto L3;
				}
				goto L2;
			}

0x0005f2c7
0x0005f2c7
0x0005f2db
0x0005f2dd
0x0005f2e0
0x0005f2e3
0x0005f2f4
0x0005f2f4
0x0005f2f7
0x0005f2fa
0x0005f300
0x0005f304
0x0005f307
0x0005f30c
0x0005f312
0x0005f382
0x0005f382
0x0005f385
0x00000000
0x00000000
0x0005f387
0x0005f387
0x0005f387
0x0005f38e
0x00000000
0x00000000
0x0005f393
0x0005f398
0x0005f3a0
0x0005f3ad
0x0005f3b5
0x0005f3b7
0x0005f3b7
0x0005f3a0
0x0005f3bc
0x0005f3be
0x0005f3c4
0x0005f3c6
0x0005f3fd
0x0005f3fd
0x0005f3fd
0x00000000
0x0005f3c8
0x0005f3c8
0x0005f3cb
0x0005f3d0
0x0005f3d3
0x0005f3d5
0x0005f3dc
0x0005f3dc
0x0005f3e6
0x0005f3ee
0x0005f382
0x0005f382
0x0005f385
0x00000000
0x00000000
0x00000000
0x0005f385
0x0005f382
0x00000000
0x0005f3ee
0x0005f3c6
0x0005f3f2
0x0005f3f3
0x00000000
0x0005f317
0x0005f324
0x0005f326
0x00000000
0x0005f328
0x0005f328
0x0005f32b
0x0005f32f
0x0005f331
0x0005f339
0x0005f33b
0x0005f33b
0x0005f33e
0x0005f342
0x0005f344
0x0005f347
0x0005f349
0x0005f34c
0x0005f35a
0x0005f35a
0x0005f34c
0x0005f347
0x0005f360
0x0005f364
0x0005f37f
0x0005f37f
0x00000000
0x0005f366
0x0005f372
0x0005f378
0x0005f37b
0x0005f37d
0x00000000
0x00000000
0x00000000
0x0005f37d
0x0005f364
0x0005f326
0x0005f382
0x0005f2e5
0x0005f2ea
0x0005f2ed
0x0005f2f2
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 0005F2FA
PeekMessageW.USER32(00000024,00000000,00000000,00000000,00000000), ref: 0005F31E
KiUserCallbackDispatcher.NTDLL ref: 0005F339
SendMessageW.USER32(?,00000121,00000000,?), ref: 0005F35A
SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 0005F372
UpdateWindow.USER32 ref: 0005F3B5
PeekMessageW.USER32(00000024,00000000,00000000,00000000,00000000), ref: 0005F3E6

Part of subcall function 0006342B: GetWindowLongW.USER32(?,000000F0), ref: 00063436

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Message$PeekSendWindow$CallbackDispatcherLongParentUpdateUser
String ID:
API String ID: 3153985260-0
Opcode ID: 8b798a8ab12ac02f08cef7ca80996c636acc99bf8db94d2f1417df4a70da9052
Instruction ID: cf96d1e16378c8ef9fd33f690d00fc6a326a4ef846d4e6657614c9fe11567f0f
Opcode Fuzzy Hash: 8b798a8ab12ac02f08cef7ca80996c636acc99bf8db94d2f1417df4a70da9052
Instruction Fuzzy Hash: 36417D7090064AEBEF219F65CC49AAFBBF5FF80741F20856DE845A21A1D7798B84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0006ADC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E0006ADC0(void* __ecx) {
				signed int _v8;
				short _v10;
				short _v12;
				short _v532;
				struct HINSTANCE__* _v536;
				intOrPtr _v544;
				WCHAR* _v556;
				intOrPtr _v560;
				char _v564;
				void* __edi;
				void* __esi;
				signed int _t25;
				void* _t35;
				void* _t39;
				struct HINSTANCE__* _t41;
				void* _t42;
				intOrPtr* _t43;
				void* _t45;
				void* _t46;
				signed int _t50;

				_t48 = _t50;
				_t25 =  *0x1c0454; // 0x885926af
				_v8 = _t25 ^ _t50;
				_v10 = 0;
				_v12 = 0;
				_t45 = __ecx;
				_t41 =  *(__ecx + 8);
				if(GetModuleFileNameW(_t41,  &_v532, 0x105) != 0) {
					if(_v12 == 0) {
						_v556 =  &_v532;
						_v536 = _t41;
						_t43 = __imp__CreateActCtxW;
						_v564 = 0x20;
						_v560 = 0x88;
						_v544 = 2;
						_t29 =  *_t43( &_v564); // executed
						 *(_t45 + 0x80) = _t29;
						if(_t29 == 0xffffffff) {
							_v544 = 3;
							_t29 =  *_t43( &_v564); // executed
							 *(_t45 + 0x80) = _t29;
						}
						if( *(_t45 + 0x80) == 0xffffffff) {
							_v544 = 1;
							_t29 =  *_t43( &_v564); // executed
							 *(_t45 + 0x80) = _t29;
							if(_t29 == 0xffffffff) {
								 *(_t45 + 0x80) =  *(_t45 + 0x80) & 0x00000000;
							}
						}
					} else {
						SetLastError(0x6f);
					}
				}
				_pop(_t42);
				_pop(_t46);
				return E00150836(_t29, _t35, _v8 ^ _t48, _t39, _t42, _t46);
			}

0x0006adc3
0x0006adcb
0x0006add2
0x0006add9
0x0006addd
0x0006ade6
0x0006ade8
0x0006adfb
0x0006ae06
0x0006ae1b
0x0006ae27
0x0006ae2d
0x0006ae34
0x0006ae3e
0x0006ae48
0x0006ae52
0x0006ae54
0x0006ae5d
0x0006ae66
0x0006ae70
0x0006ae72
0x0006ae72
0x0006ae7f
0x0006ae88
0x0006ae92
0x0006ae94
0x0006ae9d
0x0006ae9f
0x0006ae9f
0x0006ae9d
0x0006ae08
0x0006ae0a
0x0006ae0a
0x0006ae06
0x0006aea9
0x0006aeac
0x0006aeb3

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0006ADF3
SetLastError.KERNEL32(0000006F), ref: 0006AE0A
CreateActCtxW.KERNEL32(?), ref: 0006AE52
CreateActCtxW.KERNEL32(00000020), ref: 0006AE70
CreateActCtxW.KERNEL32(00000020), ref: 0006AE92

Strings

, xrefs: 0006AE34

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Create$ErrorFileLastModuleName
String ID:
API String ID: 1315026305-3916222277
Opcode ID: f80d2110b2868a727809b4d07f7f5b7026fd76129461db5afee7d4306f4e7245
Instruction ID: ae3be11d1305888e8c432800ae1637ff4bd779ddce47ebc0b0f3aaf08d570d83
Opcode Fuzzy Hash: f80d2110b2868a727809b4d07f7f5b7026fd76129461db5afee7d4306f4e7245
Instruction Fuzzy Hash: 9321A970900218DEDB60EF68DC48BEAB7F8BF59324F10429ED069E2190DB709A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 000DF163 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E000DF163(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t18;
				int _t19;
				WCHAR* _t21;
				intOrPtr _t27;
				void* _t28;
				void* _t29;
				intOrPtr _t30;

				_t29 = __eflags;
				_push(4);
				E00151A19(0x168841, __ebx, __edi, __esi);
				_t27 = __ecx;
				 *((intOrPtr*)(_t28 - 0x10)) = __ecx;
				E00063AEA(__ecx, _t29);
				 *((intOrPtr*)(__ecx)) = 0x187ae4;
				 *((intOrPtr*)(__ecx + 0x20)) = 0x187a90;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(_t28 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
				E00072399(3);
				_t30 =  *0x1c5a4c; // 0x1
				if(_t30 == 0) {
					_t21 = L"windows";
					_t18 = GetProfileIntW(_t21, L"DragMinDist", 2); // executed
					 *0x1c5a44 = _t18; // executed
					_t19 = GetProfileIntW(_t21, L"DragDelay", 0xc8); // executed
					 *0x1c5a48 = _t19;
					 *0x1c5a4c = 1;
				}
				E0007240B(3);
				return E00151AF1(_t27);
			}

0x000df163
0x000df163
0x000df16a
0x000df16f
0x000df171
0x000df174
0x000df17b
0x000df181
0x000df188
0x000df18b
0x000df18e
0x000df191
0x000df196
0x000df199
0x000df19c
0x000df19f
0x000df1a2
0x000df1a7
0x000df1ad
0x000df1bc
0x000df1c2
0x000df1cf
0x000df1d4
0x000df1d6
0x000df1db
0x000df1db
0x000df1e7
0x000df1f3

APIs

__EH_prolog3.LIBCMT ref: 000DF16A

Part of subcall function 00072399: EnterCriticalSection.KERNEL32(001C3DE0,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723D3
Part of subcall function 00072399: InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723E5
Part of subcall function 00072399: LeaveCriticalSection.KERNEL32(001C3DE0,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723F2
Part of subcall function 00072399: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 00072402

GetProfileIntW.KERNEL32 ref: 000DF1C2
GetProfileIntW.KERNEL32 ref: 000DF1D4

Strings

DragMinDist, xrefs: 000DF1B7
windows, xrefs: 000DF1BC, 000DF1C1, 000DF1CE
DragDelay, xrefs: 000DF1C9

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: 6430e3d6043095ef75fed91051e9b28c900852ce30afe7f7302ad81f6bd51ee4
Instruction ID: c103cbae0a3d36591ca5b2ff14e8ee0c3441da7bb75b76503bc8e7c7709d5302
Opcode Fuzzy Hash: 6430e3d6043095ef75fed91051e9b28c900852ce30afe7f7302ad81f6bd51ee4
Instruction Fuzzy Hash: E20171B1940B00DAC321AF5B8981A0AFEE8BFA0700F54590FE145ABAA1C7F4E281CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00054B00 Relevance: 9.2, APIs: 6, Instructions: 245
networkCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00054B00(intOrPtr* __ecx) {
				char _v8;
				char _v16;
				signed char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t78;
				void* _t83;
				intOrPtr _t97;
				void* _t98;
				void* _t99;
				WCHAR** _t101;
				void* _t103;
				intOrPtr* _t105;
				signed int** _t109;
				void* _t113;
				void* _t114;
				void* _t115;
				WCHAR** _t117;
				signed int** _t121;
				void* _t126;
				WCHAR** _t129;
				signed int** _t133;
				void* _t137;
				signed char _t141;
				signed char _t142;
				signed char _t143;
				signed int _t159;
				signed int _t167;
				WCHAR* _t174;
				signed int _t179;
				intOrPtr* _t192;
				signed int _t196;
				signed int _t206;

				_push(0xffffffff);
				_push(0x174753);
				_push( *[fs:0x0]);
				_push(_t137);
				_t78 =  *0x1c0454; // 0x885926af
				_push(_t78 ^ _t196);
				 *[fs:0x0] =  &_v16;
				_t192 = __ecx;
				_v20 = 0;
				E0006AD73( &_v48, __ecx + 0xa0, 1);
				_v8 = 0;
				if( *((intOrPtr*)(__ecx + 0x70)) != 0) {
					L28:
					_t83 =  *(_t192 + 0x70);
					if(_t83 != 0) {
						__imp__InternetSetStatusCallbackW(_t83, E00056110);
						__eflags = _t83 - 0xffffffff;
						if(_t83 != 0xffffffff) {
							_v8 = 0xffffffff;
							E0006AD4F( &_v48);
							 *[fs:0x0] = _v16;
							return 1;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)( *_t192 + 0x1c))))(0x6e, GetLastError());
							_v8 = 0xffffffff;
							E0006AD4F( &_v48);
							__eflags = 0;
							 *[fs:0x0] = _v16;
							return 0;
						}
					} else {
						 *((intOrPtr*)( *((intOrPtr*)( *_t192 + 0x1c))))(0x6e, GetLastError());
						_v8 = 0xffffffff;
						E0006AD4F( &_v48);
						 *[fs:0x0] = _v16;
						return 0;
					}
				}
				_t97 =  *((intOrPtr*)(__ecx + 0x34));
				if(_t97 == 0) {
					_t98 = __ecx + 0x24;
					__eflags =  *( *((intOrPtr*)(__ecx + 0x24)) - 0xc);
					if(__eflags == 0) {
						_t99 = E0006B628(_t137, 0, __ecx, __eflags);
						_t159 =  &_v36;
						_t101 = E00056620(_t137,  *((intOrPtr*)(_t99 + 0x10)));
						_t141 = 2;
					} else {
						_t159 =  &_v24;
						E00053FD0(_t159, _t98);
						_t101 =  &_v24;
						_v8 = 1;
						_t141 = 1;
					}
					_t103 = InternetOpenW( *_t101, 0, 0, 0, 0); // executed
					 *(_t192 + 0x70) = _t103;
					__eflags = _t141 & 0x00000002;
					if((_t141 & 0x00000002) != 0) {
						_t141 = _t141 & 0xfffffffd;
						_t109 = _v36 + 0xfffffff0;
						_v20 = _t141;
						_t179 =  &(_t109[3]);
						asm("lock xadd [edx], ecx");
						__eflags = (_t159 | 0xffffffff) - 1;
						if((_t159 | 0xffffffff) - 1 <= 0) {
							_t179 =  *( *_t109);
							 *((intOrPtr*)( *((intOrPtr*)(_t179 + 4))))(_t109);
						}
					}
					__eflags = _t141 & 0x00000001;
					L25:
					_v8 = 0;
					if(_t206 != 0) {
						_t105 = _v24 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						if((_t179 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t105)) + 4))))(_t105);
						}
					}
					goto L28;
				}
				_t113 = _t97 - 1;
				if(_t113 == 0) {
					_t114 = __ecx + 0x24;
					__eflags =  *( *((intOrPtr*)(__ecx + 0x24)) - 0xc);
					if(__eflags == 0) {
						_t115 = E0006B628(_t137, 0, __ecx, __eflags);
						_t167 =  &_v32;
						_t117 = E00056620(_t137,  *((intOrPtr*)(_t115 + 0x10)));
						_t142 = 8;
					} else {
						_t167 =  &_v24;
						E00053FD0(_t167, _t114);
						_t117 =  &_v24;
						_v8 = 2;
						_t142 = 4;
					}
					 *(_t192 + 0x70) = InternetOpenW( *_t117, 1, 0, 0, 0);
					__eflags = _t142 & 0x00000008;
					if((_t142 & 0x00000008) != 0) {
						_t142 = _t142 & 0xfffffff7;
						_t121 = _v32 + 0xfffffff0;
						_v20 = _t142;
						_t179 =  &(_t121[3]);
						asm("lock xadd [edx], ecx");
						__eflags = (_t167 | 0xffffffff) - 1;
						if((_t167 | 0xffffffff) - 1 <= 0) {
							_t179 =  *( *_t121);
							 *((intOrPtr*)( *((intOrPtr*)(_t179 + 4))))(_t121);
						}
					}
					__eflags = _t142 & 0x00000004;
					goto L25;
				}
				if(_t113 != 1) {
					goto L28;
				} else {
					_t126 = __ecx + 0x24;
					if( *( *((intOrPtr*)(__ecx + 0x24)) - 0xc) == 0) {
						_t129 = E00056620(_t137,  *((intOrPtr*)(E0006B628(_t137, 0, __ecx, __eflags) + 0x10)));
						_t143 = 0x20;
					} else {
						E00053FD0( &_v24, _t126);
						_t129 =  &_v24;
						_v8 = 3;
						_t143 = 0x10;
					}
					_t174 =  *(_t192 + 0x10);
					 *(_t192 + 0x70) = InternetOpenW( *_t129, 3, _t174, 0, 0);
					if((_t143 & 0x00000020) != 0) {
						_t143 = _t143 & 0xffffffdf;
						_t133 = _v28 + 0xfffffff0;
						_v20 = _t143;
						_t179 =  &(_t133[3]);
						asm("lock xadd [edx], ecx");
						if((_t174 | 0xffffffff) - 1 <= 0) {
							_t179 =  *( *_t133);
							 *((intOrPtr*)( *((intOrPtr*)(_t179 + 4))))(_t133);
						}
					}
					_t206 = _t143 & 0x00000010;
					goto L25;
				}
			}

0x00054b03
0x00054b05
0x00054b10
0x00054b14
0x00054b17
0x00054b1e
0x00054b22
0x00054b28
0x00054b38
0x00054b3b
0x00054b40
0x00054b46
0x00054cf8
0x00054cf8
0x00054cfd
0x00054d3a
0x00054d43
0x00054d45
0x00054d7b
0x00054d7e
0x00054d8b
0x00054d99
0x00054d47
0x00054d57
0x00054d5c
0x00054d5f
0x00054d64
0x00054d69
0x00054d77
0x00054d77
0x00054cff
0x00054d0f
0x00054d14
0x00054d1b
0x00054d25
0x00054d33
0x00054d33
0x00054cfd
0x00054b4f
0x00054b51
0x00054c63
0x00054c66
0x00054c68
0x00054c81
0x00054c8a
0x00054c8d
0x00054c92
0x00054c6a
0x00054c6b
0x00054c6e
0x00054c73
0x00054c76
0x00054c7a
0x00054c7a
0x00054c9e
0x00054ca4
0x00054ca7
0x00054caa
0x00054caf
0x00054cb2
0x00054cb5
0x00054cb8
0x00054cbe
0x00054cc3
0x00054cc5
0x00054cc9
0x00054ccf
0x00054ccf
0x00054cc5
0x00054cd1
0x00054cd4
0x00054cd4
0x00054cd7
0x00054cdc
0x00054ce5
0x00054cec
0x00054cf6
0x00054cf6
0x00054cec
0x00000000
0x00054cd7
0x00054b57
0x00054b58
0x00054be9
0x00054bec
0x00054bee
0x00054c07
0x00054c10
0x00054c13
0x00054c18
0x00054bf0
0x00054bf1
0x00054bf4
0x00054bf9
0x00054bfc
0x00054c00
0x00054c00
0x00054c2b
0x00054c2e
0x00054c31
0x00054c36
0x00054c39
0x00054c3c
0x00054c3f
0x00054c45
0x00054c4a
0x00054c4c
0x00054c50
0x00054c56
0x00054c56
0x00054c4c
0x00054c58
0x00000000
0x00054c58
0x00054b5f
0x00000000
0x00054b65
0x00054b6b
0x00054b70
0x00054b93
0x00054b98
0x00054b72
0x00054b76
0x00054b7b
0x00054b7e
0x00054b82
0x00054b82
0x00054b9d
0x00054bae
0x00054bb4
0x00054bb9
0x00054bbc
0x00054bbf
0x00054bc2
0x00054bc8
0x00054bcf
0x00054bd3
0x00054bd9
0x00054bd9
0x00054bcf
0x00054bdb
0x00000000
0x00054bdb

APIs

InternetOpenW.WININET(?,00000003,?,00000000,00000000), ref: 00054BA8
InternetOpenW.WININET(?,00000001,00000000,00000000,00000000), ref: 00054C25
InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00054C9E
GetLastError.KERNEL32(?,00000001,885926AF), ref: 00054CFF
InternetSetStatusCallbackW.WININET(?,00056110), ref: 00054D3A
GetLastError.KERNEL32 ref: 00054D47

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Internet$Open$ErrorLast$CallbackStatus
String ID:
API String ID: 2768093928-0
Opcode ID: 44a9623c13f3926463d5cd253beb57ada09cad81bd430d08eb7406bf92029d2e
Instruction ID: 612ea9ad1b55c87a20d5184c6204b07ac4e3fe8b4c63908e0700216a1db25600
Opcode Fuzzy Hash: 44a9623c13f3926463d5cd253beb57ada09cad81bd430d08eb7406bf92029d2e
Instruction Fuzzy Hash: A691DD31A00A058FD755CB68C885BEFB7F9FF89325F144369E8269B2D1DB31A984CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00064481 Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00064481(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t62;
				signed int _t68;
				signed int _t70;
				struct HWND__* _t71;
				struct HWND__* _t72;
				signed int _t74;
				signed int _t104;
				void* _t115;
				signed int _t118;
				DLGTEMPLATE* _t119;
				struct HWND__* _t120;
				intOrPtr* _t122;
				void* _t123;

				_t117 = __edi;
				_t115 = __edx;
				_t98 = __ecx;
				_push(0x3c);
				E00151A4C(0x168a31, __ebx, __edi, __esi);
				_t122 = __ecx;
				 *((intOrPtr*)(_t123 - 0x20)) = __ecx;
				_t127 =  *(_t123 + 0x10);
				if( *(_t123 + 0x10) == 0) {
					 *(_t123 + 0x10) =  *(E0006B628(0, __edi, __ecx, _t127) + 0xc);
				}
				_t118 =  *(E0006B628(0, _t117, _t122, _t127) + 0x3c);
				 *(_t123 - 0x28) = _t118;
				 *(_t123 - 0x14) = 0;
				 *(_t123 - 4) = 0;
				E00062F94(0, _t98, _t118, _t122, _t127, 0x10);
				E00062F94(0, _t98, _t118, _t122, _t127, 0xfc000); // executed
				E0006035B(0, _t98, _t115, _t118, _t127); // executed
				E000730E9();
				if(_t118 == 0) {
					_t119 =  *(_t123 + 8);
					L7:
					__eflags = _t119;
					if(_t119 == 0) {
						L4:
						_t62 = 0;
						L26:
						return E00151AF1(_t62);
					}
					E00051110(_t123 - 0x1c, E00065761());
					 *(_t123 - 4) = 1;
					 *((intOrPtr*)(_t123 - 0x18)) = 0;
					_t68 = E00073D1A(_t119, __eflags, _t119, _t123 - 0x1c, _t123 - 0x18);
					__eflags = _t68;
					__eflags = 0 | _t68 == 0x00000000;
					if(__eflags != 0) {
						_push(_t119);
						E00073CDE(_t123 - 0x38, _t119);
						 *(_t123 - 4) = 2;
						E00073C3A(_t123 - 0x38,  *((intOrPtr*)(_t123 - 0x18)));
						 *(_t123 - 0x14) = E0007398D(_t123 - 0x38);
						 *(_t123 - 4) = 1;
						E0007397F(_t123 - 0x38);
						__eflags =  *(_t123 - 0x14);
						if(__eflags != 0) {
							_t119 = GlobalLock( *(_t123 - 0x14));
						}
					}
					 *(_t122 + 0x60) =  *(_t122 + 0x60) | 0xffffffff;
					 *(_t122 + 0x58) =  *(_t122 + 0x58) | 0x00000010;
					E00061E0F(0, __eflags, _t122);
					_t70 =  *(_t123 + 0xc);
					__eflags = _t70;
					if(_t70 != 0) {
						_t71 =  *(_t70 + 0x20);
					} else {
						_t71 = 0;
					}
					_t72 = CreateDialogIndirectParamW( *(_t123 + 0x10), _t119, _t71, E00063E59, 0); // executed
					_t120 = _t72;
					E00051190( *((intOrPtr*)(_t123 - 0x1c)) + 0xfffffff0, _t115);
					 *(_t123 - 4) =  *(_t123 - 4) | 0xffffffff;
					_t104 =  *(_t123 - 0x28);
					__eflags = _t104;
					if(__eflags != 0) {
						__eflags = _t120;
						if(__eflags != 0) {
							 *((intOrPtr*)( *_t104 + 0x18))(_t123 - 0x48);
							 *((intOrPtr*)( *_t122 + 0x158))(0);
						}
					}
					_t74 = E0005F8E9(0, _t120, __eflags);
					__eflags = _t74;
					if(_t74 == 0) {
						 *((intOrPtr*)( *_t122 + 0x120))();
					}
					__eflags = _t120;
					if(_t120 != 0) {
						__eflags =  *(_t122 + 0x58) & 0x00000010;
						if(( *(_t122 + 0x58) & 0x00000010) == 0) {
							DestroyWindow(_t120);
							_t120 = 0;
							__eflags = 0;
						}
					}
					__eflags =  *(_t123 - 0x14);
					if( *(_t123 - 0x14) != 0) {
						GlobalUnlock( *(_t123 - 0x14));
						GlobalFree( *(_t123 - 0x14));
					}
					__eflags = _t120;
					_t54 = _t120 != 0;
					__eflags = _t54;
					_t62 = 0 | _t54;
					goto L26;
				}
				_push(_t123 - 0x48);
				if( *((intOrPtr*)( *_t122 + 0x158))() != 0) {
					_t119 =  *((intOrPtr*)( *_t118 + 0x14))(_t123 - 0x48,  *(_t123 + 8));
					goto L7;
				}
				goto L4;
			}

0x00064481
0x00064481
0x00064481
0x00064481
0x00064488
0x0006448d
0x0006448f
0x00064494
0x00064497
0x000644a1
0x000644a1
0x000644a9
0x000644ae
0x000644b1
0x000644b4
0x000644b7
0x000644c1
0x000644c6
0x000644cb
0x000644d2
0x000644ff
0x00064502
0x00064502
0x00064504
0x000644e6
0x000644e6
0x0006463d
0x00064642
0x00064642
0x0006450f
0x0006451d
0x00064521
0x00064524
0x0006452e
0x00064533
0x00064535
0x00064537
0x0006453b
0x00064546
0x0006454a
0x0006455a
0x0006455d
0x00064561
0x00064566
0x00064569
0x00064574
0x00064574
0x00064569
0x00064576
0x0006457a
0x0006457f
0x00064584
0x00064587
0x00064589
0x0006458f
0x0006458b
0x0006458b
0x0006458b
0x0006459d
0x000645a9
0x000645ab
0x000645b0
0x000645da
0x000645dd
0x000645df
0x000645e1
0x000645e3
0x000645eb
0x000645f3
0x000645f3
0x000645e3
0x000645f9
0x000645fe
0x00064600
0x00064606
0x00064606
0x0006460c
0x0006460e
0x00064610
0x00064614
0x00064617
0x0006461d
0x0006461d
0x0006461d
0x00064614
0x0006461f
0x00064622
0x00064627
0x00064630
0x00064630
0x00064638
0x0006463a
0x0006463a
0x0006463a
0x00000000
0x0006463a
0x000644d9
0x000644e4
0x000644fb
0x00000000
0x000644fb
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 00064488
GlobalLock.KERNEL32 ref: 0006456E
CreateDialogIndirectParamW.USER32(?,?,?,00063E59,00000000), ref: 0006459D
DestroyWindow.USER32 ref: 00064617
GlobalUnlock.KERNEL32(?), ref: 00064627
GlobalFree.KERNEL32(?), ref: 00064630

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 06fc0546a3bdba1619d31fbdadcbb53f12e17a68b1e1638e91b9b598a5618d06
Instruction ID: ae29e88603306f45ca04bf64d609e8a680543964a69c7b279964c85a6674f829
Opcode Fuzzy Hash: 06fc0546a3bdba1619d31fbdadcbb53f12e17a68b1e1638e91b9b598a5618d06
Instruction Fuzzy Hash: 8F51BD7190024ADFCF14EFA4C8859FEBBB6BF44310F14452DF506A72A2CB748A81DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00154859 Relevance: 7.6, APIs: 5, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00154859(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t27;
				signed int _t34;
				signed int _t36;
				signed char _t42;
				intOrPtr* _t46;
				void* _t49;
				signed int _t56;
				void* _t57;

				_t55 = __esi;
				_t49 = __edx;
				_push(0xc);
				_push(0x1b6b40);
				E00151BC0(__ebx, __edi, __esi);
				 *(_t57 - 0x1c) = 0;
				_t42 = 0;
				if(( *(_t57 + 0xc) & 0x00000008) != 0) {
					_t42 = 0x20;
				}
				if(( *(_t57 + 0xc) & 0x00004000) != 0) {
					_t42 = _t42 | 0x00000080;
				}
				if(( *(_t57 + 0xc) & 0x00000080) != 0) {
					_t42 = _t42 | 0x00000010;
				}
				_t27 = GetFileType( *(_t57 + 8)); // executed
				if(_t27 != 0) {
					__eflags = _t27 - 2;
					if(__eflags != 0) {
						__eflags = _t27 - 3;
						if(__eflags == 0) {
							_t42 = _t42 | 0x00000008;
							__eflags = _t42;
						}
					} else {
						_t42 = _t42 | 0x00000040;
					}
					_t56 = E001546C0(_t42, _t49, 0, _t55, __eflags);
					 *(_t57 + 0xc) = _t56;
					__eflags = _t56 - 0xffffffff;
					if(__eflags != 0) {
						 *((intOrPtr*)(_t57 - 4)) = 0;
						E0015448A(_t42, _t56,  *(_t57 + 8));
						_t46 = 0x1c92c0 + (_t56 >> 5) * 4;
						_t34 = (_t56 & 0x0000001f) << 6;
						 *( *_t46 + _t34 + 4) = _t42 | 0x00000001;
						 *( *_t46 + _t34 + 0x24) =  *( *_t46 + _t34 + 0x24) & 0x00000080;
						 *( *_t46 + _t34 + 0x24) =  *( *_t46 + _t34 + 0x24) & 0x0000007f;
						 *(_t57 - 0x1c) = 1;
						 *((intOrPtr*)(_t57 - 4)) = 0xfffffffe;
						_t36 = E00154947(0, _t56);
						__eflags =  *(_t57 - 0x1c);
						if( *(_t57 - 0x1c) == 0) {
							goto L8;
						}
						_t37 = _t56;
						goto L9;
					} else {
						 *((intOrPtr*)(E00151F1F(__eflags))) = 0x18;
						_t36 = E00151F32(__eflags);
						 *_t36 = 0;
						goto L8;
					}
				} else {
					_t36 = E00151F45(GetLastError());
					L8:
					_t37 = _t36 | 0xffffffff;
					L9:
					return E00151C05(_t37);
				}
			}

0x00154859
0x00154859
0x00154859
0x0015485b
0x00154860
0x00154867
0x0015486a
0x00154870
0x00154872
0x00154872
0x0015487c
0x0015487e
0x0015487e
0x00154885
0x00154887
0x00154887
0x0015488d
0x00154895
0x001548ad
0x001548b0
0x001548b7
0x001548ba
0x001548bc
0x001548bc
0x001548bc
0x001548b2
0x001548b2
0x001548b2
0x001548c4
0x001548c6
0x001548c9
0x001548cc
0x001548e2
0x001548e9
0x001548f8
0x00154904
0x00154909
0x00154913
0x0015491c
0x0015491f
0x00154926
0x0015492d
0x00154932
0x00154935
0x00000000
0x00000000
0x0015493b
0x00000000
0x001548ce
0x001548d3
0x001548d9
0x001548de
0x00000000
0x001548de
0x00154897
0x0015489e
0x001548a4
0x001548a4
0x001548a7
0x001548ac
0x001548ac

APIs

GetFileType.KERNEL32 ref: 0015488D
GetLastError.KERNEL32(?,0005AF92,?,00004000), ref: 00154897
__dosmaperr.LIBCMT ref: 0015489E
__alloc_osfhnd.LIBCMT ref: 001548BF
__set_osfhnd.LIBCMT ref: 001548E9

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
String ID:
API String ID: 43408053-0
Opcode ID: 76c1cbe57072dcdc2379b3440de51891e78de547c7eab889df78aa3abf78b5c6
Instruction ID: 1050df7ba62baafff0504a42d9d549ba87eebbe54fa5d777c08f07b4261c87c6
Opcode Fuzzy Hash: 76c1cbe57072dcdc2379b3440de51891e78de547c7eab889df78aa3abf78b5c6
Instruction Fuzzy Hash: E321C231981285EFDF129FA4C8057997BA0AF5233AF288645ED748F1E2C7B985C9DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0005B1C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0005B1C0() {
				void* _v8;
				int _v12;
				char _v16;
				int _v20;
				long _t13;
				long _t15;

				_v8 = 0;
				_v20 = 4;
				_v12 = 0;
				_v16 = 0;
				_t13 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v3.5", 0, 0x20019,  &_v8); // executed
				if(_t13 == 0) {
					_v12 = 4;
					_t15 = RegQueryValueExW(_v8, 0x1a1790, 0,  &_v20,  &_v16,  &_v12); // executed
					if(_t15 != 0) {
						goto L1;
					} else {
						RegCloseKey(_v8); // executed
						return 1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x0005b1db
0x0005b1e2
0x0005b1e9
0x0005b1f0
0x0005b1f7
0x0005b1ff
0x0005b21e
0x0005b225
0x0005b22d
0x00000000
0x0005b22f
0x0005b233
0x0005b23e
0x0005b23e
0x0005b201
0x0005b201
0x0005b206
0x0005b206

APIs

RegOpenKeyExW.KERNEL32 ref: 0005B1F7
RegQueryValueExW.KERNEL32(00000000,001A1790,00000000,00000004,00000000,00000000), ref: 0005B225
RegCloseKey.KERNEL32(00000000), ref: 0005B233

Strings

SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5, xrefs: 0005B1D1

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5
API String ID: 3677997916-3540158507
Opcode ID: c96cc94411c0e077b078cad02119d5f31dbfa4c240ad1889db745846a1f88ac8
Instruction ID: 671a2babece905289669322e1bb47252f1d75aff33ef317fd9956a82dbf54a03
Opcode Fuzzy Hash: c96cc94411c0e077b078cad02119d5f31dbfa4c240ad1889db745846a1f88ac8
Instruction Fuzzy Hash: 2D0131B9A0420CFBEB10DFD0DC49BEEB7B8EB45709F104188FA18A6180D7B16648DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0006CADE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0006CADE(void* __ecx, char _a4, char _a5, signed int _a8, signed int _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t38;
				signed int _t41;
				void* _t42;
				signed int _t52;
				void* _t55;
				void* _t62;
				signed int _t64;
				void* _t66;
				void* _t67;

				_t66 = __ecx;
				if(_a4 != 0) {
					 *(__ecx + 0x14) =  *(__ecx + 0x14) & 0x00000000;
					_t52 = _a8;
					_t64 = _a12;
					_t37 = E0006AA93(__ecx, __eflags, _a4, _t52 & 0xffffbfff, _t64); // executed
					__eflags = _t37;
					if(_t37 == 0) {
						L21:
						_t38 = 0;
						L23:
						return _t38;
					}
					__eflags = _t52 & 0x00001000;
					if((_t52 & 0x00001000) == 0) {
						__eflags = _t52 & 0x00000001;
						if((_t52 & 0x00000001) != 0) {
							L5:
							_a4 = 0x61;
							L6:
							__eflags = _t52 & 0x00000001;
							if((_t52 & 0x00000001) != 0) {
								L8:
								_t55 = 0x4000;
								__eflags = _t52 & 0x00008000;
								if(__eflags == 0) {
									 *((char*)(_t67 + 9)) = 0x74;
									_t41 = 2;
									__eflags = 2;
								} else {
									 *((char*)(_t67 + 9)) = 0x62;
									_t41 = 2;
									_t55 = 0;
								}
								_push(_t55);
								_push( *((intOrPtr*)(_t66 + 4)));
								 *((char*)(_t67 + _t41 + 8)) = 0;
								_t42 = E00154859(_t52, _t62, _t64, _t66, __eflags); // executed
								__eflags = _t42 - 0xffffffff;
								if(__eflags != 0) {
									_push( &_a4);
									_push(_t42);
									 *(_t66 + 0x14) = E00154995(_t52, _t64, _t66, __eflags);
								}
								__eflags =  *(_t66 + 0x14);
								if( *(_t66 + 0x14) != 0) {
									_t38 = 1;
									__eflags = 1;
									goto L23;
								} else {
									__eflags = _t64;
									if(__eflags != 0) {
										 *((intOrPtr*)(_t64 + 0xc)) =  *((intOrPtr*)(E00151F32(__eflags)));
										 *((intOrPtr*)(_t64 + 8)) = E00087313( *((intOrPtr*)(E00151F32(__eflags))));
									}
									E0006A502(_t66);
									goto L21;
								}
							}
							L7:
							_push(2);
							_a5 = 0x2b;
							_pop(1);
							goto L8;
						}
						_a4 = 0x72;
						__eflags = _t52 & 0x00000002;
						if((_t52 & 0x00000002) != 0) {
							goto L7;
						}
						goto L8;
					}
					__eflags = _t52 & 0x00002000;
					if((_t52 & 0x00002000) == 0) {
						_a4 = 0x77;
						goto L6;
					}
					goto L5;
				}
				return 0;
			}

0x0006cae8
0x0006caea
0x0006caf3
0x0006caf8
0x0006cafc
0x0006cb0b
0x0006cb10
0x0006cb12
0x0006cbbc
0x0006cbbc
0x0006cbc3
0x00000000
0x0006cbc4
0x0006cb1b
0x0006cb21
0x0006cb58
0x0006cb5b
0x0006cb2b
0x0006cb2b
0x0006cb2f
0x0006cb2f
0x0006cb32
0x0006cb3b
0x0006cb3b
0x0006cb40
0x0006cb46
0x0006cb68
0x0006cb6d
0x0006cb6d
0x0006cb48
0x0006cb48
0x0006cb4d
0x0006cb4e
0x0006cb4e
0x0006cb6e
0x0006cb6f
0x0006cb72
0x0006cb77
0x0006cb7e
0x0006cb81
0x0006cb86
0x0006cb87
0x0006cb8f
0x0006cb8f
0x0006cb92
0x0006cb96
0x0006cbc2
0x0006cbc2
0x00000000
0x0006cb98
0x0006cb98
0x0006cb9a
0x0006cba3
0x0006cbb2
0x0006cbb2
0x0006cbb7
0x00000000
0x0006cbb7
0x0006cb96
0x0006cb34
0x0006cb34
0x0006cb36
0x0006cb3a
0x00000000
0x0006cb3a
0x0006cb5d
0x0006cb61
0x0006cb64
0x00000000
0x00000000
0x00000000
0x0006cb66
0x0006cb23
0x0006cb29
0x0006cb52
0x00000000
0x0006cb52
0x00000000
0x0006cb29
0x00000000

APIs

__fdopen.LIBCMT ref: 0006CB88

Strings

+, xrefs: 0006CB36
t, xrefs: 0006CB68

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: __fdopen
String ID: +$t
API String ID: 194168367-1842947216
Opcode ID: 5e31c0d55c5204d745f323724012d1d1f6548057f18d4a2a8f074207e1eb0124
Instruction ID: bc99b69e06480a0d1e304ce8907b42ad9e06f8ce1727846633c796a480294bbd
Opcode Fuzzy Hash: 5e31c0d55c5204d745f323724012d1d1f6548057f18d4a2a8f074207e1eb0124
Instruction Fuzzy Hash: B12137311087409DF7219E28D48BFBA7BD69F11314F24942DEDEACA1D2DB78D88587A1

Uniqueness

Uniqueness Score: -1.00%

Function 0006EF88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0006EF88(intOrPtr __ebx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				short _v532;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t12;
				signed int _t17;
				intOrPtr _t20;
				void* _t24;
				intOrPtr _t25;
				void* _t26;
				intOrPtr _t30;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t38;
				signed int _t40;
				void* _t41;

				_t30 = __edx;
				_t25 = __ebx;
				_t38 = _t40;
				_t41 = _t40 - 0x210;
				_t12 =  *0x1c0454; // 0x885926af
				_v8 = _t12 ^ _t38;
				_t32 = _a4;
				if(GetSystemDirectoryW( &_v532, 0x105) != 0) {
					_t17 = E0015161A( &_v532);
					__eflags =  *((short*)(_t38 + _t17 * 2 - 0x212)) - 0x5c;
					_pop(_t26);
					if( *((short*)(_t38 + _t17 * 2 - 0x212)) == 0x5c) {
						L5:
						__eflags = E001542DE( &_v532, 0x105, _t32);
						if(__eflags != 0) {
							goto L2;
						} else {
							_push( &_v532); // executed
							_t20 = E0005E893(_t26, 0x105, __eflags); // executed
						}
					} else {
						_t24 = E001542DE( &_v532, 0x105, 0x1a18bc);
						_t41 = _t41 + 0xc;
						__eflags = _t24;
						if(_t24 != 0) {
							goto L2;
						} else {
							goto L5;
						}
					}
				} else {
					L2:
					_t20 = 0;
				}
				_pop(_t33);
				_pop(_t36);
				return E00150836(_t20, _t25, _v8 ^ _t38, _t30, _t33, _t36);
			}

0x0006ef88
0x0006ef88
0x0006ef8b
0x0006ef8d
0x0006ef93
0x0006ef9a
0x0006ef9f
0x0006efb7
0x0006efc4
0x0006efc9
0x0006efd2
0x0006efd3
0x0006efee
0x0006efff
0x0006f001
0x00000000
0x0006f003
0x0006f009
0x0006f00a
0x0006f00f
0x0006efd5
0x0006efe2
0x0006efe7
0x0006efea
0x0006efec
0x00000000
0x00000000
0x00000000
0x00000000
0x0006efec
0x0006efb9
0x0006efb9
0x0006efb9
0x0006efb9
0x0006f013
0x0006f016
0x0006f01d

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 0006EFAF
_wcslen.LIBCMT ref: 0006EFC4

Strings

\, xrefs: 0006EFC9

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: DirectorySystem_wcslen
String ID: \
API String ID: 2940219301-2967466578
Opcode ID: 03a3de0b95d70397ed8d3806152e593693e76470af868b18e34fd20825d5de4b
Instruction ID: e32d65b1832fafb211b15f287be8b10ade055bfcad31e548b36b85d4a03c2f0e
Opcode Fuzzy Hash: 03a3de0b95d70397ed8d3806152e593693e76470af868b18e34fd20825d5de4b
Instruction Fuzzy Hash: D701B93590021CA7DB20DBA5EC49EEB77FDAF64314F040479BC19D3041E770DA888A90

Uniqueness

Uniqueness Score: -1.00%

Function 00052CF0 Relevance: 4.6, APIs: 3, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00052CF0(void* __ecx, void* __edx, long long __fp0, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20) {
				intOrPtr _v20;
				signed int _v24;
				long _v28;
				signed int _v32;
				signed short _v36;
				long _t47;
				signed int _t48;
				long _t63;
				signed int _t65;
				signed int _t70;
				void* _t81;
				intOrPtr _t82;
				signed int _t85;
				intOrPtr _t86;
				intOrPtr _t91;
				void* _t93;
				signed int _t95;
				void* _t97;
				long long _t109;

				_t109 = __fp0;
				_t81 = __edx;
				_t97 = (_t95 & 0xffffffc0) - 0x34;
				_t93 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x3a0)) == 0xffffffff) {
					_t63 = GetTickCount();
					 *(_t93 + 0x3a8) = _t63;
					 *(_t93 + 0x3a4) = _t63;
				}
				_t65 = _a20;
				if(_a12 != 0) {
					asm("adc ecx, [ebp+0xc]");
					_t91 = E00160F90(E00155DF0( *((intOrPtr*)(_t93 + 0x50)) + _a4,  *((intOrPtr*)(_t93 + 0x54)), 0x64, 0), _t81, _a16, _t65);
					if(_t91 !=  *((intOrPtr*)(_t93 + 0x3a0))) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t93 - 0x98)) + 0x18c))))(_t91); // executed
						 *((intOrPtr*)(_t93 + 0x3a0)) = _t91;
					}
				}
				_t47 = GetTickCount();
				_v28 = _t47;
				_t48 = _t47 -  *(_t93 + 0x3a4);
				if(_t48 > 0x3e8) {
					asm("fild qword [ebp+0x8]");
					_t82 =  *((intOrPtr*)(_t93 - 0x98));
					_v24 = _t48;
					asm("fst qword [esp+0x38]");
					asm("fild qword [esi+0x398]");
					asm("fsubp st1, st0");
					asm("fild dword [esp+0x2c]");
					if(_t48 < 0) {
						_t109 = _t109 +  *0x1a1b58;
					}
					asm("fdivp st1, st0");
					 *((long long*)(_t97 - 8)) = _t109;
					 *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x194))))();
					_t48 = _a4;
					 *(_t93 + 0x3a4) = _v36;
					_t70 = _a8;
					 *(_t93 + 0x398) = _t48;
					 *(_t93 + 0x39c) = _t70;
					if(_a12 != 0 && (_t48 | _t70) != 0) {
						asm("fild dword [esp+0x28]");
						_t85 =  *((intOrPtr*)(_t93 + 0x54));
						_v28 =  *((intOrPtr*)(_t93 + 0x50));
						_push(_t65);
						_push(_a16);
						_v24 = _t85;
						asm("adc eax, [ebp+0xc]");
						_t86 =  *((intOrPtr*)(_t93 - 0x98));
						_push(_t85);
						_push(_v28 + _t48);
						if(_v36 < 0) {
							_t109 = _t109 +  *0x1a1b58;
						}
						asm("fild dword [esi+0x3a8]");
						if( *(_t93 + 0x3a8) < 0) {
						}
						asm("fsubp st1, st0");
						asm("fnstcw word [esp+0x38]");
						asm("sbb ebx, [esp+0x44]");
						_v28 = _a16 - _v28;
						_v24 = _t65;
						_v32 = _v36 & 0x0000ffff | 0x00000c00;
						asm("fild qword [esp+0x40]");
						asm("fsubrp st1, st0");
						asm("fmulp st1, st0");
						asm("fldcw word [esp+0x3c]");
						asm("fistp qword [esp+0x48]");
						asm("fldcw word [esp+0x3c]");
						_t48 =  *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x190))))(_v20);
					}
				}
				return _t48;
			}

0x00052cf0
0x00052cf0
0x00052cf6
0x00052cfb
0x00052d05
0x00052d07
0x00052d0d
0x00052d13
0x00052d13
0x00052d1d
0x00052d20
0x00052d2b
0x00052d45
0x00052d4d
0x00052d62
0x00052d64
0x00052d64
0x00052d4d
0x00052d6a
0x00052d70
0x00052d74
0x00052d7f
0x00052d85
0x00052d88
0x00052d8e
0x00052d92
0x00052d96
0x00052d9c
0x00052d9e
0x00052da4
0x00052da6
0x00052da6
0x00052dac
0x00052dbd
0x00052dc0
0x00052dca
0x00052dcd
0x00052dd3
0x00052dd6
0x00052ddc
0x00052de2
0x00052df5
0x00052df9
0x00052dfc
0x00052e03
0x00052e04
0x00052e0b
0x00052e11
0x00052e14
0x00052e1a
0x00052e1b
0x00052e22
0x00052e24
0x00052e24
0x00052e30
0x00052e38
0x00052e38
0x00052e40
0x00052e53
0x00052e59
0x00052e5d
0x00052e61
0x00052e6f
0x00052e73
0x00052e77
0x00052e79
0x00052e81
0x00052e85
0x00052e94
0x00052e98
0x00052e98
0x00052de2
0x00052ea0

APIs

GetTickCount.KERNEL32 ref: 00052D07
__aulldiv.LIBCMT ref: 00052D40
GetTickCount.KERNEL32(?,?,?,?,?,00000064,00000000), ref: 00052D6A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CountTick$__aulldiv
String ID:
API String ID: 3307450582-0
Opcode ID: 76f34473d32dd91317460cd47a3b598bb361e904b9786e2f9d0919bf33986ac6
Instruction ID: 3812fdc5438efb4722ed2a0567620738e49fe42cc1340cd1712f1ff98e687963
Opcode Fuzzy Hash: 76f34473d32dd91317460cd47a3b598bb361e904b9786e2f9d0919bf33986ac6
Instruction Fuzzy Hash: CD515570604700AFD755DF25C480AABB7F8FF8A355F00892DF89A83250EB30A994CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0006BC2B Relevance: 4.6, APIs: 3, Instructions: 70
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0006BC2B(intOrPtr __ecx) {
				void* _v8;
				char _v12;
				int _v16;
				intOrPtr _v20;
				int _v24;
				long _t29;
				short* _t30;
				long _t31;
				intOrPtr _t32;
				short** _t34;
				signed int _t39;
				short** _t43;
				short* _t45;

				 *((intOrPtr*)(__ecx + 0xa8)) = 0;
				_v20 = __ecx;
				_v8 = 0;
				_v12 = 0;
				_v24 = 4;
				_v16 = 0;
				_t34 = 0x1bccb0;
				_t45 =  *0x1bccb0; // 0x17b230
				if(_t45 == 0) {
					L14:
					return 1;
				}
				do {
					_t29 = RegOpenKeyExW(0x80000001,  *_t34, 0, 1,  &_v8); // executed
					if(_t29 != 0) {
						goto L12;
					}
					_t8 =  &(_t34[1]); // 0x1bccd0
					_t43 =  *_t8;
					while(1) {
						_t30 =  *_t43;
						if(_t30 == 0) {
							break;
						}
						_t31 = RegQueryValueExW(_v8, _t30, 0,  &_v16,  &_v12,  &_v24); // executed
						if(_t31 == 0 && _v16 == 4) {
							_t14 =  &(_t43[1]); // 0x1
							_t39 =  *_t14;
							_t32 = _v20;
							if(_v12 == 0) {
								 *(_t32 + 0xa8) =  *(_t32 + 0xa8) &  !_t39;
							} else {
								 *(_t32 + 0xa8) =  *(_t32 + 0xa8) | _t39;
							}
						}
						_v12 = 0;
						_v24 = 4;
						_v16 = 0;
						_t43 =  &(_t43[2]);
					}
					RegCloseKey(_v8); // executed
					_v8 = 0;
					L12:
					_t34 =  &(_t34[2]);
				} while ( *_t34 != 0);
				goto L14;
			}

0x0006bc37
0x0006bc3d
0x0006bc40
0x0006bc43
0x0006bc46
0x0006bc4d
0x0006bc50
0x0006bc55
0x0006bc5b
0x0006bce9
0x0006bcef
0x0006bcef
0x0006bc62
0x0006bc70
0x0006bc78
0x00000000
0x00000000
0x0006bc7a
0x0006bc7a
0x0006bccb
0x0006bccb
0x0006bccf
0x00000000
0x00000000
0x0006bc90
0x0006bc98
0x0006bca0
0x0006bca0
0x0006bca3
0x0006bca9
0x0006bcb5
0x0006bcab
0x0006bcab
0x0006bcab
0x0006bca9
0x0006bcbb
0x0006bcbe
0x0006bcc5
0x0006bcc8
0x0006bcc8
0x0006bcd4
0x0006bcda
0x0006bcdd
0x0006bcdd
0x0006bce0
0x00000000

APIs

RegOpenKeyExW.KERNEL32 ref: 0006BC70
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?,00000004), ref: 0006BC90
RegCloseKey.KERNEL32(?), ref: 0006BCD4

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: b73920847a07b969e4bff191418a3b6630f0344734008a9e23bafd104161f303
Instruction ID: 84b12d042c7c3ce941ad93d8b981fc16b84b380ca9435a298c07aadd117ac44f
Opcode Fuzzy Hash: b73920847a07b969e4bff191418a3b6630f0344734008a9e23bafd104161f303
Instruction Fuzzy Hash: 442129B1D00208EFDB21CF85C985AAEBBF9EF91310F2040AAE45AE6250DB715B80DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0006A073 Relevance: 4.5, APIs: 3, Instructions: 41
threadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0006A073(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t22;
				intOrPtr* _t24;
				intOrPtr _t32;
				void* _t35;
				void* _t39;
				void* _t40;

				_t40 = __eflags;
				_t35 = __edx;
				_push(4);
				E00151A19(0x16a0a2, __ebx, __edi, __esi);
				_t32 = E0005C37C(_t40, 0x44);
				 *((intOrPtr*)(_t39 - 0x10)) = _t32;
				_t38 = 0;
				 *(_t39 - 4) = 0;
				_t41 = _t32;
				if(_t32 != 0) {
					_push( *((intOrPtr*)(_t39 + 0xc)));
					_push( *((intOrPtr*)(_t39 + 8)));
					_t38 = E00069A2A(__ebx, _t32, __edi, 0, _t41);
				}
				 *(_t39 - 4) =  *(_t39 - 4) | 0xffffffff;
				_t22 = E00069F68(_t38, _t35,  *(_t39 + 0x18) | 0x00000004,  *((intOrPtr*)(_t39 + 0x14)),  *((intOrPtr*)(_t39 + 0x1c))); // executed
				if(_t22 != 0) {
					SetThreadPriority( *(_t38 + 0x2c),  *(_t39 + 0x10)); // executed
					__eflags =  *(_t39 + 0x18) & 0x00000004;
					if(( *(_t39 + 0x18) & 0x00000004) == 0) {
						ResumeThread( *(_t38 + 0x2c));
					}
					_t24 = _t38;
				} else {
					 *((intOrPtr*)( *_t38 + 0x78))();
					_t24 = 0;
				}
				return E00151AF1(_t24);
			}

0x0006a073
0x0006a073
0x0006a073
0x0006a07a
0x0006a087
0x0006a089
0x0006a08c
0x0006a08e
0x0006a091
0x0006a093
0x0006a095
0x0006a098
0x0006a0a0
0x0006a0a0
0x0006a0ab
0x0006a0b5
0x0006a0bc
0x0006a0cf
0x0006a0d5
0x0006a0d9
0x0006a0de
0x0006a0de
0x0006a0e4
0x0006a0be
0x0006a0c2
0x0006a0c5
0x0006a0c5
0x0006a0eb

APIs

__EH_prolog3.LIBCMT ref: 0006A07A

Part of subcall function 0005C37C: _malloc.LIBCMT ref: 0005C39A

Part of subcall function 00069A2A: __EH_prolog3.LIBCMT ref: 00069A31

SetThreadPriority.KERNEL32(?,?,?,?,?,00000004,00051F17,00052000,?,00000000,00000000,00000004,00000000,?,?,00000066), ref: 0006A0CF
ResumeThread.KERNEL32(?,?,00000000,00000000,00000004,00000000,?,?,00000066,?,?), ref: 0006A0DE

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: H_prolog3Thread$PriorityResume_malloc
String ID:
API String ID: 3956167790-0
Opcode ID: fbb59d6d37b4c4af2a7375a2267da042f69fe17fc17eedf4c40db95917d0ba05
Instruction ID: 3ac45e1902a5ed70baf9dc0127d5e94904f8c51714d7b52021a35e5388b4afee
Opcode Fuzzy Hash: fbb59d6d37b4c4af2a7375a2267da042f69fe17fc17eedf4c40db95917d0ba05
Instruction Fuzzy Hash: A1018F71600205EFDF12AF64DC01AAE7AE6BF08714F108518FA56E72B1C7318E61DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00069B57 Relevance: 4.5, APIs: 3, Instructions: 37
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00069B57(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				int _t8;
				void* _t13;
				void* _t17;
				MSG* _t19;
				void* _t22;

				_t17 = __edx;
				_t5 = E0006B65B(_t13, __ecx, __edi, __esi, __eflags);
				_t15 =  *((intOrPtr*)(_t5 + 4));
				_t25 =  *((intOrPtr*)(_t5 + 4));
				if( *((intOrPtr*)(_t5 + 4)) != 0) {
					goto ( *((intOrPtr*)( *__ecx + 0x5c)));
				}
				_push(__esi);
				_push(__edi);
				_t22 = E0006B059(_t13, __edi, __esi, _t25);
				_t2 = _t22 + 0x30; // 0x30
				_t19 = _t2;
				_t8 = GetMessageW(_t19, 0, 0, 0); // executed
				if(_t8 != 0) {
					_t27 =  *((intOrPtr*)(_t22 + 0x34)) - 0x36a;
					if( *((intOrPtr*)(_t22 + 0x34)) != 0x36a) {
						_push(_t19);
						if(E0006992F(_t13, _t15, _t17, _t19, _t22, _t27) == 0) {
							TranslateMessage(_t19);
							DispatchMessageW(_t19); // executed
						}
					}
					_t8 = 1;
				}
				return _t8;
			}

0x00069b57
0x00069b57
0x00069b5c
0x00069b5f
0x00069b61
0x00069b65
0x00069b65
0x00069b13
0x00069b14
0x00069b1a
0x00069b21
0x00069b21
0x00069b25
0x00069b2d
0x00069b2f
0x00069b36
0x00069b38
0x00069b41
0x00069b44
0x00069b4b
0x00069b4b
0x00069b41
0x00069b53
0x00069b53
0x00069b56

APIs

KiUserCallbackDispatcher.NTDLL ref: 00069B25
TranslateMessage.USER32(00000030), ref: 00069B44
DispatchMessageW.USER32(00000030), ref: 00069B4B

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherTranslateUser
String ID:
API String ID: 2960505505-0
Opcode ID: 719a68052a0d2698e86614534f91eab49e528b440e0a8ef84e56da7c5940d161
Instruction ID: 1c5169d645ab351a19a84201cbf78f3e27603a938d3e1de7e49d268afb70e896
Opcode Fuzzy Hash: 719a68052a0d2698e86614534f91eab49e528b440e0a8ef84e56da7c5940d161
Instruction Fuzzy Hash: E9F05E32304501ABA7656F25AE89D7F37BEEF8271170A206DF406D6851DB34DC829A21

Uniqueness

Uniqueness Score: -1.00%

Function 0006A2A7 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0006A2A7(void* __ecx, long _a4, long _a8, long _a12) {
				long _v8;
				long _v12;
				void* __edi;
				void* __esi;
				long _t12;
				long _t13;
				void* _t18;
				void* _t27;

				_push(__ecx);
				_push(__ecx);
				_t12 = _a4;
				_t27 = __ecx;
				_v8 = _a8;
				_v12 = _t12;
				_t13 = SetFilePointer( *(__ecx + 4), _t12,  &_v8, _a12); // executed
				_v12 = _t13;
				if(_t13 == 0xffffffff) {
					if(GetLastError() != 0) {
						E000876C4(_t18, GetLastError, _t27, GetLastError(),  *((intOrPtr*)(_t27 + 0xc)));
					}
				}
				return _v12;
			}

0x0006a2ac
0x0006a2ad
0x0006a2ae
0x0006a2b5
0x0006a2ba
0x0006a2c5
0x0006a2c8
0x0006a2ce
0x0006a2d4
0x0006a2e1
0x0006a2e9
0x0006a2e9
0x0006a2ee
0x0006a2f7

APIs

SetFilePointer.KERNEL32(?,?,?,?), ref: 0006A2C8
GetLastError.KERNEL32 ref: 0006A2DD
GetLastError.KERNEL32(?), ref: 0006A2E6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 68ea5f43c2891e90c3e2fd84a8610f57f2e0282a489438a540335176d25b2087
Instruction ID: 8a7806c69cfe9e1813b6497441d56ea9f794689bfe14386c005fad3ae51612dd
Opcode Fuzzy Hash: 68ea5f43c2891e90c3e2fd84a8610f57f2e0282a489438a540335176d25b2087
Instruction Fuzzy Hash: 98F01D75900208FBCB14EF69DC44C9EBBB9FF95320B204659F815A32A0D671EE81DA60

Uniqueness

Uniqueness Score: -1.00%

Function 000549A0 Relevance: 4.5, APIs: 3, Instructions: 34
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000549A0(void* __esi) {
				char _v16;
				void* _t12;
				void* _t13;
				void* _t14;
				void* _t22;

				_t22 = __esi;
				E0006AD73( &_v16, __esi + 0xa0, 1);
				_t12 =  *(__esi + 0x78);
				if(_t12 != 0) {
					InternetCloseHandle(_t12); // executed
					 *(__esi + 0x78) = 0;
				}
				_t13 =  *(_t22 + 0x74);
				if(_t13 != 0) {
					InternetCloseHandle(_t13);
					 *(_t22 + 0x74) = 0;
				}
				_t14 =  *(_t22 + 0x70);
				if(_t14 != 0) {
					InternetCloseHandle(_t14);
					 *(_t22 + 0x70) = 0;
				}
				return E0006AD4F( &_v16);
			}

0x000549a0
0x000549b3
0x000549b8
0x000549c3
0x000549c6
0x000549c8
0x000549c8
0x000549cf
0x000549d4
0x000549d7
0x000549d9
0x000549d9
0x000549e0
0x000549e5
0x000549e8
0x000549ea
0x000549ea
0x000549fd

APIs

InternetCloseHandle.WININET(?), ref: 000549C6
InternetCloseHandle.WININET(?), ref: 000549D7
InternetCloseHandle.WININET(?), ref: 000549E8

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CloseHandleInternet
String ID:
API String ID: 1081599783-0
Opcode ID: f78c7e8b82691a1725ac4c984bd2f624fca7affdfd2f706922c363c2e043f58b
Instruction ID: 27c98356481e9cffcedde155fc16ecd530172e8c1119f14d164655b38d2eb3cf
Opcode Fuzzy Hash: f78c7e8b82691a1725ac4c984bd2f624fca7affdfd2f706922c363c2e043f58b
Instruction Fuzzy Hash: 76F03070A00B045BD721EB75D846B97F7ECAF40704F00061DE956D35A0DB70F848CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00153C6F Relevance: 4.5, APIs: 3, Instructions: 11
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00153C6F(long _a4) {
				void* _t4;

				if(E00157E8F(_t4) != 0) {
					E00158051(_t2); // executed
				}
				ExitThread(_a4);
			}

0x00153c7b
0x00153c7e
0x00153c83
0x00153c87

APIs

__getptd_noexit.LIBCMT ref: 00153C74

Part of subcall function 00157E8F: GetLastError.KERNEL32(00000001,00000000,00151F24,0015109C,00000000,?,0015A71D,?,00000001,?,?,0015EDB7,00000018,001B7030,0000000C,0015EE47), ref: 00157E93
Part of subcall function 00157E8F: ___set_flsgetvalue.LIBCMT ref: 00157EA1
Part of subcall function 00157E8F: __calloc_crt.LIBCMT ref: 00157EB5
Part of subcall function 00157E8F: DecodePointer.KERNEL32(00000000,?,0015A71D,?,00000001,?,?,0015EDB7,00000018,001B7030,0000000C,0015EE47,?,?,?,00157FB3), ref: 00157ECF
Part of subcall function 00157E8F: __initptd.LIBCMT ref: 00157EDE
Part of subcall function 00157E8F: GetCurrentThreadId.KERNEL32(?,0015A71D,?,00000001,?,?,0015EDB7,00000018,001B7030,0000000C,0015EE47,?,?,?,00157FB3,0000000D), ref: 00157EE5
Part of subcall function 00157E8F: SetLastError.KERNEL32(00000000,?,0015A71D,?,00000001,?,?,0015EDB7,00000018,001B7030,0000000C,0015EE47,?,?,?,00157FB3), ref: 00157EFD

__freeptd.LIBCMT ref: 00153C7E

Part of subcall function 00158051: TlsGetValue.KERNEL32 ref: 00158072
Part of subcall function 00158051: TlsGetValue.KERNEL32 ref: 00158084
Part of subcall function 00158051: RtlDecodePointer.NTDLL(00000000,?,00153C83,00000000,?,00153CAF,00000000), ref: 0015809A
Part of subcall function 00158051: __freefls@4.LIBCMT ref: 001580A5
Part of subcall function 00158051: TlsSetValue.KERNEL32(0000001F,00000000,?,00153C83,00000000,?,00153CAF,00000000), ref: 001580B7

ExitThread.KERNEL32 ref: 00153C87

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit__initptd
String ID:
API String ID: 779801232-0
Opcode ID: f62e8364b8762507d5d9da9cdea3feb7cbff5c79fd7dbc603e3cccb196233674
Instruction ID: 40d83f338278dd650c3e901dd9fc243f9724d90ea0ea936f86857f0c73eacffe
Opcode Fuzzy Hash: f62e8364b8762507d5d9da9cdea3feb7cbff5c79fd7dbc603e3cccb196233674
Instruction Fuzzy Hash: 4FC04C61004208AA9B503B619D0F91A7A6D9A50392B5845657C3CAA0E2EF64DDD98560

Uniqueness

Uniqueness Score: -1.00%

Function 00052F90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00052F90(void* __ecx) {
				void* __esi;
				void* _t18;
				intOrPtr _t20;
				intOrPtr _t25;
				void* _t35;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t38;
				signed int _t39;
				void* _t41;
				void* _t47;

				_t18 = E000655A8(__ecx);
				 *((intOrPtr*)(_t39 - 0x830)) = _t39 - 0x82c;
				E00053B50(_t18, _t39 - 0x830, _t39 - 0x82c, _t37, 3);
				 *((intOrPtr*)(_t39 - 4)) = 1;
				_t20 =  *((intOrPtr*)(_t39 - 0x830));
				_t24 = 2;
				 *(_t39 - 0xa3c) = 2;
				_t21 = E00055CC0(2, _t35, 0x68, _t20); // executed
				if(2 != 0) {
					_t21 =  *((intOrPtr*)(_t39 - 0x830));
					_t34 = _t39 - 0x82c;
					_t24 = 0;
					if( *((intOrPtr*)(_t39 - 0x830)) != _t39 - 0x82c) {
						_t21 = E00150CB2(_t21);
						_t41 = _t41 + 4;
					}
				}
				if((_t24 & 0x00000001) != 0) {
					_t21 =  *((intOrPtr*)(_t39 - 0x31c));
					_t47 =  *((intOrPtr*)(_t39 - 0x31c)) - _t39 - 0x318;
					if(_t47 != 0) {
						_t21 = E00150CB2(_t21);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t39 - 0xc));
				_pop(_t36);
				_pop(_t38);
				_pop(_t25);
				return E00150836(_t21, _t25,  *(_t39 - 0x10) ^ _t39, _t34, _t36, _t38);
			}

0x00052f90
0x00052fa4
0x00052faa
0x00052faf
0x00052fb6
0x00052fbc
0x00052fca
0x00052fd0
0x00052fd8
0x00052fda
0x00052fe0
0x00052fe6
0x00052feb
0x00052fee
0x00052ff3
0x00052ff3
0x00052feb
0x00052ff9
0x00052fff
0x0005300b
0x00053427
0x0005342a
0x0005342f
0x00053427
0x00053435
0x0005343d
0x0005343e
0x0005343f
0x0005344d

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c107b4033a1269ce262838fcc10ff6532a0ed62defe27d41e3c142963aa6c5b9
Instruction ID: b9992eb171414bb573805421a5ac9fd3d8888443cc4071b5d9303d350b128ddc
Opcode Fuzzy Hash: c107b4033a1269ce262838fcc10ff6532a0ed62defe27d41e3c142963aa6c5b9
Instruction Fuzzy Hash: 77016D70A403188BDB25DA14CC91BEE73B5BF44741F4481D4E95967282DB356F88CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00068B7D Relevance: 3.1, APIs: 2, Instructions: 136
stringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00068B7D(intOrPtr __ebx, signed int __edx, WCHAR* _a4, signed int* _a8, intOrPtr* _a12) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v24;
				char _v32;
				char _v40;
				signed int _v44;
				intOrPtr* _v48;
				char _v52;
				void* __edi;
				void* __esi;
				signed int _t52;
				intOrPtr _t56;
				signed int _t58;
				int _t60;
				signed int* _t84;
				signed int* _t87;
				signed int* _t90;
				signed int* _t93;
				WCHAR* _t108;
				signed int* _t109;
				signed int _t110;

				_t107 = __edx;
				_t92 = __ebx;
				_t52 =  *0x1c0454; // 0x885926af
				_v8 = _t52 ^ _t110;
				_t109 = _a8;
				_t108 = _a4;
				_v48 = _a12;
				if(_t108 != 0) {
					if(lstrlenW(_t108) >= 0x104) {
						goto L1;
					} else {
						_push(__ebx);
						_t93 =  &(_t109[8]);
						_t58 = E0006A9BB(_t93, _t108); // executed
						if(_t58 != 0) {
							_t97 = _v48;
							_push( &_v44);
							_push(0);
							_push(_t108);
							if(_v48 == 0) {
								_t60 = GetFileAttributesExW();
							} else {
								_t60 = E00068918(_t97);
							}
							if(_t60 != 0) {
								_t109[8] = _v44 & 0x0000007f;
								_t107 = 0;
								_t109[6] = E00153BE0(_v16, 0x20, 0);
								_t109[6] = _t109[6] | _v12;
								_t109[7] = 0;
								if(E00068968( &_v40) == 0) {
									 *_t109 = 0;
									_t109[1] = 0;
								} else {
									_t90 = E00068AB1(0,  &_v52, _t108,  &_v40, 0xffffffff);
									 *_t109 =  *_t90;
									_t109[1] = _t90[1];
								}
								if(E00068968( &_v32) == 0) {
									_t109[4] = 0;
									_t109[5] = 0;
								} else {
									_t87 = E00068AB1(0,  &_v52, _t108,  &_v32, 0xffffffff);
									_t109[4] =  *_t87;
									_t109[5] = _t87[1];
								}
								if(E00068968( &_v24) == 0) {
									_t109[2] = 0;
									_t109[3] = 0;
								} else {
									_t84 = E00068AB1(0,  &_v52, _t108,  &_v24, 0xffffffff);
									_t109[2] =  *_t84;
									_t109[3] = _t84[1];
								}
								if(( *_t109 | _t109[1]) == 0) {
									 *_t109 = _t109[2];
									_t109[1] = _t109[3];
								}
								if((_t109[4] | _t109[5]) == 0) {
									_t109[4] = _t109[2];
									_t109[5] = _t109[3];
								}
								_t56 = 1;
							} else {
								goto L9;
							}
						} else {
							 *_t93 = _t58;
							L9:
							_t56 = 0;
						}
						_pop(_t92);
					}
				} else {
					L1:
					_t56 = 0;
				}
				return E00150836(_t56, _t92, _v8 ^ _t110, _t107, _t108, _t109);
			}

0x00068b7d
0x00068b7d
0x00068b85
0x00068b8c
0x00068b93
0x00068b97
0x00068b9a
0x00068b9f
0x00068bb4
0x00000000
0x00068bb6
0x00068bb6
0x00068bb8
0x00068bbc
0x00068bc3
0x00068bca
0x00068bd2
0x00068bd3
0x00068bd4
0x00068bd7
0x00068be0
0x00068bd9
0x00068bd9
0x00068bd9
0x00068be8
0x00068bf6
0x00068bfc
0x00068c05
0x00068c0b
0x00068c11
0x00068c1f
0x00068c3b
0x00068c3d
0x00068c21
0x00068c2a
0x00068c31
0x00068c36
0x00068c36
0x00068c4b
0x00068c6c
0x00068c6f
0x00068c4d
0x00068c56
0x00068c5d
0x00068c63
0x00068c63
0x00068c7d
0x00068c9e
0x00068ca1
0x00068c7f
0x00068c88
0x00068c8f
0x00068c95
0x00068c95
0x00068ca9
0x00068cae
0x00068cb3
0x00068cb3
0x00068cbc
0x00068cc1
0x00068cc7
0x00068cc7
0x00068ccc
0x00000000
0x00000000
0x00000000
0x00068bc5
0x00068bc5
0x00068bea
0x00068bea
0x00068bea
0x00068ccd
0x00068ccd
0x00068ba1
0x00068ba1
0x00068ba1
0x00068ba1
0x00068cdb

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,885926AF), ref: 00068BA9

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: f0cf73441c844e9a6ef11938f0b11430eb32da5711ff6336513598e5ba0064b0
Instruction ID: ba09d5e02e7c32db095f478bf33d231387d43f8e488900d6cac075535dec7e10
Opcode Fuzzy Hash: f0cf73441c844e9a6ef11938f0b11430eb32da5711ff6336513598e5ba0064b0
Instruction Fuzzy Hash: 7B511A719047059FC724DF69C9818ABB7F9FF18360710CA2EE4A6E7651EB30E944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00054DA0 Relevance: 3.1, APIs: 2, Instructions: 75networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000), ref: 00054E15
GetLastError.KERNEL32(?,?,00000001,885926AF), ref: 00054E22

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ConnectErrorInternetLast
String ID:
API String ID: 674002449-0
Opcode ID: cf72986a0583dfd4e857c8c3eaa2932c003816c851f8cc9bf2d15c4f77d581ad
Instruction ID: a21c466d147e14ec356fe6971a21da318da934976501e79753841505cad9ded9
Opcode Fuzzy Hash: cf72986a0583dfd4e857c8c3eaa2932c003816c851f8cc9bf2d15c4f77d581ad
Instruction Fuzzy Hash: 33217F71604A04AFD724DB64CC46BABB7F8FB08B10F10461DE966976D0EB75A940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00054140 Relevance: 3.1, APIs: 2, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 000541BA

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _memmove_s
String ID:
API String ID: 800865076-0
Opcode ID: 57ac8d7570ef90a08de0bdbc226ed930f8988691f9c772728623dcae53b81b27
Instruction ID: ce0d791c2ffcf0fa16870538839ab078eed86e2dad086e8d06b09379aeb74a84
Opcode Fuzzy Hash: 57ac8d7570ef90a08de0bdbc226ed930f8988691f9c772728623dcae53b81b27
Instruction Fuzzy Hash: 9D219331600904EF9B10DF68C899DEFF3A9EFA4315B108599FC145B311DA31AD99CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0006B072 Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E0006B072(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t27;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				intOrPtr* _t54;
				intOrPtr _t60;
				void* _t61;

				_push(4);
				E00151A19(0x168e29, __ebx, __edi, __esi);
				_t60 = __ecx;
				 *((intOrPtr*)(_t61 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x17b060;
				_t45 =  *((intOrPtr*)(__ecx + 0x48));
				 *((intOrPtr*)(_t61 - 4)) = 1;
				if(_t45 != 0) {
					 *((intOrPtr*)( *_t45))(1);
				}
				_t46 =  *((intOrPtr*)(_t60 + 0x70));
				if(_t46 != 0) {
					_t55 = _t60 + 0x4c;
					 *((intOrPtr*)( *_t46 + 0xc))(_t60 + 0x4c);
					_t54 =  *((intOrPtr*)(_t60 + 0x70));
					if(_t54 != 0) {
						 *((intOrPtr*)( *_t54 + 4))(1);
					}
				}
				_t47 =  *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x78))));
				if(_t47 != 0) {
					 *((intOrPtr*)( *_t47))(1);
				}
				_t48 =  *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x78)) + 4));
				if(_t48 != 0) {
					 *((intOrPtr*)( *_t48))(1);
				}
				_t49 =  *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x78)) + 8));
				if(_t49 != 0) {
					 *((intOrPtr*)( *_t49))(1);
				}
				_push( *((intOrPtr*)(_t60 + 0x78)));
				E0005C3AB();
				_t27 =  *(_t60 + 0x80);
				if(_t27 != 0 && _t27 != 0xffffffff) {
					__imp__ReleaseActCtx(_t27); // executed
					 *(_t60 + 0x80) =  *(_t60 + 0x80) | 0xffffffff;
				}
				 *((char*)(_t61 - 4)) = 0;
				E00071C62(_t60 + 0x74);
				return E00151AF1(E00051190( *((intOrPtr*)(_t60 + 0x34)) - 0x10, _t55));
			}

0x0006b072
0x0006b079
0x0006b07e
0x0006b080
0x0006b083
0x0006b089
0x0006b08f
0x0006b094
0x0006b099
0x0006b099
0x0006b09b
0x0006b0a0
0x0006b0a4
0x0006b0a8
0x0006b0ab
0x0006b0b0
0x0006b0b5
0x0006b0b5
0x0006b0b0
0x0006b0bb
0x0006b0bf
0x0006b0c4
0x0006b0c4
0x0006b0c9
0x0006b0ce
0x0006b0d3
0x0006b0d3
0x0006b0d8
0x0006b0dd
0x0006b0e2
0x0006b0e2
0x0006b0e4
0x0006b0e7
0x0006b0ec
0x0006b0f5
0x0006b0fd
0x0006b103
0x0006b103
0x0006b10d
0x0006b111
0x0006b126

APIs

__EH_prolog3.LIBCMT ref: 0006B079
RtlReleaseActivationContext.NTDLL(?,00000004,0006B18C), ref: 0006B0FD

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ActivationContextH_prolog3Release
String ID:
API String ID: 1979592854-0
Opcode ID: 00f760b4f03651a7c6a98ba750c6dfe9f860451747a80b70ce00b5b187e31b40
Instruction ID: 4b933d39df67877b627a91f4aa0ca91102bcb31b28c2b95c1fd91df4d3b34dd9
Opcode Fuzzy Hash: 00f760b4f03651a7c6a98ba750c6dfe9f860451747a80b70ce00b5b187e31b40
Instruction Fuzzy Hash: F3215974201B01CFEB29DF79C498A2ABBF1BF4A711B14455CE563CB6B0CB31A841CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00054A30 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00054A30(void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __esi;
				signed int _t21;
				WCHAR* _t24;
				intOrPtr _t25;
				long _t34;
				intOrPtr _t36;
				signed int _t47;
				intOrPtr _t50;
				signed int _t52;
				void* _t53;
				void* _t63;

				_t63 = __fp0;
				_push(0xffffffff);
				_push(0x1744b0);
				_push( *[fs:0x0]);
				_t21 =  *0x1c0454; // 0x885926af
				_push(_t21 ^ _t52);
				 *[fs:0x0] =  &_v16;
				_v20 = _t53 - 0x10;
				_t50 = _a4;
				_t24 =  *(_t50 + 0xc);
				_t38 =  *(_t24 - 0xc);
				_v24 = 0;
				_t47 = 0 |  *(_t24 - 0xc) != 0x00000000;
				if(_t47 != 0) {
					_t34 = GetFileAttributesW(_t24); // executed
					_t10 = _t34 != 0xffffffff;
					_t38 = 0 | _t10;
					_v24 = _t10;
				}
				_t25 = E000552F0(_t38, _t63, _t50); // executed
				_t36 = _t25;
				_v28 = _t36;
				E000549A0(_t50); // executed
				if(_t47 != 0) {
					_v8 = 0;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x8c)) + 0x50))))();
					if(_t36 == 0 && _v24 == _t36 && GetFileAttributesW( *(_t50 + 0xc)) != 0) {
						E00054A20(_t50);
					}
				}
				 *[fs:0x0] = _v16;
				return _t36;
			}

0x00054a30
0x00054a33
0x00054a35
0x00054a40
0x00054a47
0x00054a4e
0x00054a52
0x00054a58
0x00054a5b
0x00054a5e
0x00054a61
0x00054a6b
0x00054a72
0x00054a76
0x00054a79
0x00054a84
0x00054a84
0x00054a87
0x00054a87
0x00054a8b
0x00054a90
0x00054a92
0x00054a95
0x00054a9c
0x00054a9e
0x00054ab4
0x00054ace
0x00054ae5
0x00054ae5
0x00054ace
0x00054aef
0x00054afd

APIs

GetFileAttributesW.KERNEL32(?,885926AF), ref: 00054A79
GetFileAttributesW.KERNEL32(?), ref: 00054AD9

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2b4bcdd43d9b405c8174f810e567f8f79e46ffb4ef5eaf6778d9b05b5dc597e8
Instruction ID: 8e837cff73e2e8f5d9ad07c2c0387c0d3b11441acf55b4539da97a85250ea3f6
Opcode Fuzzy Hash: 2b4bcdd43d9b405c8174f810e567f8f79e46ffb4ef5eaf6778d9b05b5dc597e8
Instruction Fuzzy Hash: 9921DF75A006059FC754DF68D890BAFF7F8EF44725F10862AEC2693280DB31A984CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000609C5 Relevance: 3.1, APIs: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E000609C5(intOrPtr __ebx, intOrPtr __edx, intOrPtr* _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				struct tagRECT _v24;
				void* __edi;
				void* __esi;
				signed int _t21;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr* _t40;
				signed int _t41;

				_t37 = __edx;
				_t29 = __ebx;
				_t21 =  *0x1c0454; // 0x885926af
				_t22 = _t21 ^ _t41;
				_v8 = _t21 ^ _t41;
				_t40 = _a4;
				if((_a12 & 0x10000000) == 0 && (E0006342B(_t40) & 0x50000000) == 0) {
					_push(_t38);
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetWindowRect( *(_t40 + 0x20),  &_v24);
					_t22 = _a8;
					_t33 =  *_t22;
					if( *_t22 == _v24.left && _t22 == _v24.top && (E0005F82E(__ebx, _t33, _t37, GetWindow( *(_t40 + 0x20), 4)) == 0 || E000635A9(_t27) == 0) &&  *((intOrPtr*)( *_t40 + 0x148))() != 0) {
						_t22 = E0005F0CF(_t40, _t37, 0); // executed
					}
					_pop(_t38);
				}
				return E00150836(_t22, _t29, _v8 ^ _t41, _t37, _t38, _t40);
			}

0x000609c5
0x000609c5
0x000609cd
0x000609d2
0x000609d4
0x000609df
0x000609e2
0x000609f2
0x000609fc
0x000609ff
0x00060a02
0x00060a05
0x00060a08
0x00060a0e
0x00060a11
0x00060a16
0x00060a51
0x00060a51
0x00060a56
0x00060a56
0x00060a63

APIs

Part of subcall function 0006342B: GetWindowLongW.USER32(?,000000F0), ref: 00063436

GetWindowRect.USER32(?,00051AB5), ref: 00060A08
GetWindow.USER32(?,00000004), ref: 00060A25

Part of subcall function 000635A9: IsWindowEnabled.USER32(?), ref: 000635B2

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$EnabledLongRect
String ID:
API String ID: 3170195891-0
Opcode ID: 192926e45dee9198627d9978aabcc534dad7995cbfdf0d0a71d166621eee4bc3
Instruction ID: ee55f37287e8d49288adc366d8292ca9e944cd5e6fe867ec4990d30b9f759ba6
Opcode Fuzzy Hash: 192926e45dee9198627d9978aabcc534dad7995cbfdf0d0a71d166621eee4bc3
Instruction Fuzzy Hash: 8A114F30A00209DBCB22EFA9CD44ABFF7FABF94340F104159E816A7251DB74EE40CA56

Uniqueness

Uniqueness Score: -1.00%

Function 0006035B Relevance: 3.0, APIs: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0006035B(intOrPtr __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, void* __eflags) {
				signed int _v8;
				struct _OSVERSIONINFOW _v284;
				void* __esi;
				void* __ebp;
				signed int _t13;
				intOrPtr _t25;
				void* _t27;
				intOrPtr _t31;
				void* _t33;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t40;

				_t32 = __edi;
				_t31 = __edx;
				_t27 = __ecx;
				_t26 = __ebx;
				_t37 = _t39;
				_t40 = _t39 - 0x118;
				_t13 =  *0x1c0454; // 0x885926af
				_v8 = _t13 ^ _t39;
				_push(_t33);
				_t34 = E0006B628(__ebx, __edi, _t33, __eflags);
				if(_t34 == 0) {
					L2:
					E000655E0(_t27);
				}
				if( *((intOrPtr*)(_t34 + 0x88)) == 0) {
					E00151B30( &_v284, 0, 0x114);
					_t40 = _t40 + 0xc;
					_v284.dwOSVersionInfoSize = 0x114;
					if(GetVersionExW( &_v284) == 0) {
						goto L2;
					} else {
						_t46 = _v284.dwMajorVersion - 6;
						if(_v284.dwMajorVersion >= 6) {
							_t25 = E0005F6A6(_t26,  *((intOrPtr*)( *((intOrPtr*)(E0006B628(_t26, _t32, _t34, _t46) + 0x78)) + 8)), _t32, _t34, _t46); // executed
							 *((intOrPtr*)(_t34 + 0x84)) = _t25;
						}
						 *((intOrPtr*)(_t34 + 0x88)) = 1;
					}
				}
				_pop(_t35);
				return E00150836( *((intOrPtr*)(_t34 + 0x84)), _t26, _v8 ^ _t37, _t31, _t32, _t35);
			}

0x0006035b
0x0006035b
0x0006035b
0x0006035b
0x0006035e
0x00060360
0x00060366
0x0006036d
0x00060370
0x00060376
0x0006037a
0x0006037c
0x0006037c
0x0006037c
0x00060388
0x00060398
0x0006039d
0x000603a7
0x000603b9
0x00000000
0x000603bb
0x000603bb
0x000603c2
0x000603cf
0x000603d4
0x000603d4
0x000603da
0x000603da
0x000603b9
0x000603ef
0x000603f6

APIs

_memset.LIBCMT ref: 00060398
GetVersionExW.KERNEL32(?), ref: 000603B1

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Exception@8ThrowVersion_memset
String ID:
API String ID: 2306329403-0
Opcode ID: 1ea3d0657a2b906edda8b9295091e29127ea358c4a1b514d87b2469983142483
Instruction ID: f8f00a856cd3f8f13474431f513a68fe7c9d89db214fd36d058fcc2717a06426
Opcode Fuzzy Hash: 1ea3d0657a2b906edda8b9295091e29127ea358c4a1b514d87b2469983142483
Instruction Fuzzy Hash: EF01B570900618CFDB64EB64CC46BDA73E9AF04305F404099E959E7292DF74AE88CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00087909 Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00087909(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t14;
				intOrPtr _t17;
				void* _t18;
				void* _t29;
				intOrPtr _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t30 = __edi;
				_t29 = __edx;
				_t23 = __ebx;
				_t11 = SetErrorMode(0); // executed
				SetErrorMode(_t11 | 0x00008001); // executed
				_t14 = E0006B628(__ebx, __edi, SetErrorMode, _t35);
				_t33 = _a4;
				 *((intOrPtr*)(_t14 + 8)) = _t33;
				 *((intOrPtr*)(_t14 + 0xc)) = _t33;
				E0006ADC0(_t14); // executed
				_t17 =  *((intOrPtr*)(E0006B628(__ebx, __edi, _t33, _t35) + 4));
				_t36 = _t17;
				if(_t17 != 0) {
					 *((intOrPtr*)(_t17 + 0x48)) = _a12;
					 *((intOrPtr*)(_t17 + 0x4c)) = _a16;
					 *((intOrPtr*)(_t17 + 0x44)) = _t33;
					E0008772D(_t17, _t29, _t36);
				}
				_t18 = E0006B628(_t23, _t30, _t33, _t36);
				_t37 =  *((char*)(_t18 + 0x14));
				_pop(_t34);
				if( *((char*)(_t18 + 0x14)) == 0) {
					E00069D08(_t34, _t37);
				}
				return 1;
			}

0x00087909
0x00087909
0x00087909
0x00087909
0x00087917
0x0008791f
0x00087921
0x00087926
0x0008792b
0x0008792e
0x00087931
0x0008793b
0x0008793e
0x00087940
0x00087945
0x0008794b
0x00087950
0x00087953
0x00087953
0x00087958
0x0008795d
0x00087961
0x00087962
0x00087964
0x00087964
0x0008796d

APIs

SetErrorMode.KERNEL32(00000000), ref: 00087917
SetErrorMode.KERNEL32(00000000), ref: 0008791F

Part of subcall function 0006ADC0: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0006ADF3
Part of subcall function 0006ADC0: SetLastError.KERNEL32(0000006F), ref: 0006AE0A

Part of subcall function 0008772D: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 0008776A
Part of subcall function 0008772D: PathFindExtensionW.SHLWAPI(?), ref: 00087784
Part of subcall function 0008772D: __wcsdup.LIBCMT ref: 000877CE
Part of subcall function 0008772D: __wcsdup.LIBCMT ref: 0008780C
Part of subcall function 0008772D: __wcsdup.LIBCMT ref: 00087840

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Error__wcsdup$FileModeModuleName$ExtensionFindLastPath
String ID:
API String ID: 972848482-0
Opcode ID: 0807f850f98caaa32412bf6c08f6e412277bb0b9987643757b0dd7d9c2a646f6
Instruction ID: aeded771762b9d4abc0912282fd7e78dfbfcbb7837d718fc7e857b1c8d551227
Opcode Fuzzy Hash: 0807f850f98caaa32412bf6c08f6e412277bb0b9987643757b0dd7d9c2a646f6
Instruction Fuzzy Hash: 8DF0A9B0A182144FDB50BF64D804AAD3BD9AF04320F05445AF4899B3A3CA34D940CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0005F6A6 Relevance: 3.0, APIs: 2, Instructions: 35
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0005F6A6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t15;
				intOrPtr* _t18;
				intOrPtr _t19;
				intOrPtr _t21;
				void* _t31;
				void* _t32;
				void* _t33;

				_t33 = __eflags;
				E00151BC0(__ebx, __edi, __esi);
				_t31 = __ecx;
				 *((intOrPtr*)(_t32 - 0x20)) = 0;
				_t15 = E0006B628(__ebx, 0, __ecx, _t33);
				__imp__ActivateActCtx( *((intOrPtr*)(_t15 + 0x80)), _t32 - 0x20, 0x1aa848, 0x14);
				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
				if(_t15 != 0) {
					 *((intOrPtr*)(_t32 - 4)) = 0;
					E0005F677(_t31, _t32 - 0x24);
					_t18 =  *((intOrPtr*)(_t31 + 0x10));
					__eflags = _t18;
					_t27 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_t18 = E000655E0(_t27); // executed
					}
					_t19 =  *_t18(); // executed
					 *((intOrPtr*)(_t32 - 0x1c)) = _t19;
					 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
					E0005F714();
					_t21 =  *((intOrPtr*)(_t32 - 0x1c));
				} else {
					_t21 = 0;
				}
				return E00151C05(_t21);
			}

0x0005f6a6
0x0005f6ad
0x0005f6b2
0x0005f6b6
0x0005f6bd
0x0005f6c8
0x0005f6ce
0x0005f6d3
0x0005f6d9
0x0005f6e2
0x0005f6e7
0x0005f6ec
0x0005f6ee
0x0005f6f3
0x0005f6f5
0x0005f6f5
0x0005f6fa
0x0005f6fc
0x0005f6ff
0x0005f706
0x0005f70b
0x0005f6d5
0x0005f6d5
0x0005f6d5
0x0005f713

APIs

ActivateActCtx.KERNEL32(?,?), ref: 0005F6C8
InitNetworkAddressControl.SHELL32(?), ref: 0005F6FA

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ActivateAddressControlInitNetwork
String ID:
API String ID: 3189851245-0
Opcode ID: cab21f2fe7ac9b069496ab2d6a703c6821d2c274c7d11dda37971cd6704a6c60
Instruction ID: d02a08183ce839f4dfb6e3c728f73fec244961e654f7932dfa93f86c0ec41659
Opcode Fuzzy Hash: cab21f2fe7ac9b069496ab2d6a703c6821d2c274c7d11dda37971cd6704a6c60
Instruction Fuzzy Hash: 3BF0627590020A9BCF11EFB4CC459FEB2F5BF88302B104529E822E7162DB788A45DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0006A25A Relevance: 3.0, APIs: 2, Instructions: 32
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0006A25A(void* __ecx, void* _a4, long _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t8;
				void* _t12;
				long _t14;
				void* _t15;

				_t14 = _a8;
				_t15 = __ecx;
				if(_t14 != 0) {
					_t8 = WriteFile( *(__ecx + 4), _a4, _t14,  &_a8, 0); // executed
					if(_t8 == 0) {
						_t8 = E000876C4(_t12, _t14, _t15, GetLastError(),  *((intOrPtr*)(_t15 + 0xc)));
					}
					_t18 = _a8 - _t14;
					if(_a8 != _t14) {
						_push( *((intOrPtr*)(_t15 + 0xc)));
						return E0008767E(_t12, _t14, _t15, _t18, 0xd, 0xffffffff);
					}
				}
				return _t8;
			}

0x0006a261
0x0006a264
0x0006a268
0x0006a277
0x0006a27f
0x0006a28b
0x0006a28b
0x0006a290
0x0006a293
0x0006a295
0x00000000
0x0006a29c
0x0006a293
0x0006a2a4

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0006A277
GetLastError.KERNEL32(?), ref: 0006A284

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 1fbfc41370014c2e09317079200c2590c486241103acc8769b45e16fe8e485ea
Instruction ID: e220d6dce43a3f35885f33e83345c577260c0ba9bfe00b533ead7ae1a07c8ca4
Opcode Fuzzy Hash: 1fbfc41370014c2e09317079200c2590c486241103acc8769b45e16fe8e485ea
Instruction Fuzzy Hash: E4F0AE361046057BCB216B99DC05E87BB6DEFC1770F108215B96C554A0DA31D450CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00154B78 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00154B78(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t20;
				signed int _t22;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t34;

				_push(0xc);
				_push(0x1b6b80);
				E00151BC0(__ebx, __edi, __esi);
				 *(_t32 - 0x1c) =  *(_t32 - 0x1c) | 0xffffffff;
				_t31 =  *((intOrPtr*)(_t32 + 8));
				_t34 = _t31;
				_t35 = _t34 != 0;
				if(_t34 != 0) {
					__eflags =  *(_t31 + 0xc) & 0x00000040;
					if(( *(_t31 + 0xc) & 0x00000040) == 0) {
						E0015F4E8(_t31);
						 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
						_t20 = E00154B0B(__ebx, _t31); // executed
						 *(_t32 - 0x1c) = _t20;
						 *(_t32 - 4) = 0xfffffffe;
						E00154BE4(_t31);
					} else {
						_t9 = _t31 + 0xc;
						 *_t9 =  *(_t31 + 0xc) & 0x00000000;
						__eflags =  *_t9;
					}
					_t22 =  *(_t32 - 0x1c);
				} else {
					 *((intOrPtr*)(E00151F1F(_t35))) = 0x16;
					_t22 = E00159345() | 0xffffffff;
				}
				return E00151C05(_t22);
			}

0x00154b78
0x00154b7a
0x00154b7f
0x00154b84
0x00154b8a
0x00154b8d
0x00154b92
0x00154b94
0x00154bab
0x00154baf
0x00154bbf
0x00154bc5
0x00154bca
0x00154bd0
0x00154bd3
0x00154bda
0x00154bb1
0x00154bb1
0x00154bb1
0x00154bb1
0x00154bb1
0x00154bb5
0x00154b96
0x00154b9b
0x00154ba6
0x00154ba6
0x00154bbd

APIs

Part of subcall function 00151F1F: __getptd_noexit.LIBCMT ref: 00151F1F

__lock_file.LIBCMT ref: 00154BBF

Part of subcall function 0015F4E8: __lock.LIBCMT ref: 0015F50D

__fclose_nolock.LIBCMT ref: 00154BCA

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: cb4e6308a4d9df492031a4d5ee24d0642ffecd5bb6e1bdd6ca95ddcb059824fc
Instruction ID: 88c913fe2d0cfde015249937196d4482c39b5539a57044844bc6d039240a4403
Opcode Fuzzy Hash: cb4e6308a4d9df492031a4d5ee24d0642ffecd5bb6e1bdd6ca95ddcb059824fc
Instruction Fuzzy Hash: 66F09030905705EBDB21BB74880679E7BE06F1133BF218249EC35AE0D2C77C8A499E56

Uniqueness

Uniqueness Score: -1.00%

Function 00061E0F Relevance: 3.0, APIs: 2, Instructions: 32
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00061E0F(void* __ebx, void* __eflags, intOrPtr _a4) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HHOOK__* _t6;
				void* _t10;
				intOrPtr _t11;
				void* _t12;
				struct HHOOK__* _t13;

				_push(E0005E58B);
				_t6 = E00071BD8(__ebx, 0x1c3910, _t10, _t12, __eflags);
				_t13 = _t6;
				if(_t13 == 0) {
					_t6 = E000655E0(0x1c3910);
				}
				_t11 = _a4;
				if( *((intOrPtr*)(_t13 + 0x14)) == _t11) {
					return _t6;
				} else {
					if( *(_t13 + 0x28) == 0) {
						_t6 = SetWindowsHookExW(5, 0x61bfe, 0, GetCurrentThreadId()); // executed
						 *(_t13 + 0x28) = _t6;
						if(_t6 == 0) {
							_t6 = E000655A8(0x1c3910);
						}
					}
					 *((intOrPtr*)(_t13 + 0x14)) = _t11;
					return _t6;
				}
			}

0x00061e16
0x00061e20
0x00061e25
0x00061e29
0x00061e2b
0x00061e2b
0x00061e30
0x00061e36
0x00061e66
0x00061e38
0x00061e3c
0x00061e4e
0x00061e54
0x00061e59
0x00061e5b
0x00061e5b
0x00061e59
0x00061e60
0x00000000
0x00061e60

APIs

Part of subcall function 00071BD8: __EH_prolog3.LIBCMT ref: 00071BDF

GetCurrentThreadId.KERNEL32(Function_0000E58B,?,?,?,00064584), ref: 00061E3E
SetWindowsHookExW.USER32(00000005,00061BFE,00000000,00000000), ref: 00061E4E

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CurrentException@8H_prolog3HookThreadThrowWindows
String ID:
API String ID: 1226552664-0
Opcode ID: 16b7f00f2e6effa62a69a53d9f691a3722973a28781f65c362cca397a7870454
Instruction ID: ef6d9fbd1cef9bf9d51018242ba91f34a1166436be16d2b5f0442fa6b5267777
Opcode Fuzzy Hash: 16b7f00f2e6effa62a69a53d9f691a3722973a28781f65c362cca397a7870454
Instruction Fuzzy Hash: DCF02731600F046BD3311B929C0ABDB76EBDBD07A2F440129FA4A96580EB31E840C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0006A618 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0006A618(void* __ebx, intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				void* __ebp;
				WCHAR* _t4;
				WCHAR* _t13;

				_t4 = E000512F0(_a8, 0x104); // executed
				_t13 = _t4;
				E00151B30(_t13, 0, 0x104);
				_push(E00150EEF(_t13, 0x104, _a4, 0xffffffff));
				E00053DF0();
				PathStripToRootW(_t13);
				return E000561B0(__ebx, _a8, _t13, 0xffffffff);
			}

0x0006a628
0x0006a62e
0x0006a633
0x0006a644
0x0006a645
0x0006a64e
0x0006a661

APIs

_memset.LIBCMT ref: 0006A633
PathStripToRootW.SHLWAPI(00000000), ref: 0006A64E

Part of subcall function 000561B0: _wcsnlen.LIBCMT ref: 000561C9

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: PathRootStrip_memset_wcsnlen
String ID:
API String ID: 3507110420-0
Opcode ID: a26a92a92650a1252cdedca36fae2de90479403fce1765c79e33b4448bf55fdb
Instruction ID: ff916b83bb90d963f9e8dabd1ee2f5c3be993eb61e3675e5c249c5008d9e6428
Opcode Fuzzy Hash: a26a92a92650a1252cdedca36fae2de90479403fce1765c79e33b4448bf55fdb
Instruction Fuzzy Hash: 5CE0923610012477CA0276A59C46EFF373DCFDA772F144215FE38572D28E34695582B9

Uniqueness

Uniqueness Score: -1.00%

Function 0005D4D4 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0005D4D4(intOrPtr* __ecx, int _a4, int _a8, long _a12) {
				_Unknown_base(*)()* _t11;
				long _t12;
				intOrPtr* _t17;

				_t17 = __ecx;
				_t11 =  *(__ecx + 0x5c);
				if(_t11 != 0) {
					L3:
					_t12 = CallWindowProcW(_t11,  *(_t17 + 0x20), _a4, _a8, _a12); // executed
					return _t12;
				}
				_t11 =  *( *((intOrPtr*)( *__ecx + 0xfc))());
				if(_t11 != 0) {
					goto L3;
				}
				return DefWindowProcW( *(__ecx + 0x20), _a4, _a8, _a12);
			}

0x0005d4da
0x0005d4dc
0x0005d4e1
0x0005d505
0x0005d512
0x00000000
0x0005d512
0x0005d4eb
0x0005d4ef
0x00000000
0x00000000
0x00000000

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0005D4FD
CallWindowProcW.USER32(?,?,?,?,?), ref: 0005D512

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: 84fef13e14b6bda78019be8030122442709ff6b9c64cbd1db81294987d0cf618
Instruction ID: 64e65d1a33d43ee0fafb1fa097087105eb063f70fb4efff29a92ad2e2dddcf5d
Opcode Fuzzy Hash: 84fef13e14b6bda78019be8030122442709ff6b9c64cbd1db81294987d0cf618
Instruction Fuzzy Hash: 9DF0F836104609FFCF215FA5DC08E9B7BF9FF08356B09446AF95986520E732D960EB90

Uniqueness

Uniqueness Score: -1.00%

Function 000634B7 Relevance: 3.0, APIs: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E000634B7(void* __ecx, WCHAR* _a4) {
				void* __ebp;
				int _t8;
				int _t10;
				void* _t14;

				_t12 = __ecx;
				_t14 = __ecx;
				if(__ecx == 0) {
					L1:
					E000655E0(_t12);
				}
				_t8 = IsWindow( *(_t14 + 0x20));
				if(_t8 == 0) {
					if( *((intOrPtr*)(_t14 + 0x6c)) == _t8) {
						goto L1;
					} else {
						L4:
						_pop(_t14);
						goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t14 + 0x6c)))) + 0x88)));
					}
				}
				if( *((intOrPtr*)(_t14 + 0x6c)) != 0) {
					goto L4;
				}
				_t10 = SetWindowTextW( *(_t14 + 0x20), _a4); // executed
				return _t10;
			}

0x000634b7
0x000634bd
0x000634c1
0x000634c3
0x000634c3
0x000634c3
0x000634cb
0x000634d3
0x000634d8
0x00000000
0x000634da
0x000634da
0x000634df
0x000634e1
0x000634e1
0x000634d8
0x000634eb
0x00000000
0x00000000
0x000634f3
0x000634fb

APIs

IsWindow.USER32(?), ref: 000634CB

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

SetWindowTextW.USER32 ref: 000634F3

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Exception@8TextThrow
String ID:
API String ID: 735465941-0
Opcode ID: dcbd716182fc188c1fad43040449beead7c54a5f2802eea887573f3cc7d6b2bb
Instruction ID: da33a675869648a311866af6dd0eb71b77aa0c40ec30fc09bb58effa3e28065d
Opcode Fuzzy Hash: dcbd716182fc188c1fad43040449beead7c54a5f2802eea887573f3cc7d6b2bb
Instruction Fuzzy Hash: 65F03033504A14DFCB725B55D808A92F7F6FF55362F00846AE48A82921DF31B950CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 0005E893 Relevance: 3.0, APIs: 2, Instructions: 24
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E0005E893(void* __ecx, void* __esi, void* __eflags) {
				void* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t15;
				void* _t17;
				void* _t19;
				void* _t22;
				void* _t23;

				_t23 = __eflags;
				E00151BC0(_t17, _t19, __esi);
				 *((intOrPtr*)(_t22 - 0x20)) = 0;
				_t12 = E0006B628(_t17, _t19, 0, _t23);
				__imp__ActivateActCtx( *((intOrPtr*)(_t12 + 0x80)), _t22 - 0x20, 0x1aa728, 0x10); // executed
				 *(_t22 - 0x1c) = 0;
				if(_t12 != 0) {
					 *((intOrPtr*)(_t22 - 4)) = 0;
					_t13 = LoadLibraryW( *(_t22 + 8)); // executed
					 *(_t22 - 0x1c) = _t13;
					 *((intOrPtr*)(_t22 - 4)) = 0xfffffffe;
					E0005E8E8();
					_t15 =  *(_t22 - 0x1c);
				} else {
					_t15 = 0;
				}
				return E00151C05(_t15);
			}

0x0005e893
0x0005e89a
0x0005e8a1
0x0005e8a8
0x0005e8b3
0x0005e8b9
0x0005e8be
0x0005e8c4
0x0005e8ca
0x0005e8d0
0x0005e8d3
0x0005e8da
0x0005e8df
0x0005e8c0
0x0005e8c0
0x0005e8c0
0x0005e8e7

APIs

ActivateActCtx.KERNEL32(?,00064351), ref: 0005E8B3
LoadLibraryW.KERNEL32(?,?,00095C4A,00000004,00074747,00000000,00000004,000B7B6F,?,?,?), ref: 0005E8CA

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ActivateLibraryLoad
String ID:
API String ID: 389599620-0
Opcode ID: 201855c7e181d43b1db9f1ca3962d7cf401e0270dd9b6b59c35d9177279d40ec
Instruction ID: bf9f57c0ced4eb5062317f6c69fda83504758791af2accf78835e844ea7b07ea
Opcode Fuzzy Hash: 201855c7e181d43b1db9f1ca3962d7cf401e0270dd9b6b59c35d9177279d40ec
Instruction Fuzzy Hash: F3F03070C00219EBCF11AFA0CC456EEBAB4FF08752F104566F859E62A1CB754685EF50

Uniqueness

Uniqueness Score: -1.00%

Function 0006A3D9 Relevance: 3.0, APIs: 2, Instructions: 21
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0006A3D9(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				int _t8;
				void* _t11;
				void* _t13;
				intOrPtr* _t14;

				_push(0);
				_push(_a8);
				_t14 = __ecx;
				_push(_a4);
				 *((intOrPtr*)( *__ecx + 0x2c))();
				_t8 = SetEndOfFile( *(__ecx + 4)); // executed
				if(_t8 == 0) {
					return E000876C4(_t11, _t13, _t14, GetLastError(),  *((intOrPtr*)(_t14 + 0xc)));
				}
				return _t8;
			}

0x0006a3df
0x0006a3e1
0x0006a3e4
0x0006a3e6
0x0006a3eb
0x0006a3f1
0x0006a3f9
0x00000000
0x0006a405
0x0006a40c

APIs

SetEndOfFile.KERNEL32(?), ref: 0006A3F1
GetLastError.KERNEL32(?), ref: 0006A3FE

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 34904deb01eae6102b94d0b4a2bf6f79077692bcbb68fc8c03c8fe640720c158
Instruction ID: 6f448274de27ef07db9652c58f84bff3cb774faa7347547d18eaf74ad1745415
Opcode Fuzzy Hash: 34904deb01eae6102b94d0b4a2bf6f79077692bcbb68fc8c03c8fe640720c158
Instruction Fuzzy Hash: 74E04632104204BBDB216FA1DC09E86BFA9FF94361B108025F99A86571DA72E8A0EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00153C8E Relevance: 3.0, APIs: 2, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00153C8E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t20;
				void* _t21;

				_t21 = __eflags;
				_t12 = __ebx;
				E00151BC0(__ebx, __edi, __esi);
				_t8 = E00157F08(__ebx, __edx, _t21);
				_t1 = _t20 - 4;
				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
				E00153C6F( *((intOrPtr*)(_t8 + 0x54))( *((intOrPtr*)(_t8 + 0x58)), 0x1b6ab8, 0xc));
				_t10 =  *((intOrPtr*)(_t20 - 0x14));
				_t14 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14))))));
				 *((intOrPtr*)(_t20 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14))))));
				return E001575C2(_t12,  *_t1, _t14, _t10);
			}

0x00153c8e
0x00153c8e
0x00153c95
0x00153c9a
0x00153c9f
0x00153c9f
0x00153caa
0x00153caf
0x00153cb4
0x00153cb6
0x00153cc2

APIs

__getptd.LIBCMT ref: 00153C9A

Part of subcall function 00157F08: __getptd_noexit.LIBCMT ref: 00157F0B
Part of subcall function 00157F08: __amsg_exit.LIBCMT ref: 00157F18

Part of subcall function 00153C6F: __getptd_noexit.LIBCMT ref: 00153C74
Part of subcall function 00153C6F: __freeptd.LIBCMT ref: 00153C7E
Part of subcall function 00153C6F: ExitThread.KERNEL32 ref: 00153C87

__XcptFilter.LIBCMT ref: 00153CBB

Part of subcall function 001575C2: __getptd_noexit.LIBCMT ref: 001575C8

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: f982f3bef20f6bbd73a17aab77f2d62928d4e5dc6d9434681f67d965d80f219f
Instruction ID: ce50bd7942730f718173e9706afc89f91a636613c838e327323095ee3766f35f
Opcode Fuzzy Hash: f982f3bef20f6bbd73a17aab77f2d62928d4e5dc6d9434681f67d965d80f219f
Instruction Fuzzy Hash: 7BE0ECB5904600EFDB09FBA4D846F6D7775AF54702F204049F5226F2E2DB75AA44AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00069D08 Relevance: 3.0, APIs: 2, Instructions: 15
threadCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00069D08(void* __esi, void* __eflags) {
				void* _t3;
				void* _t4;
				struct HHOOK__* _t6;
				void* _t7;
				void* _t8;

				_t3 = E0006B628(_t7, _t8, __esi, __eflags);
				_t13 =  *((char*)(_t3 + 0x14));
				if( *((char*)(_t3 + 0x14)) == 0) {
					_push(__esi);
					_t4 = E0006B059(_t7, _t8, __esi, _t13);
					_t6 = SetWindowsHookExW(0xffffffff, E00069B6D, 0, GetCurrentThreadId()); // executed
					 *(_t4 + 0x2c) = _t6;
					return _t6;
				}
				return _t3;
			}

0x00069d08
0x00069d0d
0x00069d11
0x00069d13
0x00069d14
0x00069d2b
0x00069d31
0x00000000
0x00069d34
0x00069d35

APIs

GetCurrentThreadId.KERNEL32(?,00087969), ref: 00069D1B
SetWindowsHookExW.USER32(000000FF,Function_00019B6D,00000000,00000000), ref: 00069D2B

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: edb98772078be980646a28e29147bb2a94993bfd802e9f6613a1711f864e988f
Instruction ID: 11b04264c17208eef621b41d1164b8abd3570c6cf4fb73cf13be1e75d1f0ac6e
Opcode Fuzzy Hash: edb98772078be980646a28e29147bb2a94993bfd802e9f6613a1711f864e988f
Instruction Fuzzy Hash: 7AD0A7B18083106EE7212BB07D0DF553AD99B01321F101351F528D58D2C73448C04B55

Uniqueness

Uniqueness Score: -1.00%

Function 00153E26 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00153E26(int _a4) {

				E00153DFB(_a4);
				ExitProcess(_a4);
			}

0x00153e2e
0x00153e37

APIs

___crtCorExitProcess.LIBCMT ref: 00153E2E

Part of subcall function 00153DFB: GetModuleHandleW.KERNEL32(mscoree.dll,?,00153E33,?,?,00151042,000000FF,0000001E,00000001,00000000,00000000,?,0015A71D,?,00000001,?), ref: 00153E05
Part of subcall function 00153DFB: GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00153E33,?,?,00151042,000000FF,0000001E,00000001,00000000,00000000,?,0015A71D,?,00000001), ref: 00153E15

ExitProcess.KERNEL32 ref: 00153E37

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 11e8ceb53bcb7327ab9989dc7575a76775b7867e673942d619267b4e37085220
Instruction ID: 30ffd993532cc0d799dc9f1fe0d64b8edd723c390708fd9536491a569987ec09
Opcode Fuzzy Hash: 11e8ceb53bcb7327ab9989dc7575a76775b7867e673942d619267b4e37085220
Instruction Fuzzy Hash: AEB09232004108BBCB012F6ADC0A8597F3AEB807A1F504024F8690A072DF72AED29AC0

Uniqueness

Uniqueness Score: -1.00%

Function 0006AA93 Relevance: 1.6, APIs: 1, Instructions: 146
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0006AA93(void* __ecx, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				char _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				char _v552;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t51;
				intOrPtr _t55;
				void* _t59;
				void* _t61;
				signed int _t66;
				signed int _t68;
				void* _t73;
				void* _t75;
				void* _t82;
				void* _t84;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t94;
				intOrPtr _t98;
				intOrPtr _t99;
				void* _t102;
				intOrPtr _t103;
				signed int _t107;

				_t105 = _t107;
				_t51 =  *0x1c0454; // 0x885926af
				_v8 = _t51 ^ _t107;
				_a8 = _a8 & 0xffff7fff;
				_push(_t84);
				_t102 = __ecx;
				 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
				 *(__ecx + 4) =  *(__ecx + 4) | 0xffffffff;
				_t98 = _a12;
				_v532 = _a4;
				_v540 = _t98;
				E000542D0(__ecx + 0xc);
				if(_v532 == 0) {
					L38:
					__eflags = _t98;
					if(_t98 != 0) {
						 *((intOrPtr*)(_t98 + 8)) = 3;
						E00056590(_t98, _v532);
					}
					goto L40;
				} else {
					_t96 = 0x104;
					_t59 = E0006A1DF(_v532, 0x104, 0);
					_t112 = _t59;
					if(_t59 < 0) {
						_t98 = _v540;
						goto L38;
					}
					_t61 = E0006A7E8(_t84, 0x104, 0, _t102, _t112,  &_v528, _v532, _v540); // executed
					if(_t61 == 0) {
						L40:
						_t55 = 0;
						L41:
						_pop(_t99);
						_pop(_t103);
						_pop(_t85);
						return E00150836(_t55, _t85, _v8 ^ _t105, _t96, _t99, _t103);
					}
					E00056590(0,  &_v528);
					_t94 = _a8;
					_t66 = _t94 & 0x00000003;
					_v536 = 0;
					if(_t66 == 0) {
						_v536 = 0x80000000;
					} else {
						_t82 = _t66 - 1;
						if(_t82 == 0) {
							_v536 = 0x40000000;
						} else {
							if(_t82 == 1) {
								_v536 = 0xc0000000;
							}
						}
					}
					_t68 = _t94 & 0x00000070;
					if(_t68 == 0 || _t68 == 0x10) {
						L19:
						_t86 = 0;
						__eflags = 0;
						goto L20;
					} else {
						if(_t68 == 0x20) {
							_t86 = 1;
							L20:
							_v552 = 0xc;
							_v548 = 0;
							_v544 =  !(_t94 >> 7) & 0x00000001;
							if((_t94 & 0x00001000) == 0) {
								_t73 = 3;
							} else {
								asm("sbb eax, eax");
								_t73 = ( ~(_t94 & 0x00002000) & 0x00000002) + 2;
							}
							_t96 = 0x80;
							if((_t94 & 0x00010000) != 0) {
								_t96 = 0x20000080;
							}
							if((_t94 & 0x00020000) != 0) {
								_t96 = _t96 | 0x80000000;
							}
							if((_t94 & 0x00040000) != 0) {
								_t96 = _t96 | 0x10000000;
							}
							if((_t94 & 0x00080000) != 0) {
								_t96 = _t96 | 0x08000000;
							}
							_t95 =  *((intOrPtr*)(_t102 + 0x10));
							_push(0);
							_push(_t96);
							_push(_t73);
							_push( &_v552);
							_push(_t86);
							_push(_v536);
							_push(_v532);
							if( *((intOrPtr*)(_t102 + 0x10)) == 0) {
								_t75 = CreateFileW(); // executed
							} else {
								_t75 = E000688A4(_t95);
							}
							if(_t75 != 0xffffffff) {
								 *(_t102 + 4) = _t75;
								_t55 = 1;
								 *((intOrPtr*)(_t102 + 8)) = 1;
								goto L41;
							} else {
								E0006A7B9(0, _v540, _v532);
								goto L40;
							}
						}
						if(_t68 == 0x30) {
							_push(2);
							L17:
							_pop(_t86);
							goto L20;
						}
						if(_t68 != 0x40) {
							goto L19;
						}
						_push(3);
						goto L17;
					}
				}
			}

0x0006aa96
0x0006aa9e
0x0006aaa5
0x0006aaab
0x0006aab2
0x0006aab4
0x0006aab6
0x0006aaba
0x0006aabf
0x0006aac5
0x0006aacb
0x0006aad1
0x0006aadd
0x0006ac5f
0x0006ac5f
0x0006ac61
0x0006ac6c
0x0006ac73
0x0006ac73
0x00000000
0x0006aae3
0x0006aaeb
0x0006aaf0
0x0006aaf5
0x0006aaf7
0x0006ac59
0x00000000
0x0006ac59
0x0006ab10
0x0006ab17
0x0006ac78
0x0006ac78
0x0006ac7a
0x0006ac7d
0x0006ac7e
0x0006ac81
0x0006ac88
0x0006ac88
0x0006ab27
0x0006ab2c
0x0006ab34
0x0006ab36
0x0006ab3c
0x0006ab5c
0x0006ab3e
0x0006ab3e
0x0006ab3f
0x0006ab50
0x0006ab41
0x0006ab42
0x0006ab44
0x0006ab44
0x0006ab42
0x0006ab3f
0x0006ab68
0x0006ab6b
0x0006ab8f
0x0006ab8f
0x0006ab8f
0x00000000
0x0006ab72
0x0006ab75
0x0006ab8c
0x0006ab91
0x0006ab9b
0x0006aba5
0x0006abab
0x0006abb7
0x0006abce
0x0006abb9
0x0006abc2
0x0006abc7
0x0006abc7
0x0006abcf
0x0006abda
0x0006abdc
0x0006abdc
0x0006abe7
0x0006abe9
0x0006abe9
0x0006abf5
0x0006abf7
0x0006abf7
0x0006ac03
0x0006ac05
0x0006ac05
0x0006ac0b
0x0006ac0e
0x0006ac0f
0x0006ac10
0x0006ac17
0x0006ac18
0x0006ac19
0x0006ac1f
0x0006ac27
0x0006ac30
0x0006ac29
0x0006ac29
0x0006ac29
0x0006ac39
0x0006ac4e
0x0006ac53
0x0006ac54
0x00000000
0x0006ac3b
0x0006ac47
0x00000000
0x0006ac47
0x0006ac39
0x0006ab7a
0x0006ab85
0x0006ab87
0x0006ab87
0x00000000
0x0006ab87
0x0006ab7f
0x00000000
0x00000000
0x0006ab81
0x00000000
0x0006ab81
0x0006ab6b

APIs

Part of subcall function 0006A7E8: __EH_prolog3_GS.LIBCMT ref: 0006A7F2
Part of subcall function 0006A7E8: GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,0006A9CD,00000000,?,00000000,?,00068BC1,?,?,00000000), ref: 0006A830

CreateFileW.KERNEL32(00000000,80000000,00000000,0000000C,00000003,00000080,00000000), ref: 0006AC30

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CreateFileFullH_prolog3_NamePath
String ID:
API String ID: 2133410154-0
Opcode ID: 63098a3e7a65abf45d6062b5e9207c582be9d1b9926a4aae1b45cb147a42f024
Instruction ID: 80ed60983ef0ff8cf768d881c06608f29380c4c026317c3d24913c4c0c3612cb
Opcode Fuzzy Hash: 63098a3e7a65abf45d6062b5e9207c582be9d1b9926a4aae1b45cb147a42f024
Instruction Fuzzy Hash: 4951F3716402099BEB74AB28CC89BEAB3E7EF52314F144599E515E2191D778DE80CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00052020 Relevance: 1.6, APIs: 1, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00052020(void* __ebx, int _a4) {
				long _v8;
				char _v16;
				char _v20;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t29;
				intOrPtr* _t34;
				intOrPtr* _t39;
				signed int** _t47;
				intOrPtr* _t48;
				void* _t53;
				signed int _t71;
				signed int _t73;
				intOrPtr _t79;
				signed int _t84;
				intOrPtr* _t87;
				intOrPtr* _t89;

				_t52 = __ebx;
				_push(0xffffffff);
				_push(0x1742f0);
				_push( *[fs:0x0]);
				_push(_t53);
				_t29 =  *0x1c0454; // 0x885926af
				_push(_t29 ^ _t84);
				 *[fs:0x0] =  &_v16;
				_t82 = _t53;
				_t78 = _a4;
				SendMessageW( *(_t53 + 0x2dc), 0x402, _a4, 0); // executed
				_t34 = E00065761();
				_t87 = _t34;
				_t55 = 0 | _t87 == 0x00000000;
				if(_t87 == 0) {
					_push(0x80004005);
					_t34 = E00051330(__ebx, _t55, _t78, _t82);
				}
				_v20 =  *((intOrPtr*)( *((intOrPtr*)( *_t34 + 0xc))))() + 0x10;
				_v8 = 0;
				E00051400( &_v20, 0x1a0f40, _t78);
				_t39 = E00065761();
				_t89 = _t39;
				_t59 = 0 | _t89 == 0x00000000;
				if(_t89 == 0) {
					_push(0x80004005);
					_t39 = E00051330(_t52, _t59, _t78, _t82);
				}
				_a4 =  *((intOrPtr*)( *((intOrPtr*)( *_t39 + 0xc))))() + 0x10;
				_v8 = 1;
				_t79 = _v20;
				E000691E2( &_a4,  &_a4, 0x73, _t79,  *((intOrPtr*)(_t82 + 0x41c)));
				_t71 = _a4;
				E000634B7(_t82, _t71); // executed
				_v8 = 0;
				_t47 = _a4 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t73 = (_t71 | 0xffffffff) - 1;
				if(_t73 <= 0) {
					_t73 =  *( *_t47);
					 *((intOrPtr*)( *((intOrPtr*)(_t73 + 4))))(_t47);
				}
				_t48 = _t79 - 0x10;
				_v8 = 0xffffffff;
				asm("lock xadd [ecx], edx");
				if((_t73 | 0xffffffff) - 1 <= 0) {
					_t48 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t48)) + 4))))(_t48);
				}
				 *[fs:0x0] = _v16;
				return _t48;
			}

0x00052020
0x00052023
0x00052025
0x00052030
0x00052031
0x00052034
0x0005203b
0x0005203f
0x00052045
0x00052047
0x00052059
0x0005205f
0x00052066
0x00052068
0x0005206d
0x0005206f
0x00052074
0x00052074
0x00052085
0x00052092
0x00052099
0x000520a1
0x000520a8
0x000520aa
0x000520af
0x000520b1
0x000520b6
0x000520b6
0x000520c7
0x000520ca
0x000520d4
0x000520df
0x000520e4
0x000520ea
0x000520ef
0x000520f6
0x000520ff
0x00052103
0x00052106
0x0005210a
0x00052110
0x00052110
0x00052112
0x00052115
0x00052122
0x00052129
0x00052133
0x00052133
0x00052138
0x00052145

APIs

SendMessageW.USER32(?,00000402,?,00000000), ref: 00052059

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ecb214b263f1d5a6f9a3b72ca265158f7b0384f93cc5a82e8f17ca5c3cea1d83
Instruction ID: 211a081f4e54a1bce1adb3b13ac39c543f0c56004d49cb0f50bc1a3136a53d61
Opcode Fuzzy Hash: ecb214b263f1d5a6f9a3b72ca265158f7b0384f93cc5a82e8f17ca5c3cea1d83
Instruction Fuzzy Hash: E6318F75600A05AFD704DB68CC51FABB7A9FF89720F14826DF925DB292DB30A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00060A66 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00060A66(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t46;
				intOrPtr _t62;
				signed int _t64;
				signed int _t68;
				intOrPtr _t71;
				intOrPtr _t76;
				intOrPtr* _t82;
				void* _t84;
				void* _t88;

				_t88 = __eflags;
				_push(0x44);
				E00151AB8(0x168814, __ebx, __edi, __esi);
				_push(E0005E58B);
				 *((intOrPtr*)(_t84 - 0x28)) =  *((intOrPtr*)(_t84 + 8));
				_t62 = E00071BD8(__ebx, 0x1c3910, __edi, __esi, _t88);
				_t71 = 0;
				 *((intOrPtr*)(_t84 - 0x2c)) = _t62;
				if((0 | _t62 != 0x00000000) == 0) {
					E000655E0(0x1c3910);
				}
				_t64 = 7;
				_t7 = _t62 + 0x58; // 0x58
				_t46 = memcpy(_t84 - 0x50, _t7, _t64 << 2);
				_t76 =  *((intOrPtr*)(_t84 + 0x10));
				_t82 =  *((intOrPtr*)(_t84 - 0x28));
				 *(_t62 + 0x60) = _t46;
				 *(_t62 + 0x58) =  *(_t84 + 0xc);
				 *((intOrPtr*)(_t62 + 0x5c)) = _t76;
				 *((intOrPtr*)(_t62 + 0x64)) =  *((intOrPtr*)(_t84 + 0x18));
				 *((intOrPtr*)(_t84 - 4)) = _t71;
				if(_t76 == 2 &&  *((intOrPtr*)(_t82 + 0x68)) != _t71) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x68)))) + 0x60))(_t71);
					_t71 = 0;
				}
				 *((intOrPtr*)(_t84 - 0x24)) = _t71;
				 *((intOrPtr*)(_t84 - 0x20)) = _t71;
				 *((intOrPtr*)(_t84 - 0x1c)) = _t71;
				 *((intOrPtr*)(_t84 - 0x18)) = _t71;
				 *((intOrPtr*)(_t84 - 0x28)) = _t71;
				if(_t76 == 0x110) {
					E0005E9EC(_t82, _t84 - 0x24, _t84 - 0x28);
				}
				 *((intOrPtr*)(_t84 - 0x34)) =  *((intOrPtr*)( *_t82 + 0x114))(_t76,  *((intOrPtr*)(_t84 + 0x14)),  *((intOrPtr*)(_t84 + 0x18)));
				if(_t76 == 0x110) {
					E000609C5(_t62, _t71, _t82, _t84 - 0x24,  *((intOrPtr*)(_t84 - 0x28))); // executed
				}
				_t36 = _t62 + 0x58; // 0x58
				_t68 = 7;
				_t83 = _t84 - 0x50;
				memcpy(_t36, _t84 - 0x50, _t68 << 2);
				return E00151B14(_t62, _t84 - 0x50 + _t68 + _t68, _t83);
			}

0x00060a66
0x00060a66
0x00060a6d
0x00060a75
0x00060a7f
0x00060a87
0x00060a8b
0x00060a92
0x00060a97
0x00060a99
0x00060a99
0x00060aa3
0x00060aa4
0x00060aaa
0x00060aac
0x00060ab2
0x00060ab5
0x00060abb
0x00060abe
0x00060ac1
0x00060ac4
0x00060aca
0x00060ad7
0x00060ada
0x00060ada
0x00060adc
0x00060adf
0x00060ae2
0x00060ae5
0x00060ae8
0x00060af1
0x00060afc
0x00060afc
0x00060b12
0x00060b1b
0x00060b25
0x00060b25
0x00060b5a
0x00060b5d
0x00060b5e
0x00060b61
0x00060b68

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00060A6D

Part of subcall function 00071BD8: __EH_prolog3.LIBCMT ref: 00071BDF

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Exception@8H_prolog3H_prolog3_catch_Throw
String ID:
API String ID: 2399685165-0
Opcode ID: bde06c099889525557255b5b3bbe4fc32c9535d30752746e3b465e98302afde6
Instruction ID: 729e14c47df04c3b36a406bf0d8ceef1b6bda8230edee8b757a50d5c603eb930
Opcode Fuzzy Hash: bde06c099889525557255b5b3bbe4fc32c9535d30752746e3b465e98302afde6
Instruction Fuzzy Hash: 4C31F971E00609DFCF09DFA9C8819DEBBF6BF88310F11846AE905BB251D774A941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000511B0 Relevance: 1.6, APIs: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 54%

			E000511B0(signed int* __ecx, signed int _a4) {
				signed int* _v8;
				void* __edi;
				intOrPtr* _t17;
				void* _t18;
				void* _t22;
				void* _t25;
				intOrPtr _t26;
				intOrPtr* _t31;
				signed int _t32;
				void* _t43;
				void* _t44;
				void* _t46;
				signed int _t47;
				intOrPtr* _t48;

				_t47 =  *__ecx;
				_t26 =  *((intOrPtr*)(_t47 - 0xc));
				_t48 = _t47 - 0x10;
				_v8 = __ecx;
				_t17 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t48)) + 0x10))))(_t43, _t46, _t25, __ecx);
				_t31 = _t17; // executed
				_t18 =  *((intOrPtr*)( *((intOrPtr*)( *_t17))))(_a4, 2); // executed
				_t44 = _t18;
				_t52 = _t44;
				if(_t44 == 0) {
					E00051240(_t31, _t44, _t52);
				}
				_t19 = _a4;
				if(_t26 < _a4) {
					_t19 = _t26;
				}
				_t8 = _t48 + 0x10; // 0x0
				_t9 = _t44 + 0x10; // 0x10
				_t32 = _t9;
				_a4 = _t32;
				E00150B32(_t32, _t19 + _t19 + 2, _t8, _t19 + _t19 + 2);
				 *((intOrPtr*)(_t44 + 4)) = _t26;
				_t12 = _t48 + 0xc; // -4
				_t22 = _t12;
				asm("lock xadd [eax], ecx");
				if((_t32 | 0xffffffff) - 1 <= 0) {
					_t22 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t48)) + 4))))(_t48);
				}
				 *_v8 = _a4;
				return _t22;
			}

0x000511b6
0x000511b8
0x000511bb
0x000511be
0x000511c9
0x000511d5
0x000511d7
0x000511d9
0x000511db
0x000511dd
0x000511df
0x000511df
0x000511e4
0x000511e9
0x000511eb
0x000511eb
0x000511f2
0x000511f6
0x000511f6
0x000511fb
0x000511fe
0x00051206
0x00051209
0x00051209
0x0005120f
0x00051216
0x00051220
0x00051220
0x0005122a
0x00051230

APIs

_memcpy_s.LIBCMT ref: 000511FE

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: c19cdbb899385b3a08b2b0100a88ddeedf1a44e1d66fda4f2f5ae6d72dc4d584
Instruction ID: d3fddc7170871bc38077d5d190dffdfe85bc40d4904e891c34095a351820087a
Opcode Fuzzy Hash: c19cdbb899385b3a08b2b0100a88ddeedf1a44e1d66fda4f2f5ae6d72dc4d584
Instruction Fuzzy Hash: C1116D76600A04AFC719CF98C881CAAB7A9FF89350711869DE9198B351EB31ED04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0015A381 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0015A381(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x1c7b24, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x1c7e5c;
					if( *0x1c7e5c == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E0015A6E4(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00151F1F(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x0015a386
0x0015a38b
0x0015a3a8
0x0015a3ad
0x0015a3af
0x0015a3b1
0x0015a3b3
0x0015a3b3
0x0015a3b3
0x00000000
0x0015a3bb
0x0015a3c4
0x0015a3ca
0x0015a3cc
0x00000000
0x00000000
0x0015a400
0x0015a402
0x00000000
0x0015a3ce
0x0015a3ce
0x0015a3d5
0x0015a3f3
0x0015a3f6
0x0015a3f8
0x0015a3fa
0x0015a3fa
0x0015a3d7
0x0015a3d8
0x0015a3de
0x0015a3e0
0x0015a3b4
0x0015a3b4
0x0015a3b6
0x0015a3b9
0x00000000
0x00000000
0x00000000
0x00000000
0x0015a3e2
0x0015a3e2
0x0015a3e5
0x0015a3e7
0x0015a3e9
0x0015a3e9
0x0015a3ef
0x0015a3ef
0x0015a3e0
0x00000000
0x0015a38d
0x0015a391
0x0015a394
0x0015a397
0x00000000
0x0015a399
0x0015a39e
0x0015a3a7
0x0015a3a7
0x0015a397
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0015A767,?,?,00000000,00000000,00000000,?,00157EBA,00000001,00000214,?,0015A71D), ref: 0015A3C4

Part of subcall function 00151F1F: __getptd_noexit.LIBCMT ref: 00151F1F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 04bb6d035c5285175a6d0df24bc851690447278dbc174e6742a8668586502375
Instruction ID: cd13b0be989a9e4b508389a7f2c16d3258a76f4e36f4a04d50748105a5c853e6
Opcode Fuzzy Hash: 04bb6d035c5285175a6d0df24bc851690447278dbc174e6742a8668586502375
Instruction Fuzzy Hash: 5601F131280215DBEB689F25CC18B6B3795BF8132AF444329EC358F1D0E7B4CC48C681

Uniqueness

Uniqueness Score: -1.00%

Function 00069513 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00069513(void* __edi, WCHAR* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20) {
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v64;
				void* __ebx;
				void* __ebp;
				void* _t21;
				char _t33;

				_t26 = _a8;
				 *_a8 = 0x1000;
				if(_a4 != 0) {
					_t33 = 0x3c;
					E00151B30( &_v64, 0, _t33);
					_v64 = _t33;
					_v44 = 0x824;
					_v48 = E000512F0(_a12, 0x825);
					_v16 = 0x824;
					_v20 = E000512F0(_a16, 0x825);
					_t21 = E0006920A(_a4,  &_v64, _t26, _a20, 0x2000000); // executed
					E000561B0(_t26, _a12, __edi, 0xffffffff);
					E000561B0(_t26, _a16, __edi, 0xffffffff);
					return _t21;
				}
				return 0;
			}

0x00069520
0x00069523
0x00069529
0x00069532
0x0006953a
0x00069542
0x0006954e
0x0006955e
0x00069561
0x00069575
0x00069580
0x0006958c
0x00069596
0x00000000
0x0006959d
0x00000000

APIs

_memset.LIBCMT ref: 0006953A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 3f0ac9d0e5f20c0bf3d6e2857ae6d66b1e8f847cafeb0c096f88870a01358c88
Instruction ID: a161b81691ed5fa94481ede01e7d36f2e30daadd325bb4590c305ef73f81e4c6
Opcode Fuzzy Hash: 3f0ac9d0e5f20c0bf3d6e2857ae6d66b1e8f847cafeb0c096f88870a01358c88
Instruction Fuzzy Hash: 53016D71900219BBDB10AFA8DC85FDF7BB9EF08361F108115FD25AB292DA709914CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00071BD8 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00071BD8(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				long* _t24;
				intOrPtr _t25;
				intOrPtr* _t30;
				void* _t31;

				_t23 = __ecx;
				_t22 = __ebx;
				_push(4);
				E00151A19(0x169849, __ebx, __edi, __esi);
				_t30 = __ecx;
				if((0 |  *((intOrPtr*)(_t31 + 8)) != 0x00000000) == 0) {
					L1:
					E000655E0(_t23);
				}
				if( *_t30 == 0) {
					_t23 =  *0x1c3c08; // 0x0
					if(_t23 != 0) {
						L5:
						_t19 = E000717D6(_t23); // executed
						 *_t30 = _t19;
						if(_t19 == 0) {
							goto L1;
						}
					} else {
						 *((intOrPtr*)(_t31 - 0x10)) = 0x1c3c0c;
						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
						_t21 = E000718EE(0x1c3c0c);
						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
						_t23 = _t21;
						 *0x1c3c08 = _t21;
						if(_t21 == 0) {
							goto L1;
						} else {
							goto L5;
						}
					}
				}
				_t24 =  *0x1c3c08; // 0x0
				_t28 = E00071678(_t24,  *_t30);
				_t39 = _t28;
				if(_t28 == 0) {
					_t17 =  *((intOrPtr*)(_t31 + 8))();
					_t25 =  *0x1c3c08; // 0x0
					_t28 = _t17;
					E00071995(_t22, _t25, _t17, _t30, _t39,  *_t30, _t17);
				}
				return E00151AF1(_t28);
			}

0x00071bd8
0x00071bd8
0x00071bd8
0x00071bdf
0x00071be4
0x00071bf0
0x00071bf2
0x00071bf2
0x00071bf2
0x00071bfa
0x00071bfc
0x00071c04
0x00071c27
0x00071c27
0x00071c2c
0x00071c30
0x00000000
0x00000000
0x00071c06
0x00071c0b
0x00071c0e
0x00071c12
0x00071c17
0x00071c1b
0x00071c1d
0x00071c25
0x00000000
0x00000000
0x00000000
0x00000000
0x00071c25
0x00071c04
0x00071c34
0x00071c3f
0x00071c41
0x00071c43
0x00071c45
0x00071c48
0x00071c4e
0x00071c53
0x00071c53
0x00071c5f

APIs

__EH_prolog3.LIBCMT ref: 00071BDF

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: 5f3c500b3597f3ed37b56ff03ee5509070d962c10a1f9bbe04591589a1e30812
Instruction ID: a22f01be91af21165fd81637790b5442f84d38317ca999e69f1d8f83d816fef8
Opcode Fuzzy Hash: 5f3c500b3597f3ed37b56ff03ee5509070d962c10a1f9bbe04591589a1e30812
Instruction Fuzzy Hash: 64017530A002469BDB15AF6CC852AAD7AA6AF91351B14C42DE4559B2D1EF34CD81C709

Uniqueness

Uniqueness Score: -1.00%

Function 0005FA5D Relevance: 1.5, APIs: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0005FA5D(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				void* _t11;
				struct HWND__* _t13;
				int _t15;
				void* _t18;
				void* _t22;
				int _t23;
				void* _t24;

				_t22 = __edx;
				_t19 = __ecx;
				_t18 = __ebx;
				_t24 = __ecx;
				_t10 =  *((intOrPtr*)(__ecx + 0x20));
				_t23 = 0;
				if(_t10 != 0) {
					L4:
					_push(_t23);
					_t11 = E0005F7BA(_t18, _t19, _t23, _t24, __eflags);
					__eflags = _t11 - _t23;
					if(_t11 == _t23) {
						_t11 = E000655E0(_t19);
					}
					_t4 = _t11 + 0x1c; // 0x1c
					E00072579(_t4, _t22,  *(_t24 + 0x20));
					L7:
					_t13 =  *(_t24 + 0x20);
					__eflags = _t13 - _t23;
					if(_t13 != _t23) {
						L9:
						__eflags =  *((intOrPtr*)(_t24 + 0x6c)) - _t23;
						if( *((intOrPtr*)(_t24 + 0x6c)) != _t23) {
							_t15 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t24 + 0x6c)))) + 0x58))();
						} else {
							_t15 = DestroyWindow(_t13); // executed
						}
						_t23 = _t15;
						L13:
						return _t23;
					}
					__eflags =  *((intOrPtr*)(_t24 + 0x6c)) - _t23;
					if( *((intOrPtr*)(_t24 + 0x6c)) == _t23) {
						goto L13;
					}
					goto L9;
				}
				if( *((intOrPtr*)(__ecx + 0x6c)) != 0) {
					__eflags = _t10;
					if(__eflags == 0) {
						goto L7;
					}
					goto L4;
				}
				return 0;
			}

0x0005fa5d
0x0005fa5d
0x0005fa5d
0x0005fa60
0x0005fa62
0x0005fa66
0x0005fa6a
0x0005fa79
0x0005fa79
0x0005fa7a
0x0005fa7f
0x0005fa81
0x0005fa83
0x0005fa83
0x0005fa8b
0x0005fa8e
0x0005fa93
0x0005fa93
0x0005fa96
0x0005fa98
0x0005fa9f
0x0005fa9f
0x0005faa2
0x0005fab2
0x0005faa4
0x0005faa5
0x0005faa5
0x0005fab5
0x0005fab7
0x00000000
0x0005fab7
0x0005fa9a
0x0005fa9d
0x00000000
0x00000000
0x00000000
0x0005fa9d
0x0005fa6f
0x0005fa75
0x0005fa77
0x00000000
0x00000000
0x00000000
0x0005fa77
0x00000000

APIs

DestroyWindow.USER32 ref: 0005FAA5

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 7ea0a8516217d73e1dd12ae38f1ef9e8e51ec74c7a6b2675935a6b08337b758d
Instruction ID: 8e791e972fa4a3bf52ad40b3a84257a8978a596160a8df871647ab4642d713f2
Opcode Fuzzy Hash: 7ea0a8516217d73e1dd12ae38f1ef9e8e51ec74c7a6b2675935a6b08337b758d
Instruction Fuzzy Hash: 3AF04972200A029F4772DA25D84483B73E2FBC83523240D3AE8CAC3611EA34DC89CB13

Uniqueness

Uniqueness Score: -1.00%

Function 0006AA20 Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0006AA20(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t23;
				void* _t35;
				intOrPtr* _t39;
				void* _t40;

				_t35 = __edx;
				_t28 = __ebx;
				_push(0x14);
				E00151A19(0x172749, __ebx, __edi, __esi);
				_t39 = __ecx;
				_t42 =  *((intOrPtr*)(_t40 + 8));
				if( *((intOrPtr*)(_t40 + 8)) == 0) {
					E000655E0(__ecx);
				}
				 *(_t39 + 4) =  *(_t39 + 4) | 0xffffffff;
				 *((intOrPtr*)(_t39 + 8)) = 0;
				 *((intOrPtr*)(_t39 + 0x10)) =  *((intOrPtr*)(_t40 + 0x10));
				E0006A9D1(_t28, _t40 - 0x20, 0, _t39, _t42);
				 *((intOrPtr*)(_t40 - 4)) = 0;
				_t23 =  *((intOrPtr*)( *_t39 + 0x24))( *((intOrPtr*)(_t40 + 8)),  *((intOrPtr*)(_t40 + 0xc)), _t40 - 0x20, 0, 0xffffffff, 0);
				_t43 = _t23;
				if(_t23 == 0) {
					_push( *((intOrPtr*)(_t40 - 0x10)));
					E0008767E(_t28, 0, _t39, _t43,  *((intOrPtr*)(_t40 - 0x18)),  *((intOrPtr*)(_t40 - 0x14)));
				}
				 *((intOrPtr*)(_t40 - 0x20)) = 0x17af50;
				return E00151AF1(E00051190( *((intOrPtr*)(_t40 - 0x10)) + 0xfffffff0, _t35));
			}

0x0006aa20
0x0006aa20
0x0006aa20
0x0006aa27
0x0006aa2c
0x0006aa30
0x0006aa33
0x0006aa35
0x0006aa35
0x0006aa3d
0x0006aa48
0x0006aa4b
0x0006aa4e
0x0006aa61
0x0006aa64
0x0006aa67
0x0006aa69
0x0006aa6b
0x0006aa74
0x0006aa74
0x0006aa7f
0x0006aa90

APIs

__EH_prolog3.LIBCMT ref: 0006AA27

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: c8146f18167d9cd792905897b1756c111b004854fadf9da1e39f7775dae15058
Instruction ID: cc459062f4bc03b837311a10fe70697b79bbec85c9b2fcfe91431bf3cce4bcc7
Opcode Fuzzy Hash: c8146f18167d9cd792905897b1756c111b004854fadf9da1e39f7775dae15058
Instruction Fuzzy Hash: 3D017C30900619EBCF25EFA4CD018EEBBB2FF55360B20460EF875672A1DB308510DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00060B6B Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00060B6B(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				void* __esi;
				void* __ebp;
				void* _t10;
				long _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t17;
				struct HWND__* _t19;

				if(_a8 != 0x360) {
					_t19 = _a4;
					_t10 = E0005F85A(_t14, _t15, _t16, _t17, _t19, __eflags, _t19);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						_t11 = DefWindowProcW(_t19, _a8, _a12, _a16);
						L6:
						return _t11;
					}
					__eflags =  *((intOrPtr*)(_t10 + 0x20)) - _t19;
					if(__eflags != 0) {
						goto L5;
					}
					_t11 = E00060A66(_t14, _t17, _t19, __eflags, _t10, _t19, _a8, _a12, _a16); // executed
					goto L6;
				}
				return 1;
			}

0x00060b77
0x00060b7f
0x00060b83
0x00060b88
0x00060b8a
0x00060ba3
0x00060bad
0x00060bb3
0x00000000
0x00060bb3
0x00060b8c
0x00060b8f
0x00000000
0x00000000
0x00060b9c
0x00000000
0x00060b9c
0x00000000

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b1bc5a0d83c7890dee8e94623253d5e7f86b3a707530bff717e5c0f2e0b0b0
Instruction ID: 11292db87b7f1e3e096b85291852533c6a02aad37f74f5d7c2a2963a8a3a3407
Opcode Fuzzy Hash: a6b1bc5a0d83c7890dee8e94623253d5e7f86b3a707530bff717e5c0f2e0b0b0
Instruction Fuzzy Hash: ACF01C32041219BBCF125E90DD04CEF3BAAEF48365F04D451FA5951021C736CA60EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0007021F Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0007021F(void* __ebx, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16) {
				void* __ebp;
				void* _t14;
				void* _t15;
				void* _t21;
				void* _t22;
				signed int _t23;

				_t21 = __edx;
				_t15 = __ecx;
				_t14 = __ebx;
				_t7 = _a4;
				if(_a4 == 0) {
					L1:
					_t7 = E000655E0(_t15);
				}
				if(_a16 == 0) {
					goto L1;
				}
				_push(_t23);
				E00056620(_t14, _t7 + 0x1c); // executed
				E001559F6(_t22, _a4, _a16);
				asm("sbb esi, esi");
				E00051190(_a4 + 0xfffffff0, _t21);
				return  ~_t23;
			}

0x0007021f
0x0007021f
0x0007021f
0x00070224
0x00070229
0x0007022b
0x0007022b
0x0007022b
0x00070234
0x00000000
0x00000000
0x00070236
0x0007023e
0x00070249
0x00070255
0x0007025c
0x00070265

APIs

__wcsicoll.LIBCMT ref: 00070249

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Exception@8Throw__wcsicoll
String ID:
API String ID: 558878061-0
Opcode ID: 93d59e15ed567e7377cbae3142e2f12b27c662fc3e10bb400167b3fd6d004638
Instruction ID: a84b2204dd188665684e6ec7d8ebad38233cd215bbb77607a77f25f453380ada
Opcode Fuzzy Hash: 93d59e15ed567e7377cbae3142e2f12b27c662fc3e10bb400167b3fd6d004638
Instruction Fuzzy Hash: 37E0ED32200118A6CB01AE68EC62ADB3B999F003A5F004216FD1A86293DF20D941C2E8

Uniqueness

Uniqueness Score: -1.00%

Function 00065767 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00065767(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
				void* __edi;
				void* __esi;
				intOrPtr* _t11;
				void* _t15;
				intOrPtr _t16;
				intOrPtr _t17;

				_t17 = _a4;
				_t16 = __ecx;
				if(_t17 >= 0) {
					_t11 = E00151013(_t15, __ecx, _t17, (_t17 + 1) * _a8 + 0x10); // executed
					if(_t11 == 0) {
						goto L1;
					}
					 *(_t11 + 4) =  *(_t11 + 4) & 0x00000000;
					 *_t11 = _t16;
					 *((intOrPtr*)(_t11 + 0xc)) = 1;
					 *((intOrPtr*)(_t11 + 8)) = _t17;
					return _t11;
				}
				L1:
				return 0;
			}

0x0006576d
0x00065771
0x00065775
0x00065786
0x0006578e
0x00000000
0x00000000
0x00065790
0x00065794
0x00065796
0x0006579d
0x00000000
0x0006579d
0x00065777
0x00000000

APIs

_malloc.LIBCMT ref: 00065786

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: de06064f1e8e3c997279749936b391ef213fe52429c9fea0e1929fc1c5faac9d
Instruction ID: f7271139fd838377c0987c1b050a0cbf6aeda902f4b7cf1ce6f81b3586f78629
Opcode Fuzzy Hash: de06064f1e8e3c997279749936b391ef213fe52429c9fea0e1929fc1c5faac9d
Instruction Fuzzy Hash: 8DE06D32504616ABC7108B49E804B4ABBDDEFA5372F168426E818CF262CB71E8448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0006CCE1 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0006CCE1(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				void* _t5;
				intOrPtr* _t6;
				void* _t9;
				void* _t13;
				void* _t14;
				void* _t15;

				_t14 = __edi;
				_t9 = __ebx;
				_t17 = _a4;
				_t15 = __ecx;
				if(_a4 == 0) {
					E000655E0(__ecx);
				}
				_push( *((intOrPtr*)(_t15 + 0x14)));
				_push(_a4);
				_t5 = E00155118(_t9, _t13, _t14, _t15, _t17); // executed
				_t18 = _t5 - 0xffff;
				if(_t5 == 0xffff) {
					_t6 = E00151F32(_t18);
					_push( *((intOrPtr*)(_t15 + 0xc)));
					return E0008767E(_t9, _t14,  *((intOrPtr*)(_t15 + 0xc)), _t18, 0xd,  *_t6);
				}
				return _t5;
			}

0x0006cce1
0x0006cce1
0x0006cce6
0x0006cceb
0x0006cced
0x0006ccef
0x0006ccef
0x0006ccf4
0x0006ccf7
0x0006ccfa
0x0006cd01
0x0006cd06
0x0006cd0b
0x0006cd10
0x00000000
0x0006cd15
0x0006cd1c

APIs

_fputws.LIBCMT ref: 0006CCFA

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Exception@8Throw_fputws
String ID:
API String ID: 1492218265-0
Opcode ID: db2022c9c808ac1ec4478325eb081e3496248be88d4a81e053eab70553b6efd5
Instruction ID: 75c793e7d69df4164ecec2ead3b2354aad69db7086d43d6d89716912fef1fae6
Opcode Fuzzy Hash: db2022c9c808ac1ec4478325eb081e3496248be88d4a81e053eab70553b6efd5
Instruction Fuzzy Hash: 08E02632000914BFDB203B90EC02FAA3B9ADF103B1F308037F90C5B4619F30AC5892A4

Uniqueness

Uniqueness Score: -1.00%

Function 000716E4 Relevance: 1.5, APIs: 1, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E000716E4(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t19;
				void* _t20;

				_push(8);
				E00151A4C(0x169803, __ebx, __edi, __esi);
				_t19 = __ecx;
				if( *__ecx == 0) {
					E00072399(0x10);
					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
					if( *__ecx == 0) {
						 *__ecx =  *((intOrPtr*)(_t20 + 8))();
					}
					 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
					E0007240B(0x10);
				}
				return E00151AF1( *_t19);
			}

0x000716e4
0x000716eb
0x000716f0
0x000716f6
0x000716fa
0x00071701
0x00071707
0x0007170c
0x0007170c
0x0007170e
0x00071714
0x00071714
0x00071720

APIs

__EH_prolog3_catch.LIBCMT ref: 000716EB

Part of subcall function 00072399: EnterCriticalSection.KERNEL32(001C3DE0,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723D3
Part of subcall function 00072399: InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723E5
Part of subcall function 00072399: LeaveCriticalSection.KERNEL32(001C3DE0,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723F2
Part of subcall function 00072399: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 00072402

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 34a6a64af242812f0ea486c46a8d01c071534085a482c5ad18162a92d976c6b3
Instruction ID: cef073214a0cf5d2bf19de78a1ca020084e38039db745f12e3d97bd8cc1f6f5b
Opcode Fuzzy Hash: 34a6a64af242812f0ea486c46a8d01c071534085a482c5ad18162a92d976c6b3
Instruction Fuzzy Hash: 44E01234640205E7E761EFA8C44178876E46F10315F108569F9D4EB1C1DBB48941DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0006AC8B Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0006AC8B(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t18;
				void* _t22;

				_t18 = __edx;
				_push(4);
				E00151A19(0x168df8, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t22 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x17aef4;
				E00051110(__ecx + 0xc, E00065761());
				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
				E0006AA20(__ebx, __ecx, _t18, __edi, __ecx,  *(_t22 - 4),  *((intOrPtr*)(_t22 + 8)),  *((intOrPtr*)(_t22 + 0xc)), 0); // executed
				return E00151AF1(__ecx);
			}

0x0006ac8b
0x0006ac8b
0x0006ac92
0x0006ac99
0x0006ac9c
0x0006acab
0x0006acb0
0x0006acbe
0x0006acca

APIs

__EH_prolog3.LIBCMT ref: 0006AC92

Part of subcall function 0006AA20: __EH_prolog3.LIBCMT ref: 0006AA27

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 7edd55f0d2718beecaa9c88a3b9dc4f72c8d802a47d1e6f53132bcb863ab25d9
Instruction ID: 57f4c03e04d680455836081cdf4e7be2f1e59da85f59f6ddf36796027b179d71
Opcode Fuzzy Hash: 7edd55f0d2718beecaa9c88a3b9dc4f72c8d802a47d1e6f53132bcb863ab25d9
Instruction Fuzzy Hash: 6AE08C70640510EBCB12BF94DD02B9EBA65AF20711F10850AB9257B282CFB04A54CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0005F40B Relevance: 1.5, APIs: 1, Instructions: 18
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0005F40B(void* __ecx, intOrPtr _a4) {
				signed int _t9;
				int _t12;

				 *((intOrPtr*)(__ecx + 0x60)) = _a4;
				_t9 =  *(__ecx + 0x58);
				if((_t9 & 0x00000010) != 0) {
					 *(__ecx + 0x58) = _t9 & 0xffffffef;
					_t12 = PostMessageW( *(__ecx + 0x20), 0, 0, 0); // executed
					return _t12;
				}
				return _t9;
			}

0x0005f413
0x0005f416
0x0005f41b
0x0005f420
0x0005f42b
0x00000000
0x0005f42b
0x0005f432

APIs

PostMessageW.USER32 ref: 0005F42B

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f7d59d50c14b99e2d7675b5e4cd6e6e5cd7dfa5476109e34886f194d17308f86
Instruction ID: 748a38bc8956cfdf0dc628620947c3850d1d4118ff7d640ceba34d51fead1cb3
Opcode Fuzzy Hash: f7d59d50c14b99e2d7675b5e4cd6e6e5cd7dfa5476109e34886f194d17308f86
Instruction Fuzzy Hash: 84D012B25102449FA300DF28CC44D773BADEB543143140569B858CA291D331DC53CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00063F8D Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00063F8D(intOrPtr* __ecx, int _a4) {
				int _t8;
				intOrPtr* _t12;

				_t12 = __ecx;
				if(( *(__ecx + 0x58) & 0x00000018) != 0) {
					_push(_a4);
					 *((intOrPtr*)( *__ecx + 0x8c))();
				}
				_t8 = EndDialog( *(_t12 + 0x20), _a4); // executed
				return _t8;
			}

0x00063f93
0x00063f99
0x00063f9b
0x00063fa0
0x00063fa0
0x00063fac
0x00063fb4

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,0006435E,000000FF,00000000,?,?,00051AB5,885926AF), ref: 00063FAC

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ac6efec958cebf8ffc4e14d68f4d160291454121797d40dc2bcbfdb0ebad1ad7
Instruction ID: 39c8ba236b430f28a170b1849fe00fcb6fbb8e5ee42b63dac9a0003b573834a9
Opcode Fuzzy Hash: ac6efec958cebf8ffc4e14d68f4d160291454121797d40dc2bcbfdb0ebad1ad7
Instruction Fuzzy Hash: 0ED01736004648EBDB215F59D808E86BFF9EF493A0F058069F98986930CA7299609B90

Uniqueness

Uniqueness Score: -1.00%

Function 0015118E Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0015118E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t9;
				void* _t17;

				_push(0xc);
				_push(0x1b6a98);
				E00151BC0(__ebx, __edi, __esi);
				E00153E3E();
				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
				_t9 = E001510A7( *((intOrPtr*)(_t17 + 8))); // executed
				 *((intOrPtr*)(_t17 - 0x1c)) = _t9;
				 *(_t17 - 4) = 0xfffffffe;
				E001511C4();
				return E00151C05( *((intOrPtr*)(_t17 - 0x1c)));
			}

0x0015118e
0x00151190
0x00151195
0x0015119a
0x0015119f
0x001511a6
0x001511ac
0x001511af
0x001511b6
0x001511c3

APIs

Part of subcall function 00153E3E: __lock.LIBCMT ref: 00153E40

__onexit_nolock.LIBCMT ref: 001511A6

Part of subcall function 001510A7: RtlDecodePointer.NTDLL(?,?,?,?,?,001511AB,00074106,001B6A98,0000000C,001511D7,00074106,?,000741FF,00074106), ref: 001510BC
Part of subcall function 001510A7: DecodePointer.KERNEL32(?,?,?,?,?,001511AB,00074106,001B6A98,0000000C,001511D7,00074106,?,000741FF,00074106), ref: 001510C9
Part of subcall function 001510A7: __realloc_crt.LIBCMT ref: 00151106
Part of subcall function 001510A7: __realloc_crt.LIBCMT ref: 0015111C
Part of subcall function 001510A7: EncodePointer.KERNEL32(00000000,?,?,?,?,?,001511AB,00074106,001B6A98,0000000C,001511D7,00074106,?,000741FF,00074106), ref: 0015112E
Part of subcall function 001510A7: EncodePointer.KERNEL32(00074106,?,?,?,?,?,001511AB,00074106,001B6A98,0000000C,001511D7,00074106,?,000741FF,00074106), ref: 00151142
Part of subcall function 001510A7: EncodePointer.KERNEL32(-00000004,?,?,?,?,?,001511AB,00074106,001B6A98,0000000C,001511D7,00074106,?,000741FF,00074106), ref: 0015114A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 175056b6cb01dd6e7de56104a37d3d2db7c465d0285532875c0a63d5b995374f
Instruction ID: 502ac11a744d26a7c04c1446201986a7877248e499f572768f8276453f7ecb49
Opcode Fuzzy Hash: 175056b6cb01dd6e7de56104a37d3d2db7c465d0285532875c0a63d5b995374f
Instruction Fuzzy Hash: 51D05E35C01245FACF11FBB4C80279CB6B0AF61313F208244F8306F0D2CB741A498B00

Uniqueness

Uniqueness Score: -1.00%

Function 00063582 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00063582(void* __ecx, int _a4) {
				int _t7;

				if( *((intOrPtr*)(__ecx + 0x6c)) != 0) {
					goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x6c)))) + 0xa0)));
				}
				_t7 = ShowWindow( *(__ecx + 0x20), _a4); // executed
				return _t7;
			}

0x0006358b
0x000635a3
0x000635a3
0x00063593
0x0006359a

APIs

ShowWindow.USER32(?,?), ref: 00063593

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8431845c5d0acf2dbf0ef1354f45354b80359d7f0d56fec44db49dc7de029f35
Instruction ID: c83b148e82e327e645bb6d4f3b287ec3a0ff4d6b39c8876f6f6bd76a24de4f05
Opcode Fuzzy Hash: 8431845c5d0acf2dbf0ef1354f45354b80359d7f0d56fec44db49dc7de029f35
Instruction Fuzzy Hash: 51D09E76144648DFC7409B45D408F617BB6FB59315F5040E9E5490A571C73399A2DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00157D1B Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,0016301E,001C72E0,00000314,00000000,?,?,?,?,?,00157517,001C72E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00157D1D

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 89107ca19781d3637f96717c00e902b5e79dcef8c419672c6c323caefbf49bad
Instruction ID: 0208619a367f921c4099b32ea52b8c459e23564412ede02550f27aaccdb3eaca
Opcode Fuzzy Hash: 89107ca19781d3637f96717c00e902b5e79dcef8c419672c6c323caefbf49bad
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0007F44C Relevance: 51.8, APIs: 28, Strings: 1, Instructions: 1017
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E0007F44C(intOrPtr* __ecx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagRECT _v72;
				struct tagRECT _v88;
				struct tagRECT _v104;
				struct tagRECT _v124;
				char _v144;
				signed int _v148;
				struct tagMONITORINFO* _v152;
				signed int _v156;
				struct tagMONITORINFO* _v160;
				struct tagPOINT _v168;
				int _v172;
				intOrPtr* _v176;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t494;
				struct HMONITOR__* _t500;
				signed int _t506;
				signed int _t507;
				struct tagMONITORINFO* _t508;
				intOrPtr _t509;
				long _t510;
				int _t511;
				intOrPtr* _t515;
				struct tagMONITORINFO* _t517;
				void* _t519;
				intOrPtr _t554;
				int _t559;
				RECT* _t561;
				struct tagMONITORINFO* _t562;
				int _t566;
				int _t569;
				RECT* _t573;
				struct tagMONITORINFO* _t580;
				struct tagMONITORINFO* _t581;
				struct tagMONITORINFO* _t582;
				void* _t584;
				RECT* _t589;
				int _t599;
				struct tagMONITORINFO* _t602;
				struct tagMONITORINFO* _t603;
				RECT* _t609;
				long _t611;
				struct tagMONITORINFO* _t614;
				struct tagMONITORINFO* _t617;
				struct tagMONITORINFO* _t618;
				void* _t619;
				struct tagMONITORINFO* _t621;
				struct tagMONITORINFO* _t625;
				struct tagMONITORINFO* _t629;
				struct tagMONITORINFO* _t633;
				struct tagMONITORINFO* _t641;
				int _t647;
				struct tagMONITORINFO* _t652;
				void* _t656;
				struct tagMONITORINFO* _t657;
				struct tagMONITORINFO* _t659;
				intOrPtr* _t661;
				intOrPtr _t668;
				struct tagMONITORINFO* _t669;
				struct tagMONITORINFO* _t670;
				signed int _t673;
				long _t680;
				int _t684;
				intOrPtr _t688;
				struct tagMONITORINFO** _t690;
				struct tagMONITORINFO* _t691;
				struct tagMONITORINFO* _t694;
				intOrPtr* _t707;
				void* _t708;
				int _t712;
				struct tagMONITORINFO* _t716;
				struct tagMONITORINFO* _t717;
				intOrPtr _t718;
				struct tagMONITORINFO* _t724;
				long _t728;
				long* _t731;
				struct tagMONITORINFO* _t739;
				long _t757;
				intOrPtr* _t764;
				long _t765;
				signed int _t767;
				intOrPtr _t772;
				RECT* _t775;
				intOrPtr _t776;
				struct tagMONITORINFO* _t778;
				struct tagMONITORINFO* _t784;
				RECT* _t787;
				struct tagMONITORINFO* _t788;
				signed int _t801;
				struct tagMONITORINFO* _t802;
				struct tagMONITORINFO* _t804;
				void* _t805;
				struct tagMONITORINFO* _t808;
				intOrPtr _t811;
				long _t813;
				struct tagMONITORINFO* _t821;
				void* _t826;
				struct tagMONITORINFO* _t830;
				struct tagMONITORINFO* _t831;
				struct tagMONITORINFO* _t832;
				intOrPtr* _t834;
				void* _t835;
				signed int _t836;
				long _t838;
				long _t839;
				RECT* _t840;
				void* _t841;
				void* _t856;
				struct tagMONITORINFO* _t858;
				struct tagMONITORINFO* _t859;
				struct tagMONITORINFO* _t860;
				struct tagMONITORINFO* _t861;
				intOrPtr _t862;
				int _t865;
				signed int _t868;
				void* _t874;
				struct tagMONITORINFO* _t885;
				signed int _t890;
				int _t899;
				void* _t987;
				void* _t989;

				_t888 = _t890;
				_t494 =  *0x1c0454; // 0x885926af
				_v8 = _t494 ^ _t890;
				_t707 = __ecx;
				_t834 =  *((intOrPtr*)( *__ecx + 0x1c0))();
				_v176 = _t834;
				if(IsWindow( *(__ecx + 0x20)) == 0 || _t834 == 0 || IsWindow( *(_t834 + 0x20)) == 0 ||  *((intOrPtr*)(_t834 + 0xb68)) != 0) {
					L218:
					_pop(_t835);
					_pop(_t856);
					_pop(_t708);
					return E00150836(_t498, _t708, _v8 ^ _t888, _t809, _t835, _t856);
				} else {
					_t712 =  *(_t707 + 0x148);
					if(_t712 == 0 ||  *((intOrPtr*)( *_t712 + 0xf0))() == 0) {
						L8:
						_v152 = 0;
						goto L9;
					} else {
						_v152 = 1;
						_t899 =  *0x1c3f04; // 0x0
						if(_t899 == 0) {
							L9:
							_t500 =  &_v144;
							_v40.left = 0;
							_v40.top = 0;
							_v40.right = 0;
							_v40.bottom = 0;
							_v144 = 0x28;
							__imp__MonitorFromPoint( *(_t707 + 0x12c), 2, _t500);
							if(GetMonitorInfoW(_t500,  *(_t707 + 0x128)) == 0) {
								SystemParametersInfoW(0x30, 0,  &_v40, 0);
							} else {
								CopyRect( &_v40,  &_v124);
							}
							_t836 =  *((intOrPtr*)( *_t707 + 0x204))();
							_v156 = _t836;
							_t506 = E00063445(_t707);
							_t858 = _v40.right;
							_t507 = _t506 & 0x00400000;
							_v148 = _t507;
							if( *((intOrPtr*)(_t707 + 0x1080)) != 0) {
								_t831 =  *(_t707 + 0x1098);
								_t805 = _t836 + _t836;
								if(_t507 == 0) {
									_t694 = _t858 - _t805 -  *(_t707 + 0x128);
									__eflags = _t694;
								} else {
									_t694 =  *(_t707 + 0x128) - _t805 - _v40.left;
								}
								if(_t831 < _t694) {
									_t694 = _t831;
								}
								_t832 =  *(_t707 + 0x109c);
								 *(_t707 + 0x1098) = _t694;
								_t808 = _v40.bottom +  *((intOrPtr*)(_t707 + 0x10a4)) -  *(_t707 + 0x12c) -  *((intOrPtr*)(_t707 + 0x10ac)) - _t836 + _t836;
								if(_t832 < _t808) {
									_t808 = _t832;
								}
								 *(_t707 + 0x109c) = _t808;
							}
							_t508 =  *(_t707 + 0x128);
							_t716 = _t508;
							if(_t508 >= _t858) {
								_t716 = _t858;
							}
							if(_v40.left <= _t716) {
								__eflags = _t508 - _t858;
								if(__eflags >= 0) {
									_t508 = _t858;
								}
							} else {
								_t508 = _v40.left;
							}
							 *(_t707 + 0x128) = _t508;
							if( *(_t707 + 0x148) != 0) {
								L35:
								_t509 =  *((intOrPtr*)(_t707 + 0x1080));
								_t717 =  *(_t707 + 0x1098);
								_t859 =  *(_t707 + 0x109c);
								_v24.right = _t717;
								_v24.bottom = _t859;
								if(_t509 == 0 &&  *((intOrPtr*)(_t707 + 0x1084)) == _t509) {
									_t690 =  *((intOrPtr*)( *_v176 + 0x2a4))( &(_v72.right), 1);
									_t717 =  *_t690;
									_t859 = _t690[1];
									_v24.right = _t717;
									_v24.bottom = _t859;
								}
								if( *((intOrPtr*)(_t707 + 0x1080)) == 0 &&  *((intOrPtr*)(_t707 + 0x1084)) == 0) {
									_t859 = _t859 + _t836 + _t836;
									_t688 =  *((intOrPtr*)(_t707 + 0xed4));
									_t801 = _t717 + _t836 * 2;
									_v24.right = _t801;
									_v24.bottom = _t859;
									if(_t688 >= 0) {
										if(_t688 <= 1) {
											_t802 = _t801 +  *((intOrPtr*)(_t707 + 0xecc));
											__eflags = _t802;
											_v24.right = _t802;
										} else {
											if(_t688 <= 3) {
												_t859 = _t859 +  *((intOrPtr*)(_t707 + 0xecc));
												_v24.bottom = _t859;
											}
										}
									}
								}
								if( *((intOrPtr*)(_t707 + 0x144)) == 0) {
									__eflags = _v152;
									if(__eflags == 0) {
										goto L54;
									}
									_t510 = _v156;
									_v24.bottom =  &(_v24.bottom->rcMonitor.top);
									_t828 = _t510 + _t510;
									_v56.right = _v24.right - _t510 + _t510 + _t510;
									_v56.left = _t510;
									_v56.top = _t510;
									_v56.bottom = _t510 + 0xa;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__eflags =  *0x1c3f04;
									if(__eflags != 0) {
										goto L55;
									}
									_t885 = _t707 + 0xff0;
									__eflags = _t885;
									if(_t885 == 0) {
										L51:
										 *((intOrPtr*)(_t885->cbSize + 0x160))(_t707, 0);
										SendMessageW( *(_t707 + 0x1010), 0x401, 1, 0);
										_t680 =  *0x1c3b5c; // 0xffffffff
										__eflags = _t680 - 0xffffffff;
										if(__eflags != 0) {
											SendMessageW( *(_t707 + 0x1010), 0x418, 0, _t680);
										}
										E000DF9C4(_t707, _t885, _t828, __eflags, _t707, 0x3e9c, _t707 + 0xfe0, 1);
										goto L54;
									}
									__eflags = _t885->rcWork.bottom;
									if(__eflags != 0) {
										goto L55;
									}
									goto L51;
								} else {
									_t684 = GetSystemMetrics(0x33);
									_v24.bottom = _t859 + _t684 + 5 + GetSystemMetrics(6) * 2;
									L54:
									_t510 = _v156;
									L55:
									_t718 =  *((intOrPtr*)(_t707 + 0xf20));
									if(_t718 == 0xffffffff || _v24.bottom <= _t718) {
										_t860 = 0;
										__eflags = 0;
									} else {
										_t860 = 0;
										if( *((intOrPtr*)(_t707 + 0x1080)) == 0 &&  *((intOrPtr*)(_t707 + 0x1084)) == 0) {
											_t882 = _v156 + _v156;
											_t673 =  *((intOrPtr*)( *_v176 + 0x354))();
											asm("cdq");
											 *(_t707 + 0xeb4) = 1;
											_v24.bottom = _v156 + _v156 - (_t718 - _t882) % _t673 + _t718 - _t882 + 2;
											_t510 = _v156;
											_t860 = 0;
										}
										 *(_t707 + 0xef0) = 1;
									}
									if( *(_t707 + 0x108c) != _t860) {
										_v56.left = _t510;
										_t826 = ((0 |  *((intOrPtr*)(_t707 + 0x1090)) - _t860 <= 0x00000000) - 0x00000001 & 0x00000003) + 9;
										if( *(_t707 + 0x1088) == _t860) {
											_t787 = _v24.bottom - _t510;
											_v56.top = _t787;
											_t788 = _t787 + _t826;
											__eflags = _t788;
											_v56.right = _v24.right - _t510 + _t510 + _t510;
											_v56.bottom = _t788;
										} else {
											_v56.top = _t510;
											_v56.right = _v24.right - _t510 + _t510 + _t510;
											_v56.bottom = _t510 + _t826;
										}
										_v24.bottom = _v24.bottom + _t826;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t860 = 0;
									}
									if(_v148 != _t860) {
										L69:
										_v160 = 1;
										goto L70;
									} else {
										_v160 = _t860;
										if( *((intOrPtr*)(_t707 + 0xeb8)) == _t860) {
											L70:
											_t511 =  *(_t707 + 0x148);
											_t929 = _t511 - _t860;
											if(_t511 != _t860) {
												_t860 = E0006EA25(0x1be4bc,  *((intOrPtr*)(_t511 + 0x6c)));
												_t838 = 0;
												_v152 = _t860;
												__eflags = _t860;
												if(__eflags == 0) {
													L87:
													_v88.left = _t838;
													_v88.top = _t838;
													_v88.right = _t838;
													_v88.bottom = _t838;
													SetRectEmpty( &_v88);
													_v168.y = _t838;
													_t515 = E00074709(_t707, _t838, _t860, _t929);
													_t809 =  *_t515;
													if( *((intOrPtr*)( *_t515 + 0x2e4))() != 0) {
														_t874 = E0007ED49(_t707, _t707, _t809);
														if(_t874 != 0) {
															_t647 =  *(_t707 + 0x148);
															_v172 = _t647;
															if(_t647 != 0 &&  *((intOrPtr*)(_t647 + 0xb4)) != 0) {
																if(_v148 == 0) {
																	RedrawWindow( *(_t874 + 0x20), 0, 0, 0x105);
																}
																if( *((intOrPtr*)(_t874 + 0x10b0)) != 0 &&  *((intOrPtr*)(_t707 + 0x10b0)) == 0) {
																	asm("movsd");
																	asm("movsd");
																	asm("movsd");
																	asm("movsd");
																	_t772 =  *((intOrPtr*)(_v172 + 0x6c));
																	if(_t772 != 0 &&  *((intOrPtr*)(_t772 + 0x20)) != 0) {
																		E0006636C(_t772,  &_v88);
																		 *(_t707 + 0x12c) = _v88.top;
																		_v168.y = 1;
																		if( *(_t707 + 0xea4) != 4) {
																			__eflags = _v148;
																			_t652 = _v88.right;
																			if(_v148 != 0) {
																				_t652 = _t652 + _v24.right;
																				__eflags = _t652;
																			}
																		} else {
																			_t652 = _v88.left;
																			if(_v148 == 0) {
																				_t652 = _t652 - _v24.right;
																			}
																		}
																		 *(_t707 + 0x128) = _t652;
																	}
																}
															}
														}
													}
													_t839 = 0;
													if(_v148 == 0) {
														L105:
														if(_v160 != _t839 ||  *(_t707 + 0x128) + _v24.right <= _v40.right) {
															goto L145;
														} else {
															_t868 = _v24.right;
															_t839 = 0;
															goto L108;
														}
													} else {
														_t868 = _v24.right;
														if( *(_t707 + 0x128) - _t868 < _v40.left) {
															L108:
															_t614 = E0007ED49(_t707, _t707, _t809);
															_v160 = _t614;
															if(_t614 == _t839) {
																_t764 = _v152;
																__eflags = _t764 - _t839;
																if(_t764 == _t839) {
																	L128:
																	_t765 = _v40.left;
																	__eflags = _v148 - _t839;
																	if(_v148 == _t839) {
																		__eflags =  *((intOrPtr*)(_t707 + 0xeb8)) - _t839;
																		if( *((intOrPtr*)(_t707 + 0xeb8)) == _t839) {
																			_t617 = _v40.right - _t868 - 1;
																			__eflags = _t617;
																		} else {
																			_t617 = _t765 + 1;
																		}
																	} else {
																		_t617 = _t868 + _t765 + 1;
																	}
																	 *(_t707 + 0x128) = _t617;
																	 *(_t707 + 0xea4) = _t839;
																	L134:
																	if(_v148 != 0) {
																		_t618 = _v40.right;
																		__eflags =  *(_t707 + 0x128) - _t618;
																		if( *(_t707 + 0x128) <= _t618) {
																			L140:
																			if( *((intOrPtr*)(_t707 + 0xeec)) != 0) {
																				L145:
																				_t517 =  *(_t707 + 0x12c);
																				_t861 = _v24.bottom;
																				if(_t517 + _t861 <= _v40.bottom) {
																					_t840 = 0;
																					__eflags = 0;
																					L171:
																					if(_t517 < _v40.top) {
																						_t559 =  *(_t707 + 0x148);
																						if(_t559 == _t840 ||  *((intOrPtr*)(_t559 + 0x6c)) == _t840 || E0007ED49(_t707, _t707, _t809) != 0) {
																							 *(_t707 + 0x12c) = _v40.top;
																						} else {
																							_t566 =  *(_t707 + 0x148);
																							_v72.right.x =  *(_t566 + 0x5c);
																							_v72.bottom = _t840;
																							ClientToScreen( *( *((intOrPtr*)(_t566 + 0x6c)) + 0x20),  &(_v72.right));
																							_t569 =  *(_t707 + 0x148);
																							_v168.y =  *((intOrPtr*)(_t569 + 0x60));
																							_v168.x = _t840;
																							ClientToScreen( *( *((intOrPtr*)(_t569 + 0x6c)) + 0x20),  &_v168);
																							 *(_t707 + 0x12c) = _v168.y;
																							if(_v152 == _t840 ||  *((intOrPtr*)( *_v152 + 0x160))() == 0) {
																								_t573 = 0;
																								__eflags = 0;
																							} else {
																								_t573 = 1;
																							}
																							 *(_t707 + 0xea4) = _t573;
																						}
																						_t561 = _v40.bottom;
																						if( *(_t707 + 0x12c) + _t861 > _t561) {
																							_t739 = _v40.top;
																							_t562 = _t561 - _t739;
																							 *(_t707 + 0x12c) = _t739;
																							if(_t861 > _t562) {
																								_t861 = _t562;
																								 *(_t707 + 0xeb4) = 1;
																								 *(_t707 + 0xef0) = 1;
																							}
																							 *(_t707 + 0xea4) = _t840;
																						}
																					}
																					if( *(_t707 + 0xef0) != _t840 &&  *((intOrPtr*)(_t707 + 0xef4)) != _t840 &&  *((intOrPtr*)(_t707 + 0x1080)) == _t840 &&  *((intOrPtr*)(_t707 + 0x1084)) == _t840) {
																						_v24.right = _v24.right + GetSystemMetrics(2);
																						if(IsRectEmpty(_t707 + 0x10a0) == 0) {
																							 *((intOrPtr*)(_t707 + 0x10a8)) =  *((intOrPtr*)(_t707 + 0x10a8)) + GetSystemMetrics(2);
																						}
																					}
																					 *((intOrPtr*)(_t707 + 0x138)) = _v24.right;
																					 *((intOrPtr*)(_t707 + 0x13c)) = _t861;
																					_t519 = E000748C1(_t840);
																					_t498 =  *0x1c3f04; // 0x0
																					if(_t519 != 0 ||  *((intOrPtr*)(_t707 + 0xee8)) != _t840 || _t498 != _t840) {
																						if(_t498 == _t840) {
																							_t554 =  *((intOrPtr*)(_t707 + 0xfc0));
																							_v24.right = _v24.right + _t554;
																							_t861 = _t861 + _t554;
																						}
																						if( *((intOrPtr*)(_t707 + 0x144)) == _t840) {
																							_push(0x14);
																							_push(_t861);
																							_push(_v24.right);
																							asm("sbb eax, eax");
																							_push( *(_t707 + 0x12c));
																							_t724 =  *(_t707 + 0x128) - ( ~_v148 & _v24.right);
																							__eflags = _t724;
																							_push(_t724);
																						} else {
																							_push(0x16);
																							_push(_t861);
																							_push(_v24.right);
																							_push(0xffffffff);
																							_push(0xffffffff);
																						}
																						_push(_t840);
																						_t498 = E00063614(_t707);
																						_t987 =  *0x1c3f04 - _t840; // 0x0
																						if(_t987 != 0) {
																							_t498 =  *((intOrPtr*)( *_v176 + 0x3e0))();
																						}
																					}
																					if( *((intOrPtr*)(_t707 + 0xfc0)) != _t840) {
																						_t989 =  *0x1c3f04 - _t840; // 0x0
																						if(_t989 == 0) {
																							_t498 =  *(_t707 + 0x148);
																							if(_t498 != _t840 &&  *((intOrPtr*)(_t498 + 0x6c)) != _t840) {
																								 *(_t707 + 0xebc) = 1;
																								_t862 =  *((intOrPtr*)(_t498 + 0x6c));
																								_v168.y =  *(_t707 + 0xebc);
																								_v56.left = _t840;
																								_v56.top = _t840;
																								_v56.right = _t840;
																								_v56.bottom = _t840;
																								_v72.left = _t840;
																								_v72.top = _t840;
																								_v72.right.x = _t840;
																								_v72.bottom = _t840;
																								GetWindowRect( *(_t707 + 0x20),  &_v72);
																								if(_v148 == _t840) {
																									_t728 = _v72.right.x + 1;
																									__eflags = _t728;
																								} else {
																									_t728 = _v72.left -  *((intOrPtr*)(_t707 + 0xfc0)) - 1;
																								}
																								_t811 =  *((intOrPtr*)(_t707 + 0xfc0));
																								_t841 = _v72.top;
																								_v104.top = _t841;
																								_v104.left = _t728;
																								_v104.right = _t811 + _t728;
																								_v104.bottom = _t841 + _t811 - _t841 + _v72.bottom;
																								E0006632B(_t862,  &_v104);
																								if(IntersectRect( &_v56,  &_v104,  *(_t707 + 0x148) + 0x54) != 0) {
																									InvalidateRect( *(_t862 + 0x20),  *(_t707 + 0x148) + 0x54, 1);
																									UpdateWindow( *(_t862 + 0x20));
																								}
																								_t813 = _v72.left;
																								_t731 =  &(_v72.bottom->left);
																								_v24.top = _t731;
																								_v24.left = _t813;
																								_t809 = _t813 + _v72.right.x - _t813 +  *((intOrPtr*)(_t707 + 0xfc0));
																								_v24.bottom = _t731 +  *((intOrPtr*)(_t707 + 0xfc0));
																								_v24.right = _t813 + _v72.right.x - _t813 +  *((intOrPtr*)(_t707 + 0xfc0));
																								E0006632B(_t862,  &_v24);
																								if(IntersectRect( &_v56,  &_v24,  *(_t707 + 0x148) + 0x54) != 0) {
																									InvalidateRect( *(_t862 + 0x20),  *(_t707 + 0x148) + 0x54, 1);
																									UpdateWindow( *(_t862 + 0x20));
																								}
																								_t498 = _v168.y;
																								 *(_t707 + 0xebc) = _v168.y;
																								_t840 = 0;
																							}
																						}
																					}
																					if( *(_t707 + 0xef0) != _t840 &&  *((intOrPtr*)(_t707 + 0xef4)) != _t840 &&  *((intOrPtr*)(_t707 + 0x1080)) == _t840 &&  *((intOrPtr*)(_t707 + 0x1084)) == _t840) {
																						_t498 = RedrawWindow( *(_t707 + 0x20), _t840, _t840, 0x105);
																					}
																					goto L218;
																				}
																				_v172 =  *((intOrPtr*)(_t707 + 0x10ac)) -  *((intOrPtr*)(_t707 + 0x10a4));
																				if( *(_t707 + 0x108c) != 0) {
																					_t611 = _v156;
																					_t809 = _t611 + _t611;
																					_v56.right = _v24.right - _t611 + _t611 + _t611;
																					_v56.left = _t611;
																					_v56.top = _t611;
																					_v56.bottom = _v172 + _t611;
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					asm("movsd");
																					_t861 = _v24.bottom;
																					 *(_t707 + 0x1088) = 1;
																				}
																				_t840 = 0;
																				 *(_t707 + 0xee4) = 0;
																				_v104.left = 0;
																				_v104.top = 0;
																				_v104.right = 0;
																				_v104.bottom = 0;
																				_t580 =  *((intOrPtr*)( *_t707 + 0x1cc))( &_v104);
																				_v160 = _t580;
																				if(_t580 == 0) {
																					L162:
																					__eflags = _v168.y - _t840;
																					if(_v168.y == _t840) {
																						 *(_t707 + 0x12c) =  *(_t707 + 0x12c) - _t861;
																						_t581 = E0007ED49(_t707, _t707, _t809);
																						__eflags = _t581;
																						if(_t581 != 0) {
																							_t584 =  *((intOrPtr*)( *_v176 + 0x354))();
																							_t366 = _t707 + 0x12c;
																							 *_t366 =  *(_t707 + 0x12c) + _t584 + _v156 * 2;
																							__eflags =  *_t366;
																						}
																					} else {
																						 *(_t707 + 0x12c) = _v88.bottom - _t861 - 1;
																					}
																					goto L166;
																				} else {
																					_t589 =  *(_t707 + 0xea4);
																					if(_t589 == 4 || _t589 == 3) {
																						goto L162;
																					} else {
																						_v72.right.x = _v104.right;
																						_v72.bottom = 0;
																						ClientToScreen(_v160->rcWork.bottom,  &(_v72.right));
																						_v168.y = _v104.top - _t861;
																						_v168.x = 0;
																						ClientToScreen(_v160->rcWork.bottom,  &_v168);
																						_t599 = _v168.y;
																						if(_t599 >= 0) {
																							 *(_t707 + 0x12c) = _t599;
																							__eflags = _v152;
																							if(_v152 == 0) {
																								L160:
																								__eflags = 0;
																								L161:
																								 *(_t707 + 0xea4) = 0;
																								L166:
																								_t582 = _v40.top;
																								if( *(_t707 + 0x12c) < _t582) {
																									 *(_t707 + 0x12c) = _t582;
																									 *(_t707 + 0xea4) = _t840;
																								}
																								_t517 =  *(_t707 + 0x12c);
																								if(_t517 + _t861 > _v40.bottom) {
																									_t861 = _v40.bottom - _t517;
																									 *(_t707 + 0xeb4) = 1;
																									 *(_t707 + 0xef0) = 1;
																								}
																								goto L171;
																							}
																							_t602 =  *((intOrPtr*)( *_v152 + 0x160))();
																							__eflags = _t602;
																							if(_t602 == 0) {
																								goto L160;
																							}
																							_push(2);
																							_pop(0);
																							goto L161;
																						}
																						_t861 = _t861 + _t599;
																						_t603 = _v40.top;
																						_t809 = _v40.bottom - _t861;
																						if(_v40.bottom - _t861 >= _t861 - _t603) {
																							_t861 = _v40.bottom -  *(_t707 + 0x12c);
																							 *(_t707 + 0xee4) = 1;
																							_v24.bottom = _t861;
																							__eflags =  *(_t707 + 0x108c);
																							if( *(_t707 + 0x108c) != 0) {
																								_t757 = _v156;
																								 *(_t707 + 0x1088) =  *(_t707 + 0x1088) & 0;
																								_t865 = _v172;
																								_t609 = _t861 - _t865 - _t757;
																								_v56.top = _t609;
																								_v56.left = _t757;
																								_t809 = _v24.right - _t757 + _t757 + _t757;
																								_v56.right = _v24.right - _t757 + _t757 + _t757;
																								_v56.bottom = _t609 + _t865;
																								asm("movsd");
																								asm("movsd");
																								asm("movsd");
																								asm("movsd");
																								_t861 = _v24.bottom;
																								_t840 = 0;
																								__eflags = 0;
																							}
																						} else {
																							 *(_t707 + 0x12c) = _t603;
																							 *(_t707 + 0xea4) = 0;
																						}
																						 *(_t707 + 0xeb4) = 1;
																						 *(_t707 + 0xef0) = 1;
																						goto L166;
																					}
																				}
																			}
																			_t619 = E000748C1(0);
																			if(_t619 == 1) {
																				L144:
																				 *((intOrPtr*)(_t707 + 0xee0)) = 0;
																				goto L145;
																			}
																			if(_t619 != 3) {
																				goto L145;
																			}
																			 *(_t707 + 0xee4) = 0;
																			goto L144;
																		}
																		 *(_t707 + 0x128) = _t618;
																		L139:
																		 *(_t707 + 0xea4) = 0;
																		goto L140;
																	}
																	if( *(_t707 + 0x128) >= _t765) {
																		goto L140;
																	}
																	 *(_t707 + 0x128) = _t765;
																	goto L139;
																}
																_t621 =  *((intOrPtr*)( *_t764 + 0x160))();
																__eflags = _t621;
																if(_t621 != 0) {
																	goto L128;
																}
																asm("movsd");
																asm("movsd");
																asm("movsd");
																asm("movsd");
																E0006636C(_v152,  &_v56);
																__eflags = _v148;
																_t767 = _v24.right;
																if(_v148 == 0) {
																	_t625 = _v56.left - _v24.right;
																	__eflags = _t625;
																} else {
																	_t625 = _v56.right + _t767;
																}
																 *(_t707 + 0x128) = _t625;
																__eflags = _t625 + _t767 - _v40.right;
																if(_t625 + _t767 >= _v40.right) {
																	_t629 = _v40.right - _t767 - 1;
																	__eflags = _t629;
																	 *(_t707 + 0x128) = _t629;
																}
																 *(_t707 + 0xea4) = 4;
																L127:
																_t765 = _v40.left;
																goto L134;
															}
															_v72.left = _t839;
															_v72.top = _t839;
															_v72.right.x = _t839;
															_v72.bottom = _t839;
															GetWindowRect( *(_t614 + 0x20),  &_v72);
															if(_v148 == _t839) {
																_t633 = _v72.left - _t868;
																__eflags = _t633;
															} else {
																_t633 = _v72.right.x + _t868;
															}
															_t769 =  *((intOrPtr*)(_t707 + 0x10bc));
															 *(_t707 + 0x128) = _t633;
															if( *((intOrPtr*)(_t707 + 0x10bc)) != _t839 && E000E7713(_t769) == 0) {
																asm("movsd");
																asm("movsd");
																asm("movsd");
																asm("movsd");
																E0006636C(_v160,  &_v72);
																if(_v148 == 0) {
																	_t641 = _v72.right.x - _v24.right;
																	__eflags = _t641;
																} else {
																	_t641 = _v72.left + _v24.right;
																}
																 *(_t707 + 0x128) = _t641;
															}
															asm("sbb eax, eax");
															 *(_t707 + 0xea4) = 4 +  ~_v148;
															goto L127;
														}
														goto L105;
													}
												}
												__eflags =  *((intOrPtr*)(_t860->cbSize + 0x16c))();
												if(__eflags == 0) {
													goto L87;
												}
												_t656 = E000E23ED(_t860,  *(_t707 + 0x148));
												_t775 = 2;
												_t657 = _t656 - _t775;
												__eflags = _t657;
												if(_t657 == 0) {
													 *(_t707 + 0xea4) = _t775;
													_t821 =  *((intOrPtr*)(_t707 + 0x134)) -  *((intOrPtr*)( *(_t707 + 0x148) + 0x60)) +  *((intOrPtr*)( *(_t707 + 0x148) + 0x58)) - _v24.bottom + 1;
													__eflags = _t821;
													 *(_t707 + 0x12c) = _t821;
													goto L87;
												}
												_t659 = _t657 - 1;
												__eflags = _t659;
												if(_t659 == 0) {
													_t776 =  *((intOrPtr*)(_t707 + 0x130));
													_t661 =  *(_t707 + 0x148) + 0x54;
													__eflags = _v148;
													if(__eflags == 0) {
														_t778 = _t776 +  *((intOrPtr*)(_t661 + 8)) -  *_t661;
														__eflags = _t778;
													} else {
														_t778 = _t776 -  *((intOrPtr*)(_t661 + 8)) +  *_t661;
													}
													 *(_t707 + 0x128) = _t778;
													 *(_t707 + 0x12c) =  *((intOrPtr*)(_t707 + 0x134)) -  *((intOrPtr*)(_t661 + 0xc)) +  *((intOrPtr*)(_t661 + 4)) + 1;
													 *(_t707 + 0xea4) = 3;
													goto L87;
												}
												__eflags = _t659 - 1;
												if(__eflags != 0) {
													goto L87;
												}
												 *(_t707 + 0x12c) =  *((intOrPtr*)(_t707 + 0x134)) -  *((intOrPtr*)( *(_t707 + 0x148) + 0x60)) +  *((intOrPtr*)( *(_t707 + 0x148) + 0x58)) + 1;
												_t668 =  *((intOrPtr*)(_t707 + 0x130));
												 *(_t707 + 0xea4) = 4;
												__eflags = _v148;
												if(_v148 == 0) {
													_t669 = _t668 - _v24.right;
													_t784 = _v40.left;
													 *(_t707 + 0x128) = _t669;
													__eflags = _t669 - _t784;
													if(__eflags >= 0) {
														goto L87;
													}
													L81:
													 *(_t707 + 0x128) = _t784;
													 *(_t707 + 0xea4) = _t838;
													goto L87;
												}
												_t670 = _t668 + _v24.right;
												_t784 = _v40.right;
												 *(_t707 + 0x128) = _t670;
												__eflags = _t670 - _t784;
												if(__eflags <= 0) {
													goto L87;
												}
												goto L81;
											}
											_v152 = _t860;
											_t838 = 0;
											goto L87;
										}
										goto L69;
									}
								}
							} else {
								_t691 =  *(_t707 + 0x12c);
								_t830 = _v40.bottom;
								_t804 = _t691;
								if(_t691 >= _t830) {
									_t804 = _t830;
								}
								if(_v40.top <= _t804) {
									__eflags = _t691 - _t830;
									if(__eflags >= 0) {
										_t691 = _t830;
									}
								} else {
									_t691 = _v40.top;
								}
								 *(_t707 + 0x12c) = _t691;
								goto L35;
							}
						}
						goto L8;
					}
				}
			}

0x0007f44f
0x0007f457
0x0007f45e
0x0007f463
0x0007f477
0x0007f479
0x0007f483
0x0008021a
0x0008021d
0x0008021e
0x00080221
0x00080228
0x0007f4ac
0x0007f4ac
0x0007f4b4
0x0007f4d4
0x0007f4d4
0x00000000
0x0007f4c2
0x0007f4c2
0x0007f4cc
0x0007f4d2
0x0007f4da
0x0007f4da
0x0007f4e9
0x0007f4f2
0x0007f4f5
0x0007f4f8
0x0007f4fb
0x0007f505
0x0007f514
0x0007f52e
0x0007f516
0x0007f51e
0x0007f51e
0x0007f53e
0x0007f542
0x0007f548
0x0007f553
0x0007f556
0x0007f55b
0x0007f563
0x0007f565
0x0007f56b
0x0007f570
0x0007f583
0x0007f583
0x0007f572
0x0007f57a
0x0007f57a
0x0007f58b
0x0007f58d
0x0007f58d
0x0007f58f
0x0007f595
0x0007f5b5
0x0007f5b9
0x0007f5bb
0x0007f5bb
0x0007f5bd
0x0007f5bd
0x0007f5c3
0x0007f5c9
0x0007f5cd
0x0007f5cf
0x0007f5cf
0x0007f5d4
0x0007f5db
0x0007f5dd
0x0007f5df
0x0007f5df
0x0007f5d6
0x0007f5d6
0x0007f5d6
0x0007f5e8
0x0007f5ee
0x0007f617
0x0007f617
0x0007f61d
0x0007f623
0x0007f629
0x0007f62c
0x0007f631
0x0007f649
0x0007f64f
0x0007f651
0x0007f654
0x0007f657
0x0007f657
0x0007f662
0x0007f66f
0x0007f671
0x0007f677
0x0007f67a
0x0007f67d
0x0007f682
0x0007f687
0x0007f699
0x0007f699
0x0007f69f
0x0007f689
0x0007f68c
0x0007f68e
0x0007f694
0x0007f694
0x0007f68c
0x0007f687
0x0007f682
0x0007f6ae
0x0007f6c6
0x0007f6cc
0x00000000
0x00000000
0x0007f6d2
0x0007f6db
0x0007f6df
0x0007f6e6
0x0007f6e9
0x0007f6ec
0x0007f6f2
0x0007f6fe
0x0007f6ff
0x0007f700
0x0007f701
0x0007f702
0x0007f709
0x00000000
0x00000000
0x0007f70b
0x0007f711
0x0007f713
0x0007f71b
0x0007f722
0x0007f73d
0x0007f73f
0x0007f744
0x0007f747
0x0007f757
0x0007f757
0x0007f76a
0x00000000
0x0007f76a
0x0007f715
0x0007f719
0x00000000
0x00000000
0x00000000
0x0007f6b0
0x0007f6b2
0x0007f6be
0x0007f76f
0x0007f76f
0x0007f775
0x0007f775
0x0007f77e
0x0007f7df
0x0007f7df
0x0007f785
0x0007f785
0x0007f78d
0x0007f79d
0x0007f7ab
0x0007f7b5
0x0007f7b8
0x0007f7c8
0x0007f7cb
0x0007f7d1
0x0007f7d1
0x0007f7d3
0x0007f7d3
0x0007f7e7
0x0007f7f1
0x0007f801
0x0007f80a
0x0007f82e
0x0007f832
0x0007f835
0x0007f835
0x0007f837
0x0007f83a
0x0007f80c
0x0007f816
0x0007f81b
0x0007f81e
0x0007f81e
0x0007f83d
0x0007f843
0x0007f844
0x0007f845
0x0007f846
0x0007f847
0x0007f847
0x0007f84f
0x0007f85f
0x0007f85f
0x00000000
0x0007f851
0x0007f851
0x0007f85d
0x0007f869
0x0007f869
0x0007f86f
0x0007f871
0x0007f88d
0x0007f88f
0x0007f893
0x0007f899
0x0007f89b
0x0007f9aa
0x0007f9ae
0x0007f9b1
0x0007f9b4
0x0007f9b7
0x0007f9ba
0x0007f9c0
0x0007f9c6
0x0007f9cb
0x0007f9d7
0x0007f9e4
0x0007f9e8
0x0007f9ee
0x0007f9f4
0x0007f9fc
0x0007fa17
0x0007fa23
0x0007fa23
0x0007fa2f
0x0007fa45
0x0007fa46
0x0007fa47
0x0007fa48
0x0007fa49
0x0007fa4e
0x0007fa5a
0x0007fa69
0x0007fa6f
0x0007fa79
0x0007fa8c
0x0007fa93
0x0007fa96
0x0007fa98
0x0007fa98
0x0007fa98
0x0007fa7b
0x0007fa82
0x0007fa85
0x0007fa87
0x0007fa87
0x0007fa85
0x0007fa9b
0x0007fa9b
0x0007fa4e
0x0007fa2f
0x0007f9fc
0x0007f9e8
0x0007faa1
0x0007faa9
0x0007fabb
0x0007fac1
0x00000000
0x0007fad9
0x0007fad9
0x0007fadc
0x00000000
0x0007fadc
0x0007faab
0x0007fab1
0x0007fab9
0x0007fade
0x0007fae0
0x0007fae5
0x0007faed
0x0007fb8a
0x0007fb90
0x0007fb92
0x0007fc00
0x0007fc00
0x0007fc03
0x0007fc09
0x0007fc11
0x0007fc17
0x0007fc23
0x0007fc23
0x0007fc19
0x0007fc19
0x0007fc19
0x0007fc0b
0x0007fc0b
0x0007fc0b
0x0007fc24
0x0007fc2a
0x0007fc30
0x0007fc38
0x0007fc4a
0x0007fc4d
0x0007fc53
0x0007fc61
0x0007fc67
0x0007fc85
0x0007fc85
0x0007fc8b
0x0007fc94
0x0007fecb
0x0007fecb
0x0007fecd
0x0007fed0
0x0007fed6
0x0007fede
0x0007ff77
0x0007fef8
0x0007fef8
0x0007ff01
0x0007ff04
0x0007ff11
0x0007ff17
0x0007ff20
0x0007ff26
0x0007ff39
0x0007ff45
0x0007ff51
0x0007ff6a
0x0007ff6a
0x0007ff65
0x0007ff67
0x0007ff67
0x0007ff6c
0x0007ff6c
0x0007ff83
0x0007ff8a
0x0007ff8c
0x0007ff8f
0x0007ff91
0x0007ff99
0x0007ff9b
0x0007ffa0
0x0007ffa6
0x0007ffa6
0x0007ffac
0x0007ffac
0x0007ff8a
0x0007ffb8
0x0007ffda
0x0007ffec
0x0007fff6
0x0007fff6
0x0007ffec
0x00080000
0x00080006
0x0008000c
0x00080013
0x00080018
0x00080028
0x0008002a
0x00080030
0x00080033
0x00080033
0x0008003b
0x00080055
0x00080059
0x0008005a
0x0008005d
0x00080062
0x00080068
0x00080068
0x0008006a
0x0008003d
0x0008003d
0x0008003f
0x00080040
0x00080043
0x00080045
0x00080045
0x0008006b
0x0008006e
0x00080073
0x00080079
0x00080083
0x00080083
0x00080079
0x0008008f
0x00080095
0x0008009b
0x000800a1
0x000800a9
0x000800be
0x000800c8
0x000800d2
0x000800d8
0x000800db
0x000800de
0x000800e1
0x000800e4
0x000800e7
0x000800ea
0x000800ed
0x000800f0
0x000800fc
0x0008010d
0x0008010d
0x000800fe
0x00080107
0x00080107
0x0008010e
0x00080114
0x0008011e
0x00080128
0x0008012e
0x00080131
0x00080134
0x00080155
0x00080166
0x0008016f
0x0008016f
0x00080175
0x00080186
0x00080187
0x00080190
0x00080193
0x00080198
0x0008019e
0x000801a1
0x000801bc
0x000801cd
0x000801d6
0x000801d6
0x000801dc
0x000801e2
0x000801e8
0x000801e8
0x000800a9
0x0008009b
0x000801f0
0x00080214
0x00080214
0x00000000
0x000801f0
0x0007fcad
0x0007fcb3
0x0007fcb5
0x0007fcbe
0x0007fcc5
0x0007fcce
0x0007fcd1
0x0007fcd6
0x0007fce2
0x0007fce3
0x0007fce4
0x0007fce5
0x0007fce6
0x0007fce9
0x0007fce9
0x0007fcf5
0x0007fcfd
0x0007fd03
0x0007fd06
0x0007fd09
0x0007fd0c
0x0007fd0f
0x0007fd15
0x0007fd1d
0x0007fe4c
0x0007fe4c
0x0007fe52
0x0007fe62
0x0007fe6a
0x0007fe6f
0x0007fe71
0x0007fe7b
0x0007fe8a
0x0007fe8a
0x0007fe8a
0x0007fe8a
0x0007fe54
0x0007fe5a
0x0007fe5a
0x00000000
0x0007fd23
0x0007fd23
0x0007fd2c
0x00000000
0x0007fd3b
0x0007fd3e
0x0007fd4e
0x0007fd51
0x0007fd5c
0x0007fd72
0x0007fd78
0x0007fd7e
0x0007fd86
0x0007fe1d
0x0007fe23
0x0007fe29
0x0007fe42
0x0007fe42
0x0007fe44
0x0007fe44
0x0007fe90
0x0007fe90
0x0007fe99
0x0007fe9b
0x0007fea1
0x0007fea1
0x0007fea7
0x0007feb3
0x0007feba
0x0007febd
0x0007fec3
0x0007fec3
0x00000000
0x0007feb3
0x0007fe33
0x0007fe39
0x0007fe3b
0x00000000
0x00000000
0x0007fe3d
0x0007fe3f
0x00000000
0x0007fe3f
0x0007fd8f
0x0007fd91
0x0007fd98
0x0007fd9c
0x0007fdaf
0x0007fdb5
0x0007fdbf
0x0007fdc2
0x0007fdc8
0x0007fdca
0x0007fdd3
0x0007fde0
0x0007fde8
0x0007fdea
0x0007fdef
0x0007fdf2
0x0007fdf4
0x0007fdf7
0x0007fe03
0x0007fe04
0x0007fe05
0x0007fe06
0x0007fe07
0x0007fe0a
0x0007fe0a
0x0007fe0a
0x0007fd9e
0x0007fd9e
0x0007fda4
0x0007fda4
0x0007fe0f
0x0007fe15
0x00000000
0x0007fe15
0x0007fd2c
0x0007fd1d
0x0007fc6a
0x0007fc72
0x0007fc7f
0x0007fc7f
0x00000000
0x0007fc7f
0x0007fc77
0x00000000
0x00000000
0x0007fc79
0x00000000
0x0007fc79
0x0007fc55
0x0007fc5b
0x0007fc5b
0x00000000
0x0007fc5b
0x0007fc40
0x00000000
0x00000000
0x0007fc42
0x00000000
0x0007fc42
0x0007fb96
0x0007fb9c
0x0007fb9e
0x00000000
0x00000000
0x0007fbb2
0x0007fbb3
0x0007fbb4
0x0007fbb9
0x0007fbba
0x0007fbbf
0x0007fbc6
0x0007fbc9
0x0007fbd5
0x0007fbd5
0x0007fbcb
0x0007fbce
0x0007fbce
0x0007fbd8
0x0007fbe0
0x0007fbe3
0x0007fbea
0x0007fbea
0x0007fbeb
0x0007fbeb
0x0007fbf1
0x0007fbfb
0x0007fbfb
0x00000000
0x0007fbfb
0x0007fafa
0x0007fafd
0x0007fb00
0x0007fb03
0x0007fb06
0x0007fb12
0x0007fb1e
0x0007fb1e
0x0007fb14
0x0007fb17
0x0007fb17
0x0007fb20
0x0007fb26
0x0007fb2e
0x0007fb4b
0x0007fb4c
0x0007fb4d
0x0007fb52
0x0007fb53
0x0007fb5f
0x0007fb6c
0x0007fb6c
0x0007fb61
0x0007fb64
0x0007fb64
0x0007fb6f
0x0007fb6f
0x0007fb7d
0x0007fb82
0x00000000
0x0007fb82
0x00000000
0x0007fab9
0x0007faa9
0x0007f8ab
0x0007f8ad
0x00000000
0x00000000
0x0007f8bb
0x0007f8c2
0x0007f8c3
0x0007f8c3
0x0007f8c5
0x0007f99a
0x0007f9a3
0x0007f9a3
0x0007f9a4
0x00000000
0x0007f9a4
0x0007f8cb
0x0007f8cb
0x0007f8cc
0x0007f943
0x0007f949
0x0007f94c
0x0007f952
0x0007f95e
0x0007f95e
0x0007f954
0x0007f957
0x0007f957
0x0007f960
0x0007f976
0x0007f97c
0x00000000
0x0007f97c
0x0007f8ce
0x0007f8cf
0x00000000
0x00000000
0x0007f8eb
0x0007f8f1
0x0007f8f7
0x0007f901
0x0007f907
0x0007f91f
0x0007f922
0x0007f925
0x0007f92b
0x0007f92d
0x00000000
0x00000000
0x0007f92f
0x0007f92f
0x0007f935
0x00000000
0x0007f935
0x0007f909
0x0007f90c
0x0007f90f
0x0007f915
0x0007f917
0x00000000
0x00000000
0x00000000
0x0007f91d
0x0007f873
0x0007f879
0x00000000
0x0007f879
0x00000000
0x0007f85d
0x0007f84f
0x0007f5f0
0x0007f5f0
0x0007f5f6
0x0007f5f9
0x0007f5fd
0x0007f5ff
0x0007f5ff
0x0007f604
0x0007f60b
0x0007f60d
0x0007f60f
0x0007f60f
0x0007f606
0x0007f606
0x0007f606
0x0007f611
0x00000000
0x0007f611
0x0007f5ee
0x00000000
0x0007f4d2
0x0007f4b4

APIs

IsWindow.USER32(?), ref: 0007F47F
IsWindow.USER32(?), ref: 0007F494
MonitorFromPoint.USER32(?,?,00000002), ref: 0007F505
GetMonitorInfoW.USER32(00000000), ref: 0007F50C
CopyRect.USER32(?,?), ref: 0007F51E
SystemParametersInfoW.USER32 ref: 0007F52E
GetSystemMetrics.USER32 ref: 0007F6B2
GetSystemMetrics.USER32 ref: 0007F6B8
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0007F73D
SendMessageW.USER32(?,00000418,00000000,FFFFFFFF), ref: 0007F757
SetRectEmpty.USER32 ref: 0007F9BA
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 0007FA23
GetWindowRect.USER32(?,?), ref: 0007FB06
ClientToScreen.USER32(?,?), ref: 0007FD51
ClientToScreen.USER32(?,?), ref: 0007FD78
ClientToScreen.USER32(?,?), ref: 0007FF11
ClientToScreen.USER32(?,?), ref: 0007FF39
GetSystemMetrics.USER32 ref: 0007FFD4
IsRectEmpty.USER32 ref: 0007FFE4
GetSystemMetrics.USER32 ref: 0007FFF0
GetWindowRect.USER32(?,?), ref: 000800F0
IntersectRect.USER32(?,?,-00000054), ref: 00080151
InvalidateRect.USER32(?,-00000054,00000001), ref: 00080166
UpdateWindow.USER32 ref: 0008016F
IntersectRect.USER32(?,?,-00000054), ref: 000801B8
InvalidateRect.USER32(?,-00000054,00000001), ref: 000801CD
UpdateWindow.USER32 ref: 000801D6
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00080214

Strings

(, xrefs: 0007F4FB

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Window$System$ClientMetricsScreen$EmptyInfoIntersectInvalidateMessageMonitorRedrawSendUpdate$CopyFromParametersPoint
String ID: (
API String ID: 840757265-3887548279
Opcode ID: 10ca32b89cc5417f8bb950736e8d45b46520d45b72693de1e7dbb82e037a8ec8
Instruction ID: 7533f2c84ac3f5e5d945fabfa3b1c4dce69e128a164f0785ab4fec90b3c5ba7b
Opcode Fuzzy Hash: 10ca32b89cc5417f8bb950736e8d45b46520d45b72693de1e7dbb82e037a8ec8
Instruction Fuzzy Hash: BFA2F871E0021A9FCB55CF68C984AEDB7F1BF48300F1881BAE84DAB256DB749985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0005B2E0 Relevance: 27.2, APIs: 18, Instructions: 171
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0005B2E0() {
				void* _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				short _v36;
				struct _SID_IDENTIFIER_AUTHORITY _v40;
				struct _GENERIC_MAPPING _v56;
				struct _PRIVILEGE_SET _v76;
				void* _v80;
				void* _v84;
				int _v88;
				void* _v92;
				struct _SECURITY_DESCRIPTOR* _v96;
				struct _ACL* _v100;
				long _v104;
				long _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t44;
				signed int _t45;
				int _t70;
				struct _ACL* _t75;
				void* _t76;
				long _t89;
				void* _t90;
				long _t91;
				struct _SECURITY_DESCRIPTOR* _t93;
				void* _t94;
				signed int _t95;

				_push(0xfffffffe);
				_push(0x1b7200);
				_push(E00151C20);
				_push( *[fs:0x0]);
				_t44 =  *0x1c0454; // 0x885926af
				_v12 = _v12 ^ _t44;
				_t45 = _t44 ^ _t95;
				_v32 = _t45;
				_push(_t45);
				 *[fs:0x0] =  &_v20;
				_t89 = 0;
				_v88 = 0;
				_v104 = 0x14;
				_t75 = 0;
				_v100 = 0;
				_v80 = 0;
				_v84 = 0;
				_v92 = 0;
				_t93 = 0;
				_v96 = 0;
				_v40.Value = 0;
				_v36 = 0x500;
				_v8 = 0;
				if(OpenThreadToken(GetCurrentThread(), 0xa, 1,  &_v84) != 0 || GetLastError() == 0x3f0 && OpenProcessToken(GetCurrentProcess(), 0xa,  &_v84) != 0) {
					_t86 =  &_v92;
					if(DuplicateToken(_v84, 2,  &_v92) == 0) {
						goto L15;
					}
					_t86 =  &_v40;
					if(AllocateAndInitializeSid( &_v40, 2, 0x20, 0x220, _t89, _t89, _t89, _t89, _t89, _t89,  &_v80) == 0) {
						goto L15;
					}
					_t93 = LocalAlloc(0x40, 0x14);
					_v96 = _t93;
					if(_t93 != _t89 && InitializeSecurityDescriptor(_t93, 1) != 0) {
						_t23 = GetLengthSid(_v80) + 0x10; // 0x10
						_t91 = _t23;
						_t75 = LocalAlloc(0x40, _t91);
						_v100 = _t75;
						if(_t75 != 0 && InitializeAcl(_t75, _t91, 2) != 0 && AddAccessAllowedAce(_t75, 2, 3, _v80) != 0 && SetSecurityDescriptorDacl(_t93, 1, _t75, 0) != 0) {
							_t86 = _v80;
							SetSecurityDescriptorGroup(_t93, _v80, 0);
							SetSecurityDescriptorOwner(_t93, _v80, 0);
							if(IsValidSecurityDescriptor(_t93) != 0) {
								_v56.GenericRead = 1;
								_v56.GenericWrite = 2;
								_v56.GenericExecute = 0;
								_v56.GenericAll = 3;
								_t86 =  &_v56;
								_t70 = AccessCheck(_t93, _v92, 1,  &_v56,  &_v76,  &_v104,  &_v108,  &_v88);
								if(_t70 == 0) {
									_v88 = _t70;
								}
							}
						}
						_t89 = 0;
					}
					goto L15;
				} else {
					L15:
					_v8 = 0xfffffffe;
					E0005B4DE(_t75, _t89, _t93);
					 *[fs:0x0] = _v20;
					_pop(_t90);
					_pop(_t94);
					_pop(_t76);
					return E00150836(_v88, _t76, _v32 ^ _t95, _t86, _t90, _t94);
				}
			}

0x0005b2e3
0x0005b2e5
0x0005b2ea
0x0005b2f5
0x0005b2f9
0x0005b2fe
0x0005b301
0x0005b303
0x0005b309
0x0005b30d
0x0005b313
0x0005b315
0x0005b318
0x0005b31f
0x0005b321
0x0005b324
0x0005b327
0x0005b32a
0x0005b32d
0x0005b32f
0x0005b332
0x0005b335
0x0005b33b
0x0005b355
0x0005b383
0x0005b395
0x00000000
0x00000000
0x0005b3ae
0x0005b3ba
0x00000000
0x00000000
0x0005b3ca
0x0005b3cc
0x0005b3d1
0x0005b3f2
0x0005b3f2
0x0005b3fe
0x0005b400
0x0005b405
0x0005b442
0x0005b447
0x0005b454
0x0005b463
0x0005b465
0x0005b46c
0x0005b473
0x0005b47a
0x0005b491
0x0005b49c
0x0005b4a4
0x0005b4a6
0x0005b4a6
0x0005b4a4
0x0005b463
0x0005b4a9
0x0005b4a9
0x00000000
0x0005b4ab
0x0005b4ab
0x0005b4ab
0x0005b4b2
0x0005b4bd
0x0005b4c5
0x0005b4c6
0x0005b4c7
0x0005b4d5
0x0005b4d5

APIs

GetCurrentThread.KERNEL32(0000000A,00000001,?,885926AF), ref: 0005B346
OpenThreadToken.ADVAPI32(00000000), ref: 0005B34D
GetLastError.KERNEL32 ref: 0005B357
GetCurrentProcess.KERNEL32(0000000A,?), ref: 0005B36E
OpenProcessToken.ADVAPI32(00000000), ref: 0005B375
DuplicateToken.ADVAPI32(?,00000002,?), ref: 0005B38D
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0005B3B2
LocalAlloc.KERNEL32(00000040,00000014), ref: 0005B3C4
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0005B3DA
GetLengthSid.ADVAPI32(?), ref: 0005B3EC
LocalAlloc.KERNEL32(00000040,00000010), ref: 0005B3F8
InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 0005B40F
AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,?), ref: 0005B426
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 0005B436
SetSecurityDescriptorGroup.ADVAPI32(00000000,?,00000000), ref: 0005B447
SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 0005B454
IsValidSecurityDescriptor.ADVAPI32(00000000), ref: 0005B45B
AccessCheck.ADVAPI32(00000000,?,00000001,00000001,?,00000014,?,?), ref: 0005B49C

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: DescriptorSecurity$InitializeToken$AccessAllocCurrentLocalOpenProcessThread$AllocateAllowedCheckDaclDuplicateErrorGroupLastLengthOwnerValid
String ID:
API String ID: 1293491508-0
Opcode ID: 47a4f0b656b9c8eba06780af7b6fae9aa62f2a4244203da00dcba702b7959dd4
Instruction ID: c11a294004e3f9fc19454cfc2d9548db40ed09b63d347437714ecdcc62445169
Opcode Fuzzy Hash: 47a4f0b656b9c8eba06780af7b6fae9aa62f2a4244203da00dcba702b7959dd4
Instruction Fuzzy Hash: C8513C71A40308ABEB20CFE5DC49FAFBBB9FB49701F004119F606AA5D1D7B49985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000E9E10 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 340
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 87%

			E000E9E10(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed long long __fp0) {
				void* _t140;
				int _t143;
				intOrPtr _t145;
				struct HDC__* _t146;
				signed int _t148;
				signed int _t151;
				intOrPtr _t152;
				void* _t156;
				intOrPtr _t160;
				struct HDC__* _t161;
				unsigned int _t163;
				signed int _t165;
				intOrPtr _t168;
				signed int _t176;
				int _t177;
				signed int _t180;
				int _t183;
				signed int _t186;
				int _t187;
				signed char _t190;
				signed int _t194;
				signed int _t196;
				signed int _t200;
				signed char _t205;
				signed int _t207;
				signed char _t208;
				void* _t214;
				void* _t219;
				void* _t224;
				int _t231;
				unsigned int _t232;
				int _t235;
				int _t237;
				int _t239;
				signed int _t241;
				signed int _t261;
				signed int _t263;
				signed int _t265;
				signed char _t266;
				intOrPtr _t285;
				int _t289;
				void* _t291;
				signed long long* _t292;
				signed long long _t299;

				_t299 = __fp0;
				_t279 = __edx;
				_push(0x48);
				E00151A19(0x16edeb, __ebx, __edi, __esi);
				_t285 = __ecx;
				 *((intOrPtr*)(_t291 - 0x50)) = __ecx;
				if( *(_t291 + 0x18) == 0x64) {
					L59:
					_t140 = 1;
				} else {
					_t143 =  *((intOrPtr*)(_t291 + 0x14)) -  *(_t291 + 0xc);
					_t231 = 0;
					 *(_t291 - 0x18) = _t143;
					if(_t143 <= 0) {
						goto L59;
					} else {
						_t289 =  *((intOrPtr*)(_t291 + 0x10)) -  *(_t291 + 8);
						 *(_t291 - 0x54) = _t289;
						if(_t289 <= 0) {
							goto L59;
						} else {
							if( *0x1c3b44 > 8) {
								__eflags =  *(_t291 + 0x24) - 0xffffffff;
								if( *(_t291 + 0x24) == 0xffffffff) {
									L8:
									E00065EC1(_t291 - 0x40);
									_t145 =  *((intOrPtr*)(_t285 + 4));
									 *(_t291 - 4) = _t231;
									__eflags = _t145 - _t231;
									if(_t145 != _t231) {
										_t146 =  *(_t145 + 4);
									} else {
										_t146 = 0;
									}
									_t148 = E000664F6(_t231, _t291 - 0x40, _t279, _t285, CreateCompatibleDC(_t146));
									__eflags = _t148;
									if(_t148 != 0) {
										 *(_t291 - 0x20) = _t231;
										 *((intOrPtr*)(_t291 - 0x24)) = 0x179fa0;
										 *(_t291 - 4) = 1;
										_t151 = E000667CA(_t231, _t291 - 0x24, _t279, _t285, CreateCompatibleBitmap( *( *((intOrPtr*)(_t285 + 4)) + 4), _t289,  *(_t291 - 0x18)));
										__eflags = _t151;
										if(_t151 != 0) {
											_t152 = E00066881( *(_t291 - 0x3c),  *(_t291 - 0x20));
											__eflags = _t152 - _t231;
											_t247 = 0 | __eflags != 0x00000000;
											 *((intOrPtr*)(_t291 - 0x4c)) = _t152;
											if(__eflags == 0) {
												E000655E0(_t247);
											}
											 *(_t291 - 0x44) =  *(_t291 - 0x18);
											 *(_t291 - 0x48) = _t289;
											_t156 = E000E9034(_t291 - 0x48, _t291 - 0x10);
											 *(_t291 - 0x44) = _t156;
											__eflags = _t156 - _t231;
											if(_t156 == _t231) {
												goto L14;
											} else {
												__eflags =  *(_t291 - 0x10) - _t231;
												if( *(_t291 - 0x10) == _t231) {
													goto L14;
												} else {
													SelectObject( *(_t291 - 0x3c), _t156);
													_t160 =  *((intOrPtr*)(_t285 + 4));
													__eflags = _t160 - _t231;
													if(_t160 != _t231) {
														_t161 =  *(_t160 + 4);
													} else {
														_t161 = 0;
													}
													BitBlt( *(_t291 - 0x3c), _t231, _t231, _t289,  *(_t291 - 0x18), _t161,  *(_t291 + 8),  *(_t291 + 0xc), 0xcc0020);
													_t163 =  *(_t291 + 0x1c);
													__eflags = _t163 - 0xffffffff;
													if(_t163 != 0xffffffff) {
														_t279 = (_t163 & 0x000000ff) << 8;
														_t253 = (_t163 >> 0x00000008 & 0x000000ff | (_t163 & 0x000000ff) << 0x00000008) << 0x00000008 | _t163 >> 0x00000010 & 0x000000ff;
														__eflags = _t253;
														 *(_t291 + 0x1c) = _t253;
													}
													_t165 =  *(_t291 - 0x18) * _t289;
													__eflags = _t165 - _t231;
													if(_t165 > _t231) {
														 *(_t291 - 0x2c) = _t165;
														do {
															__eflags =  *(_t291 + 0x20);
															_t232 =  *( *(_t291 - 0x10));
															if( *(_t291 + 0x20) <= 0) {
																_t232 -  *(_t291 + 0x1c) = _t232 !=  *(_t291 + 0x1c);
																if(_t232 !=  *(_t291 + 0x1c)) {
																	goto L32;
																}
															} else {
																_t214 = E00155F20(_t279, (_t232 & 0x000000ff) - ( *(_t291 + 0x1c) & 0x000000ff));
																_pop(_t253);
																__eflags = _t214 -  *(_t291 + 0x20);
																if(_t214 >=  *(_t291 + 0x20)) {
																	L32:
																	__eflags =  *(_t291 + 0x18) - 0xffffffff;
																	if( *(_t291 + 0x18) != 0xffffffff) {
																		__eflags =  *(_t291 + 0x24) - 0xffffffff;
																		if( *(_t291 + 0x24) != 0xffffffff) {
																			_t176 = _t232 & 0x000000ff;
																			 *(_t291 - 0x28) = _t232 >> 0x00000008 & 0x000000ff;
																			 *(_t291 - 0x14) = _t232 >> 0x00000010 & 0x000000ff;
																			_t235 = ( *(_t291 + 0x24) >> 0x00000010 & 0x000000ff) - _t176;
																			 *(_t291 - 0x1c) = _t176;
																			_t177 = MulDiv(_t235,  *(_t291 + 0x18), 0x64);
																			__eflags = _t177 +  *(_t291 - 0x1c) - 0xff;
																			if(_t177 +  *(_t291 - 0x1c) <= 0xff) {
																				_t180 = MulDiv(_t235,  *(_t291 + 0x18), 0x64) +  *(_t291 - 0x1c);
																				__eflags = _t180;
																				 *(_t291 - 0x30) = _t180;
																			} else {
																				 *(_t291 - 0x30) = 0xff;
																			}
																			_t237 = ( *(_t291 + 0x24) >> 0x00000008 & 0x000000ff) -  *(_t291 - 0x28);
																			_t183 = MulDiv(_t237,  *(_t291 + 0x18), 0x64);
																			__eflags = _t183 +  *(_t291 - 0x28) - 0xff;
																			if(_t183 +  *(_t291 - 0x28) <= 0xff) {
																				_t186 = MulDiv(_t237,  *(_t291 + 0x18), 0x64) +  *(_t291 - 0x28);
																				__eflags = _t186;
																				 *(_t291 - 0x1c) = _t186;
																			} else {
																				 *(_t291 - 0x1c) = 0xff;
																			}
																			_t239 = ( *(_t291 + 0x24) & 0x000000ff) -  *(_t291 - 0x14);
																			_t187 = MulDiv(_t239,  *(_t291 + 0x18), 0x64);
																			__eflags = _t187 +  *(_t291 - 0x14) - 0xff;
																			if(_t187 +  *(_t291 - 0x14) <= 0xff) {
																				_t190 = MulDiv(_t239,  *(_t291 + 0x18), 0x64) +  *(_t291 - 0x14);
																				__eflags = _t190;
																			} else {
																				_t190 = 0xff;
																			}
																			_t194 = (_t190 & 0x000000ff | 0xffffff00) << 0x00000008 |  *(_t291 - 0x1c) & 0x000000ff;
																			__eflags = _t194;
																			_t261 =  *(_t291 - 0x30) & 0x000000ff;
																			goto L52;
																		} else {
																			asm("fild dword [ebp+0x18]");
																			_t292 = _t292 - 0x18;
																			_t299 = _t299 *  *0x184450;
																			asm("fst qword [esp+0x10]");
																			asm("fst qword [esp+0x8]");
																			 *_t292 = _t299;
																			_push(_t232);
																			_t196 = E000E91C4(_t253) | 0xff000000;
																		}
																	} else {
																		asm("cdq");
																		_t263 = 3;
																		_t200 = (( *0x1c39b6 & 0x000000ff) + (_t232 & 0x000000ff) * 2) / _t263;
																		 *(_t291 - 0x14) = 0xff;
																		__eflags = _t200 - 0xff;
																		if(_t200 <= 0xff) {
																			 *(_t291 - 0x14) = _t200;
																		}
																		asm("cdq");
																		_t265 = 3;
																		_t205 = (( *0x1c39b5 & 0x000000ff) + (_t232 >> 0x00000008 & 0x000000ff) * 2) / _t265;
																		_t266 = 0xff;
																		__eflags = _t205 - 0xff;
																		if(_t205 <= 0xff) {
																			_t266 = _t205;
																		}
																		_t207 = ( *0x1c39b4 & 0x000000ff) + (_t232 >> 0x00000010 & 0x000000ff) * 2;
																		asm("cdq");
																		_t241 = 3;
																		_t208 = _t207 / _t241;
																		_t279 = _t207 % _t241;
																		__eflags = _t208 - 0xff;
																		if(_t208 > 0xff) {
																			_t208 = 0xff;
																		}
																		_t194 = (_t208 & 0x000000ff | 0xffffff00) << 0x00000008 | _t266 & 0x000000ff;
																		_t261 =  *(_t291 - 0x14) & 0x000000ff;
																		L52:
																		_t196 = _t194 << 0x00000008 | _t261;
																		__eflags = _t196;
																	}
																	_t253 =  *(_t291 - 0x10);
																	 *( *(_t291 - 0x10)) = _t196;
																} else {
																	_t219 = E00155F20(_t279, (_t232 >> 0x00000008 & 0x000000ff) - ( *(_t291 + 0x1c) >> 0x00000008 & 0x000000ff));
																	_pop(_t253);
																	__eflags = _t219 -  *(_t291 + 0x20);
																	if(_t219 >=  *(_t291 + 0x20)) {
																		goto L32;
																	} else {
																		_t224 = E00155F20(_t279, (_t232 >> 0x00000010 & 0x000000ff) - ( *(_t291 + 0x1c) >> 0x00000010 & 0x000000ff));
																		_pop(_t253);
																		__eflags = _t224 -  *(_t291 + 0x20);
																		if(_t224 >=  *(_t291 + 0x20)) {
																			goto L32;
																		}
																	}
																}
															}
															 *(_t291 - 0x10) =  &(( *(_t291 - 0x10))[1]);
															_t117 = _t291 - 0x2c;
															 *_t117 =  *(_t291 - 0x2c) - 1;
															__eflags =  *_t117;
														} while ( *_t117 != 0);
														_t285 =  *((intOrPtr*)(_t291 - 0x50));
														_t289 =  *(_t291 - 0x54);
														_t231 = 0;
														__eflags = 0;
													}
													BitBlt( *( *((intOrPtr*)(_t285 + 4)) + 4),  *(_t291 + 8),  *(_t291 + 0xc), _t289,  *(_t291 - 0x18),  *(_t291 - 0x3c), _t231, _t231, 0xcc0020);
													_t168 =  *((intOrPtr*)(_t291 - 0x4c));
													__eflags = _t168 - _t231;
													if(_t168 != _t231) {
														_t231 =  *(_t168 + 4);
													}
													E00066881( *(_t291 - 0x3c), _t231);
													DeleteObject( *(_t291 - 0x44));
													 *(_t291 - 4) = 0;
													 *((intOrPtr*)(_t291 - 0x24)) = 0x179fa0;
													E00051420(_t291 - 0x24, _t279);
													_t134 = _t291 - 4;
													 *_t134 =  *(_t291 - 4) | 0xffffffff;
													__eflags =  *_t134;
													E00066577(_t291 - 0x40);
													goto L59;
												}
											}
										} else {
											L14:
											 *(_t291 - 4) = 0;
											 *((intOrPtr*)(_t291 - 0x24)) = 0x179fa0;
											E00051420(_t291 - 0x24, _t279);
											goto L12;
										}
									} else {
										L12:
										 *(_t291 - 4) =  *(_t291 - 4) | 0xffffffff;
										E00066577(_t291 - 0x40);
										goto L7;
									}
								} else {
									__eflags =  *(_t291 + 0x18) - 0x64;
									if( *(_t291 + 0x18) <= 0x64) {
										goto L8;
									} else {
										L7:
										_t140 = 0;
									}
								}
							} else {
								E000B755D( *((intOrPtr*)(__ecx + 4)), _t291 + 8);
								goto L59;
							}
						}
					}
				}
				return E00151AF1(_t140);
			}

0x000e9e10
0x000e9e10
0x000e9e10
0x000e9e17
0x000e9e20
0x000e9e22
0x000e9e25
0x000ea1ee
0x000ea1f0
0x000e9e2b
0x000e9e2e
0x000e9e31
0x000e9e33
0x000e9e38
0x00000000
0x000e9e3e
0x000e9e41
0x000e9e44
0x000e9e49
0x00000000
0x000e9e4f
0x000e9e56
0x000e9e69
0x000e9e6d
0x000e9e7c
0x000e9e7f
0x000e9e84
0x000e9e87
0x000e9e8a
0x000e9e8c
0x000e9e92
0x000e9e8e
0x000e9e8e
0x000e9e8e
0x000e9ea0
0x000e9ea5
0x000e9ea7
0x000e9eb7
0x000e9eba
0x000e9ecb
0x000e9ed9
0x000e9ede
0x000e9ee0
0x000e9efd
0x000e9f04
0x000e9f06
0x000e9f09
0x000e9f0e
0x000e9f10
0x000e9f10
0x000e9f18
0x000e9f23
0x000e9f26
0x000e9f2b
0x000e9f2e
0x000e9f30
0x00000000
0x000e9f32
0x000e9f32
0x000e9f35
0x00000000
0x000e9f37
0x000e9f3b
0x000e9f41
0x000e9f44
0x000e9f46
0x000e9f4c
0x000e9f48
0x000e9f48
0x000e9f48
0x000e9f64
0x000e9f6a
0x000e9f6d
0x000e9f70
0x000e9f7d
0x000e9f8b
0x000e9f8b
0x000e9f8d
0x000e9f8d
0x000e9f93
0x000e9f96
0x000e9f98
0x000e9fa4
0x000e9fac
0x000e9fac
0x000e9fb3
0x000e9fb5
0x000ea018
0x000ea01a
0x00000000
0x00000000
0x000e9fb7
0x000e9fc1
0x000e9fc6
0x000e9fc7
0x000e9fca
0x000ea020
0x000ea020
0x000ea024
0x000ea098
0x000ea09c
0x000ea0cd
0x000ea0d0
0x000ea0d9
0x000ea0ea
0x000ea0ed
0x000ea0f0
0x000ea0f5
0x000ea0f7
0x000ea106
0x000ea106
0x000ea109
0x000ea0f9
0x000ea0f9
0x000ea0f9
0x000ea115
0x000ea11e
0x000ea123
0x000ea125
0x000ea134
0x000ea134
0x000ea137
0x000ea127
0x000ea127
0x000ea127
0x000ea13e
0x000ea147
0x000ea14c
0x000ea14e
0x000ea15c
0x000ea15c
0x000ea150
0x000ea150
0x000ea150
0x000ea16e
0x000ea16e
0x000ea170
0x00000000
0x000ea09e
0x000ea09e
0x000ea0a1
0x000ea0a4
0x000ea0aa
0x000ea0ae
0x000ea0b2
0x000ea0b5
0x000ea0bb
0x000ea0bb
0x000ea026
0x000ea035
0x000ea036
0x000ea037
0x000ea039
0x000ea03c
0x000ea03e
0x000ea040
0x000ea040
0x000ea057
0x000ea058
0x000ea059
0x000ea05b
0x000ea05d
0x000ea05f
0x000ea061
0x000ea061
0x000ea070
0x000ea075
0x000ea076
0x000ea077
0x000ea077
0x000ea079
0x000ea07b
0x000ea07d
0x000ea07d
0x000ea08d
0x000ea08f
0x000ea174
0x000ea177
0x000ea177
0x000ea177
0x000ea179
0x000ea17c
0x000e9fcc
0x000e9fe0
0x000e9fe5
0x000e9fe6
0x000e9fe9
0x00000000
0x000e9feb
0x000e9fff
0x000ea004
0x000ea005
0x000ea008
0x00000000
0x000ea00e
0x000ea008
0x000e9fe9
0x000e9fca
0x000ea17e
0x000ea182
0x000ea182
0x000ea182
0x000ea182
0x000ea18b
0x000ea18e
0x000ea191
0x000ea191
0x000ea191
0x000ea1ad
0x000ea1b3
0x000ea1b6
0x000ea1b8
0x000ea1ba
0x000ea1ba
0x000ea1c1
0x000ea1c9
0x000ea1d2
0x000ea1d6
0x000ea1dd
0x000ea1e2
0x000ea1e2
0x000ea1e2
0x000ea1e9
0x00000000
0x000ea1e9
0x000e9f35
0x000e9ee2
0x000e9ee2
0x000e9ee5
0x000e9ee9
0x000e9ef0
0x00000000
0x000e9ef0
0x000e9ea9
0x000e9ea9
0x000e9ea9
0x000e9eb0
0x00000000
0x000e9eb0
0x000e9e6f
0x000e9e6f
0x000e9e73
0x00000000
0x000e9e75
0x000e9e75
0x000e9e75
0x000e9e75
0x000e9e73
0x000e9e58
0x000e9e5f
0x00000000
0x000e9e5f
0x000e9e56
0x000e9e49
0x000e9e38
0x000ea1f6

APIs

__EH_prolog3.LIBCMT ref: 000E9E17

Part of subcall function 000B755D: FillRect.USER32 ref: 000B7571

Strings

d, xrefs: 000E9E6F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: FillH_prolog3Rect
String ID: d
API String ID: 1863035756-2564639436
Opcode ID: 9845aed9fb626a97bf6b12bc3f559d6765dced0f08045f8f503b48162324e2e8
Instruction ID: fc6e2e1880989c479c245d0944e740e062526d063cfa0828c8535d51c528dc91
Opcode Fuzzy Hash: 9845aed9fb626a97bf6b12bc3f559d6765dced0f08045f8f503b48162324e2e8
Instruction Fuzzy Hash: 78C1B971A002599FCF14DFA9CC819EEBBF5EF09300F10416AF921F6291C735AA55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00079FFD Relevance: 21.3, APIs: 14, Instructions: 262
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00079FFD(signed int __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HWND__* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t104;
				int _t107;
				signed int _t108;
				signed int _t109;
				void* _t114;
				signed int _t115;
				signed int _t121;
				signed int _t123;
				int _t124;
				int _t125;
				signed int _t129;
				signed int _t134;
				signed int _t137;
				void* _t141;
				signed char _t143;
				intOrPtr _t148;
				signed int _t153;
				void* _t160;
				signed int _t165;
				signed int _t172;
				signed int _t174;
				signed int _t175;
				signed int _t182;
				signed int _t192;
				signed int _t194;
				signed int _t195;
				signed int _t198;
				signed int _t199;
				void* _t202;
				intOrPtr _t203;

				_t191 = __edx;
				_t166 = __ecx;
				_t165 = __ecx;
				_t203 =  *0x1c3f04; // 0x0
				if(_t203 == 0 ||  *((intOrPtr*)(__ecx + 0xb04)) != 0) {
					__eflags =  *(_t165 + 0x164);
					if( *(_t165 + 0x164) != 0) {
						goto L10;
					}
					_t199 = _t198 | 0xffffffff;
					__eflags =  *(_t165 + 0xb78) - _t199;
					if( *(_t165 + 0xb78) != _t199) {
						ReleaseCapture();
						_t104 =  *(_t165 + 0xc90);
						__eflags = _t104;
						if(__eflags != 0) {
							E0005F82E(_t165, _t166, _t191, SetCapture( *(_t104 + 0x20)));
							_t34 = _t165 + 0xc90;
							 *_t34 =  *(_t165 + 0xc90) & 0x00000000;
							__eflags =  *_t34;
						}
						 *(_t165 + 0xb7c) =  *((intOrPtr*)( *_t165 + 0x390))(_a8, _a12);
						_t107 = E00074F8E(_t165, __eflags,  *(_t165 + 0xb78));
						_t199 = _t107;
						__eflags = _t199;
						if(_t199 == 0) {
							L47:
							return _t107;
						} else {
							_t108 = E0006EA07(_t199, 0x187b60);
							_a4 = _a4 & 0x00000000;
							_v16 = _t108;
							_t109 =  *(_t165 + 0xb78);
							_t194 =  *(_t199 + 0x24) & 0xfffdffff;
							_v12 = _t194;
							__eflags = _t109 -  *(_t165 + 0xb7c);
							if(_t109 ==  *(_t165 + 0xb7c)) {
								_v8 = _t109;
								_t141 =  *((intOrPtr*)( *_t165 + 0x390))(_a8, _a12);
								__eflags = _t141 - _v8;
								if(_t141 == _v8) {
									E000750EE(_t165, _t194, _v8);
									_t143 =  *(_t199 + 0x24);
									__eflags = _t143 & 0x00040000;
									if((_t143 & 0x00040000) == 0) {
										_a4 =  *((intOrPtr*)(_t199 + 0x20));
										__eflags = _t143 & 0x00000002;
										if((_t143 & 0x00000002) != 0) {
											__eflags = _t194 & 0x00100000;
											if((_t194 & 0x00100000) != 0) {
												_t194 = _t194 & 0xffefffff;
												__eflags = _t194;
											}
											_t195 = _t194 ^ 0x00010000;
											__eflags = _t195;
											_v12 = _t195;
										}
									}
								}
							}
							__eflags =  *0x1c3f28;
							if( *0x1c3f28 == 0) {
								SendMessageW( *(E00061441(_t165) + 0x20), 0x362, 0xe001, 0);
							}
							_t192 =  *(_t165 + 0xb78);
							 *(_t165 + 0xb78) =  *(_t165 + 0xb78) | 0xffffffff;
							 *(_t165 + 0xb7c) =  *(_t165 + 0xb7c) | 0xffffffff;
							_v8 =  *(_t165 + 0x20);
							 *((intOrPtr*)( *_t165 + 0x364))();
							_t114 =  *((intOrPtr*)( *_t165 + 0x390))(_a8, _a12);
							__eflags = _t114 - _t192;
							if(_t114 != _t192) {
								L35:
								_t115 = IsWindow(_v8);
								__eflags = _t115;
								if(_t115 != 0) {
									_t124 = IsIconic(_v8);
									__eflags = _t124;
									if(_t124 == 0) {
										_t125 = IsZoomed(_v8);
										__eflags = _t125;
										if(_t125 != 0) {
											 *((intOrPtr*)( *_t199 + 0x24))();
										}
									}
								}
								goto L39;
							} else {
								_t129 =  *((intOrPtr*)( *_t165 + 0x3e4))(_t199);
								__eflags = _t129;
								if(_t129 != 0) {
									goto L35;
								}
								__eflags = _a4 - _t129;
								if(_a4 == _t129) {
									goto L35;
								}
								__eflags = _a4 - 0xffffffff;
								if(_a4 == 0xffffffff) {
									goto L35;
								}
								E00076CF9(_t165, _t191, _t192);
								UpdateWindow( *(_t165 + 0x20));
								E000C54D9(0x1c40ec, _t191, _a4);
								_t134 =  *((intOrPtr*)( *_t199 + 0x24))();
								__eflags = _t134;
								if(_t134 != 0) {
									L39:
									_t107 = IsWindow(_v8);
									__eflags = _t107;
									if(_t107 == 0) {
										goto L47;
									}
									__eflags = _t192 -  *((intOrPtr*)(_t165 + 0xbd4));
									if(_t192 >=  *((intOrPtr*)(_t165 + 0xbd4))) {
										goto L47;
									}
									__eflags = _v16;
									_t172 = _t165;
									if(__eflags == 0) {
										 *((intOrPtr*)( *_t165 + 0x374))(_t192, _v12);
									} else {
										_t123 = E00074F8E(_t172, __eflags, _t192);
										__eflags = _t123;
										if(_t123 != 0) {
											 *(_t123 + 0x24) =  *(_t123 + 0x24) & 0xfffdffff;
										}
									}
									E000750EE(_t165, _t192, _t192);
									_t174 = _t165;
									E00076CF9(_t174, _t191, _t192);
									UpdateWindow( *(_t165 + 0x20));
									_t175 = _t174 | 0xffffffff;
									__eflags = _t175;
									_t121 = _t175;
									L46:
									_push(_a12);
									 *(_t165 + 0xc8c) = _t175;
									_push(_a8);
									_push(0);
									 *(_t165 + 0xc88) = _t121;
									return E00079BD2(_t165, _t165, _t191, _t192, _t199, __eflags);
								}
								_t182 =  *0x1c4948; // 0x0
								__eflags = _t182;
								if(_t182 == 0) {
									L34:
									SendMessageW( *(E00061441(_t165) + 0x20), 0x111, _a4, 0);
									goto L39;
								}
								_t137 = E000872F7(_t182, _a4);
								__eflags = _t137;
								if(_t137 != 0) {
									goto L39;
								}
								goto L34;
							}
						}
					}
					_t107 =  *((intOrPtr*)( *_t165 + 0x390))(_a8, _a12);
					__eflags = _t107 - _t199;
					if(_t107 != _t199) {
						goto L47;
					}
					E000BF454(_t165, _t191, _a4, _a8, _a12);
					_t121 = _t199;
					_t175 = _t199;
					goto L46;
				} else {
					if( *((intOrPtr*)(__ecx + 0xb30)) != 0) {
						_t148 =  *((intOrPtr*)(__ecx + 0xc98));
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t202 = _a8 - _v32;
						if(_t202 >= 5) {
							_t160 = E00155F20(__edx,  *((intOrPtr*)(_t148 + 0x5c)) - _a8);
							_pop(_t166);
							if(_t160 > 6) {
								_push(_t202);
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc98)))) + 0x34))();
								_t166 = __ecx;
								 *((intOrPtr*)( *__ecx + 0x208))();
							}
						}
						SetRectEmpty(_t165 + 0xc68);
						 *((intOrPtr*)(_t165 + 0xc98)) = 0;
						 *((intOrPtr*)(_t165 + 0xb30)) = 0;
						RedrawWindow( *(_t165 + 0x20), 0, 0, 0x505);
						ReleaseCapture();
						_t153 =  *(_t165 + 0xc90);
						if(_t153 != 0) {
							E0005F82E(_t165, _t166, _t191, SetCapture( *(_t153 + 0x20)));
							 *(_t165 + 0xc90) = 0;
						}
						 *((intOrPtr*)( *_t165 + 0x2d4))(1);
					}
					_t166 = _t165;
					L10:
					return E000BF454(_t166, _t191, _a4, _a8, _a12);
				}
			}

0x00079ffd
0x00079ffd
0x0007a00a
0x0007a00c
0x0007a012
0x0007a0e4
0x0007a0ea
0x00000000
0x00000000
0x0007a0ec
0x0007a0ef
0x0007a0f5
0x0007a126
0x0007a12c
0x0007a132
0x0007a134
0x0007a140
0x0007a145
0x0007a145
0x0007a145
0x0007a145
0x0007a164
0x0007a16a
0x0007a16f
0x0007a171
0x0007a173
0x0007a36c
0x0007a36c
0x0007a179
0x0007a180
0x0007a188
0x0007a18c
0x0007a18f
0x0007a195
0x0007a19b
0x0007a19e
0x0007a1a4
0x0007a1a9
0x0007a1b3
0x0007a1b9
0x0007a1bc
0x0007a1c3
0x0007a1c8
0x0007a1cb
0x0007a1d0
0x0007a1d5
0x0007a1d8
0x0007a1da
0x0007a1dc
0x0007a1e2
0x0007a1e4
0x0007a1e4
0x0007a1e4
0x0007a1ea
0x0007a1ea
0x0007a1f0
0x0007a1f0
0x0007a1da
0x0007a1d0
0x0007a1bc
0x0007a1f3
0x0007a1fa
0x0007a212
0x0007a212
0x0007a21b
0x0007a221
0x0007a228
0x0007a22f
0x0007a236
0x0007a246
0x0007a24c
0x0007a24e
0x0007a2c5
0x0007a2c8
0x0007a2ce
0x0007a2d0
0x0007a2d5
0x0007a2db
0x0007a2dd
0x0007a2e2
0x0007a2e8
0x0007a2ea
0x0007a2f0
0x0007a2f0
0x0007a2ea
0x0007a2dd
0x00000000
0x0007a250
0x0007a255
0x0007a25b
0x0007a25d
0x00000000
0x00000000
0x0007a25f
0x0007a262
0x00000000
0x00000000
0x0007a264
0x0007a268
0x00000000
0x00000000
0x0007a26d
0x0007a275
0x0007a283
0x0007a28c
0x0007a28f
0x0007a291
0x0007a2f3
0x0007a2f6
0x0007a2fc
0x0007a2fe
0x00000000
0x00000000
0x0007a300
0x0007a306
0x00000000
0x00000000
0x0007a308
0x0007a30c
0x0007a30e
0x0007a329
0x0007a310
0x0007a311
0x0007a316
0x0007a318
0x0007a31a
0x0007a31a
0x0007a318
0x0007a332
0x0007a338
0x0007a33a
0x0007a342
0x0007a348
0x0007a348
0x0007a34b
0x0007a34d
0x0007a34d
0x0007a350
0x0007a356
0x0007a35b
0x0007a35d
0x00000000
0x0007a363
0x0007a293
0x0007a299
0x0007a29b
0x0007a2a9
0x0007a2bd
0x00000000
0x0007a2bd
0x0007a2a0
0x0007a2a5
0x0007a2a7
0x00000000
0x00000000
0x00000000
0x0007a2a7
0x0007a24e
0x0007a173
0x0007a0ff
0x0007a105
0x0007a107
0x00000000
0x00000000
0x0007a118
0x0007a11d
0x0007a11f
0x00000000
0x0007a024
0x0007a02a
0x0007a030
0x0007a03c
0x0007a03d
0x0007a03e
0x0007a03f
0x0007a043
0x0007a049
0x0007a052
0x0007a057
0x0007a05b
0x0007a065
0x0007a066
0x0007a06b
0x0007a06d
0x0007a06d
0x0007a05b
0x0007a07a
0x0007a08c
0x0007a092
0x0007a098
0x0007a09e
0x0007a0a4
0x0007a0ac
0x0007a0b8
0x0007a0bd
0x0007a0bd
0x0007a0c9
0x0007a0c9
0x0007a0cf
0x0007a0d1
0x00000000
0x0007a0da

APIs

SetRectEmpty.USER32 ref: 0007A07A
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 0007A098
ReleaseCapture.USER32 ref: 0007A09E
SetCapture.USER32(?), ref: 0007A0B1
ReleaseCapture.USER32 ref: 0007A126
SetCapture.USER32(?), ref: 0007A139
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 0007A212
UpdateWindow.USER32 ref: 0007A275
SendMessageW.USER32(?,00000111,000000FF,00000000), ref: 0007A2BD
IsWindow.USER32(?), ref: 0007A2C8
IsIconic.USER32(?), ref: 0007A2D5
IsZoomed.USER32(?), ref: 0007A2E2
IsWindow.USER32(?), ref: 0007A2F6
UpdateWindow.USER32 ref: 0007A342

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
String ID:
API String ID: 2500574155-0
Opcode ID: 611cc428bae2d0502d2b557e280c2504aba28519db28538412b8070ee043792f
Instruction ID: b920f39f435f882add840ee22691fa68e51dde7809de252c61a97f21ef0b28b3
Opcode Fuzzy Hash: 611cc428bae2d0502d2b557e280c2504aba28519db28538412b8070ee043792f
Instruction Fuzzy Hash: B6A15C31A00604EFDF159F68CC88AAD3BB6BF89311F148579F81D9B2A2CB35D980CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0005A810 Relevance: 20.0, APIs: 3, Strings: 8, Instructions: 787
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E0005A810(void* __fp0, intOrPtr _a4, intOrPtr* _a8) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v16;
				signed int _v20;
				char _v540;
				void* _v544;
				char _v548;
				WCHAR* _v552;
				char _v556;
				char _v560;
				char _v564;
				char _v568;
				signed int _v572;
				intOrPtr* _v576;
				struct _SECURITY_ATTRIBUTES* _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				char _v612;
				char _v620;
				char _v1008;
				intOrPtr _v1500;
				intOrPtr _v1504;
				char _v1544;
				char _v1548;
				char _v1740;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t239;
				signed int _t240;
				intOrPtr* _t243;
				intOrPtr* _t247;
				intOrPtr* _t251;
				intOrPtr* _t255;
				intOrPtr* _t259;
				intOrPtr* _t263;
				intOrPtr* _t267;
				intOrPtr* _t270;
				intOrPtr* _t274;
				signed int _t281;
				intOrPtr* _t282;
				signed int* _t283;
				intOrPtr* _t285;
				intOrPtr* _t286;
				signed int* _t287;
				signed int** _t289;
				signed int _t290;
				signed int _t291;
				signed int** _t304;
				signed int** _t306;
				signed int** _t308;
				short* _t310;
				signed int _t311;
				signed int** _t313;
				signed int** _t315;
				intOrPtr _t316;
				signed int _t335;
				void* _t337;
				signed int _t344;
				void* _t346;
				intOrPtr _t356;
				void* _t361;
				intOrPtr* _t365;
				signed int** _t369;
				signed int _t377;
				signed int _t386;
				int _t392;
				intOrPtr* _t394;
				signed int** _t400;
				signed int** _t401;
				signed int** _t403;
				signed int** _t405;
				signed int** _t406;
				signed int** _t408;
				signed int** _t410;
				signed int** _t412;
				void* _t429;
				intOrPtr* _t432;
				void* _t433;
				void* _t434;
				void* _t436;
				signed int _t438;
				signed int _t440;
				intOrPtr _t466;
				char _t475;
				signed int _t512;
				signed int _t519;
				signed int _t546;
				void* _t573;
				signed int _t574;
				signed int _t577;
				signed int _t580;
				signed int _t582;
				signed int _t584;
				signed int _t586;
				signed int _t588;
				signed int _t590;
				signed int _t592;
				signed int _t594;
				signed int _t601;
				signed int _t605;
				signed int _t607;
				signed int _t609;
				signed int _t611;
				signed int _t613;
				signed int _t615;
				signed int _t617;
				void* _t619;
				WCHAR* _t620;
				intOrPtr* _t622;
				void* _t623;
				void* _t628;
				intOrPtr _t629;
				signed int** _t631;
				signed int** _t633;
				intOrPtr* _t635;
				intOrPtr* _t637;
				void* _t639;
				signed int _t640;
				void* _t641;
				void* _t642;
				void* _t643;
				void* _t644;
				intOrPtr* _t646;
				intOrPtr* _t648;
				intOrPtr* _t650;
				intOrPtr* _t652;
				intOrPtr* _t654;
				intOrPtr* _t656;
				intOrPtr* _t658;
				intOrPtr* _t660;
				intOrPtr* _t665;
				void* _t676;

				_t676 = __fp0;
				_push(0xffffffff);
				_push(0x174a94);
				_push( *[fs:0x0]);
				_t642 = _t641 - 0x6bc;
				_t239 =  *0x1c0454; // 0x885926af
				_t240 = _t239 ^ _t640;
				_v20 = _t240;
				_push(_t429);
				_push(_t628);
				_push(_t619);
				_push(_t240);
				 *[fs:0x0] =  &_v16;
				_v576 = _a8;
				_v580 = 0;
				_t243 = E00065761();
				_t646 = _t243;
				_t442 = 0 | _t646 == 0x00000000;
				if(_t646 == 0) {
					_push(0x80004005);
					_t243 = E00051330(_t429, _t442, _t619, _t628);
				}
				_v548 =  *((intOrPtr*)( *((intOrPtr*)( *_t243 + 0xc))))() + 0x10;
				_v8 = 1;
				_t247 = E00065761();
				_t648 = _t247;
				_t445 = 0 | _t648 == 0x00000000;
				if(_t648 == 0) {
					_push(0x80004005);
					_t247 = E00051330(_t429, _t445, _t619, _t628);
				}
				_v568 =  *((intOrPtr*)( *((intOrPtr*)( *_t247 + 0xc))))() + 0x10;
				_v8 = 2;
				_t251 = E00065761();
				_t650 = _t251;
				_t448 = 0 | _t650 == 0x00000000;
				if(_t650 == 0) {
					_push(0x80004005);
					_t251 = E00051330(_t429, _t448, _t619, _t628);
				}
				_v560 =  *((intOrPtr*)( *((intOrPtr*)( *_t251 + 0xc))))() + 0x10;
				_v8 = 3;
				_t255 = E00065761();
				_t652 = _t255;
				_t451 = 0 | _t652 == 0x00000000;
				if(_t652 == 0) {
					_push(0x80004005);
					_t255 = E00051330(_t429, _t451, _t619, _t628);
				}
				_v552 =  *((intOrPtr*)( *((intOrPtr*)( *_t255 + 0xc))))() + 0x10;
				_v8 = 4;
				_t259 = E00065761();
				_t654 = _t259;
				_t454 = 0 | _t654 == 0x00000000;
				if(_t654 == 0) {
					_push(0x80004005);
					_t259 = E00051330(_t429, _t454, _t619, _t628);
				}
				_v556 =  *((intOrPtr*)( *((intOrPtr*)( *_t259 + 0xc))))() + 0x10;
				_v8 = 5;
				_t263 = E00065761();
				_t656 = _t263;
				_t457 = 0 | _t656 == 0x00000000;
				if(_t656 == 0) {
					_push(0x80004005);
					_t263 = E00051330(_t429, _t457, _t619, _t628);
				}
				_v564 =  *((intOrPtr*)( *((intOrPtr*)( *_t263 + 0xc))))() + 0x10;
				_v8 = 6;
				_t267 = E00065761();
				_t658 = _t267;
				_t460 = 0 | _t658 == 0x00000000;
				if(_t658 == 0) {
					_push(0x80004005);
					_t267 = E00051330(_t429, _t460, _t619, _t628);
				}
				_t39 =  *((intOrPtr*)( *((intOrPtr*)( *_t267 + 0xc))))() + 0x10; // 0x10
				_t430 = _t39;
				_v588 = _t430;
				_v8 = 7;
				_t270 = E00065761();
				_t660 = _t270;
				_t463 = 0 | _t660 == 0x00000000;
				_t661 = _t660 == 0;
				if(_t660 == 0) {
					_push(0x80004005);
					_t270 = E00051330(_t430, _t463, _t619, _t628);
				}
				_t45 =  *((intOrPtr*)( *((intOrPtr*)( *_t270 + 0xc))))() + 0x10; // 0x10
				_t629 = _t45;
				_v584 = _t629;
				_v8 = 8;
				E000566F0( *_t270, _t661, _t676,  &_v1740);
				_v8 = 9;
				__imp__SHGetFolderPathW(0, 0x801c, 0, 0,  &_v540);
				_t274 =  &_v540;
				_t573 = _t274 + 2;
				do {
					_t466 =  *_t274;
					_t274 = _t274 + 2;
				} while (_t466 != 0);
				E00054140( &_v552,  &_v540, _t274 - _t573 >> 1);
				E0005BFE0( &_v552, L"\\Exam Shield", 0xc);
				_t620 = _v552;
				if(GetFileAttributesW(_t620) != 0xffffffff) {
					L39:
					_push(0x12c);
					_t281 = E0006A156();
					__eflags = _t281;
					if(_t281 != 0) {
						E000563E0( &_v568, _t281, 0x12c);
					}
					_t574 =  &_v544;
					_t282 = E0005C0A0(_t430, _t574,  &_v568, L"ExamShieldVersion.txt");
					_t643 = _t642 + 0xc;
					_v8 = 0xb;
					_t470 =  *_t282;
					_t283 =  *_t282 - 0x10;
					_t631 = _v560 + 0xfffffff0;
					__eflags = _t283 - _t631;
					if(_t283 == _t631) {
						L48:
						_v8 = 9;
						_t285 = _v544 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						__eflags = (_t574 | 0xffffffff) - 1;
						if((_t574 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t285)) + 4))))(_t285);
						}
						_t577 =  &_v544;
						_t286 = E0005C0A0(_t430, _t577,  &_v552, L"\\ExamShieldVersion.dat");
						_t644 = _t643 + 0xc;
						_v8 = 0xc;
						_t473 =  *_t286;
						_t287 =  *_t286 - 0x10;
						_t633 = _v556 + 0xfffffff0;
						__eflags = _t287 - _t633;
						if(_t287 == _t633) {
							L57:
							_v8 = 9;
							_t289 = _v544 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							_t579 = (_t577 | 0xffffffff) - 1;
							__eflags = _t579;
							if(_t579 <= 0) {
								_t579 =  *( *_t289);
								 *((intOrPtr*)( *((intOrPtr*)(_t579 + 4))))(_t289);
							}
							_push(0xc8);
							_t290 = E0006A156();
							__eflags = _t290;
							if(_t290 != 0) {
								E000563E0( &_v548, _t290, 0xc8);
							}
							_t475 = _v548;
							__eflags =  *(_t475 - 0xc);
							if( *(_t475 - 0xc) > 0) {
								_t601 =  &_v548;
								_t365 = E00054060( &_v544, L"?id=", _t601);
								_t644 = _t644 + 0xc;
								_v8 = 0xd;
								E0005BFE0( &_v560,  *_t365,  *((intOrPtr*)( *_t365 - 0xc)));
								_v8 = 9;
								_t369 = _v544 + 0xfffffff0;
								asm("lock xadd [ecx], edx");
								_t579 = (_t601 | 0xffffffff) - 1;
								__eflags = _t579;
								if(_t579 <= 0) {
									_t579 =  *( *_t369);
									 *((intOrPtr*)( *((intOrPtr*)(_t579 + 4))))(_t369);
								}
							}
							_t476 = _v560;
							_t291 = _v560 - 0x10;
							_t635 = _v1548 + 0xfffffff0;
							_v572 = _t291;
							__eflags = _t291 - _t635;
							if(_t291 == _t635) {
								L71:
								_t432 = _v556 + 0xfffffff0;
								_t637 = _v1544 + 0xfffffff0;
								_v544 = _t432;
								__eflags = _t432 - _t637;
								if(_t432 == _t637) {
									L78:
									_v1504 = 0;
									_v1500 = 0;
									E0005BEC0( &_v1008, "ExamShield Version");
									__eflags =  *((char*)(_a4 + 0xb8));
									if(__eflags != 0) {
										_v620 = 1;
										E0005BEC0( &_v1008, "ExamShield (Compatibility Check) Version");
									}
									__eflags = E00064645(_t432,  &_v1740, _t579, 0, _t637, __eflags) - 1;
									if(__eflags == 0) {
										E0006CC06( &_v612, __eflags);
										_v8 = 0xf;
										__eflags = E0006CADE( &_v612, _v556, 0x4000, 0);
										if(__eflags != 0) {
											E0006D006( &_v612, __eflags,  &_v564);
											E0006CEA7( &_v612);
											_t622 = _v576;
											_t580 =  &_v564;
											E00053FD0(_t622, _t580);
											_v580 = 1;
											_v8 = 9;
											E0006CEE5(_t432,  &_v612, _t580, _t622, 1, __eflags);
											_v8 = 8;
											E000568F0(_t432, _t580, _t622, __eflags,  &_v1740);
											_v8 = 7;
											_t304 = _v584 + 0xfffffff0;
											asm("lock xadd [ecx], edx");
											_t582 = (_t580 | 0xffffffff) - 1;
											__eflags = _t582;
										} else {
											E00064BAD(_t432, 0, 1, __eflags, L"Unable to open file", 0, 0);
											_t335 = E00065761();
											__eflags = _t335;
											_t508 = 0 | __eflags != 0x00000000;
											if(__eflags == 0) {
												_push(0x80004005);
												_t335 = E00051330(_t432, _t508, 0, 1);
											}
											_t337 =  *((intOrPtr*)( *((intOrPtr*)( *_t335 + 0xc))))();
											_t622 = _v576;
											 *_t622 = _t337 + 0x10;
											E000542D0(_t622);
											_v580 = 1;
											_v8 = 9;
											E0006CEE5(_t432,  &_v612,  *_t335, _t622, 1, __eflags);
											_t512 =  &_v1740;
											_v8 = 8;
											E000568F0(_t432,  *_t335, _t622, __eflags, _t512);
											_v8 = 7;
											_t304 = _v584 + 0xfffffff0;
											_t582 =  &(_t304[3]);
											asm("lock xadd [edx], ecx");
											__eflags = (_t512 | 0xffffffff) - 1;
										}
									} else {
										E0006D0E0(_t432,  &_v1740, _t579, 0, 1, __eflags);
										_t344 = E00065761();
										__eflags = _t344;
										_t516 = 0 | __eflags != 0x00000000;
										if(__eflags == 0) {
											_push(0x80004005);
											_t344 = E00051330(_t432, _t516, 0, 1);
										}
										_t346 =  *((intOrPtr*)( *((intOrPtr*)( *_t344 + 0xc))))();
										_t622 = _v576;
										 *_t622 = _t346 + 0x10;
										E000542D0(_t622);
										_t519 =  &_v1740;
										_v580 = 1;
										_v8 = 8;
										E000568F0(_t432,  *_t344, _t622, __eflags, _t519);
										_v8 = 7;
										_t304 = _v584 + 0xfffffff0;
										_t582 =  &(_t304[3]);
										asm("lock xadd [edx], ecx");
										__eflags = (_t519 | 0xffffffff) - 1;
									}
									if(__eflags <= 0) {
										_t582 =  *( *_t304);
										 *((intOrPtr*)( *((intOrPtr*)(_t582 + 4))))(_t304);
									}
									_v8 = 6;
									_t306 = _v588 + 0xfffffff0;
									asm("lock xadd [ecx], edx");
									_t584 = (_t582 | 0xffffffff) - 1;
									__eflags = _t584;
									if(_t584 <= 0) {
										_t584 =  *( *_t306);
										 *((intOrPtr*)( *((intOrPtr*)(_t584 + 4))))(_t306);
									}
									_v8 = 5;
									_t308 = _v564 + 0xfffffff0;
									asm("lock xadd [ecx], edx");
									_t586 = (_t584 | 0xffffffff) - 1;
									__eflags = _t586;
									if(_t586 <= 0) {
										_t586 =  *( *_t308);
										 *((intOrPtr*)( *((intOrPtr*)(_t586 + 4))))(_t308);
									}
									_v8 = 4;
									asm("lock xadd [ecx], edx");
									_t588 = (_t586 | 0xffffffff) - 1;
									__eflags = _t588;
									if(_t588 <= 0) {
										_t588 =  *( *((intOrPtr*)( *_t432)) + 4);
										 *_t588(_t432);
									}
									_v8 = 3;
									_t310 =  &(_v552[0xfffffffffffffff8]);
									asm("lock xadd [ecx], edx");
									_t590 = (_t588 | 0xffffffff) - 1;
									__eflags = _t590;
									if(_t590 <= 0) {
										_t590 =  *( *_t310);
										 *((intOrPtr*)( *((intOrPtr*)(_t590 + 4))))(_t310);
									}
									_t311 = _v572;
									_v8 = 2;
									asm("lock xadd [ecx], edx");
									_t592 = (_t590 | 0xffffffff) - 1;
									__eflags = _t592;
									if(_t592 <= 0) {
										_t592 =  *( *_t311);
										 *((intOrPtr*)( *((intOrPtr*)(_t592 + 4))))(_t311);
									}
									_v8 = 1;
									_t313 = _v568 + 0xfffffff0;
									asm("lock xadd [ecx], edx");
									_t594 = (_t592 | 0xffffffff) - 1;
									__eflags = _t594;
									if(_t594 <= 0) {
										_t594 =  *( *_t313);
										 *((intOrPtr*)( *((intOrPtr*)(_t594 + 4))))(_t313);
									}
									_v8 = 0;
									_t315 = _v548 + 0xfffffff0;
									asm("lock xadd [ecx], edx");
									_t596 = (_t594 | 0xffffffff) - 1;
									__eflags = (_t594 | 0xffffffff) - 1;
									if((_t594 | 0xffffffff) - 1 <= 0) {
										_t596 =  *( *_t315);
										 *((intOrPtr*)( *((intOrPtr*)( *( *_t315) + 4))))(_t315);
									}
									_t316 = _t622;
									L106:
									 *[fs:0x0] = _v16;
									_pop(_t623);
									_pop(_t639);
									_pop(_t433);
									return E00150836(_t316, _t433, _v20 ^ _t640, _t596, _t623, _t639);
								}
								__eflags =  *(_t637 + 0xc);
								if( *(_t637 + 0xc) < 0) {
									L77:
									E00054140( &_v1544, _v556,  *((intOrPtr*)(_v556 - 0xc)));
									goto L78;
								}
								__eflags =  *_t432 -  *_t637;
								if( *_t432 !=  *_t637) {
									goto L77;
								}
								_t434 = E000541F0(_t432);
								asm("lock xadd [edi], edx");
								_t579 = (_t579 | 0xffffffff) - 1;
								__eflags = _t579;
								if(_t579 <= 0) {
									_t356 =  *((intOrPtr*)( *_t637));
									_t579 =  *(_t356 + 4);
									 *( *(_t356 + 4))(_t637);
								}
								_v1544 = _t434 + 0x10;
								_t432 = _v544;
								goto L78;
							} else {
								__eflags =  *(_t635 + 0xc);
								if( *(_t635 + 0xc) < 0) {
									L70:
									E00054140( &_v1548, _t476,  *((intOrPtr*)(_t476 - 0xc)));
									goto L71;
								}
								_t579 = _t291;
								__eflags =  *_t579 -  *_t635;
								if( *_t579 !=  *_t635) {
									goto L70;
								}
								_t361 = E000541F0(_t579);
								_t644 = _t644 + 4;
								_t436 = _t361;
								asm("lock xadd [edi], edx");
								_t579 = (_t579 | 0xffffffff) - 1;
								__eflags = _t579;
								if(_t579 <= 0) {
									_t579 =  *( *((intOrPtr*)( *_t635)) + 4);
									 *_t579(_t635);
								}
								_v1548 = _t436 + 0x10;
								goto L71;
							}
						} else {
							__eflags = _t633[3];
							if(_t633[3] < 0) {
								L56:
								E00054140( &_v556, _t473,  *((intOrPtr*)(_t473 - 0xc)));
								goto L57;
							}
							_t577 =  *_t287;
							__eflags = _t577 -  *_t633;
							if(_t577 !=  *_t633) {
								goto L56;
							}
							_t377 = E000541F0(_t287);
							_t438 = _t377;
							_t644 = _t644 + 4;
							asm("lock xadd [edi], eax");
							__eflags = (_t377 | 0xffffffff) - 1;
							if((_t377 | 0xffffffff) - 1 <= 0) {
								_t577 =  *( *_t633);
								 *((intOrPtr*)( *((intOrPtr*)(_t577 + 4))))(_t633);
							}
							_v556 = _t438 + 0x10;
							goto L57;
						}
					} else {
						__eflags = _t631[3];
						if(_t631[3] < 0) {
							L47:
							E00054140( &_v560, _t470,  *((intOrPtr*)(_t470 - 0xc)));
							goto L48;
						}
						_t574 =  *_t283;
						__eflags = _t574 -  *_t631;
						if(_t574 !=  *_t631) {
							goto L47;
						}
						_t386 = E000541F0(_t283);
						_t440 = _t386;
						_t643 = _t643 + 4;
						asm("lock xadd [edi], eax");
						__eflags = (_t386 | 0xffffffff) - 1;
						if((_t386 | 0xffffffff) - 1 <= 0) {
							_t574 =  *( *_t631);
							 *((intOrPtr*)( *((intOrPtr*)(_t574 + 4))))(_t631);
						}
						_t430 = _t440 + 0x10;
						_v560 = _t440 + 0x10;
						goto L48;
					}
				}
				_t392 = CreateDirectoryW(_t620, 0);
				_t664 = _t392;
				if(_t392 != 0) {
					goto L39;
				}
				E00064BAD(_t430, _t620, _t629, _t664, L"Unable to create directory", _t392, _t392);
				_t394 = E00065761();
				_t665 = _t394;
				_t543 = 0 | _t665 == 0x00000000;
				_t666 = _t665 == 0;
				if(_t665 == 0) {
					_push(0x80004005);
					_t394 = E00051330(_t430, _t543, _t620, _t629);
				}
				 *_v576 =  *((intOrPtr*)( *((intOrPtr*)( *_t394 + 0xc))))() + 0x10;
				E000542D0(_v576);
				_t546 =  &_v1740;
				_v580 = 1;
				_v8 = 8;
				E000568F0(_t430,  *_t394, _t620, _t666, _t546);
				_t64 = _t629 - 0x10; // 0x0
				_t400 = _t64;
				_v8 = 7;
				_t66 =  &(_t400[3]); // 0xc
				_t605 = _t66;
				asm("lock xadd [edx], ecx");
				if((_t546 | 0xffffffff) - 1 <= 0) {
					_t605 =  *( *_t400);
					 *((intOrPtr*)( *((intOrPtr*)(_t605 + 4))))(_t400);
				}
				_t68 = _t430 - 0x10; // 0x0
				_t401 = _t68;
				_v8 = 6;
				asm("lock xadd [ecx], edx");
				_t607 = (_t605 | 0xffffffff) - 1;
				if(_t607 <= 0) {
					_t607 =  *( *_t401);
					 *((intOrPtr*)( *((intOrPtr*)(_t607 + 4))))(_t401);
				}
				_v8 = 5;
				_t403 = _v564 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t609 = (_t607 | 0xffffffff) - 1;
				if(_t609 <= 0) {
					_t609 =  *( *_t403);
					 *((intOrPtr*)( *((intOrPtr*)(_t609 + 4))))(_t403);
				}
				_v8 = 4;
				_t405 = _v556 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t611 = (_t609 | 0xffffffff) - 1;
				if(_t611 <= 0) {
					_t611 =  *( *_t405);
					 *((intOrPtr*)( *((intOrPtr*)(_t611 + 4))))(_t405);
				}
				_t406 = _t620 - 0x10;
				_v8 = 3;
				asm("lock xadd [ecx], edx");
				_t613 = (_t611 | 0xffffffff) - 1;
				if(_t613 <= 0) {
					_t613 =  *( *_t406);
					 *((intOrPtr*)( *((intOrPtr*)(_t613 + 4))))(_t406);
				}
				_v8 = 2;
				_t408 = _v560 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t615 = (_t613 | 0xffffffff) - 1;
				if(_t615 <= 0) {
					_t615 =  *( *_t408);
					 *((intOrPtr*)( *((intOrPtr*)(_t615 + 4))))(_t408);
				}
				_v8 = 1;
				_t410 = _v568 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t617 = (_t615 | 0xffffffff) - 1;
				if(_t617 <= 0) {
					_t617 =  *( *_t410);
					 *((intOrPtr*)( *((intOrPtr*)(_t617 + 4))))(_t410);
				}
				_v8 = 0;
				_t412 = _v548 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t596 = (_t617 | 0xffffffff) - 1;
				if((_t617 | 0xffffffff) - 1 <= 0) {
					_t596 =  *( *_t412);
					 *((intOrPtr*)( *((intOrPtr*)( *( *_t412) + 4))))(_t412);
				}
				_t316 = _v576;
				goto L106;
			}

0x0005a810
0x0005a813
0x0005a815
0x0005a820
0x0005a821
0x0005a827
0x0005a82c
0x0005a82e
0x0005a831
0x0005a832
0x0005a833
0x0005a834
0x0005a838
0x0005a841
0x0005a847
0x0005a851
0x0005a858
0x0005a85a
0x0005a85f
0x0005a861
0x0005a866
0x0005a866
0x0005a877
0x0005a87d
0x0005a884
0x0005a88b
0x0005a88d
0x0005a892
0x0005a894
0x0005a899
0x0005a899
0x0005a8aa
0x0005a8b0
0x0005a8b4
0x0005a8bb
0x0005a8bd
0x0005a8c2
0x0005a8c4
0x0005a8c9
0x0005a8c9
0x0005a8da
0x0005a8e0
0x0005a8e4
0x0005a8eb
0x0005a8ed
0x0005a8f2
0x0005a8f4
0x0005a8f9
0x0005a8f9
0x0005a90a
0x0005a910
0x0005a914
0x0005a91b
0x0005a91d
0x0005a922
0x0005a924
0x0005a929
0x0005a929
0x0005a93a
0x0005a940
0x0005a944
0x0005a94b
0x0005a94d
0x0005a952
0x0005a954
0x0005a959
0x0005a959
0x0005a96a
0x0005a970
0x0005a974
0x0005a97b
0x0005a97d
0x0005a982
0x0005a984
0x0005a989
0x0005a989
0x0005a997
0x0005a997
0x0005a99a
0x0005a9a0
0x0005a9a4
0x0005a9ab
0x0005a9ad
0x0005a9b0
0x0005a9b2
0x0005a9b4
0x0005a9b9
0x0005a9b9
0x0005a9c7
0x0005a9c7
0x0005a9ca
0x0005a9d7
0x0005a9db
0x0005a9f2
0x0005a9f6
0x0005a9fc
0x0005aa02
0x0005aa05
0x0005aa05
0x0005aa08
0x0005aa0b
0x0005aa22
0x0005aa34
0x0005aa39
0x0005aa49
0x0005abe2
0x0005abe2
0x0005abe7
0x0005abec
0x0005abee
0x0005abfc
0x0005abfc
0x0005ac0d
0x0005ac14
0x0005ac19
0x0005ac1c
0x0005ac20
0x0005ac28
0x0005ac2b
0x0005ac2e
0x0005ac30
0x0005ac7d
0x0005ac7d
0x0005ac87
0x0005ac90
0x0005ac95
0x0005ac97
0x0005aca1
0x0005aca1
0x0005acaf
0x0005acb6
0x0005acbb
0x0005acbe
0x0005acc2
0x0005acca
0x0005accd
0x0005acd0
0x0005acd2
0x0005ad1f
0x0005ad1f
0x0005ad29
0x0005ad32
0x0005ad36
0x0005ad37
0x0005ad39
0x0005ad3d
0x0005ad43
0x0005ad43
0x0005ad45
0x0005ad4a
0x0005ad4f
0x0005ad51
0x0005ad5f
0x0005ad5f
0x0005ad64
0x0005ad6a
0x0005ad6e
0x0005ad70
0x0005ad83
0x0005ad88
0x0005ad8b
0x0005ad9c
0x0005ada1
0x0005adab
0x0005adb4
0x0005adb8
0x0005adb9
0x0005adbb
0x0005adbf
0x0005adc5
0x0005adc5
0x0005adbb
0x0005adc7
0x0005add3
0x0005add6
0x0005add9
0x0005addf
0x0005ade1
0x0005ae32
0x0005ae3e
0x0005ae41
0x0005ae44
0x0005ae4a
0x0005ae4c
0x0005aea7
0x0005aeb4
0x0005aeba
0x0005aec0
0x0005aec8
0x0005aecf
0x0005aedc
0x0005aee3
0x0005aee3
0x0005aef8
0x0005aefa
0x0005af71
0x0005af77
0x0005af92
0x0005af94
0x0005b029
0x0005b034
0x0005b039
0x0005b03f
0x0005b048
0x0005b053
0x0005b059
0x0005b05d
0x0005b069
0x0005b06d
0x0005b072
0x0005b07c
0x0005b085
0x0005b089
0x0005b08a
0x0005af9a
0x0005afa1
0x0005afa6
0x0005afad
0x0005afaf
0x0005afb4
0x0005afb6
0x0005afbb
0x0005afbb
0x0005afc7
0x0005afc9
0x0005afd2
0x0005afd6
0x0005afe1
0x0005afe7
0x0005afeb
0x0005aff0
0x0005aff7
0x0005affb
0x0005b000
0x0005b00a
0x0005b00d
0x0005b013
0x0005b018
0x0005b018
0x0005aefc
0x0005aefc
0x0005af01
0x0005af08
0x0005af0a
0x0005af0f
0x0005af11
0x0005af16
0x0005af16
0x0005af22
0x0005af24
0x0005af2d
0x0005af31
0x0005af36
0x0005af3d
0x0005af43
0x0005af47
0x0005af4c
0x0005af56
0x0005af59
0x0005af5f
0x0005af64
0x0005af64
0x0005b08c
0x0005b090
0x0005b096
0x0005b096
0x0005b098
0x0005b0a2
0x0005b0ab
0x0005b0af
0x0005b0b0
0x0005b0b2
0x0005b0b6
0x0005b0bc
0x0005b0bc
0x0005b0be
0x0005b0c8
0x0005b0d1
0x0005b0d5
0x0005b0d6
0x0005b0d8
0x0005b0dc
0x0005b0e2
0x0005b0e2
0x0005b0e4
0x0005b0ee
0x0005b0f2
0x0005b0f3
0x0005b0f5
0x0005b0fb
0x0005b0ff
0x0005b0ff
0x0005b101
0x0005b10b
0x0005b114
0x0005b118
0x0005b119
0x0005b11b
0x0005b11f
0x0005b125
0x0005b125
0x0005b127
0x0005b12d
0x0005b137
0x0005b13b
0x0005b13c
0x0005b13e
0x0005b142
0x0005b148
0x0005b148
0x0005b14a
0x0005b154
0x0005b15d
0x0005b161
0x0005b162
0x0005b164
0x0005b168
0x0005b16e
0x0005b16e
0x0005b170
0x0005b17a
0x0005b183
0x0005b187
0x0005b188
0x0005b18a
0x0005b18e
0x0005b194
0x0005b194
0x0005b196
0x0005b198
0x0005b19b
0x0005b1a3
0x0005b1a4
0x0005b1a5
0x0005b1b3
0x0005b1b3
0x0005ae4e
0x0005ae55
0x0005ae91
0x0005aea2
0x00000000
0x0005aea2
0x0005ae59
0x0005ae5b
0x00000000
0x00000000
0x0005ae68
0x0005ae6d
0x0005ae71
0x0005ae72
0x0005ae74
0x0005ae78
0x0005ae7a
0x0005ae7e
0x0005ae7e
0x0005ae83
0x0005ae89
0x00000000
0x0005ade3
0x0005ade3
0x0005adea
0x0005ae22
0x0005ae2d
0x00000000
0x0005ae2d
0x0005adec
0x0005adf0
0x0005adf2
0x00000000
0x00000000
0x0005adf7
0x0005adfc
0x0005adff
0x0005ae04
0x0005ae08
0x0005ae09
0x0005ae0b
0x0005ae11
0x0005ae15
0x0005ae15
0x0005ae1a
0x00000000
0x0005ae1a
0x0005acd4
0x0005acd4
0x0005acdb
0x0005ad0f
0x0005ad1a
0x00000000
0x0005ad1a
0x0005acdd
0x0005acdf
0x0005ace1
0x00000000
0x00000000
0x0005ace4
0x0005ace9
0x0005aceb
0x0005acf1
0x0005acf6
0x0005acf8
0x0005acfc
0x0005ad02
0x0005ad02
0x0005ad07
0x00000000
0x0005ad07
0x0005ac32
0x0005ac32
0x0005ac39
0x0005ac6d
0x0005ac78
0x00000000
0x0005ac78
0x0005ac3b
0x0005ac3d
0x0005ac3f
0x00000000
0x00000000
0x0005ac42
0x0005ac47
0x0005ac49
0x0005ac4f
0x0005ac54
0x0005ac56
0x0005ac5a
0x0005ac60
0x0005ac60
0x0005ac62
0x0005ac65
0x00000000
0x0005ac65
0x0005ac30
0x0005aa52
0x0005aa58
0x0005aa5a
0x00000000
0x00000000
0x0005aa67
0x0005aa6c
0x0005aa73
0x0005aa75
0x0005aa78
0x0005aa7a
0x0005aa7c
0x0005aa81
0x0005aa81
0x0005aa98
0x0005aa9a
0x0005aa9f
0x0005aaa6
0x0005aab0
0x0005aab4
0x0005aab9
0x0005aab9
0x0005aabc
0x0005aac0
0x0005aac0
0x0005aac6
0x0005aacd
0x0005aad1
0x0005aad7
0x0005aad7
0x0005aad9
0x0005aad9
0x0005aadc
0x0005aae6
0x0005aaea
0x0005aaed
0x0005aaf1
0x0005aaf7
0x0005aaf7
0x0005aaf9
0x0005ab03
0x0005ab0c
0x0005ab10
0x0005ab13
0x0005ab17
0x0005ab1d
0x0005ab1d
0x0005ab1f
0x0005ab29
0x0005ab32
0x0005ab36
0x0005ab39
0x0005ab3d
0x0005ab43
0x0005ab43
0x0005ab45
0x0005ab48
0x0005ab52
0x0005ab56
0x0005ab59
0x0005ab5d
0x0005ab63
0x0005ab63
0x0005ab65
0x0005ab6f
0x0005ab78
0x0005ab7c
0x0005ab7f
0x0005ab83
0x0005ab89
0x0005ab89
0x0005ab8b
0x0005ab95
0x0005ab9e
0x0005aba2
0x0005aba5
0x0005aba9
0x0005abaf
0x0005abaf
0x0005abb1
0x0005abbb
0x0005abc4
0x0005abc8
0x0005abcb
0x0005abcf
0x0005abd5
0x0005abd5
0x0005abd7
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,0000801C,00000000,00000000,?), ref: 0005A9F6
GetFileAttributesW.KERNEL32(?,\Exam Shield,0000000C,?,?), ref: 0005AA40
CreateDirectoryW.KERNEL32(?,00000000), ref: 0005AA52

Part of subcall function 00051330: _vwprintf.LIBCMT ref: 0005139E
Part of subcall function 00051330: _vswprintf_s.LIBCMT ref: 000513DD

Part of subcall function 000563E0: FindResourceW.KERNEL32(?,?,00000006,?,?,00000002,?,0006919A,00000000,?,?,00000000,00000004,000691DE,?,?), ref: 000563FB

Part of subcall function 00054140: _memmove_s.LIBCMT ref: 000541BA

Part of subcall function 000563E0: _wmemcpy_s.LIBCMT ref: 00056476

Part of subcall function 00054140: _memcpy_s.LIBCMT ref: 000541C7

Part of subcall function 0005BEC0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,0005AEC5,ExamShield Version,000000C8), ref: 0005BEDA
Part of subcall function 0005BEC0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,-00000001,?,0005AEC5,ExamShield Version,000000C8,?,?,?,?,?,0000012C), ref: 0005BF0D

Strings

ExamShieldVersion.txt, xrefs: 0005AC01
\ExamShieldVersion.dat, xrefs: 0005ACA3
Unable to open file, xrefs: 0005AF9C
?id=, xrefs: 0005AD7D
\Exam Shield, xrefs: 0005AA29
Unable to create directory, xrefs: 0005AA62
ExamShield (Compatibility Check) Version, xrefs: 0005AED1
ExamShield Version, xrefs: 0005AEA9

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ByteCharMultiWide$AttributesCreateDirectoryFileFindFolderPathResource_memcpy_s_memmove_s_vswprintf_s_vwprintf_wmemcpy_s
String ID: ?id=$ExamShield (Compatibility Check) Version$ExamShield Version$ExamShieldVersion.txt$Unable to create directory$Unable to open file$\Exam Shield$\ExamShieldVersion.dat
API String ID: 2139102132-1125860661
Opcode ID: 0cc865d5fd2980505d2c0c3117f65958c3c028a86c78fa05108fe4bd1c2b688e
Instruction ID: 8869bfe789b02e4d5f438c1fdcb940c3828d0c4534758ed36a8de9e2fa96e71f
Opcode Fuzzy Hash: 0cc865d5fd2980505d2c0c3117f65958c3c028a86c78fa05108fe4bd1c2b688e
Instruction Fuzzy Hash: 2562FF306016059FDB54DB6CCC95B9AB3B5BF95320F2483D8E4299B2E2DB30AE49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0006F43C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E0006F43C(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				void* _t5;
				struct HINSTANCE__* _t6;
				void* _t7;
				_Unknown_base(*)()* _t8;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t11;
				void* _t24;
				void* _t26;
				intOrPtr _t28;

				_t26 = __ecx;
				_t28 =  *0x1c397c; // 0x0
				if(_t28 == 0) {
					if( *((intOrPtr*)(__ecx + 0x218)) != 0) {
						L5:
						 *((intOrPtr*)(_t26 + 0x218)) = 1;
						_t6 = E0006EF88(1, _t24, L"D2D1.dll");
						 *0x1c3964 = _t6;
						if(_t6 == 0) {
							L9:
							_t7 = 0;
							L14:
							return _t7;
						}
						_t8 = GetProcAddress(_t6, "D2D1CreateFactory");
						if(_t8 == 0) {
							L10:
							 *0x1c3978 = GetProcAddress( *0x1c3964, "D2D1MakeRotateMatrix");
							_t10 = E0006EF88(1, _t24, L"DWrite.dll");
							 *0x1c3968 = _t10;
							if(_t10 != 0) {
								_t11 = GetProcAddress(_t10, "DWriteCreateFactory");
								if(_t11 != 0) {
									 *_t11(_a8, 0x17baf0, 0x1c3970);
								}
							}
							__imp__CoCreateInstance(0x1a0710, 0, 1, 0x1a0900, 0x1c3974);
							 *0x1c397c = 1;
							_t7 = 1;
							goto L14;
						}
						_push(0x1c396c);
						_push(0);
						_push(0x17bb44);
						_push(_a4);
						if( *_t8() >= 0) {
							goto L10;
						}
						 *0x1c396c = 0;
						goto L9;
					}
					__imp__CoInitialize(0);
					if(_t5 >= 0) {
						goto L5;
					}
					return 0;
				}
				return 1;
			}

0x0006f445
0x0006f447
0x0006f44d
0x0006f45d
0x0006f471
0x0006f47a
0x0006f480
0x0006f486
0x0006f48d
0x0006f4bb
0x0006f4bb
0x0006f51f
0x00000000
0x0006f51f
0x0006f49b
0x0006f49f
0x0006f4bf
0x0006f4d1
0x0006f4d6
0x0006f4dc
0x0006f4e3
0x0006f4eb
0x0006f4ef
0x0006f4fe
0x0006f4fe
0x0006f4ef
0x0006f511
0x0006f517
0x0006f51d
0x00000000
0x0006f51d
0x0006f4a1
0x0006f4a6
0x0006f4a7
0x0006f4ac
0x0006f4b3
0x00000000
0x00000000
0x0006f4b5
0x00000000
0x0006f4b5
0x0006f460
0x0006f468
0x00000000
0x00000000
0x00000000
0x0006f46a
0x00000000

APIs

CoInitialize.OLE32(00000000), ref: 0006F460

Strings

D2D1MakeRotateMatrix, xrefs: 0006F4BF
DWrite.dll, xrefs: 0006F4CC
D2D1.dll, xrefs: 0006F475
D2D1CreateFactory, xrefs: 0006F495
DWriteCreateFactory, xrefs: 0006F4E5

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Initialize
String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
API String ID: 2538663250-1403614551
Opcode ID: 491cb7540dc05639e6d1dc56b46348abc10008240946292a889f5c8332834c52
Instruction ID: c5b36b96cdacd994fa4d2d7d7e5512e2ba694b3accae2c9b44598fd1dd54a6d2
Opcode Fuzzy Hash: 491cb7540dc05639e6d1dc56b46348abc10008240946292a889f5c8332834c52
Instruction Fuzzy Hash: 6F115C3174A7057AC7116F75BCC5D37BEBAE785B28320853AF41AE3490DBB0D980CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00056B10 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 463
windowthreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00056B10(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				int _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				char _v576;
				struct HWND__* _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t140;
				signed int _t141;
				struct HWND__* _t144;
				signed int _t145;
				intOrPtr* _t149;
				intOrPtr* _t152;
				intOrPtr* _t156;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				void* _t165;
				signed int _t166;
				signed int _t173;
				signed int** _t176;
				signed int** _t178;
				signed int** _t180;
				void* _t197;
				intOrPtr* _t200;
				void* _t205;
				intOrPtr* _t208;
				signed int _t210;
				intOrPtr* _t214;
				intOrPtr* _t222;
				signed int _t229;
				intOrPtr* _t234;
				intOrPtr* _t242;
				void* _t245;
				struct HWND__* _t246;
				void* _t248;
				signed int _t251;
				void* _t269;
				signed int _t284;
				char _t321;
				intOrPtr _t322;
				signed int _t324;
				signed int _t325;
				signed int _t327;
				signed int _t331;
				signed int _t335;
				signed int _t345;
				void* _t349;
				void* _t350;
				struct HWND__* _t351;
				signed int _t352;
				signed int _t353;
				void* _t357;
				void* _t361;
				void* _t363;
				signed int _t364;
				void* _t365;
				void* _t366;
				intOrPtr* _t371;
				void* _t383;
				void* _t386;

				_push(0xffffffff);
				_push(0x1743fd);
				_push( *[fs:0x0]);
				_t366 = _t365 - 0x248;
				_t140 =  *0x1c0454; // 0x885926af
				_t141 = _t140 ^ _t364;
				_v20 = _t141;
				_push(_t245);
				_push(_t349);
				_push(_t141);
				 *[fs:0x0] =  &_v16;
				_t361 = __ecx;
				E00064332(_t245, __ecx, __edx, _t349, __fp0);
				if( *((char*)(_t361 + 0x460)) == 0) {
					_t246 = 0;
					__eflags = 0;
				} else {
					_t234 = E00065761();
					_t246 = 0;
					_t371 = _t234;
					_t308 = 0 | _t371 == 0x00000000;
					if(_t371 == 0) {
						_push(0x80004005);
						_t234 = E00051330(0, _t308, _t349, _t361);
					}
					_v580 =  *((intOrPtr*)( *((intOrPtr*)( *_t234 + 0xc))))() + 0x10;
					_v8 = _t246;
					E000614A8(_t246, _t361 + 0x3ec, _t349,  &_v580);
					E00053780(_t246,  &_v580, _t349, L"ExamShield Program", L"ExamShield (Compatibility Check) Program");
					_t345 = _v580;
					E000634B7(_t361 + 0x3ec, _t345);
					_v8 = 0xffffffff;
					_t242 = _v580 + 0xfffffff0;
					asm("lock xadd [ecx], edx");
					if((_t345 | 0xffffffff) - 1 <= 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t242)) + 4))))(_t242);
					}
				}
				_t350 = _t361 + 0x180;
				if(_t350 != _t246) {
					_t144 =  *(_t350 + 0x20);
				} else {
					_t144 = 0;
				}
				if(_t350 != _t246) {
					_v580 =  *(_t350 + 0x20);
				} else {
					_v580 = _t246;
				}
				_t145 = GetWindowLongW(_t144, 0xfffffff0);
				_t317 = _v580;
				SetWindowLongW(_v580, 0xfffffff0, _t145 | 0x00000008);
				if(_t350 != _t246) {
					_t351 =  *(_t350 + 0x20);
				} else {
					_t351 = 0;
				}
				SendMessageW(_t351, 0x40a, 1, 0x64);
				_t251 =  *(_t361 + 0x2e4);
				_t352 =  *(_t251 - 0x10);
				_t149 = _t251 - 0x10;
				if( *((intOrPtr*)(_t251 - 0xc)) != _t246) {
					_t317 = _t149 + 0xc;
					if( *((intOrPtr*)(_t149 + 0xc)) >= _t246) {
						asm("lock xadd [edx], ecx");
						__eflags = (_t251 | 0xffffffff) - 1;
						if((_t251 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t149)) + 4))))(_t149);
						}
						_t317 =  *_t352;
						_t229 =  *((intOrPtr*)( *((intOrPtr*)( *_t352 + 0xc))))() + 0x10;
						__eflags = _t229;
						 *(_t361 + 0x2e4) = _t229;
					} else {
						if( *((intOrPtr*)(_t251 - 8)) < _t246) {
							_push(0x80070057);
							E00051330(_t246, _t251, _t352, _t361);
						}
						 *((intOrPtr*)(_t251 - 0xc)) = _t246;
						 *( *(_t361 + 0x2e4)) = 0;
					}
				}
				_t353 = _t352 | 0xffffffff;
				 *(_t361 + 0x2f8) = _t353;
				 *((intOrPtr*)(_t361 + 0x2f0)) = _t246;
				 *((intOrPtr*)(_t361 + 0x2f4)) = _t246;
				_v576 = _t246;
				_v572 = _t246;
				_v568 = _t246;
				_v564 = _t246;
				_v560 = _t246;
				_v556 = _t246;
				if(E00068B7D(_t246, _t317,  *((intOrPtr*)(_t361 + 0xc4)),  &_v576, _t246) == _t246 || ( *(_t361 + 0x108) |  *(_t361 + 0x10c)) != 0 ||  *((intOrPtr*)(_t361 + 0xf0)) == _t246) {
					L32:
					_t152 = E00065761();
					__eflags = _t152 - _t246;
					_t254 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t152 = E00051330(_t246, _t254, _t353, _t361);
					}
					_v584 =  *((intOrPtr*)( *((intOrPtr*)( *_t152 + 0xc))))() + 0x10;
					_v8 = 2;
					_t156 = E00065761();
					__eflags = _t156 - _t246;
					_t257 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t156 = E00051330(_t246, _t257, _t353, _t361);
					}
					_v588 =  *((intOrPtr*)( *((intOrPtr*)( *_t156 + 0xc))))() + 0x10;
					_v8 = 3;
					_t354 = _t361 + 0xc0;
					_t247 = _t361 + 0x124;
					_t161 = E00069513(_t361 + 0xc0,  *((intOrPtr*)(_t361 + 0xc0)), _t361 + 0x124,  &_v588,  &_v584,  &_v596);
					__eflags = _t161;
					if(_t161 != 0) {
						L41:
						_t162 = E00150DBA(_v584, 0x2f);
						_t321 = _v584;
						__eflags = _t162;
						if(_t162 == 0) {
							L43:
							_t163 = E00150DBA(_t321, 0x5c);
							__eflags = _t163;
							if(_t163 == 0) {
								L48:
								_t355 = _t361 + 0x2e0;
								E00054260(_t361 + 0x2e0,  &_v584);
								L49:
								_t322 =  *((intOrPtr*)(_t361 + 0x2dc));
								__eflags =  *(_t322 - 0xc);
								_t165 = _t361 + 0x2dc;
								if( *(_t322 - 0xc) > 0) {
									E00054260(_t355, _t165);
								}
								_t166 = E00065761();
								__eflags = _t166;
								_t265 = 0 | __eflags != 0x00000000;
								if(__eflags == 0) {
									_push(0x80004005);
									_t166 = E00051330(_t247, _t265, _t355, _t361);
								}
								_v592 =  *((intOrPtr*)( *((intOrPtr*)( *_t166 + 0xc))))() + 0x10;
								_v8 = 6;
								_t324 =  &_v592;
								E000691E2(_v588, _t324, 0x66,  *_t355, _v588);
								E000634B7(_t361 + 0x1f4, _v592);
								_push(0);
								_push(4);
								_push(0);
								_push(0);
								_push(_t361);
								_push(E00052000);
								_t173 = E0006A073(_t247, _t324,  *_t355, _t361, __eflags);
								 *(_t361 + 0x2ec) = _t173;
								__eflags = _t173;
								if(_t173 != 0) {
									 *((intOrPtr*)(_t173 + 0x28)) = 0;
									_t269 =  *( *(_t361 + 0x2ec) + 0x2c);
									ResumeThread(_t269);
									_v8 = 3;
									_t176 = _v592 + 0xfffffff0;
									_t325 =  &(_t176[3]);
									asm("lock xadd [edx], ecx");
									__eflags = (_t269 | 0xffffffff) - 1;
								} else {
									E00063F8D(_t361, 2);
									_v8 = 3;
									_t176 = _v592 + 0xfffffff0;
									asm("lock xadd [ecx], edx");
									_t325 = (_t324 | 0xffffffff) - 1;
									__eflags = _t325;
								}
								if(__eflags <= 0) {
									_t325 =  *( *_t176);
									 *((intOrPtr*)( *((intOrPtr*)(_t325 + 4))))(_t176);
								}
								goto L58;
							}
							_t321 = _v584;
							_t284 = _t163 - _t321 >> 1;
							__eflags = _t284 - 0xffffffff;
							if(_t284 == 0xffffffff) {
								goto L48;
							}
							L45:
							__eflags =  *((intOrPtr*)(_t321 - 0xc)) - 1;
							if( *((intOrPtr*)(_t321 - 0xc)) <= 1) {
								goto L48;
							}
							_t331 =  &_v600;
							_t197 = E00053AD0( &_v584, _t331,  *((intOrPtr*)(_t321 - 0xc)) - _t284 - 1);
							_t355 = _t361 + 0x2e0;
							_v8 = 5;
							E00054260(_t361 + 0x2e0, _t197);
							_v8 = 3;
							_t200 = _v600 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							__eflags = (_t331 | 0xffffffff) - 1;
							if((_t331 | 0xffffffff) - 1 <= 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t200)) + 4))))(_t200);
							}
							goto L49;
						}
						_t284 = _t162 - _t321 >> 1;
						__eflags = _t284 - 0xffffffff;
						if(_t284 != 0xffffffff) {
							goto L45;
						}
						goto L43;
					} else {
						_t335 =  &_v580;
						_t205 = E00054060(_t335, L"http://", _t354);
						_t366 = _t366 + 0xc;
						_v8 = 4;
						E00054260(_t354, _t205);
						_v8 = 3;
						_t208 = _v580 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						__eflags = (_t335 | 0xffffffff) - 1;
						if((_t335 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t208)) + 4))))(_t208);
						}
						_t325 =  &_v584;
						_t210 = E00069513( *_t354,  *_t354, _t247,  &_v588, _t325,  &_v596);
						__eflags = _t210;
						if(_t210 != 0) {
							goto L41;
						} else {
							E00063F8D(_t361, 2);
							L58:
							_v8 = 2;
							_t178 = _v588 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							_t327 = (_t325 | 0xffffffff) - 1;
							__eflags = _t327;
							if(_t327 <= 0) {
								_t327 =  *( *_t178);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 + 4))))(_t178);
							}
							_v8 = 0xffffffff;
							_t180 = _v584 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							_t329 = (_t327 | 0xffffffff) - 1;
							__eflags = (_t327 | 0xffffffff) - 1;
							goto L61;
						}
					}
				} else {
					_t214 = E00065761();
					_t383 = _t214 - _t246;
					_t295 = 0 | _t383 != 0x00000000;
					_t384 = (_t383 != 0) - _t246;
					if(_t383 != 0 == _t246) {
						_push(0x80004005);
						_t214 = E00051330(_t246, _t295, _t353, _t361);
					}
					_v580 =  *((intOrPtr*)( *((intOrPtr*)( *_t214 + 0xc))))() + 0x10;
					_v8 = 1;
					E000691C8( &_v580, 0x82,  *((intOrPtr*)(_t361 + 0xc4)));
					_t329 = _v580;
					if(E00064BAD(_t246, _t353, _t361, _t384, _v580, 4, _t246) == 6) {
						_v8 = _t353;
						_t222 = _v580 + 0xfffffff0;
						asm("lock xadd [ecx], edi");
						_t353 = _t353 - 1;
						__eflags = _t353;
						if(_t353 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t222)) + 4))))(_t222);
						}
						goto L32;
					} else {
						E00063F8D(_t361, 2);
						_v8 = _t353;
						_t180 = _v580 + 0xfffffff0;
						asm("lock xadd [ecx], edi");
						_t386 = _t353 - 1;
						L61:
						if(_t386 <= 0) {
							_t329 =  *( *_t180);
							 *((intOrPtr*)( *((intOrPtr*)( *( *_t180) + 4))))(_t180);
						}
						 *[fs:0x0] = _v16;
						_pop(_t357);
						_pop(_t363);
						_pop(_t248);
						return E00150836(1, _t248, _v20 ^ _t364, _t329, _t357, _t363);
					}
				}
			}

0x00056b13
0x00056b15
0x00056b20
0x00056b21
0x00056b27
0x00056b2c
0x00056b2e
0x00056b31
0x00056b33
0x00056b34
0x00056b38
0x00056b3e
0x00056b40
0x00056b4c
0x00056be7
0x00056be7
0x00056b52
0x00056b52
0x00056b59
0x00056b5b
0x00056b5d
0x00056b62
0x00056b64
0x00056b69
0x00056b69
0x00056b7a
0x00056b8d
0x00056b90
0x00056ba5
0x00056baa
0x00056bb7
0x00056bbc
0x00056bc9
0x00056bd2
0x00056bd9
0x00056be3
0x00056be3
0x00056bd9
0x00056be9
0x00056bf1
0x00056bf7
0x00056bf3
0x00056bf3
0x00056bf3
0x00056bfc
0x00056c09
0x00056bfe
0x00056bfe
0x00056bfe
0x00056c12
0x00056c18
0x00056c25
0x00056c2d
0x00056c33
0x00056c2f
0x00056c2f
0x00056c2f
0x00056c40
0x00056c46
0x00056c4c
0x00056c52
0x00056c55
0x00056c5a
0x00056c5d
0x00056c81
0x00056c86
0x00056c88
0x00056c92
0x00056c92
0x00056c94
0x00056c9d
0x00056c9d
0x00056ca0
0x00056c5f
0x00056c62
0x00056c64
0x00056c69
0x00056c69
0x00056c6e
0x00056c79
0x00056c79
0x00056c5d
0x00056cb4
0x00056cb8
0x00056cbe
0x00056cc4
0x00056cca
0x00056cd0
0x00056cd6
0x00056cdc
0x00056ce2
0x00056ce8
0x00056cf5
0x00056dbe
0x00056dbe
0x00056dc5
0x00056dc7
0x00056dcc
0x00056dce
0x00056dd3
0x00056dd3
0x00056de4
0x00056dea
0x00056df1
0x00056df8
0x00056dfa
0x00056dff
0x00056e01
0x00056e06
0x00056e06
0x00056e17
0x00056e32
0x00056e3c
0x00056e42
0x00056e4a
0x00056e4f
0x00056e51
0x00056eca
0x00056ed3
0x00056ed8
0x00056ee1
0x00056ee3
0x00056ef0
0x00056ef3
0x00056efb
0x00056efd
0x00056f69
0x00056f6f
0x00056f78
0x00056f7d
0x00056f7d
0x00056f83
0x00056f87
0x00056f8d
0x00056f92
0x00056f92
0x00056f97
0x00056f9e
0x00056fa0
0x00056fa5
0x00056fa7
0x00056fac
0x00056fac
0x00056fbd
0x00056fc3
0x00056fd3
0x00056fda
0x00056fec
0x00056ff1
0x00056ff3
0x00056ff5
0x00056ff7
0x00056ff9
0x00056ffa
0x00056fff
0x00057004
0x0005700a
0x0005700c
0x00057033
0x00057040
0x00057044
0x0005704a
0x00057054
0x00057057
0x0005705d
0x00057062
0x0005700e
0x00057012
0x00057017
0x00057021
0x0005702a
0x0005702e
0x0005702f
0x0005702f
0x00057064
0x00057068
0x0005706e
0x0005706e
0x00000000
0x00057064
0x00056eff
0x00056f09
0x00056f0b
0x00056f0e
0x00000000
0x00000000
0x00056f10
0x00056f10
0x00056f14
0x00000000
0x00000000
0x00056f1d
0x00056f2a
0x00056f2f
0x00056f38
0x00056f3c
0x00056f41
0x00056f4b
0x00056f54
0x00056f59
0x00056f5b
0x00056f65
0x00056f65
0x00000000
0x00056f5b
0x00056ee9
0x00056eeb
0x00056eee
0x00000000
0x00000000
0x00000000
0x00056e53
0x00056e54
0x00056e60
0x00056e65
0x00056e6b
0x00056e6f
0x00056e74
0x00056e7e
0x00056e87
0x00056e8c
0x00056e8e
0x00056e98
0x00056e98
0x00056ea3
0x00056eb3
0x00056eb8
0x00056eba
0x00000000
0x00056ebc
0x00056ec0
0x00057070
0x00057070
0x0005707a
0x00057083
0x00057087
0x00057088
0x0005708a
0x0005708e
0x00057094
0x00057094
0x00057096
0x000570a3
0x000570ac
0x000570b0
0x000570b1
0x00000000
0x000570b1
0x00056eba
0x00056d19
0x00056d19
0x00056d20
0x00056d22
0x00056d25
0x00056d27
0x00056d29
0x00056d2e
0x00056d2e
0x00056d3f
0x00056d45
0x00056d5f
0x00056d64
0x00056d76
0x00056d9c
0x00056da5
0x00056dab
0x00056daf
0x00056db0
0x00056db2
0x00056dbc
0x00056dbc
0x00000000
0x00056d78
0x00056d7c
0x00056d81
0x00056d8a
0x00056d90
0x00056d95
0x000570b3
0x000570b3
0x000570b7
0x000570bd
0x000570bd
0x000570c7
0x000570cf
0x000570d0
0x000570d1
0x000570df
0x000570df
0x00056d76

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00056C12
SetWindowLongW.USER32 ref: 00056C25
SendMessageW.USER32(?,0000040A,00000001,00000064), ref: 00056C40
_wcsrchr.LIBCMT ref: 00056ED3
_wcsrchr.LIBCMT ref: 00056EF3
ResumeThread.KERNEL32(?,Function_00002000,?,00000000,00000000,00000004,00000000,?,?,00000066,?,?), ref: 00057044

Strings

http://, xrefs: 00056E5A
ExamShield (Compatibility Check) Program, xrefs: 00056B95
ExamShield Program, xrefs: 00056B9A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: LongWindow_wcsrchr$MessageResumeSendThread
String ID: ExamShield (Compatibility Check) Program$ExamShield Program$http://
API String ID: 3879238834-1264212893
Opcode ID: f663b32ac67792c1bcf3a8955d462f32caefa9dd98c890c77c9b126404656a94
Instruction ID: a159c9bb124dc0c0857309972cbf5348a2bf208254a6b58e1b39140aeaf8de5d
Opcode Fuzzy Hash: f663b32ac67792c1bcf3a8955d462f32caefa9dd98c890c77c9b126404656a94
Instruction Fuzzy Hash: CD02BF716006019FD764DB68CC85BAEB3B5FF84321F1487ACE52A9B2D1DB31AE85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00150836 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00150836(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x1c0454; // 0x885926af
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x1c7c30 = _t6;
				 *0x1c7c2c = _t22;
				 *0x1c7c28 = _t25;
				 *0x1c7c24 = _t21;
				 *0x1c7c20 = _t27;
				 *0x1c7c1c = _t26;
				 *0x1c7c48 = ss;
				 *0x1c7c3c = cs;
				 *0x1c7c18 = ds;
				 *0x1c7c14 = es;
				 *0x1c7c10 = fs;
				 *0x1c7c0c = gs;
				asm("pushfd");
				_pop( *0x1c7c40);
				 *0x1c7c34 =  *_t31;
				 *0x1c7c38 = _v0;
				 *0x1c7c44 =  &_a4;
				 *0x1c7b80 = 0x10001;
				_t11 =  *0x1c7c38; // 0x0
				 *0x1c7b34 = _t11;
				 *0x1c7b28 = 0xc0000409;
				 *0x1c7b2c = 1;
				_t12 =  *0x1c0454; // 0x885926af
				_v812 = _t12;
				_t13 =  *0x1c0458; // 0x77a6d950
				_v808 = _t13;
				 *0x1c7b78 = IsDebuggerPresent();
				_push(1);
				E001631A3(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x19d8cc);
				if( *0x1c7b78 == 0) {
					_push(1);
					E001631A3(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00150836
0x00150836
0x00150836
0x00150836
0x00150836
0x00150836
0x00150836
0x0015083c
0x0015083e
0x0015083e
0x001582fe
0x00158303
0x00158309
0x0015830f
0x00158315
0x0015831b
0x00158321
0x00158328
0x0015832f
0x00158336
0x0015833d
0x00158344
0x0015834b
0x0015834c
0x00158355
0x0015835d
0x00158365
0x00158370
0x0015837a
0x0015837f
0x00158384
0x0015838e
0x00158398
0x0015839d
0x001583a3
0x001583a8
0x001583b4
0x001583b9
0x001583bb
0x001583c3
0x001583ce
0x001583db
0x001583dd
0x001583df
0x001583e4
0x001583f8

APIs

IsDebuggerPresent.KERNEL32 ref: 001583AE
SetUnhandledExceptionFilter.KERNEL32 ref: 001583C3
UnhandledExceptionFilter.KERNEL32(0019D8CC), ref: 001583CE
GetCurrentProcess.KERNEL32(C0000409), ref: 001583EA
TerminateProcess.KERNEL32(00000000), ref: 001583F1

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 56f302a9a6bbc22c33fbecede5e05fb8e9ecdbc05eb14c96216e50a5cdf9da4b
Instruction ID: fa135920bddc440f67a3a8ea92d19de4145df80889550d197adfe6b410542715
Opcode Fuzzy Hash: 56f302a9a6bbc22c33fbecede5e05fb8e9ecdbc05eb14c96216e50a5cdf9da4b
Instruction Fuzzy Hash: 2C21FDB4809206CFD711DF69FD88A543FB4BB08311F10145AE91987AE1EBF4DAC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 000992A2 Relevance: 7.5, APIs: 5, Instructions: 44
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E000992A2(intOrPtr __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, int _a4) {
				signed int _v8;
				char _v264;
				short _v268;
				void* __ebp;
				signed int _t12;
				struct HKL__* _t19;
				intOrPtr _t27;
				void* _t28;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				signed int _t39;

				_t35 = __esi;
				_t34 = __edi;
				_t33 = __edx;
				_t28 = __ecx;
				_t27 = __ebx;
				_t37 = _t39;
				_t12 =  *0x1c0454; // 0x885926af
				_v8 = _t12 ^ _t39;
				if(GetKeyboardState( &_v264) == 0) {
					E000655E0(_t28);
				}
				E00151B30( &_v268, 0, 4);
				_t19 = GetKeyboardLayout( *(E000695BD() + 0x30));
				return E00150836(0 | ToUnicodeEx(_a4, MapVirtualKeyW(_a4, 0),  &_v264,  &_v268, 2, 0, _t19) > 0x00000000, _t27, _v8 ^ _t37, _t33, _t34, _t35);
			}

0x000992a2
0x000992a2
0x000992a2
0x000992a2
0x000992a2
0x000992a5
0x000992ad
0x000992b4
0x000992c6
0x000992c8
0x000992c8
0x000992d8
0x000992e8
0x0009932a

APIs

GetKeyboardState.USER32(?), ref: 000992BE
_memset.LIBCMT ref: 000992D8
GetKeyboardLayout.USER32 ref: 000992E8
MapVirtualKeyW.USER32(?,00000000), ref: 00099306
ToUnicodeEx.USER32 ref: 00099310

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Keyboard$Exception@8LayoutStateThrowUnicodeVirtual_memset
String ID:
API String ID: 505339058-0
Opcode ID: 9b9093a1b63609ff70b3ec7a1a605a0cbd3ba336c7a8b848887f0cd79eda931a
Instruction ID: 89c4c18033a84d50c0f12a707c62954fb8ca163b396663c9bbd41531bc0a6217
Opcode Fuzzy Hash: 9b9093a1b63609ff70b3ec7a1a605a0cbd3ba336c7a8b848887f0cd79eda931a
Instruction Fuzzy Hash: CB016771604208BBDB11AB64DC46FDE77BDAF18700F404065B646D64E1EB709AD4DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0006BB41 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
libraryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0006BB41(intOrPtr __ebx, void* __ecx, intOrPtr __edx, intOrPtr _a4, int _a8) {
				signed int _v8;
				short _v16;
				short _v564;
				intOrPtr _v568;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t15;
				struct HINSTANCE__* _t20;
				intOrPtr* _t27;
				intOrPtr _t34;
				intOrPtr _t39;
				intOrPtr _t40;
				signed int _t41;
				void* _t43;
				intOrPtr _t44;
				signed int _t49;
				void* _t50;

				_t39 = __edx;
				_t34 = __ebx;
				_t47 = _t49;
				_t50 = _t49 - 0x234;
				_t15 =  *0x1c0454; // 0x885926af
				_v8 = _t15 ^ _t49;
				_t53 = _a8 - 0x800;
				_v568 = _a4;
				_t43 = __ecx;
				if(_a8 != 0x800) {
					__eflags = GetLocaleInfoW(_a8, 3,  &_v16, 4);
					if(__eflags == 0) {
						goto L10;
					} else {
						goto L4;
					}
				} else {
					_push(E00150E8C( &_v16, 4, "LOC"));
					E00053DF0();
					_t50 = _t50 + 0x10;
					L4:
					_push(_t40);
					_t41 =  *(E00151F1F(_t53));
					 *(E00151F1F(_t53)) =  *_t23 & 0x00000000;
					_push( &_v16);
					_v568 = E00151EBC( &_v564, 0x112, 0x111, _t43, _v568);
					_t27 = E00151F1F(_t53);
					_t54 =  *_t27;
					if( *_t27 == 0) {
						 *(E00151F1F(__eflags)) = _t41;
					} else {
						E0005CD3F( *((intOrPtr*)(E00151F1F(_t54))));
					}
					_pop(_t40);
					if(_v568 == 0xffffffff || _v568 >= 0x112) {
						L10:
						_t20 = 0;
						__eflags = 0;
					} else {
						_t20 = LoadLibraryExW( &_v564, 0, 0);
					}
				}
				_pop(_t44);
				return E00150836(_t20, _t34, _v8 ^ _t47, _t39, _t40, _t44);
			}

0x0006bb41
0x0006bb41
0x0006bb44
0x0006bb46
0x0006bb4c
0x0006bb53
0x0006bb56
0x0006bb61
0x0006bb67
0x0006bb6c
0x0006bb94
0x0006bb96
0x00000000
0x00000000
0x00000000
0x00000000
0x0006bb6e
0x0006bb7b
0x0006bb7c
0x0006bb81
0x0006bb9c
0x0006bb9c
0x0006bba2
0x0006bba9
0x0006bbaf
0x0006bbd1
0x0006bbd7
0x0006bbdc
0x0006bbdf
0x0006bbf5
0x0006bbe1
0x0006bbe8
0x0006bbed
0x0006bbfe
0x0006bbff
0x0006bc1c
0x0006bc1c
0x0006bc1c
0x0006bc09
0x0006bc14
0x0006bc14
0x0006bbff
0x0006bc23
0x0006bc2a

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,00000800,00000004), ref: 0006BB8E
__snwprintf_s.LIBCMT ref: 0006BBC9
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0006BC14

Part of subcall function 00151F1F: __getptd_noexit.LIBCMT ref: 00151F1F

Strings

LOC, xrefs: 0006BB6E

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: 7a3cf0b04cbd39422110f3f5cb1e3db3ee8c076a96de03d74b408aff9caa2f38
Instruction ID: 96b34d747372d9bc2481e45868d264b5cf55fa56e28112c739054005420cb38b
Opcode Fuzzy Hash: 7a3cf0b04cbd39422110f3f5cb1e3db3ee8c076a96de03d74b408aff9caa2f38
Instruction Fuzzy Hash: C2218670901208FBDB21BB64CC4ABAE77B9AF15711F0000A5B915EF192DB789B88CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000543D0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 45%

			E000543D0(long long __fp0, intOrPtr* _a4) {
				char _v8;
				char _v16;
				intOrPtr* _v20;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t96;
				intOrPtr* _t99;
				intOrPtr* _t103;
				intOrPtr* _t107;
				intOrPtr* _t111;
				intOrPtr* _t115;
				intOrPtr* _t119;
				intOrPtr* _t123;
				intOrPtr* _t127;
				intOrPtr* _t131;
				intOrPtr* _t135;
				intOrPtr* _t139;
				intOrPtr* _t144;
				intOrPtr* _t148;
				signed int _t156;
				void* _t159;
				intOrPtr* _t161;
				intOrPtr* _t227;
				signed int _t229;
				intOrPtr* _t230;
				intOrPtr* _t232;
				intOrPtr* _t234;
				intOrPtr* _t236;
				intOrPtr* _t238;
				intOrPtr* _t240;
				intOrPtr* _t242;
				intOrPtr* _t244;
				intOrPtr* _t246;
				intOrPtr* _t248;
				intOrPtr* _t250;
				intOrPtr* _t252;
				intOrPtr* _t254;
				signed int _t258;
				long long _t259;

				_t259 = __fp0;
				_push(0xffffffff);
				_push(0x174823);
				_push( *[fs:0x0]);
				_push(_t159);
				_t96 =  *0x1c0454; // 0x885926af
				_push(_t96 ^ _t229);
				 *[fs:0x0] =  &_v16;
				_t227 = _a4;
				 *_t227 = 0x1a0f9c;
				_t99 = E00065761();
				_t230 = _t99;
				_t166 = 0 | _t230 == 0x00000000;
				if(_t230 == 0) {
					_push(0x80004005);
					_t99 = E00051330(_t159, _t166, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 8)) =  *((intOrPtr*)( *((intOrPtr*)( *_t99 + 0xc))))() + 0x10;
				_v8 = 0;
				_t103 = E00065761();
				_t232 = _t103;
				_t169 = 0 | _t232 == 0x00000000;
				if(_t232 == 0) {
					_push(0x80004005);
					_t103 = E00051330(_t159, _t169, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)( *_t103 + 0xc))))() + 0x10;
				_v8 = 1;
				_t107 = E00065761();
				_t234 = _t107;
				_t172 = 0 | _t234 == 0x00000000;
				if(_t234 == 0) {
					_push(0x80004005);
					_t107 = E00051330(1, _t172, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)( *_t107 + 0xc))))() + 0x10;
				_v8 = 2;
				_t111 = E00065761();
				_t236 = _t111;
				_t175 = 0 | _t236 == 0x00000000;
				if(_t236 == 0) {
					_push(0x80004005);
					_t111 = E00051330(1, _t175, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)( *_t111 + 0xc))))() + 0x10;
				_v8 = 3;
				_t115 = E00065761();
				_t238 = _t115;
				_t178 = 0 | _t238 == 0x00000000;
				if(_t238 == 0) {
					_push(0x80004005);
					_t115 = E00051330(1, _t178, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)( *_t115 + 0xc))))() + 0x10;
				_v8 = 4;
				_t119 = E00065761();
				_t240 = _t119;
				_t181 = 0 | _t240 == 0x00000000;
				if(_t240 == 0) {
					_push(0x80004005);
					_t119 = E00051330(1, _t181, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *_t119 + 0xc))))() + 0x10;
				_v8 = 5;
				_t123 = E00065761();
				_t242 = _t123;
				_t184 = 0 | _t242 == 0x00000000;
				if(_t242 == 0) {
					_push(0x80004005);
					_t123 = E00051330(1, _t184, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *_t123 + 0xc))))() + 0x10;
				_v8 = 6;
				_t127 = E00065761();
				_t244 = _t127;
				_t187 = 0 | _t244 == 0x00000000;
				if(_t244 == 0) {
					_push(0x80004005);
					_t127 = E00051330(1, _t187, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0xc))))() + 0x10;
				_v8 = 7;
				_t131 = E00065761();
				_t246 = _t131;
				_t190 = 0 | _t246 == 0x00000000;
				if(_t246 == 0) {
					_push(0x80004005);
					_t131 = E00051330(1, _t190, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x28)) =  *((intOrPtr*)( *((intOrPtr*)( *_t131 + 0xc))))() + 0x10;
				_v8 = 8;
				_t135 = E00065761();
				_t248 = _t135;
				_t193 = 0 | _t248 == 0x00000000;
				if(_t248 == 0) {
					_push(0x80004005);
					_t135 = E00051330(1, _t193, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x2c)) =  *((intOrPtr*)( *((intOrPtr*)( *_t135 + 0xc))))() + 0x10;
				_v8 = 9;
				_t139 = E00065761();
				_t250 = _t139;
				_t196 = 0 | _t250 == 0x00000000;
				if(_t250 == 0) {
					_push(0x80004005);
					_t139 = E00051330(1, _t196, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)( *_t139 + 0xc))))() + 0x10;
				_v8 = 0xa;
				asm("fldz");
				 *((long long*)(_t227 + 0x48)) = _t259;
				 *((intOrPtr*)(_t227 + 0x34)) = 0;
				 *((intOrPtr*)(_t227 + 0x38)) = 1;
				 *((intOrPtr*)(_t227 + 0x3c)) = 1;
				 *((intOrPtr*)(_t227 + 0x40)) = 1;
				 *((intOrPtr*)(_t227 + 0x44)) = 1;
				 *((intOrPtr*)(_t227 + 0x50)) = 0;
				 *((intOrPtr*)(_t227 + 0x54)) = 0;
				 *((intOrPtr*)(_t227 + 0x58)) = 0;
				 *((intOrPtr*)(_t227 + 0x5c)) = 0x400;
				 *((intOrPtr*)(_t227 + 0x60)) = 1;
				 *((intOrPtr*)(_t227 + 0x64)) = 1;
				E00056620(1, "*/*");
				_v8 = 0xb;
				 *((intOrPtr*)(_t227 + 0x6c)) = 0;
				 *((intOrPtr*)(_t227 + 0x70)) = 0;
				 *((intOrPtr*)(_t227 + 0x74)) = 0;
				 *((intOrPtr*)(_t227 + 0x78)) = 0;
				_t144 = E00065761();
				_t252 = _t144;
				_t200 = 0 | _t252 == 0x00000000;
				if(_t252 == 0) {
					_push(0x80004005);
					_t144 = E00051330(1, _t200, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)( *_t144 + 0xc))))() + 0x10;
				_v8 = 0xc;
				_t148 = E00065761();
				_t254 = _t148;
				_t203 = 0 | _t254 == 0x00000000;
				_t255 = _t254 == 0;
				if(_t254 == 0) {
					_push(0x80004005);
					_t148 = E00051330(1, _t203, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x80)) =  *((intOrPtr*)( *((intOrPtr*)( *_t148 + 0xc))))() + 0x10;
				_v8 = 0xd;
				 *((short*)(_t227 + 0x84)) = 0;
				 *((intOrPtr*)(_t227 + 0x88)) = 0;
				E0006A523(_t227 + 0x8c, _t255);
				_t161 = _t227 + 0xa0;
				_v8 = 0xe;
				_t207 = _t161;
				_v20 = _t161;
				E0006AD00(_t161, 0);
				_v8 = 0xf;
				 *_t161 = 0x178f6c;
				_t162 = _t161 + 8;
				if(InitializeCriticalSectionAndSpinCount(_t161 + 8, 0) == 0) {
					_t156 = GetLastError();
					if(_t156 > 0) {
						_t156 = _t156 & 0x0000ffff | 0x80070000;
						_t258 = _t156;
					}
					if(_t258 < 0) {
						_push(_t156);
						E00051330(_t162, _t207, 0, _t227);
					}
				}
				 *((intOrPtr*)(_t227 + 0xc0)) = 0;
				 *[fs:0x0] = _v16;
				return _t227;
			}

0x000543d0
0x000543d3
0x000543d5
0x000543e0
0x000543e2
0x000543e5
0x000543ec
0x000543f0
0x000543f6
0x000543f9
0x000543ff
0x00054408
0x0005440a
0x0005440f
0x00054411
0x00054416
0x00054416
0x00054427
0x0005442a
0x0005442d
0x00054434
0x00054436
0x0005443b
0x0005443d
0x00054442
0x00054442
0x00054453
0x0005445b
0x0005445e
0x00054465
0x00054467
0x0005446c
0x0005446e
0x00054473
0x00054473
0x00054484
0x00054487
0x0005448b
0x00054492
0x00054494
0x00054499
0x0005449b
0x000544a0
0x000544a0
0x000544b1
0x000544b4
0x000544b8
0x000544bf
0x000544c1
0x000544c6
0x000544c8
0x000544cd
0x000544cd
0x000544de
0x000544e1
0x000544e5
0x000544ec
0x000544ee
0x000544f3
0x000544f5
0x000544fa
0x000544fa
0x0005450b
0x0005450e
0x00054512
0x00054519
0x0005451b
0x00054520
0x00054522
0x00054527
0x00054527
0x00054538
0x0005453b
0x0005453f
0x00054546
0x00054548
0x0005454d
0x0005454f
0x00054554
0x00054554
0x00054565
0x00054568
0x0005456c
0x00054573
0x00054575
0x0005457a
0x0005457c
0x00054581
0x00054581
0x00054592
0x00054595
0x00054599
0x000545a0
0x000545a2
0x000545a7
0x000545a9
0x000545ae
0x000545ae
0x000545bf
0x000545c2
0x000545c6
0x000545cd
0x000545cf
0x000545d4
0x000545d6
0x000545db
0x000545db
0x000545ec
0x000545ef
0x000545f3
0x000545fa
0x00054600
0x00054603
0x00054606
0x00054609
0x0005460c
0x0005460f
0x00054612
0x00054615
0x00054618
0x0005461f
0x00054622
0x00054625
0x0005462a
0x0005462e
0x00054631
0x00054634
0x00054637
0x0005463a
0x00054641
0x00054643
0x00054648
0x0005464a
0x0005464f
0x0005464f
0x00054660
0x00054663
0x00054667
0x0005466e
0x00054670
0x00054673
0x00054675
0x00054677
0x0005467c
0x0005467c
0x0005468d
0x00054695
0x00054699
0x000546a6
0x000546ac
0x000546b1
0x000546b7
0x000546bc
0x000546be
0x000546c1
0x000546c6
0x000546ca
0x000546d1
0x000546dd
0x000546df
0x000546e7
0x000546ee
0x000546f3
0x000546f3
0x000546f5
0x000546f7
0x000546f8
0x000546f8
0x000546f5
0x000546fd
0x00054708
0x00054716

APIs

Part of subcall function 00051330: _vwprintf.LIBCMT ref: 0005139E
Part of subcall function 00051330: _vswprintf_s.LIBCMT ref: 000513DD

InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,*/*,?,00000000,00174823,000000FF,?,00051603), ref: 000546D5
GetLastError.KERNEL32(?,?,?,?,?,?,*/*,?,00000000,00174823,000000FF,?,00051603,?,0000007C,00000000), ref: 000546DF

Strings

*/*, xrefs: 000545F5

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin_vswprintf_s_vwprintf
String ID: */*
API String ID: 1724895703-54324127
Opcode ID: 1425d98e17614a4708cd0dfb71391ed06a60d08c7c7b1ddb9af16c349d15c173
Instruction ID: c828bbff8d4f4e750fa1ffc36ba15725bf3917c5baad56402c0b1d4a50c73571
Opcode Fuzzy Hash: 1425d98e17614a4708cd0dfb71391ed06a60d08c7c7b1ddb9af16c349d15c173
Instruction Fuzzy Hash: D8A1FD70600A00CFDB50EB78C8927AFB7E1EF84700F288A5DD59BDB752DB34A9859B40

Uniqueness

Uniqueness Score: -1.00%

Function 00052150 Relevance: 4.3, Strings: 3, Instructions: 540
COMMONCrypto

Download Yara Rule

C-Code - Quality: 36%

			E00052150(void* __ebx, intOrPtr __ecx, signed long long __fp0, signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, signed int _a20) {
				char _v8;
				char _v16;
				char _v20;
				char _v36;
				intOrPtr _v72;
				char _v76;
				char _v80;
				char _v84;
				signed int _v88;
				char _v92;
				char _v96;
				char _v100;
				intOrPtr _v112;
				void* __edi;
				void* __esi;
				signed int _t155;
				intOrPtr* _t158;
				signed int _t162;
				signed int _t165;
				intOrPtr* _t168;
				intOrPtr* _t169;
				signed int _t173;
				signed int _t176;
				intOrPtr* _t179;
				intOrPtr* _t180;
				intOrPtr* _t186;
				signed int _t192;
				signed int _t197;
				signed int** _t204;
				intOrPtr* _t205;
				intOrPtr* _t206;
				signed int** _t216;
				signed int** _t218;
				signed int** _t220;
				signed int** _t222;
				intOrPtr* _t224;
				intOrPtr* _t239;
				intOrPtr* _t247;
				signed int _t252;
				intOrPtr* _t259;
				signed int _t264;
				signed int _t316;
				signed int _t356;
				signed int _t361;
				signed int _t369;
				signed int _t371;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				void* _t394;
				intOrPtr _t395;
				intOrPtr _t396;
				signed int _t399;
				void* _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed long long* _t413;
				signed long long* _t414;
				signed long long* _t421;
				intOrPtr* _t422;
				signed int _t424;
				intOrPtr* _t426;
				intOrPtr* _t429;
				signed int _t431;
				intOrPtr* _t433;
				intOrPtr* _t436;
				intOrPtr* _t438;
				intOrPtr* _t441;
				intOrPtr* _t444;
				signed long long _t451;

				_t451 = __fp0;
				_t269 = __ebx;
				_push(0xffffffff);
				_push(0x1742c0);
				_push( *[fs:0x0]);
				_t412 = (_t410 & 0xffffffc0) - 0x6c;
				_push(_t401);
				_push(_t394);
				_t155 =  *0x1c0454; // 0x885926af
				_push(_t155 ^ _t412);
				 *[fs:0x0] =  &_v16;
				_v72 = __ecx;
				_t158 = E00065761();
				_t422 = _t158;
				_t272 = 0 | _t422 == 0x00000000;
				if(_t422 == 0) {
					_push(0x80004005);
					_t158 = E00051330(__ebx, _t272, _t394, _t401);
				}
				_v92 =  *((intOrPtr*)( *((intOrPtr*)( *_t158 + 0xc))))() + 0x10;
				_t402 = _a12;
				_t395 = _a8;
				_v8 = 0;
				_t424 = _t402;
				if(_t424 > 0) {
					L14:
					_t162 = E00065761();
					__eflags = _t162;
					_t275 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t162 = E00051330(_t269, _t275, _t395, _t402);
					}
					_t165 =  *((intOrPtr*)( *((intOrPtr*)( *_t162 + 0xc))))() + 0x10;
					__eflags = _t165;
					_v88 = _t165;
					asm("fild qword [ebp+0xc]");
					_v8 = 3;
					_t413 = _t412 - 8;
					_t451 = _t451 *  *0x1a1b80;
					 *_t413 = _t451;
					_push(L"%0.2f");
					_push( &_v88);
					E00051400();
					_t403 = _v88;
					_t414 =  &(_t413[2]);
					_push(_t403);
					_push(0x7d);
				} else {
					if(_t424 < 0 || _t395 < 0x400) {
						_t259 = E00065761();
						_t426 = _t259;
						_t347 = 0 | _t426 == 0x00000000;
						if(_t426 == 0) {
							_push(0x80004005);
							_t259 = E00051330(_t269, _t347, _t395, _t402);
						}
						_v88 =  *((intOrPtr*)( *((intOrPtr*)( *_t259 + 0xc))))() + 0x10;
						_push(_t402);
						_v8 = 1;
						E00051400( &_v88, L"%I64u", _t395);
						_t403 = _v88;
						_t414 = _t412 + 0x10;
						_push(_t403);
						_push(0x79);
					} else {
						__eflags = _t402;
						if(__eflags > 0) {
							goto L14;
						} else {
							if(__eflags < 0) {
								L11:
								_t264 = E00065761();
								__eflags = _t264;
								_t351 = 0 | __eflags != 0x00000000;
								if(__eflags == 0) {
									_push(0x80004005);
									_t264 = E00051330(_t269, _t351, _t395, _t402);
								}
								_v88 =  *((intOrPtr*)( *((intOrPtr*)( *_t264 + 0xc))))() + 0x10;
								asm("fild qword [ebp+0xc]");
								_v8 = 2;
								_t421 = _t412 - 8;
								_t451 = _t451 *  *0x1a1b88;
								 *_t421 = _t451;
								_push(L"%0.1f");
								_push( &_v88);
								E00051400();
								_t403 = _v88;
								_t414 =  &(_t421[2]);
								_push(_t403);
								_push(0x7b);
							} else {
								__eflags = _t395 - 0x100000;
								if(_t395 >= 0x100000) {
									goto L14;
								} else {
									goto L11;
								}
							}
						}
					}
				}
				_t356 =  &_v92;
				_push(_t356);
				E000691C8();
				_t168 = _t403 - 0x10;
				_v20 = 0;
				asm("lock xadd [ecx], edx");
				if((_t356 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t168)) + 4))))(_t168);
				}
				_t169 = E00065761();
				_t429 = _t169;
				_t280 = 0 | _t429 == 0x00000000;
				if(_t429 == 0) {
					_push(0x80004005);
					_t169 = E00051330(_t269, _t280, _t395, _t403);
				}
				_v96 =  *((intOrPtr*)( *((intOrPtr*)( *_t169 + 0xc))))() + 0x10;
				_t404 = _a20;
				_t396 = _a16;
				_v8 = 4;
				_t431 = _t404;
				if(_t431 > 0) {
					L33:
					_t173 = E00065761();
					__eflags = _t173;
					_t283 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t173 = E00051330(_t269, _t283, _t396, _t404);
					}
					_t176 =  *((intOrPtr*)( *((intOrPtr*)( *_t173 + 0xc))))() + 0x10;
					__eflags = _t176;
					_v88 = _t176;
					asm("fild qword [ebp+0x14]");
					_v8 = 7;
					 *(_t414 - 8) = _t451 *  *0x1a1b80;
					_push(L"%0.2f");
					_push( &_v88);
					E00051400();
					_t405 = _v88;
					_push(_t405);
					_push(0x7d);
				} else {
					if(_t431 < 0 || _t396 < 0x400) {
						_t247 = E00065761();
						_t433 = _t247;
						_t338 = 0 | _t433 == 0x00000000;
						if(_t433 == 0) {
							_push(0x80004005);
							_t247 = E00051330(_t269, _t338, _t396, _t404);
						}
						_v88 =  *((intOrPtr*)( *((intOrPtr*)( *_t247 + 0xc))))() + 0x10;
						_push(_t404);
						_v8 = 5;
						E00051400( &_v88, L"%I64u", _t396);
						_t405 = _v88;
						_push(_t405);
						_push(0x79);
					} else {
						__eflags = _t404;
						if(__eflags > 0) {
							goto L33;
						} else {
							if(__eflags < 0) {
								L30:
								_t252 = E00065761();
								__eflags = _t252;
								_t342 = 0 | __eflags != 0x00000000;
								if(__eflags == 0) {
									_push(0x80004005);
									_t252 = E00051330(_t269, _t342, _t396, _t404);
								}
								_v88 =  *((intOrPtr*)( *((intOrPtr*)( *_t252 + 0xc))))() + 0x10;
								asm("fild qword [ebp+0x14]");
								_v8 = 6;
								 *(_t414 - 8) = _t451 *  *0x1a1b88;
								_push(L"%0.1f");
								_push( &_v88);
								E00051400();
								_t405 = _v88;
								_push(_t405);
								_push(0x7b);
							} else {
								__eflags = _t396 - 0x100000;
								if(_t396 >= 0x100000) {
									goto L33;
								} else {
									goto L30;
								}
							}
						}
					}
				}
				_t361 =  &_v96;
				_push(_t361);
				E000691C8();
				_t179 = _t405 - 0x10;
				_v20 = 4;
				asm("lock xadd [ecx], edx");
				if((_t361 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t179)) + 4))))(_t179);
				}
				_t180 = E00065761();
				_t436 = _t180;
				_t288 = 0 | _t436 == 0x00000000;
				if(_t436 == 0) {
					_push(0x80004005);
					_t180 = E00051330(_t269, _t288, _t396, _t405);
				}
				_v80 =  *((intOrPtr*)( *((intOrPtr*)( *_t180 + 0xc))))() + 0x10;
				_v8 = 8;
				E000691E2(_v96,  &_v80, 0x75, _v92, _v96);
				_t186 = E00065761();
				_t438 = _t186;
				_t292 = 0 | _t438 == 0x00000000;
				if(_t438 == 0) {
					_push(0x80004005);
					_t186 = E00051330(_t269, _t292, _t396, _t405);
				}
				_v100 =  *((intOrPtr*)( *((intOrPtr*)( *_t186 + 0xc))))() + 0x10;
				_t406 = _a4;
				_v8 = 9;
				if(_t406 >= 0x3c) {
					_t398 = 0x88888889 * _t406 >> 0x20 >> 5;
					_t407 = _t406 - (0x88888889 * _t406 >> 0x20 >> 5 << 4) - (0x88888889 * _t406 >> 0x20 >> 5) + (0x88888889 * _t406 >> 0x20 >> 5 << 4) - (0x88888889 * _t406 >> 0x20 >> 5) + (0x88888889 * _t406 >> 0x20 >> 5 << 4) - (0x88888889 * _t406 >> 0x20 >> 5) + (0x88888889 * _t406 >> 0x20 >> 5 << 4) - (0x88888889 * _t406 >> 0x20 >> 5);
					_t192 = E00065761();
					__eflags = _t192;
					_t300 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t192 = E00051330(_t269, _t300, _t398, _t407);
					}
					_v76 =  *((intOrPtr*)( *((intOrPtr*)( *_t192 + 0xc))))() + 0x10;
					_v8 = 0xb;
					E00051400( &_v76, L"%u", _t407);
					_t197 = E00065761();
					__eflags = _t197;
					_t304 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t197 = E00051330(_t269, _t304, _t398, _t407);
					}
					_t369 =  *_t197;
					_v88 =  *((intOrPtr*)( *((intOrPtr*)(_t369 + 0xc))))() + 0x10;
					_v8 = 0xc;
					E00051400( &_v88, L"%u", _t398);
					_t396 = _v76;
					__eflags = _t407;
					_t408 = _v88;
					if(_t407 != 0) {
						E000691E2( &_v88,  &_v100, 0x78, _t408, _t396);
					} else {
						_t369 =  &_v100;
						E000691C8(_t369, 0x77, _t408);
					}
					_t204 = _t408 - 0x10;
					_v8 = 0xb;
					asm("lock xadd [ecx], edx");
					_t371 = (_t369 | 0xffffffff) - 1;
					__eflags = _t371;
					if(_t371 <= 0) {
						_t371 =  *( *_t204);
						 *((intOrPtr*)( *((intOrPtr*)(_t371 + 4))))(_t204);
					}
					_t205 = _t396 - 0x10;
				} else {
					_t239 = E00065761();
					_t441 = _t239;
					_t333 = 0 | _t441 == 0x00000000;
					if(_t441 == 0) {
						_push(0x80004005);
						_t239 = E00051330(_t269, _t333, _t396, _t406);
					}
					_v88 =  *((intOrPtr*)( *((intOrPtr*)( *_t239 + 0xc))))() + 0x10;
					_v8 = 0xa;
					E00051400( &_v88, L"%u", _t406);
					_t408 = _v88;
					_t371 =  &_v100;
					E000691C8(_t371, 0x76, _t408);
					_t205 = _t408 - 0x10;
				}
				_v8 = 9;
				asm("lock xadd [ecx], edx");
				if((_t371 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t205)) + 4))))(_t205);
				}
				_t206 = E00065761();
				_t444 = _t206;
				_t310 = 0 | _t444 == 0x00000000;
				if(_t444 == 0) {
					_push(0x80004005);
					_t206 = E00051330(_t269, _t310, _t396, _t408);
				}
				_v84 =  *((intOrPtr*)( *((intOrPtr*)( *_t206 + 0xc))))() + 0x10;
				_v8 = 0xd;
				E000691E2(_v80,  &_v84, 0x7f, _v100, _v80);
				_t399 = _v88;
				E000634B7(_t399 + 0x248, _v100);
				E00063582(_t399 + 0x248, 1);
				_t316 = _t399 + 0x444;
				E00063582(_t316, 1);
				_v36 = 9;
				_t216 = _v112 + 0xfffffff0;
				_t376 =  &(_t216[3]);
				asm("lock xadd [edx], ecx");
				if((_t316 | 0xffffffff) - 1 <= 0) {
					_t376 =  *( *_t216);
					 *((intOrPtr*)( *((intOrPtr*)(_t376 + 4))))(_t216);
				}
				_v8 = 8;
				_t218 = _v100 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t378 = (_t376 | 0xffffffff) - 1;
				if(_t378 <= 0) {
					_t378 =  *( *_t218);
					 *((intOrPtr*)( *((intOrPtr*)(_t378 + 4))))(_t218);
				}
				_v8 = 4;
				_t220 = _v80 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t380 = (_t378 | 0xffffffff) - 1;
				if(_t380 <= 0) {
					_t380 =  *( *_t220);
					 *((intOrPtr*)( *((intOrPtr*)(_t380 + 4))))(_t220);
				}
				_v8 = 0;
				_t222 = _v96 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t382 = (_t380 | 0xffffffff) - 1;
				if(_t382 <= 0) {
					_t382 =  *( *_t222);
					 *((intOrPtr*)( *((intOrPtr*)(_t382 + 4))))(_t222);
				}
				_v8 = 0xffffffff;
				_t224 = _v92 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				if((_t382 | 0xffffffff) - 1 <= 0) {
					_t224 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t224)) + 4))))(_t224);
				}
				 *[fs:0x0] = _v16;
				return _t224;
			}

0x00052150
0x00052150
0x00052156
0x00052158
0x00052163
0x00052164
0x00052167
0x00052168
0x00052169
0x00052170
0x00052175
0x0005217b
0x0005217f
0x00052186
0x00052188
0x0005218d
0x0005218f
0x00052194
0x00052194
0x000521a5
0x000521a9
0x000521ac
0x000521af
0x000521ba
0x000521bc
0x00052288
0x00052288
0x0005228f
0x00052291
0x00052296
0x00052298
0x0005229d
0x0005229d
0x000522ab
0x000522ab
0x000522ae
0x000522b2
0x000522b5
0x000522bd
0x000522c0
0x000522ca
0x000522cd
0x000522d2
0x000522d3
0x000522d8
0x000522dc
0x000522df
0x000522e0
0x000521c2
0x000521c2
0x000521cc
0x000521d3
0x000521d5
0x000521da
0x000521dc
0x000521e1
0x000521e1
0x000521f2
0x000521f6
0x00052202
0x0005220a
0x0005220f
0x00052213
0x00052216
0x00052217
0x0005221e
0x0005221e
0x00052220
0x00000000
0x00052222
0x00052222
0x0005222c
0x0005222c
0x00052233
0x00052235
0x0005223a
0x0005223c
0x00052241
0x00052241
0x00052252
0x00052256
0x00052259
0x00052261
0x00052264
0x0005226e
0x00052271
0x00052276
0x00052277
0x0005227c
0x00052280
0x00052283
0x00052284
0x00052224
0x00052224
0x0005222a
0x00000000
0x00000000
0x00000000
0x00000000
0x0005222a
0x00052222
0x00052220
0x000521c2
0x000522e2
0x000522e6
0x000522e7
0x000522ec
0x000522ef
0x000522fd
0x00052304
0x0005230e
0x0005230e
0x00052310
0x00052317
0x00052319
0x0005231e
0x00052320
0x00052325
0x00052325
0x00052336
0x0005233a
0x0005233d
0x00052340
0x00052348
0x0005234a
0x00052416
0x00052416
0x0005241d
0x0005241f
0x00052424
0x00052426
0x0005242b
0x0005242b
0x00052439
0x00052439
0x0005243c
0x00052440
0x00052443
0x00052458
0x0005245b
0x00052460
0x00052461
0x00052466
0x0005246d
0x0005246e
0x00052350
0x00052350
0x0005235a
0x00052361
0x00052363
0x00052368
0x0005236a
0x0005236f
0x0005236f
0x00052380
0x00052384
0x00052390
0x00052398
0x0005239d
0x000523a4
0x000523a5
0x000523ac
0x000523ac
0x000523ae
0x00000000
0x000523b0
0x000523b0
0x000523ba
0x000523ba
0x000523c1
0x000523c3
0x000523c8
0x000523ca
0x000523cf
0x000523cf
0x000523e0
0x000523e4
0x000523e7
0x000523fc
0x000523ff
0x00052404
0x00052405
0x0005240a
0x00052411
0x00052412
0x000523b2
0x000523b2
0x000523b8
0x00000000
0x00000000
0x00000000
0x00000000
0x000523b8
0x000523b0
0x000523ae
0x00052350
0x00052470
0x00052474
0x00052475
0x0005247a
0x0005247d
0x0005248b
0x00052492
0x0005249c
0x0005249c
0x0005249e
0x000524a5
0x000524a7
0x000524ac
0x000524ae
0x000524b3
0x000524b3
0x000524c4
0x000524c8
0x000524e1
0x000524e6
0x000524ed
0x000524ef
0x000524f4
0x000524f6
0x000524fb
0x000524fb
0x0005250c
0x00052510
0x00052513
0x0005251e
0x00052587
0x00052595
0x00052597
0x0005259e
0x000525a0
0x000525a5
0x000525a7
0x000525ac
0x000525ac
0x000525bd
0x000525cc
0x000525d4
0x000525dc
0x000525e3
0x000525e5
0x000525ea
0x000525ec
0x000525f1
0x000525f1
0x000525f6
0x00052602
0x00052611
0x00052619
0x0005261e
0x00052625
0x00052627
0x0005262b
0x00052645
0x0005262d
0x00052630
0x00052635
0x00052635
0x0005264a
0x0005264d
0x0005265b
0x0005265f
0x00052660
0x00052662
0x00052666
0x0005266c
0x0005266c
0x0005266e
0x00052520
0x00052520
0x00052527
0x00052529
0x0005252e
0x00052530
0x00052535
0x00052535
0x00052546
0x00052555
0x0005255d
0x00052562
0x0005256c
0x00052571
0x00052576
0x00052576
0x00052677
0x0005267f
0x00052686
0x00052690
0x00052690
0x00052692
0x00052699
0x0005269b
0x000526a0
0x000526a2
0x000526a7
0x000526a7
0x000526b8
0x000526bc
0x000526d5
0x000526de
0x000526e9
0x000526f6
0x000526fd
0x00052703
0x00052708
0x00052714
0x00052717
0x0005271d
0x00052724
0x00052728
0x0005272e
0x0005272e
0x00052730
0x0005273c
0x00052745
0x00052749
0x0005274c
0x00052750
0x00052756
0x00052756
0x00052758
0x00052764
0x0005276d
0x00052771
0x00052774
0x00052778
0x0005277e
0x0005277e
0x00052780
0x0005278c
0x00052795
0x00052799
0x0005279c
0x000527a0
0x000527a6
0x000527a6
0x000527a8
0x000527b7
0x000527c0
0x000527c7
0x000527d1
0x000527d1
0x000527d7
0x000527e4

Strings

%0.2f, xrefs: 000522CD, 0005245B
%0.1f, xrefs: 00052271, 000523FF
%I64u, xrefs: 000521FC, 0005238A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Show
String ID: %0.1f$%0.2f$%I64u
API String ID: 990937876-915588803
Opcode ID: 89ef683b6a939224c75c1babd95c1e7b025f12a781afb784e44fcda5d1a1ab9e
Instruction ID: d153df70b61cecf35869b237735265121d91fdff498561502e4f1e086542c15a
Opcode Fuzzy Hash: 89ef683b6a939224c75c1babd95c1e7b025f12a781afb784e44fcda5d1a1ab9e
Instruction Fuzzy Hash: 7612E0702047419FD754DB68C851B9FB7E5BF8A321F04865CF99ADB292DB30D809CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00057200 Relevance: 4.3, Strings: 3, Instructions: 528
COMMONCrypto

Download Yara Rule

C-Code - Quality: 33%

			E00057200(void* __ebx, signed long long __fp0, signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, signed int _a20) {
				char _v8;
				char _v16;
				char _v20;
				char _v24;
				char _v72;
				char _v76;
				char _v80;
				signed int _v84;
				char _v88;
				char _v92;
				signed int _v96;
				void* __edi;
				void* __esi;
				signed int _t149;
				intOrPtr* _t152;
				signed int _t156;
				signed int _t159;
				intOrPtr* _t162;
				intOrPtr* _t163;
				signed int _t167;
				signed int _t170;
				intOrPtr* _t173;
				intOrPtr* _t174;
				intOrPtr* _t180;
				signed int _t186;
				signed int _t191;
				signed int** _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				signed int** _t207;
				signed int** _t209;
				signed int** _t211;
				signed int** _t213;
				intOrPtr* _t215;
				intOrPtr* _t230;
				intOrPtr* _t238;
				signed int _t243;
				intOrPtr* _t250;
				signed int _t255;
				signed int _t341;
				signed int _t346;
				signed int _t354;
				signed int _t356;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t368;
				void* _t380;
				intOrPtr _t381;
				intOrPtr _t382;
				void* _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t395;
				signed int _t397;
				signed long long* _t398;
				signed long long* _t399;
				signed long long* _t406;
				intOrPtr* _t407;
				signed int _t409;
				intOrPtr* _t411;
				intOrPtr* _t414;
				signed int _t416;
				intOrPtr* _t418;
				intOrPtr* _t421;
				intOrPtr* _t423;
				intOrPtr* _t426;
				intOrPtr* _t429;
				signed long long _t436;

				_t436 = __fp0;
				_t260 = __ebx;
				_push(0xffffffff);
				_push(0x174190);
				_push( *[fs:0x0]);
				_t397 = (_t395 & 0xffffffc0) - 0x6c;
				_push(_t386);
				_push(_t380);
				_t149 =  *0x1c0454; // 0x885926af
				_push(_t149 ^ _t397);
				 *[fs:0x0] =  &_v16;
				_t152 = E00065761();
				_t407 = _t152;
				_t262 = 0 | _t407 == 0x00000000;
				if(_t407 == 0) {
					_push(0x80004005);
					_t152 = E00051330(__ebx, _t262, _t380, _t386);
				}
				_v88 =  *((intOrPtr*)( *((intOrPtr*)( *_t152 + 0xc))))() + 0x10;
				_t387 = _a12;
				_t381 = _a8;
				_v8 = 0;
				_t409 = _t387;
				if(_t409 > 0) {
					L14:
					_t156 = E00065761();
					__eflags = _t156;
					_t265 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t156 = E00051330(_t260, _t265, _t381, _t387);
					}
					_t159 =  *((intOrPtr*)( *((intOrPtr*)( *_t156 + 0xc))))() + 0x10;
					__eflags = _t159;
					_v84 = _t159;
					asm("fild qword [ebp+0xc]");
					_v8 = 3;
					_t398 = _t397 - 8;
					_t436 = _t436 *  *0x1a1b80;
					 *_t398 = _t436;
					_push(L"%0.2f");
					_push( &_v84);
					E00051400();
					_t388 = _v84;
					_t399 =  &(_t398[2]);
					_push(_t388);
					_push(0x7d);
				} else {
					if(_t409 < 0 || _t381 < 0x400) {
						_t250 = E00065761();
						_t411 = _t250;
						_t332 = 0 | _t411 == 0x00000000;
						if(_t411 == 0) {
							_push(0x80004005);
							_t250 = E00051330(_t260, _t332, _t381, _t387);
						}
						_v84 =  *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0xc))))() + 0x10;
						_push(_t387);
						_v8 = 1;
						E00051400( &_v84, L"%I64u", _t381);
						_t388 = _v84;
						_t399 = _t397 + 0x10;
						_push(_t388);
						_push(0x79);
					} else {
						__eflags = _t387;
						if(__eflags > 0) {
							goto L14;
						} else {
							if(__eflags < 0) {
								L11:
								_t255 = E00065761();
								__eflags = _t255;
								_t336 = 0 | __eflags != 0x00000000;
								if(__eflags == 0) {
									_push(0x80004005);
									_t255 = E00051330(_t260, _t336, _t381, _t387);
								}
								_v84 =  *((intOrPtr*)( *((intOrPtr*)( *_t255 + 0xc))))() + 0x10;
								asm("fild qword [ebp+0xc]");
								_v8 = 2;
								_t406 = _t397 - 8;
								_t436 = _t436 *  *0x1a1b88;
								 *_t406 = _t436;
								_push(L"%0.1f");
								_push( &_v84);
								E00051400();
								_t388 = _v84;
								_t399 =  &(_t406[2]);
								_push(_t388);
								_push(0x7b);
							} else {
								__eflags = _t381 - 0x100000;
								if(_t381 >= 0x100000) {
									goto L14;
								} else {
									goto L11;
								}
							}
						}
					}
				}
				_t341 =  &_v88;
				_push(_t341);
				E000691C8();
				_t162 = _t388 - 0x10;
				_v20 = 0;
				asm("lock xadd [ecx], edx");
				if((_t341 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t162)) + 4))))(_t162);
				}
				_t163 = E00065761();
				_t414 = _t163;
				_t270 = 0 | _t414 == 0x00000000;
				if(_t414 == 0) {
					_push(0x80004005);
					_t163 = E00051330(_t260, _t270, _t381, _t388);
				}
				_v92 =  *((intOrPtr*)( *((intOrPtr*)( *_t163 + 0xc))))() + 0x10;
				_t389 = _a20;
				_t382 = _a16;
				_v8 = 4;
				_t416 = _t389;
				if(_t416 > 0) {
					L33:
					_t167 = E00065761();
					__eflags = _t167;
					_t273 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t167 = E00051330(_t260, _t273, _t382, _t389);
					}
					_t170 =  *((intOrPtr*)( *((intOrPtr*)( *_t167 + 0xc))))() + 0x10;
					__eflags = _t170;
					_v84 = _t170;
					asm("fild qword [ebp+0x14]");
					_v8 = 7;
					 *(_t399 - 8) = _t436 *  *0x1a1b80;
					_push(L"%0.2f");
					_push( &_v84);
					E00051400();
					_t390 = _v84;
					_push(_t390);
					_push(0x7d);
				} else {
					if(_t416 < 0 || _t382 < 0x400) {
						_t238 = E00065761();
						_t418 = _t238;
						_t323 = 0 | _t418 == 0x00000000;
						if(_t418 == 0) {
							_push(0x80004005);
							_t238 = E00051330(_t260, _t323, _t382, _t389);
						}
						_v84 =  *((intOrPtr*)( *((intOrPtr*)( *_t238 + 0xc))))() + 0x10;
						_push(_t389);
						_v8 = 5;
						E00051400( &_v84, L"%I64u", _t382);
						_t390 = _v84;
						_push(_t390);
						_push(0x79);
					} else {
						__eflags = _t389;
						if(__eflags > 0) {
							goto L33;
						} else {
							if(__eflags < 0) {
								L30:
								_t243 = E00065761();
								__eflags = _t243;
								_t327 = 0 | __eflags != 0x00000000;
								if(__eflags == 0) {
									_push(0x80004005);
									_t243 = E00051330(_t260, _t327, _t382, _t389);
								}
								_v84 =  *((intOrPtr*)( *((intOrPtr*)( *_t243 + 0xc))))() + 0x10;
								asm("fild qword [ebp+0x14]");
								_v8 = 6;
								 *(_t399 - 8) = _t436 *  *0x1a1b88;
								_push(L"%0.1f");
								_push( &_v84);
								E00051400();
								_t390 = _v84;
								_push(_t390);
								_push(0x7b);
							} else {
								__eflags = _t382 - 0x100000;
								if(_t382 >= 0x100000) {
									goto L33;
								} else {
									goto L30;
								}
							}
						}
					}
				}
				_t346 =  &_v92;
				_push(_t346);
				E000691C8();
				_t173 = _t390 - 0x10;
				_v20 = 4;
				asm("lock xadd [ecx], edx");
				if((_t346 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t173)) + 4))))(_t173);
				}
				_t174 = E00065761();
				_t421 = _t174;
				_t278 = 0 | _t421 == 0x00000000;
				if(_t421 == 0) {
					_push(0x80004005);
					_t174 = E00051330(_t260, _t278, _t382, _t390);
				}
				_v80 =  *((intOrPtr*)( *((intOrPtr*)( *_t174 + 0xc))))() + 0x10;
				_v8 = 8;
				E000691E2(_v92,  &_v80, 0x75, _v88, _v92);
				_t180 = E00065761();
				_t423 = _t180;
				_t282 = 0 | _t423 == 0x00000000;
				if(_t423 == 0) {
					_push(0x80004005);
					_t180 = E00051330(_t260, _t282, _t382, _t390);
				}
				_v96 =  *((intOrPtr*)( *((intOrPtr*)( *_t180 + 0xc))))() + 0x10;
				_t391 = _a4;
				_v8 = 9;
				if(_t391 >= 0x3c) {
					_t384 = 0x88888889 * _t391 >> 0x20 >> 5;
					_t392 = _t391 - (0x88888889 * _t391 >> 0x20 >> 5 << 4) - (0x88888889 * _t391 >> 0x20 >> 5) + (0x88888889 * _t391 >> 0x20 >> 5 << 4) - (0x88888889 * _t391 >> 0x20 >> 5) + (0x88888889 * _t391 >> 0x20 >> 5 << 4) - (0x88888889 * _t391 >> 0x20 >> 5) + (0x88888889 * _t391 >> 0x20 >> 5 << 4) - (0x88888889 * _t391 >> 0x20 >> 5);
					_t186 = E00065761();
					__eflags = _t186;
					_t290 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t186 = E00051330(_t260, _t290, _t384, _t392);
					}
					_v76 =  *((intOrPtr*)( *((intOrPtr*)( *_t186 + 0xc))))() + 0x10;
					_v8 = 0xb;
					E00051400( &_v76, L"%u", _t392);
					_t191 = E00065761();
					__eflags = _t191;
					_t294 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t191 = E00051330(_t260, _t294, _t384, _t392);
					}
					_t354 =  *_t191;
					_v84 =  *((intOrPtr*)( *((intOrPtr*)(_t354 + 0xc))))() + 0x10;
					_v8 = 0xc;
					E00051400( &_v84, L"%u", _t384);
					_t382 = _v76;
					__eflags = _t392;
					_t393 = _v84;
					if(_t392 != 0) {
						E000691E2( &_v84,  &_v96, 0x78, _t393, _t382);
					} else {
						_t354 =  &_v96;
						E000691C8(_t354, 0x77, _t393);
					}
					_t198 = _t393 - 0x10;
					_v8 = 0xb;
					asm("lock xadd [ecx], edx");
					_t356 = (_t354 | 0xffffffff) - 1;
					__eflags = _t356;
					if(_t356 <= 0) {
						_t356 =  *( *_t198);
						 *((intOrPtr*)( *((intOrPtr*)(_t356 + 4))))(_t198);
					}
					_t199 = _t382 - 0x10;
				} else {
					_t230 = E00065761();
					_t426 = _t230;
					_t318 = 0 | _t426 == 0x00000000;
					if(_t426 == 0) {
						_push(0x80004005);
						_t230 = E00051330(_t260, _t318, _t382, _t391);
					}
					_v84 =  *((intOrPtr*)( *((intOrPtr*)( *_t230 + 0xc))))() + 0x10;
					_v8 = 0xa;
					E00051400( &_v84, L"%u", _t391);
					_t393 = _v84;
					_t356 =  &_v96;
					E000691C8(_t356, 0x76, _t393);
					_t199 = _t393 - 0x10;
				}
				_v8 = 9;
				asm("lock xadd [ecx], edx");
				if((_t356 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t199)) + 4))))(_t199);
				}
				_t200 = E00065761();
				_t429 = _t200;
				_t300 = 0 | _t429 == 0x00000000;
				if(_t429 == 0) {
					_push(0x80004005);
					_t200 = E00051330(_t260, _t300, _t382, _t393);
				}
				_v72 =  *((intOrPtr*)( *((intOrPtr*)( *_t200 + 0xc))))() + 0x10;
				_v8 = 0xd;
				_t360 = _v96;
				E000691E2(_v80,  &_v72, 0x7f, _t360, _v80);
				_v24 = 9;
				_t207 = _v88 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t362 = (_t360 | 0xffffffff) - 1;
				if(_t362 <= 0) {
					_t362 =  *( *_t207);
					 *((intOrPtr*)( *((intOrPtr*)(_t362 + 4))))(_t207);
				}
				_v8 = 8;
				_t209 = _v96 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t364 = (_t362 | 0xffffffff) - 1;
				if(_t364 <= 0) {
					_t364 =  *( *_t209);
					 *((intOrPtr*)( *((intOrPtr*)(_t364 + 4))))(_t209);
				}
				_v8 = 4;
				_t211 = _v80 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t366 = (_t364 | 0xffffffff) - 1;
				if(_t366 <= 0) {
					_t366 =  *( *_t211);
					 *((intOrPtr*)( *((intOrPtr*)(_t366 + 4))))(_t211);
				}
				_v8 = 0;
				_t213 = _v92 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t368 = (_t366 | 0xffffffff) - 1;
				if(_t368 <= 0) {
					_t368 =  *( *_t213);
					 *((intOrPtr*)( *((intOrPtr*)(_t368 + 4))))(_t213);
				}
				_v8 = 0xffffffff;
				_t215 = _v88 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				if((_t368 | 0xffffffff) - 1 <= 0) {
					_t215 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t215)) + 4))))(_t215);
				}
				 *[fs:0x0] = _v16;
				return _t215;
			}

0x00057200
0x00057200
0x00057206
0x00057208
0x00057213
0x00057214
0x00057217
0x00057218
0x00057219
0x00057220
0x00057225
0x0005722b
0x00057232
0x00057234
0x00057239
0x0005723b
0x00057240
0x00057240
0x00057251
0x00057255
0x00057258
0x0005725b
0x00057266
0x00057268
0x00057334
0x00057334
0x0005733b
0x0005733d
0x00057342
0x00057344
0x00057349
0x00057349
0x00057357
0x00057357
0x0005735a
0x0005735e
0x00057361
0x00057369
0x0005736c
0x00057376
0x00057379
0x0005737e
0x0005737f
0x00057384
0x00057388
0x0005738b
0x0005738c
0x0005726e
0x0005726e
0x00057278
0x0005727f
0x00057281
0x00057286
0x00057288
0x0005728d
0x0005728d
0x0005729e
0x000572a2
0x000572ae
0x000572b6
0x000572bb
0x000572bf
0x000572c2
0x000572c3
0x000572ca
0x000572ca
0x000572cc
0x00000000
0x000572ce
0x000572ce
0x000572d8
0x000572d8
0x000572df
0x000572e1
0x000572e6
0x000572e8
0x000572ed
0x000572ed
0x000572fe
0x00057302
0x00057305
0x0005730d
0x00057310
0x0005731a
0x0005731d
0x00057322
0x00057323
0x00057328
0x0005732c
0x0005732f
0x00057330
0x000572d0
0x000572d0
0x000572d6
0x00000000
0x00000000
0x00000000
0x00000000
0x000572d6
0x000572ce
0x000572cc
0x0005726e
0x0005738e
0x00057392
0x00057393
0x00057398
0x0005739b
0x000573a9
0x000573b0
0x000573ba
0x000573ba
0x000573bc
0x000573c3
0x000573c5
0x000573ca
0x000573cc
0x000573d1
0x000573d1
0x000573e2
0x000573e6
0x000573e9
0x000573ec
0x000573f4
0x000573f6
0x000574c2
0x000574c2
0x000574c9
0x000574cb
0x000574d0
0x000574d2
0x000574d7
0x000574d7
0x000574e5
0x000574e5
0x000574e8
0x000574ec
0x000574ef
0x00057504
0x00057507
0x0005750c
0x0005750d
0x00057512
0x00057519
0x0005751a
0x000573fc
0x000573fc
0x00057406
0x0005740d
0x0005740f
0x00057414
0x00057416
0x0005741b
0x0005741b
0x0005742c
0x00057430
0x0005743c
0x00057444
0x00057449
0x00057450
0x00057451
0x00057458
0x00057458
0x0005745a
0x00000000
0x0005745c
0x0005745c
0x00057466
0x00057466
0x0005746d
0x0005746f
0x00057474
0x00057476
0x0005747b
0x0005747b
0x0005748c
0x00057490
0x00057493
0x000574a8
0x000574ab
0x000574b0
0x000574b1
0x000574b6
0x000574bd
0x000574be
0x0005745e
0x0005745e
0x00057464
0x00000000
0x00000000
0x00000000
0x00000000
0x00057464
0x0005745c
0x0005745a
0x000573fc
0x0005751c
0x00057520
0x00057521
0x00057526
0x00057529
0x00057537
0x0005753e
0x00057548
0x00057548
0x0005754a
0x00057551
0x00057553
0x00057558
0x0005755a
0x0005755f
0x0005755f
0x00057570
0x00057574
0x0005758d
0x00057592
0x00057599
0x0005759b
0x000575a0
0x000575a2
0x000575a7
0x000575a7
0x000575b8
0x000575bc
0x000575bf
0x000575ca
0x00057633
0x00057641
0x00057643
0x0005764a
0x0005764c
0x00057651
0x00057653
0x00057658
0x00057658
0x00057669
0x00057678
0x00057680
0x00057688
0x0005768f
0x00057691
0x00057696
0x00057698
0x0005769d
0x0005769d
0x000576a2
0x000576ae
0x000576bd
0x000576c5
0x000576ca
0x000576d1
0x000576d3
0x000576d7
0x000576f1
0x000576d9
0x000576dc
0x000576e1
0x000576e1
0x000576f6
0x000576f9
0x00057707
0x0005770b
0x0005770c
0x0005770e
0x00057712
0x00057718
0x00057718
0x0005771a
0x000575cc
0x000575cc
0x000575d3
0x000575d5
0x000575da
0x000575dc
0x000575e1
0x000575e1
0x000575f2
0x00057601
0x00057609
0x0005760e
0x00057618
0x0005761d
0x00057622
0x00057622
0x00057723
0x0005772b
0x00057732
0x0005773c
0x0005773c
0x0005773e
0x00057745
0x00057747
0x0005774c
0x0005774e
0x00057753
0x00057753
0x00057764
0x00057768
0x00057774
0x00057781
0x00057786
0x00057792
0x0005779b
0x0005779f
0x000577a2
0x000577a6
0x000577ac
0x000577ac
0x000577ae
0x000577ba
0x000577c3
0x000577c7
0x000577ca
0x000577ce
0x000577d4
0x000577d4
0x000577d6
0x000577e2
0x000577eb
0x000577ef
0x000577f2
0x000577f6
0x000577fc
0x000577fc
0x000577fe
0x0005780a
0x00057813
0x00057817
0x0005781a
0x0005781e
0x00057824
0x00057824
0x00057826
0x00057835
0x0005783e
0x00057845
0x0005784f
0x0005784f
0x00057855
0x00057862

Strings

%0.2f, xrefs: 00057379, 00057507
%0.1f, xrefs: 0005731D, 000574AB
%I64u, xrefs: 000572A8, 00057436

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID:
String ID: %0.1f$%0.2f$%I64u
API String ID: 0-915588803
Opcode ID: 2d0248dc64c5e3756b0b0b639a98c90a183f40dd8452862a2cfcd18baa83dc5a
Instruction ID: aaf899f8d3d83a9742ae8648196d051320fa5240557bf305b5177bb9e3b1a738
Opcode Fuzzy Hash: 2d0248dc64c5e3756b0b0b639a98c90a183f40dd8452862a2cfcd18baa83dc5a
Instruction Fuzzy Hash: A512E1302087019FE754DB28DC55B9FB7E5BF89321F148A5CF999CB2A2DB309809DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0006FD0F Relevance: 64.8, APIs: 43, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E0006FD0F(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t109;
				signed int _t111;
				long _t114;
				long _t115;
				long _t116;
				long _t117;
				long _t118;
				long _t119;
				long _t124;
				long _t135;
				struct HBRUSH__* _t136;
				struct HBRUSH__* _t137;
				struct HBRUSH__* _t139;
				long _t198;
				long _t200;
				signed int _t203;
				signed char _t237;
				void* _t252;
				intOrPtr _t256;
				void* _t257;
				void* _t264;
				void* _t266;
				void* _t268;

				_t245 = __edx;
				_push(0x20);
				E00151A19(0x1693b3, __ebx, __edi, __esi);
				_t256 = __ecx;
				_t252 = GetSysColor;
				if(GetSysColor(0x16) != 0xffffff) {
					L3:
					_t109 = 0;
					__eflags = 0;
				} else {
					_t200 = GetSysColor(0xf);
					if(_t200 != 0) {
						goto L3;
					} else {
						_t109 = _t200 + 1;
					}
				}
				 *((intOrPtr*)(_t256 + 0x184)) = _t109;
				if(GetSysColor(0x15) != 0) {
					L7:
					_t111 = 0;
					__eflags = 0;
				} else {
					_t198 = GetSysColor(0xf);
					_t262 = _t198 - 0xffffff;
					if(_t198 != 0xffffff) {
						goto L7;
					} else {
						_t111 = 1;
					}
				}
				_t203 = 0;
				_push(0);
				 *((intOrPtr*)(_t256 + 0x188)) = _t111;
				E0006661F(0, _t257 - 0x2c, _t245, _t252, _t256, _t262);
				 *(_t257 - 4) = 0;
				 *((intOrPtr*)(_t256 + 0x1ac)) = GetDeviceCaps( *(_t257 - 0x24), 0xc);
				_t114 = GetSysColor(0xf);
				 *(_t256 + 0x14) = _t114;
				 *(_t256 + 0x4c) = _t114;
				_t115 = GetSysColor(0x10);
				 *(_t256 + 0x18) = _t115;
				 *(_t256 + 0x50) = _t115;
				_t116 = GetSysColor(0x15);
				 *(_t256 + 0x28) = _t116;
				 *(_t256 + 0x58) = _t116;
				_t117 = GetSysColor(0x16);
				 *(_t256 + 0x2c) = _t117;
				 *(_t256 + 0x5c) = _t117;
				_t118 = GetSysColor(0x14);
				 *(_t256 + 0x1c) = _t118;
				 *(_t256 + 0x54) = _t118;
				_t119 = GetSysColor(0x12);
				 *(_t256 + 0x20) = _t119;
				 *(_t256 + 0x60) = _t119;
				 *((intOrPtr*)(_t256 + 0x30)) = GetSysColor(0x11);
				 *((intOrPtr*)(_t256 + 0x24)) = GetSysColor(6);
				 *(_t256 + 0x34) = GetSysColor(0xd);
				 *((intOrPtr*)(_t256 + 0x38)) = GetSysColor(0xe);
				_t124 = GetSysColor(5);
				 *(_t256 + 0x64) = _t124;
				 *(_t256 + 0x48) = _t124;
				 *(_t256 + 0x68) = GetSysColor(8);
				 *((intOrPtr*)(_t256 + 0x6c)) = GetSysColor(9);
				 *((intOrPtr*)(_t256 + 0x70)) = GetSysColor(7);
				 *(_t256 + 0x74) = GetSysColor(2);
				 *(_t256 + 0x78) = GetSysColor(3);
				 *((intOrPtr*)(_t256 + 0x80)) = GetSysColor(0x1b);
				 *((intOrPtr*)(_t256 + 0x84)) = GetSysColor(0x1c);
				 *((intOrPtr*)(_t256 + 0x88)) = GetSysColor(0xa);
				 *((intOrPtr*)(_t256 + 0x8c)) = GetSysColor(0xb);
				 *((intOrPtr*)(_t256 + 0x7c)) = GetSysColor(0x13);
				if( *((intOrPtr*)(_t256 + 0x184)) == 0) {
					_t135 = GetSysColor(0x1a);
					 *(_t256 + 0x40) = 0xff0000;
					 *(_t256 + 0x44) = 0x800080;
				} else {
					_t135 =  *(_t256 + 0x68);
					 *(_t256 + 0x40) = _t135;
					 *(_t256 + 0x44) = _t135;
				}
				 *(_t256 + 0x3c) = _t135;
				_t136 = GetSysColorBrush(0x10);
				_t264 = _t136 - _t203;
				_t208 = 0 | _t264 != 0x00000000;
				 *(_t256 + 0xc) = _t136;
				if(_t264 != 0 == _t203) {
					L12:
					E000655E0(_t208);
				}
				_t137 = GetSysColorBrush(0x14);
				_t266 = _t137 - _t203;
				_t208 = 0 | _t266 != 0x00000000;
				 *(_t256 + 8) = _t137;
				if(_t266 != 0 == _t203) {
					goto L12;
				}
				_t139 = GetSysColorBrush(5);
				_t268 = _t139 - _t203;
				_t208 = 0 | _t268 != 0x00000000;
				 *(_t256 + 0x10) = _t139;
				if(_t268 != 0 == _t203) {
					goto L12;
				}
				E00066824(_t256 + 0x90);
				_t254 = CreateSolidBrush;
				E000667CA(_t203, _t256 + 0x90, _t245, CreateSolidBrush, CreateSolidBrush( *(_t256 + 0x14)));
				E00066824(_t256 + 0xc8);
				E000667CA(_t203, _t256 + 0xc8, _t245, CreateSolidBrush, CreateSolidBrush( *(_t256 + 0x4c)));
				E00066824(_t256 + 0xb0);
				E000667CA(_t203, _t256 + 0xb0, _t245, _t254, CreateSolidBrush( *(_t256 + 0x74)));
				E00066824(_t256 + 0xb8);
				E000667CA(_t203, _t256 + 0xb8, _t245, _t254, CreateSolidBrush( *(_t256 + 0x78)));
				E00066824(_t256 + 0x98);
				E000667CA(_t203, _t256 + 0x98, _t245, _t254, CreateSolidBrush( *(_t256 + 0x34)));
				E00066824(_t256 + 0xa8);
				E000667CA(_t203, _t256 + 0xa8, _t245, _t254, CreateSolidBrush( *(_t256 + 0x28)));
				E00066824(_t256 + 0xc0);
				E000667CA(_t203, _t256 + 0xc0, _t245, _t254, CreateSolidBrush( *(_t256 + 0x64)));
				E00066824(_t256 + 0xd0);
				_t204 = CreatePen;
				E000667CA(CreatePen, _t256 + 0xd0, _t245, _t254, CreatePen(0, 1,  *0x1c39cc));
				E00066824(_t256 + 0xd8);
				E000667CA(CreatePen, _t256 + 0xd8, _t245, _t254, CreatePen(0, 1,  *0x1c39e4));
				E00066824(_t256 + 0xe0);
				E000667CA(_t204, _t256 + 0xe0, _t245, _t254, CreatePen(0, 1,  *0x1c39e8));
				_t203 = _t256 + 0xa0;
				if(_t203 != 0 &&  *((intOrPtr*)(_t203 + 4)) != 0) {
					E00066824(_t203);
				}
				if( *((intOrPtr*)(_t256 + 0x1ac)) <= 8) {
					__eflags = E0006EBDD(_t203,  *((intOrPtr*)(_t257 - 0x28)));
					_t208 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						goto L12;
					} else {
						_t94 = _t257 - 0x14;
						 *_t94 =  *(_t257 - 0x14) & 0x00000000;
						__eflags =  *_t94;
						_t256 = 0x179fa0;
						 *((intOrPtr*)(_t257 - 0x18)) = 0x179fa0;
						 *(_t257 - 4) = 1;
						E000667CA(_t203, _t257 - 0x18, _t245, _t254, _t170);
						E000667CA(_t203, _t203, _t245, _t254, CreatePatternBrush( *(_t257 - 0x14)));
						 *(_t257 - 4) = 0;
						 *((intOrPtr*)(_t257 - 0x18)) = 0x179fa0;
						E00051420(_t257 - 0x18, _t245);
					}
				} else {
					_t237 =  *((intOrPtr*)(_t256 + 0x16));
					 *(_t257 - 0xd) =  *(_t256 + 0x14);
					_t246 = _t237 & 0x000000ff;
					asm("cdq");
					_t247 =  *(_t256 + 0x15) & 0x000000ff;
					asm("cdq");
					_t245 =  *(_t257 - 0xd) & 0x000000ff;
					asm("cdq");
					E000667CA(_t203, _t203, _t245, _t254, CreateSolidBrush((((( *(_t256 + 0x1e) & 0x000000ff) - (_t237 & 0x000000ff) - _t246 >> 0x00000001) + _t237 & 0x000000ff) << 0x00000008 | (( *(_t256 + 0x1d) & 0x000000ff) - ( *(_t256 + 0x15) & 0x000000ff) - _t247 >> 0x00000001) + ( *(_t256 + 0x15) & 0x000000ff) & 0x000000ff) << 0x00000008 | (( *(_t256 + 0x1c) & 0x000000ff) - ( *(_t257 - 0xd) & 0x000000ff) - _t245 >> 0x00000001) +  *(_t257 - 0xd) & 0x000000ff));
				}
				E00099AAC();
				_t103 = _t257 - 4;
				 *(_t257 - 4) =  *(_t257 - 4) | 0xffffffff;
				 *0x1c5394 = 1;
				return E00151AF1(E00066673(_t203, _t257 - 0x2c, _t245, _t254, _t256,  *_t103));
			}

0x0006fd0f
0x0006fd0f
0x0006fd16
0x0006fd1b
0x0006fd1d
0x0006fd2e
0x0006fd3b
0x0006fd3b
0x0006fd3b
0x0006fd30
0x0006fd32
0x0006fd36
0x00000000
0x0006fd38
0x0006fd38
0x0006fd38
0x0006fd36
0x0006fd3f
0x0006fd49
0x0006fd58
0x0006fd58
0x0006fd58
0x0006fd4b
0x0006fd4d
0x0006fd4f
0x0006fd51
0x00000000
0x0006fd53
0x0006fd55
0x0006fd55
0x0006fd51
0x0006fd5a
0x0006fd5c
0x0006fd60
0x0006fd66
0x0006fd70
0x0006fd7b
0x0006fd81
0x0006fd85
0x0006fd88
0x0006fd8b
0x0006fd8f
0x0006fd92
0x0006fd95
0x0006fd99
0x0006fd9c
0x0006fd9f
0x0006fda3
0x0006fda6
0x0006fda9
0x0006fdad
0x0006fdb0
0x0006fdb3
0x0006fdb7
0x0006fdba
0x0006fdc1
0x0006fdc8
0x0006fdcf
0x0006fdd6
0x0006fdd9
0x0006fddd
0x0006fde0
0x0006fde7
0x0006fdee
0x0006fdf5
0x0006fdfc
0x0006fe03
0x0006fe0a
0x0006fe14
0x0006fe1e
0x0006fe28
0x0006fe30
0x0006fe39
0x0006fe48
0x0006fe4a
0x0006fe51
0x0006fe3b
0x0006fe3b
0x0006fe3e
0x0006fe41
0x0006fe41
0x0006fe60
0x0006fe63
0x0006fe67
0x0006fe69
0x0006fe6c
0x0006fe71
0x0006fe73
0x0006fe73
0x0006fe73
0x0006fe7a
0x0006fe7e
0x0006fe80
0x0006fe83
0x0006fe88
0x00000000
0x00000000
0x0006fe8c
0x0006fe90
0x0006fe92
0x0006fe95
0x0006fe9a
0x00000000
0x00000000
0x0006fea2
0x0006feaa
0x0006feb9
0x0006fec4
0x0006fed5
0x0006fee0
0x0006fef1
0x0006fefc
0x0006ff0d
0x0006ff18
0x0006ff29
0x0006ff34
0x0006ff45
0x0006ff50
0x0006ff61
0x0006ff6c
0x0006ff77
0x0006ff8a
0x0006ff95
0x0006ffad
0x0006ffb8
0x0006ffd0
0x0006ffd5
0x0006ffdd
0x0006ffe7
0x0006ffe7
0x0006fff3
0x00070063
0x00070065
0x0007006a
0x00000000
0x00070070
0x00070070
0x00070070
0x00070070
0x00070074
0x00070079
0x00070080
0x00070084
0x00070095
0x0007009d
0x000700a1
0x000700a4
0x000700a4
0x0006fff5
0x0006fff5
0x0006fffb
0x00070002
0x00070007
0x0007000a
0x0007001b
0x0007002b
0x0007003a
0x00070050
0x00070050
0x000700a9
0x000700ae
0x000700ae
0x000700b5
0x000700c9

APIs

__EH_prolog3.LIBCMT ref: 0006FD16
GetSysColor.USER32 ref: 0006FD25
GetSysColor.USER32 ref: 0006FD32
GetSysColor.USER32 ref: 0006FD45
GetSysColor.USER32 ref: 0006FD4D
GetDeviceCaps.GDI32(?,0000000C), ref: 0006FD73
GetSysColor.USER32 ref: 0006FD81
GetSysColor.USER32 ref: 0006FD8B
GetSysColor.USER32 ref: 0006FD95
GetSysColor.USER32 ref: 0006FD9F
GetSysColor.USER32 ref: 0006FDA9
GetSysColor.USER32 ref: 0006FDB3
GetSysColor.USER32 ref: 0006FDBD
GetSysColor.USER32 ref: 0006FDC4
GetSysColor.USER32 ref: 0006FDCB
GetSysColor.USER32 ref: 0006FDD2
GetSysColor.USER32 ref: 0006FDD9
GetSysColor.USER32 ref: 0006FDE3
GetSysColor.USER32 ref: 0006FDEA
GetSysColor.USER32 ref: 0006FDF1
GetSysColor.USER32 ref: 0006FDF8
GetSysColor.USER32 ref: 0006FDFF
GetSysColor.USER32 ref: 0006FE06
GetSysColor.USER32 ref: 0006FE10
GetSysColor.USER32 ref: 0006FE1A
GetSysColor.USER32 ref: 0006FE24
GetSysColor.USER32 ref: 0006FE2E
GetSysColor.USER32 ref: 0006FE48
GetSysColorBrush.USER32 ref: 0006FE63
GetSysColorBrush.USER32 ref: 0006FE7A
GetSysColorBrush.USER32 ref: 0006FE8C
CreateSolidBrush.GDI32(?), ref: 0006FEB0
CreateSolidBrush.GDI32(?), ref: 0006FECC
CreateSolidBrush.GDI32(?), ref: 0006FEE8
CreateSolidBrush.GDI32(?), ref: 0006FF04
CreateSolidBrush.GDI32(?), ref: 0006FF20
CreateSolidBrush.GDI32(?), ref: 0006FF3C
CreateSolidBrush.GDI32(?), ref: 0006FF58
CreatePen.GDI32(00000000,00000001,00000000), ref: 0006FF81
CreatePen.GDI32(00000000,00000001,00000000), ref: 0006FFA4
CreatePen.GDI32(00000000,00000001,00000000), ref: 0006FFC7
CreateSolidBrush.GDI32(?), ref: 0007004B
CreatePatternBrush.GDI32(00000000), ref: 0007008C

Part of subcall function 00066824: DeleteObject.GDI32(00000000), ref: 00066833

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: 2c9369f823125f0bb0ed2dd662fcad052198f7e120a3db29e84f7a689be80967
Instruction ID: 8c815d56b6cf48e130898a24e961ff1ffdd0a0b00480c3b23ce82eb72ce72159
Opcode Fuzzy Hash: 2c9369f823125f0bb0ed2dd662fcad052198f7e120a3db29e84f7a689be80967
Instruction Fuzzy Hash: 87B16C70900B449FD720AF75CC59BEBBAE6AF84704F00492DE29686592EE71A548DF60

Uniqueness

Uniqueness Score: -1.00%

Function 000BB48F Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 323
fileCOMMON

Download Yara Rule

C-Code - Quality: 99%

			E000BB48F(void* __ebx, intOrPtr* __ecx, void* __edx, void** __edi, void* __esi, void* __eflags) {
				int _t125;
				void* _t128;
				void* _t132;
				int _t136;
				signed char _t139;
				signed int _t140;
				int _t152;
				void* _t153;
				int _t155;
				int _t156;
				int _t160;
				long _t168;
				long _t169;
				void* _t178;
				void* _t182;
				void* _t183;
				int _t185;
				int _t221;
				void* _t229;
				intOrPtr* _t232;
				void* _t233;
				void* _t235;

				_t230 = __edi;
				_t229 = __edx;
				_push(0xa90);
				E00151A82(0x16ce62, __ebx, __edi, __esi);
				_t125 =  *(_t235 + 8);
				_t232 = __ecx;
				 *((intOrPtr*)(_t235 - 0xa40)) = __ecx;
				 *(_t235 - 0xa30) = _t125;
				if( *((intOrPtr*)(__ecx + 0x24)) == 0) {
					__eflags = _t125;
					_t208 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						E000655E0(_t208);
					}
					_t230 = _t232 + 0x88;
					E00071DB5(_t230);
					E00056620(0,  *(_t235 - 0xa30));
					 *((intOrPtr*)(_t235 - 4)) = 0;
					_t128 = E0006C4BC(_t235 - 0xa2c, 0x1a18bc, 0);
					__eflags = _t128 - 0xffffffff;
					if(_t128 == 0xffffffff) {
						_t182 = E0006C4BC(_t235 - 0xa2c, 0x1809dc, 0);
						__eflags = _t182 - 0xffffffff;
						if(_t182 == 0xffffffff) {
							_t227 = _t235 - 0xa2c;
							_t183 = E0006C4BC(_t235 - 0xa2c, 0x17b6fc, 0);
							__eflags = _t183 - 0xffffffff;
							if(_t183 == 0xffffffff) {
								_t185 = GetModuleFileNameW(0, _t235 - 0x828, 0x104);
								__eflags = _t185;
								if(_t185 != 0) {
									E001562F9(_t227, _t235 - 0x828, _t235 - 0x18, 3, _t235 - 0x620, 0x100, 0, 0, 0, 0);
									E001562F9(_t227,  *(_t235 - 0xa30), 0, 0, 0, 0, _t235 - 0x420, 0x100, _t235 - 0xa28, 0x100);
									E0015650B(_t235 - 0x220, 0x104, _t235 - 0x18, _t235 - 0x620, _t235 - 0x420, _t235 - 0xa28);
									E00054140(_t235 - 0xa2c, _t235 - 0x220, E0015161A(_t235 - 0x220));
									_t232 =  *((intOrPtr*)(_t235 - 0xa40));
								}
							}
						}
					}
					__eflags =  *(_t235 + 0xc);
					if( *(_t235 + 0xc) <= 0) {
						L13:
						 *(_t235 - 0xa34) = 0x2010;
						__eflags =  *(_t232 + 0x30);
						if(__eflags != 0) {
							 *(_t235 - 0xa34) = 0x3010;
						}
						 *(_t235 - 0xa38) =  *(_t235 - 0xa2c);
						_t132 = LoadImageW( *(E0006B628(0, _t230, _t232, __eflags) + 8),  *(_t235 - 0xa38), 0, 0, 0,  *(_t235 - 0xa34));
						 *_t230 = _t132;
						__eflags = _t132;
						if(_t132 != 0) {
							_t136 = GetObjectW(_t132, 0x18, _t235 - 0xa9c);
							__eflags = _t136;
							if(_t136 != 0) {
								 *(_t232 + 0x14) = 1;
								E00054260(_t232 + 0x94, _t235 - 0xa2c);
								_t139 = GetFileAttributesW( *(_t235 - 0xa2c));
								__eflags = _t139 & 0x00000001;
								if((_t139 & 0x00000001) != 0) {
									 *(_t232 + 0x20) = 1;
								}
								_t140 =  *(_t235 - 0xa8a) & 0x0000ffff;
								 *(_t232 + 8) = _t140;
								__eflags = _t140 - 8;
								if(_t140 <= 8) {
									L46:
									__eflags =  *(_t235 - 0xa8a) - 0x20;
									if( *(_t235 - 0xa8a) >= 0x20) {
										E000B6EC7(0, _t229, _t230, _t232,  *_t230,  *((intOrPtr*)(_t232 + 0x38)));
									}
									E000B6CE5(_t232);
									_t230 = _t232 + 0x8c;
									E00071DB5(_t230);
									_t232 = _t232 + 0x90;
									 *_t230 = 0;
									E00071DB5(_t232);
									 *_t232 = 0;
									E00051190( &(( *(_t235 - 0xa2c))[0xfffffffffffffff8]), _t229);
									__eflags = 1;
									L49:
									return E00151B05(0, _t230, _t232);
								} else {
									__eflags = _t140 - 0x20;
									if(_t140 >= 0x20) {
										goto L46;
									}
									__eflags =  *_t230;
									if( *_t230 == 0) {
										goto L46;
									}
									E00065EC1(_t235 - 0xa58);
									 *((char*)(_t235 - 4)) = 1;
									E000664F6(0, _t235 - 0xa58, _t229, _t230, CreateCompatibleDC(0));
									_t152 = GetObjectW( *_t230, 0x18, _t235 - 0xa84);
									__eflags = _t152;
									if(_t152 != 0) {
										_t153 =  *_t230;
										_t233 = SelectObject;
										__eflags = _t153;
										if(_t153 == 0) {
											 *(_t235 - 0xa30) = 0;
										} else {
											 *(_t235 - 0xa30) = SelectObject( *(_t235 - 0xa54), _t153);
										}
										__eflags =  *(_t235 - 0xa30);
										if( *(_t235 - 0xa30) == 0) {
											L45:
											 *((char*)(_t235 - 4)) = 0;
											E00066577(_t235 - 0xa58);
											_t232 =  *((intOrPtr*)(_t235 - 0xa40));
											goto L46;
										} else {
											_t221 =  *(_t235 - 0xa7c);
											_t155 =  *(_t235 - 0xa80);
											 *(_t235 - 0xa38) = _t155;
											 *(_t235 - 0xa48) = _t221;
											_t156 = CreateCompatibleBitmap( *(_t235 - 0xa54), _t155, _t221);
											 *(_t235 - 0xa34) = _t156;
											__eflags = _t156;
											if(_t156 != 0) {
												E00065EC1(_t235 - 0xa68);
												 *((char*)(_t235 - 4)) = 2;
												E000664F6(0, _t235 - 0xa68, _t229, _t230, CreateCompatibleDC( *(_t235 - 0xa54)));
												_t160 = SelectObject( *(_t235 - 0xa64),  *(_t235 - 0xa34));
												 *(_t235 - 0x18) = _t160;
												__eflags = _t160;
												if(_t160 != 0) {
													BitBlt( *(_t235 - 0xa64), 0, 0,  *(_t235 - 0xa38),  *(_t235 - 0xa48),  *(_t235 - 0xa54), 0, 0, 0xcc0020);
													 *(_t235 - 0xa3c) = 0;
													__eflags =  *(_t235 - 0xa38);
													if( *(_t235 - 0xa38) <= 0) {
														L43:
														SelectObject( *(_t235 - 0xa64),  *(_t235 - 0x18));
														SelectObject( *(_t235 - 0xa54),  *(_t235 - 0xa30));
														DeleteObject( *_t230);
														 *_t230 =  *(_t235 - 0xa34);
														L44:
														 *((char*)(_t235 - 4)) = 1;
														E00066577(_t235 - 0xa68);
														goto L45;
													} else {
														goto L34;
													}
													do {
														L34:
														 *(_t235 - 0xa44) = 0;
														__eflags =  *(_t235 - 0xa48);
														if( *(_t235 - 0xa48) <= 0) {
															goto L42;
														} else {
															goto L35;
														}
														do {
															L35:
															_t168 = GetPixel( *(_t235 - 0xa64),  *(_t235 - 0xa3c),  *(_t235 - 0xa44));
															__eflags =  *((short*)(_t235 - 0xa72)) - 0x18;
															 *(_t235 - 0xa6c) = _t168;
															if( *((short*)(_t235 - 0xa72)) != 0x18) {
																L38:
																_t169 = E000B6D1E(0, _t230, _t233, _t168, 0);
																goto L39;
															}
															__eflags =  *0x1bdc80; // 0x1
															if(__eflags != 0) {
																goto L38;
															}
															_t169 = E000B6DA0(_t229, __eflags, _t168);
															L39:
															__eflags =  *(_t235 - 0xa6c) - _t169;
															if( *(_t235 - 0xa6c) != _t169) {
																SetPixel( *(_t235 - 0xa64),  *(_t235 - 0xa3c),  *(_t235 - 0xa44), _t169);
															}
															 *(_t235 - 0xa44) =  *(_t235 - 0xa44) + 1;
															__eflags =  *(_t235 - 0xa44) -  *(_t235 - 0xa48);
														} while ( *(_t235 - 0xa44) <  *(_t235 - 0xa48));
														L42:
														 *(_t235 - 0xa3c) =  *(_t235 - 0xa3c) + 1;
														__eflags =  *(_t235 - 0xa3c) -  *(_t235 - 0xa38);
													} while ( *(_t235 - 0xa3c) <  *(_t235 - 0xa38));
													goto L43;
												}
												SelectObject( *(_t235 - 0xa54),  *(_t235 - 0xa30));
												DeleteObject( *(_t235 - 0xa34));
												goto L44;
											}
											SelectObject( *(_t235 - 0xa54),  *(_t235 - 0xa30));
											goto L45;
										}
									}
									 *((char*)(_t235 - 4)) = 0;
									E00066577(_t235 - 0xa58);
									goto L46;
								}
							}
							DeleteObject( *_t230);
							 *_t230 = 0;
						}
						goto L12;
					} else {
						_t178 = CreateFileW( *(_t235 - 0xa30), 0x80000000, 1, 0, 3, 0, 0);
						 *(_t235 - 0xa34) = _t178;
						__eflags = _t178 - 0xffffffff;
						if(_t178 == 0xffffffff) {
							goto L13;
						}
						 *(_t235 - 0xa38) = GetFileSize(_t178, 0);
						CloseHandle( *(_t235 - 0xa34));
						__eflags =  *(_t235 - 0xa38) -  *(_t235 + 0xc);
						if( *(_t235 - 0xa38) <=  *(_t235 + 0xc)) {
							goto L13;
						}
						L12:
						E00051190( &(( *(_t235 - 0xa2c))[0xfffffffffffffff8]), _t229);
						goto L1;
					}
				}
				L1:
				goto L49;
			}

0x000bb48f
0x000bb48f
0x000bb48f
0x000bb499
0x000bb49e
0x000bb4a1
0x000bb4a5
0x000bb4ab
0x000bb4b4
0x000bb4bf
0x000bb4c1
0x000bb4c6
0x000bb4c8
0x000bb4c8
0x000bb4cd
0x000bb4d4
0x000bb4e5
0x000bb4f6
0x000bb4f9
0x000bb4fe
0x000bb501
0x000bb513
0x000bb518
0x000bb51b
0x000bb527
0x000bb52d
0x000bb532
0x000bb535
0x000bb548
0x000bb54e
0x000bb550
0x000bb574
0x000bb593
0x000bb5c0
0x000bb5e2
0x000bb5e7
0x000bb5e7
0x000bb550
0x000bb535
0x000bb51b
0x000bb5ed
0x000bb5f0
0x000bb64d
0x000bb64d
0x000bb657
0x000bb65a
0x000bb65c
0x000bb65c
0x000bb66c
0x000bb68a
0x000bb690
0x000bb692
0x000bb694
0x000bb6a0
0x000bb6a6
0x000bb6a8
0x000bb6c3
0x000bb6ca
0x000bb6d5
0x000bb6db
0x000bb6dd
0x000bb6df
0x000bb6df
0x000bb6e6
0x000bb6ed
0x000bb6f0
0x000bb6f3
0x000bb940
0x000bb940
0x000bb948
0x000bb94f
0x000bb94f
0x000bb956
0x000bb95b
0x000bb962
0x000bb967
0x000bb96e
0x000bb970
0x000bb97e
0x000bb980
0x000bb987
0x000bb988
0x000bb98d
0x000bb6f9
0x000bb6f9
0x000bb6fc
0x00000000
0x00000000
0x000bb702
0x000bb704
0x00000000
0x00000000
0x000bb710
0x000bb716
0x000bb727
0x000bb737
0x000bb73d
0x000bb73f
0x000bb754
0x000bb756
0x000bb75c
0x000bb75e
0x000bb771
0x000bb760
0x000bb769
0x000bb769
0x000bb777
0x000bb77d
0x000bb92c
0x000bb932
0x000bb935
0x000bb93a
0x00000000
0x000bb783
0x000bb783
0x000bb789
0x000bb797
0x000bb79d
0x000bb7a3
0x000bb7a9
0x000bb7af
0x000bb7b1
0x000bb7cc
0x000bb7d7
0x000bb7e8
0x000bb7f9
0x000bb7fb
0x000bb7fe
0x000bb800
0x000bb842
0x000bb848
0x000bb84e
0x000bb854
0x000bb8f4
0x000bb8fd
0x000bb90b
0x000bb90f
0x000bb91b
0x000bb91d
0x000bb923
0x000bb927
0x00000000
0x00000000
0x00000000
0x00000000
0x000bb85a
0x000bb85a
0x000bb85a
0x000bb860
0x000bb866
0x00000000
0x00000000
0x00000000
0x00000000
0x000bb868
0x000bb868
0x000bb87a
0x000bb880
0x000bb888
0x000bb88e
0x000bb8a0
0x000bb8a2
0x00000000
0x000bb8a2
0x000bb890
0x000bb896
0x00000000
0x00000000
0x000bb899
0x000bb8a7
0x000bb8a7
0x000bb8ad
0x000bb8c2
0x000bb8c2
0x000bb8c8
0x000bb8d4
0x000bb8d4
0x000bb8dc
0x000bb8dc
0x000bb8e8
0x000bb8e8
0x00000000
0x000bb85a
0x000bb80e
0x000bb816
0x00000000
0x000bb816
0x000bb7bf
0x00000000
0x000bb7bf
0x000bb77d
0x000bb747
0x000bb74a
0x00000000
0x000bb74a
0x000bb6f3
0x000bb6ac
0x000bb6b2
0x000bb6b2
0x00000000
0x000bb5f2
0x000bb604
0x000bb60a
0x000bb610
0x000bb613
0x00000000
0x00000000
0x000bb623
0x000bb629
0x000bb632
0x000bb638
0x00000000
0x00000000
0x000bb63a
0x000bb643
0x00000000
0x000bb643
0x000bb5f0
0x000bb4b6
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 000BB499
GetModuleFileNameW.KERNEL32(00000000,?,00000104,0017B6FC,00000000,001809DC,00000000,001A18BC,00000000,?,?,00000A90,000BBA4D,?,00000000,00000084), ref: 000BB548
__wsplitpath_s.LIBCMT ref: 000BB574
__wsplitpath_s.LIBCMT ref: 000BB593
__wmakepath_s.LIBCMT ref: 000BB5C0
_wcslen.LIBCMT ref: 000BB5CC
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000BB604

Strings

, xrefs: 000BB940

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: File__wsplitpath_s$CreateH_prolog3_ModuleName__wmakepath_s_wcslen
String ID:
API String ID: 1221639053-3916222277
Opcode ID: 4b8bd262e67468becbe86207b970d66b7be47c1d90857ff0e98539ece5ab2033
Instruction ID: 11e50d94e8bd7969c1c2714c9450ce7a16bc5f2b4d6693140fc42446faf1f7c5
Opcode Fuzzy Hash: 4b8bd262e67468becbe86207b970d66b7be47c1d90857ff0e98539ece5ab2033
Instruction Fuzzy Hash: 26D10871A00228AFDF21AF60CC85AEDBBB9AF19315F1000E9F50AA2951DB755FC4DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00079574 Relevance: 41.0, APIs: 27, Instructions: 457
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00079574(void* __ebx, RECT* __ecx, signed int __edi, void* __esi, void* __eflags) {
				RECT* _t162;
				signed int _t174;
				signed int _t179;
				signed int _t184;
				struct HWND__* _t186;
				RECT* _t188;
				signed int _t189;
				signed int _t193;
				signed int _t195;
				signed int _t207;
				signed int _t212;
				RECT* _t218;
				RECT* _t221;
				signed int _t222;
				void* _t231;
				signed int _t239;
				void* _t250;
				signed int _t252;
				signed int _t261;
				signed short _t262;
				void* _t274;
				signed int _t280;
				signed int _t304;
				signed int _t305;
				void* _t323;
				signed int _t327;
				struct HWND__* _t328;
				RECT* _t331;
				void* _t333;
				void* _t336;
				void* _t339;
				void* _t342;

				_t327 = __edi;
				_t281 = __ecx;
				_push(0x58);
				E00151A82(0x169bd1, __ebx, __edi, __esi);
				_push( *(_t333 + 0x10));
				_t280 = __ecx;
				_push( *(_t333 + 0xc));
				 *(_t333 - 0x24) =  *((intOrPtr*)( *__ecx + 0x390))();
				_t162 =  *0x1c3f34; // 0x0
				_t331 = 0;
				if(_t162 == __ecx) {
					L4:
					_t339 =  *0x1c3f04 - _t331; // 0x0
					if(_t339 != 0) {
						L7:
						if( *(_t333 - 0x24) >= _t331) {
							_t328 = E00074F8E(_t280, __eflags,  *(_t333 - 0x24));
							__eflags = _t328 - _t331;
							if(_t328 == _t331) {
								goto L76;
							}
							 *((intOrPtr*)( *_t280 + 0x258))( *(_t333 - 0x24));
							 *0x1c3f08 = _t331;
							__eflags =  *0x1c3f30 - _t331; // 0x0
							if(__eflags == 0) {
								L22:
								__eflags =  *0x1c3f04 - _t331; // 0x0
								if(__eflags != 0) {
									L24:
									__eflags =  *((intOrPtr*)(_t280 + 0xb04)) - _t331;
									if( *((intOrPtr*)(_t280 + 0xb04)) != _t331) {
										L66:
										 *(_t280 + 0xb78) =  *(_t333 - 0x24);
										E000750EE(_t280, _t328,  *(_t333 - 0x24));
										__eflags =  *(_t328 + 0x24) & 0x00040000;
										if(( *(_t328 + 0x24) & 0x00040000) == 0) {
											L69:
											 *(_t328 + 0x24) =  *(_t328 + 0x24) | 0x00020000;
											E00076CF9(_t280, _t325,  *(_t333 - 0x24));
											UpdateWindow( *(_t280 + 0x20));
											 *((intOrPtr*)( *_t280 + 0x414))( *((intOrPtr*)(_t328 + 0x20)));
											_t287 = _t328;
											_t174 =  *((intOrPtr*)(_t328->i + 0x20))(_t280, _t331);
											__eflags = _t174;
											if(_t174 == 0) {
												 *((intOrPtr*)(_t280 + 0xc90)) = E0005F82E(_t280, _t287, _t325, SetCapture( *(_t280 + 0x20)));
											} else {
												_t179 = E000A4CFE(_t280 + 0xbc8, _t328, _t331);
												__eflags = _t179;
												if(_t179 != 0) {
													_t146 = _t328 + 0x24;
													 *_t146 =  *(_t328 + 0x24) & 0xfffdffff;
													__eflags =  *_t146;
												}
												 *(_t280 + 0xb78) =  *(_t280 + 0xb78) | 0xffffffff;
												 *(_t280 + 0xb7c) =  *(_t280 + 0xb7c) | 0xffffffff;
												 *((intOrPtr*)( *_t280 + 0x3b0))(0xffffffff);
												_t287 = _t280;
												E00076CF9(_t280, _t325,  *(_t333 - 0x24));
												UpdateWindow( *(_t280 + 0x20));
											}
											L74:
											__eflags =  *0x1c3f08 - _t331; // 0x0
											if(__eflags != 0) {
												 *0x1c3f08 = _t331;
												 *0x1c3f34 = _t331;
												E00077484(_t287, _t325, _t331);
												RedrawWindow( *(_t280 + 0x20), _t331, _t331, 0x505);
											}
											goto L76;
										}
										_t184 = E0006EA07(_t328, 0x1bde9c);
										__eflags = _t184;
										if(_t184 != 0) {
											goto L69;
										}
										 *(_t280 + 0xb78) =  *(_t280 + 0xb78) | 0xffffffff;
										goto L76;
									}
									__eflags =  *((intOrPtr*)(_t280 + 0xb44)) - _t331;
									if( *((intOrPtr*)(_t280 + 0xb44)) != _t331) {
										goto L66;
									}
									_t326 =  *_t280;
									 *(_t333 - 0x28) =  *(_t280 + 0xb80);
									_t186 =  *(_t333 - 0x24);
									 *(_t280 + 0xb80) = _t186;
									 *(_t333 - 0x20) = _t331;
									 *(_t333 - 0x1c) = _t331;
									 *(_t333 - 0x18) = _t331;
									 *(_t333 - 0x14) = _t331;
									 *((intOrPtr*)( *_t280 + 0x36c))(_t186, _t333 - 0x20);
									__eflags =  *(_t333 - 0x28) - 0xffffffff;
									if(__eflags != 0) {
										E00076CF9(_t280, _t326,  *(_t333 - 0x28));
									}
									_t188 = E00074F8E(_t280, __eflags,  *(_t280 + 0xb80));
									__eflags = _t188 - _t331;
									_t295 = 0 | __eflags != 0x00000000;
									 *(_t280 + 0xc98) = _t188;
									if(__eflags == 0) {
										_t188 = E000655E0(_t295);
									}
									 *(_t280 + 0xb2c) =  *(_t333 + 8) & 0x00000008;
									_t325 = _t188->left;
									_t189 =  *((intOrPtr*)(_t188->left + 0x60))();
									__eflags = _t189;
									if(_t189 != 0) {
										E00076CF9(_t280, _t325,  *(_t333 - 0x24));
										UpdateWindow( *(_t280 + 0x20));
										_t193 =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x3c))();
										__eflags = _t193;
										if(_t193 == 0) {
											L39:
											_t287 =  *(_t280 + 0xc98);
											_t195 =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x50))();
											__eflags = _t195;
											if(_t195 == 0) {
												L65:
												 *(_t280 + 0xc98) = _t331;
												goto L74;
											}
											_t287 =  *(_t280 + 0xc98);
											__eflags =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x74))();
											if(__eflags == 0) {
												goto L65;
											}
											E000DEEB6(_t333 - 0x64, __eflags);
											_t325 = _t333 - 0x64;
											 *(_t333 - 4) = _t331;
											 *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0xc))(_t333 - 0x64);
											 *((intOrPtr*)( *_t280 + 0x414))( *((intOrPtr*)(_t328 + 0x20)));
											 *0x1c3fd0 = _t331;
											_t328 =  *(_t280 + 0x20);
											 *(_t280 + 0xc80) =  *(_t333 + 0xc);
											 *(_t280 + 0xc84) =  *(_t333 + 0x10);
											__eflags =  *0x1c3f08 - _t331; // 0x0
											if(__eflags != 0) {
												 *0x1c3f04 = 1;
											}
											_push(0x1c3f88);
											_push(_t333 - 0x20);
											_push(3);
											_t304 = _t333 - 0x64;
											 *(_t333 - 0x28) = E000DF215(_t280, _t304, _t328, _t331, __eflags);
											_t207 = IsWindow(_t328);
											__eflags = _t207;
											if(_t207 != 0) {
												 *(_t333 - 0x30) = _t331;
												 *(_t333 - 0x2c) = _t331;
												GetCursorPos(_t333 - 0x30);
												ScreenToClient( *(_t280 + 0x20), _t333 - 0x30);
												__eflags =  *0x1c3fd0 - _t331; // 0x0
												if(__eflags == 0) {
													L63:
													_t212 =  *(_t333 - 0x24);
													_t325 =  *_t280;
													_t304 = _t280;
													 *(_t280 + 0xb7c) = _t212;
													 *((intOrPtr*)( *_t280 + 0x3b0))(_t212);
													L64:
													_t305 = _t304 | 0xffffffff;
													 *(_t280 + 0xc84) = _t305;
													 *(_t333 - 4) = _t305;
													_t287 = _t333 - 0x64;
													 *(_t280 + 0xc98) = _t331;
													 *(_t280 + 0xc80) = _t305;
													E000DEEE3(_t280, _t333 - 0x64, _t328, _t331, __eflags);
													goto L74;
												}
												_push( *(_t333 - 0x2c));
												__eflags = PtInRect(_t333 - 0x20,  *(_t333 - 0x30));
												if(__eflags != 0) {
													goto L63;
												}
												__eflags =  *(_t333 - 0x28) - 1;
												if( *(_t333 - 0x28) == 1) {
													L61:
													_t218 =  *(_t280 + 0xc98);
													__eflags = _t218 - _t331;
													if(__eflags != 0) {
														InvalidateRect( *(_t280 + 0x20), _t218 + 0x54, 1);
													}
													goto L64;
												}
												_t221 =  *(_t280 + 0xc98);
												__eflags = _t221 - _t331;
												if(_t221 == _t331) {
													goto L61;
												}
												__eflags =  *0x1c3fcc - _t331; // 0x0
												if(__eflags != 0) {
													goto L61;
												}
												_t325 =  *_t280;
												_t304 = _t280;
												_t222 =  *((intOrPtr*)( *_t280 + 0x37c))(_t221,  *(_t333 - 0x28));
												__eflags = _t222;
												if(_t222 == 0) {
													goto L61;
												}
												 *((intOrPtr*)( *_t280 + 0x34c))(E00074E38(_t280,  *(_t280 + 0xc98)));
												 *((intOrPtr*)( *_t280 + 0x3e0))();
												RedrawWindow( *(_t280 + 0x20), _t331, _t331, 0x505);
												_t309 = _t280;
												 *((intOrPtr*)( *_t280 + 0x2d4))(1);
												_t328 = GetParent;
												_t231 = E0005F82E(_t280, _t280, _t325, GetParent( *(_t280 + 0x20)));
												__eflags = _t231 - _t331;
												if(_t231 != _t331) {
													__eflags =  *((intOrPtr*)(_t231 + 0x20)) - _t331;
													if( *((intOrPtr*)(_t231 + 0x20)) != _t331) {
														RedrawWindow( *(E0005F82E(_t280, _t309, _t325, GetParent( *(_t280 + 0x20))) + 0x20), _t331, _t331, 0x505);
													}
												}
												__eflags =  *0x1c3f08 - _t331; // 0x0
												if(__eflags == 0) {
													_t309 = _t280;
													 *((intOrPtr*)( *_t280 + 0x208))();
													RedrawWindow( *(_t280 + 0x20), _t331, _t331, 0x505);
												}
												_t304 = E0005F82E(_t280, _t309, _t325, GetParent( *(_t280 + 0x20)));
												__eflags = E0006EA07(_t304, 0x1860b8);
												if(__eflags != 0) {
													_t239 = E0006EA25(0x1bced8, E0005F82E(_t280, _t304, _t325, GetParent( *(E0005F82E(_t280, _t304, _t325, GetParent( *(_t280 + 0x20))) + 0x20))));
													_pop(_t304);
													__eflags = _t239 - _t331;
													if(__eflags != 0) {
														_t325 =  *_t239;
														_t304 = _t239;
														 *((intOrPtr*)( *_t239 + 0x20c))();
													}
												}
												goto L64;
											} else {
												__eflags =  *0x1c3f08 - _t331; // 0x0
												if(__eflags != 0) {
													 *0x1c3f04 = _t331;
													 *0x1c3f08 = _t331;
													 *0x1c3f34 = _t331;
												}
												 *(_t333 - 4) =  *(_t333 - 4) | 0xffffffff;
												E000DEEE3(_t280, _t333 - 0x64, _t328, _t331, __eflags);
												goto L76;
											}
										}
										_t250 = E00155F20(_t325,  *(_t333 + 0xc) -  *(_t333 - 0x18));
										__eflags = _t250 - 6;
										if(_t250 > 6) {
											goto L39;
										}
										__eflags =  *0x1c3f08 - _t331; // 0x0
										if(__eflags != 0) {
											goto L39;
										}
										_t287 =  *(_t280 + 0xc98);
										 *(_t280 + 0xb30) = 1;
										_t328 = _t280 + 0xc68;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t252 =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x38))();
										__eflags = _t252;
										if(_t252 != 0) {
											InflateRect(_t280 + 0xc68, 2, 2);
										}
										 *((intOrPtr*)(_t280 + 0xc90)) = E0005F82E(_t280, _t287, _t325, SetCapture( *(_t280 + 0x20)));
										SetCursor( *0x1c3a80);
										_t331 = 0;
										goto L74;
									} else {
										 *(_t280 + 0xb80) =  *(_t280 + 0xb80) | 0xffffffff;
										__eflags =  *(_t333 - 0x28) - 0xffffffff;
										 *(_t280 + 0xc98) = _t331;
										if( *(_t333 - 0x28) != 0xffffffff) {
											E00076CF9(_t280, _t325,  *(_t333 - 0x28));
										}
										goto L76;
									}
								}
								__eflags =  *0x1c3f08 - _t331; // 0x0
								if(__eflags == 0) {
									goto L66;
								}
								goto L24;
							}
							_t261 =  *((intOrPtr*)( *_t280 + 0x41c))();
							__eflags = _t261;
							if(_t261 == 0) {
								goto L22;
							}
							__eflags =  *0x1c3f04 - _t331; // 0x0
							if(__eflags != 0) {
								goto L24;
							}
							_t262 = GetAsyncKeyState(0x12);
							__eflags = 0x00008000 & _t262;
							if((0x00008000 & _t262) != 0) {
								 *0x1c3f08 = 1;
								_t28 = _t280 + 0xb7c;
								 *_t28 =  *(_t280 + 0xb7c) | 0xffffffff;
								__eflags =  *_t28;
								 *(_t280 + 0xb80) =  *(_t333 - 0x24);
								 *0x1c3f34 = _t280;
							}
							goto L22;
						} else {
							_t328 = _t327 | 0xffffffff;
							 *(_t280 + 0xb78) = _t328;
							_t342 =  *0x1c3f04 - _t331; // 0x0
							if(_t342 != 0 &&  *((intOrPtr*)(_t280 + 0xb04)) == _t331) {
								_t319 =  *(_t280 + 0xb80);
								 *(_t280 + 0xb80) = _t328;
								if( *(_t280 + 0xb80) != _t328) {
									E00076CF9(_t280, _t325, _t319);
									UpdateWindow( *(_t280 + 0x20));
								}
								 *((intOrPtr*)( *_t280 + 0x3b0))(_t328);
							}
							if( *((intOrPtr*)( *_t280 + 0x1c8))() != 0) {
								SetCursor( *0x1c3a8c);
							}
							E000BF36D(_t280,  *(_t333 + 8),  *(_t333 + 0xc),  *(_t333 + 0x10));
							L76:
							return E00151B05(_t280, _t328, _t331);
						}
					}
					L5:
					_t327 = GetParent;
					_t274 = E0006EA25(0x1845c0, E0005F82E(_t280, _t281, _t325, GetParent( *(_t280 + 0x20))));
					_pop(_t323);
					if(_t274 != 0) {
						E00063652(_t280, E0005F82E(_t280, _t323, _t325, GetParent( *(_t280 + 0x20))), _t325);
					}
					goto L7;
				}
				_t336 =  *0x1c3f04 - _t331; // 0x0
				if(_t336 == 0) {
					goto L5;
				} else {
					_t281 = _t162;
					 *0x1c3f34 = __ecx;
					if(_t281 != 0) {
						_t325 =  *(_t281 + 0xb80);
						 *(_t281 + 0xb80) =  *(_t281 + 0xb80) | 0xffffffff;
						E00076CF9(_t281,  *(_t281 + 0xb80),  *(_t281 + 0xb80));
					}
					goto L4;
				}
			}

0x00079574
0x00079574
0x00079574
0x0007957b
0x00079580
0x00079583
0x00079585
0x00079590
0x00079593
0x00079598
0x0007959c
0x000795c5
0x000795c5
0x000795cb
0x00079601
0x00079604
0x00079684
0x00079686
0x00079688
0x00000000
0x00000000
0x00079695
0x0007969b
0x000796a1
0x000796a7
0x000796f1
0x000796f1
0x000796f7
0x00079705
0x00079705
0x0007970b
0x00079ada
0x00079ae0
0x00079ae6
0x00079aeb
0x00079af2
0x00079b10
0x00079b13
0x00079b1c
0x00079b24
0x00079b31
0x00079b3b
0x00079b3d
0x00079b40
0x00079b42
0x00079b9a
0x00079b44
0x00079b4c
0x00079b51
0x00079b53
0x00079b55
0x00079b55
0x00079b55
0x00079b55
0x00079b5e
0x00079b65
0x00079b70
0x00079b79
0x00079b7b
0x00079b83
0x00079b83
0x00079ba0
0x00079ba0
0x00079ba6
0x00079ba9
0x00079baf
0x00079bb5
0x00079bc4
0x00079bc4
0x00000000
0x00079ba6
0x00079afb
0x00079b00
0x00079b02
0x00000000
0x00000000
0x00079b04
0x00000000
0x00079b04
0x00079711
0x00079717
0x00000000
0x00000000
0x00079723
0x00079728
0x0007972b
0x00079732
0x00079738
0x0007973b
0x0007973e
0x00079741
0x00079744
0x0007974a
0x0007974e
0x00079755
0x00079755
0x00079762
0x00079769
0x0007976b
0x0007976e
0x00079776
0x00079778
0x00079778
0x00079783
0x00079789
0x0007978d
0x00079790
0x00079792
0x000797bf
0x000797c7
0x000797d5
0x000797d8
0x000797da
0x00079855
0x00079855
0x0007985d
0x00079860
0x00079862
0x00079acf
0x00079acf
0x00000000
0x00079acf
0x00079868
0x00079873
0x00079875
0x00000000
0x00000000
0x0007987e
0x0007988b
0x0007988f
0x00079892
0x0007989c
0x000798a5
0x000798ab
0x000798ae
0x000798b7
0x000798bd
0x000798c3
0x000798c5
0x000798c5
0x000798cf
0x000798d7
0x000798d8
0x000798da
0x000798e3
0x000798e6
0x000798ec
0x000798ee
0x0007991f
0x00079922
0x00079925
0x00079932
0x00079938
0x0007993e
0x00079a94
0x00079a94
0x00079a97
0x00079a9a
0x00079a9c
0x00079aa2
0x00079aa8
0x00079aa8
0x00079aad
0x00079ab3
0x00079ab6
0x00079ab9
0x00079abf
0x00079ac5
0x00000000
0x00079ac5
0x00079944
0x00079954
0x00079956
0x00000000
0x00000000
0x0007995c
0x00079960
0x00079a79
0x00079a79
0x00079a7f
0x00079a81
0x00079a8c
0x00079a8c
0x00000000
0x00079a81
0x00079966
0x0007996c
0x0007996e
0x00000000
0x00000000
0x00079974
0x0007997a
0x00000000
0x00000000
0x00079983
0x00079986
0x00079988
0x0007998e
0x00079990
0x00000000
0x00000000
0x000799a8
0x000799b2
0x000799c2
0x000799cc
0x000799ce
0x000799d7
0x000799e0
0x000799e5
0x000799e7
0x000799e9
0x000799ec
0x00079a03
0x00079a03
0x000799ec
0x00079a09
0x00079a0f
0x00079a13
0x00079a15
0x00079a25
0x00079a25
0x00079a3b
0x00079a42
0x00079a44
0x00079a62
0x00079a68
0x00079a69
0x00079a6b
0x00079a6d
0x00079a6f
0x00079a71
0x00079a71
0x00079a6b
0x00000000
0x000798f0
0x000798f0
0x000798f6
0x000798f8
0x000798fe
0x00079904
0x00079904
0x0007990a
0x00079911
0x00000000
0x00079911
0x000798ee
0x000797e3
0x000797e9
0x000797ec
0x00000000
0x00000000
0x000797ee
0x000797f4
0x00000000
0x00000000
0x000797f6
0x000797fc
0x00079809
0x0007980f
0x00079810
0x00079811
0x00079812
0x00079815
0x00079818
0x0007981a
0x00079827
0x00079827
0x0007983c
0x00079848
0x0007984e
0x00000000
0x00079794
0x00079794
0x0007979b
0x0007979f
0x000797a5
0x000797b0
0x000797b0
0x00000000
0x000797a5
0x00079792
0x000796f9
0x000796ff
0x00000000
0x00000000
0x00000000
0x000796ff
0x000796ad
0x000796b3
0x000796b5
0x00000000
0x00000000
0x000796b7
0x000796bd
0x00000000
0x00000000
0x000796c1
0x000796cc
0x000796cf
0x000796d4
0x000796de
0x000796de
0x000796de
0x000796e5
0x000796eb
0x000796eb
0x00000000
0x00079606
0x00079606
0x00079609
0x0007960f
0x00079615
0x0007961f
0x00079625
0x0007962d
0x00079632
0x0007963a
0x0007963a
0x00079645
0x00079645
0x00079657
0x0007965f
0x0007965f
0x00079670
0x00079bca
0x00079bcf
0x00079bcf
0x00079604
0x000795cd
0x000795d0
0x000795e4
0x000795ea
0x000795ed
0x000795fc
0x000795fc
0x00000000
0x000795ed
0x0007959e
0x000795a4
0x00000000
0x000795a6
0x000795a6
0x000795a8
0x000795b0
0x000795b2
0x000795b8
0x000795c0
0x000795c0
0x00000000
0x000795b0

APIs

__EH_prolog3_GS.LIBCMT ref: 0007957B
GetParent.USER32(?), ref: 000795D6
GetParent.USER32(?), ref: 000795F2
UpdateWindow.USER32 ref: 0007963A
SetCursor.USER32 ref: 0007965F
GetAsyncKeyState.USER32 ref: 000796C1
UpdateWindow.USER32 ref: 000797C7
InflateRect.USER32 ref: 00079827
SetCapture.USER32(?), ref: 00079830
SetCursor.USER32(00000000), ref: 00079848
IsWindow.USER32(?), ref: 000798E6
GetCursorPos.USER32(?), ref: 00079925
ScreenToClient.USER32(?,?), ref: 00079932
PtInRect.USER32(?,?,?), ref: 0007994E
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 000799C2
GetParent.USER32(?), ref: 000799DD
GetParent.USER32(?), ref: 000799F1
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00079A03
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00079A25
GetParent.USER32(?), ref: 00079A2E
GetParent.USER32(?), ref: 00079A49
GetParent.USER32(?), ref: 00079A54
InvalidateRect.USER32(?,?,00000001), ref: 00079A8C
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00079BC4

Part of subcall function 00076CF9: InvalidateRect.USER32(?,?,00000001), ref: 00076D6E
Part of subcall function 00076CF9: InflateRect.USER32 ref: 00076DB4
Part of subcall function 00076CF9: RedrawWindow.USER32(?,?,00000000,00000401), ref: 00076DC7

UpdateWindow.USER32 ref: 00079B24
UpdateWindow.USER32 ref: 00079B83
SetCapture.USER32(?), ref: 00079B8E

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Parent$RectRedraw$Update$Cursor$CaptureInflateInvalidate$AsyncClientH_prolog3_ScreenState
String ID:
API String ID: 991125134-0
Opcode ID: f5abd3ece257c80c2dd2bebd045ecc1366872ce50759c22a7735984087ede34b
Instruction ID: 960194ce06f86adea471ebac2d911eda3cdef22df223a74647fe03f34e3af746
Opcode Fuzzy Hash: f5abd3ece257c80c2dd2bebd045ecc1366872ce50759c22a7735984087ede34b
Instruction Fuzzy Hash: 59028D74A00200AFCF55AF64CC88AAD7BB5FF09710F148679F81A9B2A6DB358984CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00081607 Relevance: 40.8, APIs: 27, Instructions: 344
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00081607(intOrPtr* __ecx, void* __edx, void* __edi, RECT* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagRECT _v72;
				struct tagRECT _v88;
				struct tagRECT _v104;
				struct tagRECT _v120;
				struct tagRECT _v136;
				struct tagRECT _v152;
				RECT* _v156;
				intOrPtr _v160;
				signed int _v164;
				signed int _v168;
				intOrPtr _v172;
				void* __ebx;
				void* __esi;
				signed int _t147;
				signed int _t157;
				long _t158;
				intOrPtr _t160;
				signed int _t203;
				intOrPtr* _t241;
				void* _t242;
				void* _t247;
				void* _t248;
				intOrPtr* _t255;
				void* _t268;
				void* _t282;
				long _t285;
				intOrPtr _t289;
				intOrPtr _t290;
				signed int _t297;
				void* _t310;

				_t269 = __edi;
				_t268 = __edx;
				_t295 = _t297;
				_t147 =  *0x1c0454; // 0x885926af
				_v8 = _t147 ^ _t297;
				_t149 = _a4;
				_t241 = __ecx;
				_v156 = _a4;
				if( *((intOrPtr*)(__ecx + 0xfc0)) > 0) {
					_t149 = E0006176A(__ecx, __edi);
					_v160 = _t149;
					if(_t149 != 0 &&  *((intOrPtr*)(_t149 + 0x20)) != 0) {
						_push(__edi);
						_v168 = E00063445(__ecx) & 0x00400000;
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						GetClientRect( *(__ecx + 0x20),  &_v24);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t285 = 0;
						if(_v156 == 0) {
							L15:
							_v136.left = _t285;
							_v136.top = _t285;
							_v136.right = _t285;
							_v136.bottom = _t285;
							GetWindowRect( *(_t241 + 0x20),  &_v136);
							_t310 =  *0x1bcff0 - _t285; // 0x1
							if(_t310 != 0) {
								L17:
								_t157 =  *(_t241 + 0xfc0);
								_t247 = _t241 + 0xfc4;
								_v164 = _t157;
								 *(_t241 + 0xfc0) = _t285;
								if(_t247 != _t285 &&  *((intOrPtr*)(_t247 + 4)) != _t285) {
									_t157 = E00066824(_t247);
								}
								_t248 = _t241 + 0xfcc;
								if(_t248 != _t285 &&  *((intOrPtr*)(_t248 + 4)) != _t285) {
									_t157 = E00066824(_t248);
								}
								_t158 = _t157 | 0xffffffff;
								_v104.left = _t158;
								_v104.top = _t158;
								_v104.right = _t158;
								_v104.bottom = _t158;
								_v156 = 0x41c;
								_t160 =  *((intOrPtr*)( *_t241 + 0x1c0))();
								_v172 = _t160;
								 *(_t160 + 0xb68) = 1;
								if(_v168 == _t285) {
									_push(0x41e);
									_v156 = 0x41e;
									_push(_v24.bottom - _v24.top - _v164);
									_push(_v24.right - _v24.left - _v164);
									_push(0xffffffff);
									_push(0xffffffff);
								} else {
									GetWindowRect( *(_t241 + 0x20),  &_v104);
									_t203 = _v164;
									_push(0x41c);
									_push(_v24.bottom - _v24.top - _t203);
									_push(_v24.right - _v24.left - _t203);
									_push(_v104.top);
									_push(_v104.left + _t203);
								}
								_push(_t285);
								E00063614(_t241);
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								if(IsRectEmpty( &_v56) == 0) {
									_t290 = _v160;
									MapWindowPoints( *(_t241 + 0x20),  *(_t290 + 0x20),  &_v120, 2);
									RedrawWindow( *(_t290 + 0x20),  &_v120, 0, 0x185);
								}
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								if(IsRectEmpty( &_v88) == 0 && EqualRect( &_v56,  &_v88) == 0) {
									_t289 = _v160;
									MapWindowPoints( *(_t241 + 0x20),  *(_t289 + 0x20),  &_v120, 2);
									RedrawWindow( *(_t289 + 0x20),  &_v120, 0, 0x185);
								}
								UpdateWindow( *(_v160 + 0x20));
								_push(_v156);
								_push(_v24.bottom - _v24.top);
								 *(_t241 + 0xfc0) = _v164;
								_push(_v24.right - _v24.left);
								_t255 = _t241;
								if(_v168 == 0) {
									_push(0xffffffff);
									_push(0xffffffff);
								} else {
									_push(_v104.top);
									_push(_v104.left);
								}
								_push(0);
								E00063614(_t255);
								if(IsRectEmpty( &_v56) == 0) {
									InvalidateRect( *(_t241 + 0x20),  &_v56, 1);
								}
								if(IsRectEmpty( &_v88) == 0 && EqualRect( &_v56,  &_v88) == 0) {
									InvalidateRect( *(_t241 + 0x20),  &_v88, 1);
								}
								UpdateWindow( *(_t241 + 0x20));
								 *(_v172 + 0xb68) =  *(_v172 + 0xb68) & 0x00000000;
							} else {
								_v40.left = _t285;
								_v40.top = _t285;
								_v40.right = _t285;
								_v40.bottom = _t285;
								GetWindowRect( *(_v160 + 0x20),  &_v40);
								_v72.left = _t285;
								_v72.top = _t285;
								_v72.right = _t285;
								_v72.bottom = _t285;
								UnionRect( &_v72,  &_v136,  &_v40);
								if(EqualRect( &_v72,  &_v40) != 0) {
									goto L17;
								}
							}
						} else {
							CopyRect( &_v40, _v156);
							E0006632B(_t241,  &_v40);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if(_v168 == 0) {
								_v72.left = _v24.right -  *(_t241 + 0xfc0) - 1;
							} else {
								_v72.right = _v24.left +  *(_t241 + 0xfc0) + 1;
							}
							if(IntersectRect( &_v56,  &_v40,  &_v72) == 0) {
								SetRectEmpty( &_v56);
							}
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_v152.top = _v24.bottom -  *(_t241 + 0xfc0) - 1;
							if(IntersectRect( &_v88,  &_v40,  &_v152) == 0) {
								SetRectEmpty( &_v88);
							}
							if(IsRectEmpty( &_v56) == 0 || IsRectEmpty( &_v88) == 0) {
								_t285 = 0;
								goto L15;
							}
						}
						_pop(_t269);
					}
				}
				_pop(_t282);
				_pop(_t242);
				return E00150836(_t149, _t242, _v8 ^ _t295, _t268, _t269, _t282);
			}

0x00081607
0x00081607
0x0008160a
0x00081612
0x00081619
0x0008161c
0x00081621
0x00081625
0x00081631
0x00081637
0x0008163c
0x00081644
0x00081653
0x00081660
0x0008166d
0x00081670
0x00081673
0x00081676
0x00081679
0x00081685
0x00081686
0x00081687
0x00081688
0x0008168f
0x00081690
0x00081691
0x00081692
0x00081693
0x0008169b
0x0008176e
0x0008177e
0x00081784
0x00081787
0x0008178a
0x0008178d
0x0008178f
0x00081795
0x000817e9
0x000817e9
0x000817ef
0x000817f5
0x000817fb
0x00081803
0x0008180a
0x0008180a
0x0008180f
0x00081817
0x0008181e
0x0008181e
0x00081823
0x00081826
0x00081829
0x0008182c
0x0008182f
0x0008183b
0x00081841
0x00081847
0x0008184d
0x0008185d
0x00081895
0x00081896
0x000818a8
0x000818b5
0x000818b6
0x000818b8
0x0008185f
0x00081866
0x00081872
0x0008187a
0x0008187b
0x00081884
0x00081888
0x0008188d
0x0008188d
0x000818ba
0x000818bd
0x000818c8
0x000818c9
0x000818ca
0x000818cf
0x000818d8
0x000818da
0x000818ed
0x00081901
0x00081901
0x0008190d
0x0008190e
0x0008190f
0x00081913
0x0008191f
0x00081933
0x00081946
0x0008195a
0x0008195a
0x0008196f
0x00081977
0x00081983
0x0008198a
0x00081992
0x00081993
0x0008199b
0x000819a5
0x000819a7
0x0008199d
0x0008199d
0x000819a0
0x000819a0
0x000819a9
0x000819aa
0x000819bd
0x000819c8
0x000819c8
0x000819d6
0x000819f3
0x000819f3
0x000819f8
0x00081a00
0x00081797
0x000817a4
0x000817a7
0x000817aa
0x000817ad
0x000817b0
0x000817c1
0x000817c4
0x000817c7
0x000817ca
0x000817cd
0x000817e3
0x00000000
0x00000000
0x000817e3
0x000816a1
0x000816ab
0x000816b7
0x000816c9
0x000816ca
0x000816cb
0x000816cc
0x000816cd
0x000816eb
0x000816cf
0x000816dc
0x000816dc
0x00081702
0x00081708
0x00081708
0x00081720
0x00081721
0x00081722
0x00081724
0x00081725
0x00081742
0x00081748
0x00081748
0x0008175c
0x0008176c
0x00000000
0x0008176c
0x0008175c
0x00081a07
0x00081a07
0x00081644
0x00081a0b
0x00081a0e
0x00081a15

APIs

Part of subcall function 00063445: GetWindowLongW.USER32(?,000000EC), ref: 00063450

GetClientRect.USER32 ref: 00081679
CopyRect.USER32(?,?), ref: 000816AB

Part of subcall function 0006632B: ScreenToClient.USER32(?,?), ref: 0006633C
Part of subcall function 0006632B: ScreenToClient.USER32(?,?), ref: 00066349

IntersectRect.USER32(?,?,?), ref: 000816FA
SetRectEmpty.USER32 ref: 00081708
IntersectRect.USER32(?,?,?), ref: 0008173A
SetRectEmpty.USER32 ref: 00081748
IsRectEmpty.USER32 ref: 00081758
IsRectEmpty.USER32 ref: 00081762
GetWindowRect.USER32(?,?), ref: 0008178D
GetWindowRect.USER32(?,?), ref: 000817B0
UnionRect.USER32(?,?,?), ref: 000817CD
EqualRect.USER32 ref: 000817DB
GetWindowRect.USER32(?,?), ref: 00081866
IsRectEmpty.USER32 ref: 000818D0
MapWindowPoints.USER32 ref: 000818ED
RedrawWindow.USER32(?,?,00000000,00000185), ref: 00081901
IsRectEmpty.USER32 ref: 0008191B
EqualRect.USER32 ref: 00081929
MapWindowPoints.USER32 ref: 00081946
RedrawWindow.USER32(?,?,00000000,00000185), ref: 0008195A
UpdateWindow.USER32 ref: 0008196F
IsRectEmpty.USER32 ref: 000819B3
InvalidateRect.USER32(?,?,00000001), ref: 000819C8
IsRectEmpty.USER32 ref: 000819CE
EqualRect.USER32 ref: 000819E0
InvalidateRect.USER32(?,?,00000001), ref: 000819F3
UpdateWindow.USER32 ref: 000819F8

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Window$Empty$ClientEqual$IntersectInvalidatePointsRedrawScreenUpdate$CopyLongUnion
String ID:
API String ID: 4119827998-0
Opcode ID: 4c6fbd18f45a5730fdcf6efe3c3841878cd32847ef14d10862e4c9a2499a73ac
Instruction ID: 72c47cd430ae00fb761050489582972a8214233a423c7be49d30a11a3d719721
Opcode Fuzzy Hash: 4c6fbd18f45a5730fdcf6efe3c3841878cd32847ef14d10862e4c9a2499a73ac
Instruction Fuzzy Hash: C6D1E672900219EFDF11DFA4C984AEEB7F9BF08700F1042AAE949E7155DB71AA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 000BB990 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 421
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000BB990(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t218;
				intOrPtr _t228;
				struct HDC__* _t234;
				struct HDC__* _t237;
				int _t238;
				int _t250;
				void* _t252;
				int _t253;
				void* _t254;
				void* _t258;
				long _t266;
				long _t267;
				void* _t274;
				void* _t280;
				void* _t281;
				void* _t285;
				intOrPtr _t292;
				int _t302;
				signed int _t308;
				intOrPtr _t313;
				void _t315;
				int* _t319;
				int* _t320;
				intOrPtr* _t321;
				int _t325;
				void* _t331;
				void* _t339;
				long long _t342;

				_t318 = __edi;
				_t310 = __edx;
				_push(0x84);
				_t209 = E00151A19(0x16cea2, __ebx, __edi, __esi);
				_t280 = __ecx;
				_t325 = 0;
				if( *((intOrPtr*)(__ecx + 0x24)) != 0) {
					L14:
					return E00151AF1(_t209);
				} else {
					asm("fld1");
					_t342 = st0;
					asm("fucomp st2");
					asm("fnstsw ax");
					st1 = _t342;
					if((_t209 & 0x00000044) != 0) {
						st0 = _t342;
					} else {
						_t308 =  *(__ecx + 0xa8);
						 *((long long*)(__ecx + 0xb0)) = _t342;
						 *((intOrPtr*)(__ecx + 8)) = 0;
						if(_t308 != 0xffffffff) {
							 *(__ecx + 0xa8) =  *(__ecx + 0xa8) | 0xffffffff;
							 *(__ecx + 0xa4) = _t308;
						}
						 *(_t331 - 0x30) = _t325;
						 *(_t331 - 0x2c) = _t325;
						 *(_t331 - 0x28) = _t325;
						 *(_t331 - 0x24) = _t325;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *((intOrPtr*)(_t280 + 0x50)) =  *((intOrPtr*)(_t280 + 0x58));
						 *((intOrPtr*)(_t280 + 0x54)) =  *((intOrPtr*)(_t280 + 0x5c));
						 *(_t331 - 0x30) = 0;
						 *(_t331 - 0x2c) = 0;
						 *(_t331 - 0x28) = 0;
						 *(_t331 - 0x24) = 0;
						_t318 = _t280 + 0x78;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *((intOrPtr*)(_t280 + 0x58)) = 0;
						 *((intOrPtr*)(_t280 + 0x5c)) = 0;
						 *((intOrPtr*)(_t280 + 0x60)) = 0;
						 *((intOrPtr*)(_t280 + 0x64)) = 0;
						_t325 = 0;
					}
					_t209 = _t280 + 0x88;
					if( *(_t280 + 0x88) == _t325) {
						L9:
						E000B6CE5(_t280);
						_t339 =  *0x1c5690 - _t325; // 0x0
						if(_t339 != 0) {
							_push( *((intOrPtr*)(_t280 + 0x50)));
							_push(_t280 + 0x88);
							E000B8012(_t280, _t318, _t325, _t339);
						}
						_t319 = _t280 + 0x8c;
						E00071DB5(_t319);
						 *_t319 = _t325;
						_t320 = _t280 + 0x90;
						E00071DB5(_t320);
						 *_t320 = _t325;
						_t340 =  *((intOrPtr*)(_t280 + 0x2c)) - _t325;
						if( *((intOrPtr*)(_t280 + 0x2c)) != _t325) {
							_push( *((intOrPtr*)(_t280 + 0xc)));
							E000B7BEE(_t280, _t280, _t310, _t320, _t325, _t340, _t342);
						}
						_t209 =  *0x1c39b0; // 0xa0a0a0
						 *(_t280 + 0xac) = _t209;
						goto L14;
					} else {
						_t338 =  *((intOrPtr*)(_t280 + 0x14)) - _t325;
						if( *((intOrPtr*)(_t280 + 0x14)) == _t325) {
							__eflags =  *((intOrPtr*)(_t280 + 0xc4)) - _t325;
							if( *((intOrPtr*)(_t280 + 0xc4)) == _t325) {
								goto L14;
							} else {
								E00071DB5(_t209);
								_t285 =  *(_t280 + 0xbc);
								_t218 =  *((intOrPtr*)(_t280 + 0xd8));
								__eflags = _t285 - _t325;
								if(_t285 == _t325) {
									goto L9;
								} else {
									_t318 = SelectObject;
									while(1) {
										_t218 - _t325 = (_t218 != _t325) - _t325;
										if(_t218 != _t325 == _t325) {
											break;
										}
										_t315 =  *_t285;
										_t285 =  *(_t285 + 8);
										 *(_t331 - 0x4c) = _t315;
										__eflags = 0 - _t285;
										asm("sbb edx, edx");
										if(0 == _t285) {
											break;
										} else {
											_t310 =  *_t218;
											 *((intOrPtr*)(_t331 - 0x5c)) =  *_t218;
											 *(_t331 - 0x20) =  *(_t218 + 8);
											 *(_t331 - 0x54) = _t325;
											 *((intOrPtr*)(_t331 - 0x58)) = 0x184484;
											 *(_t331 - 0x1c) = _t285 & 0x0000ffff;
											 *(_t331 - 4) = _t325;
											_t237 = E000B9C6E(_t280, _t331 - 0x58,  *_t218, _t285 & 0x0000ffff,  *(_t218 + 8));
											__eflags = _t237;
											if(_t237 == 0) {
												L23:
												_t238 = 0x2000;
												__eflags =  *((intOrPtr*)(_t280 + 0x30)) - _t325;
												if( *((intOrPtr*)(_t280 + 0x30)) != _t325) {
													__eflags =  *0x1c3b20 - _t325; // 0x0
													if(__eflags == 0) {
														__eflags =  *0x1c3b1c - _t325; // 0x0
														if(__eflags == 0) {
															_t238 = 0x3000;
														}
													}
												}
												 *(_t331 - 0x10) = LoadImageW( *(_t331 - 0x20),  *(_t331 - 0x1c), _t325, _t325, _t325, _t238);
											} else {
												_t274 = E000667F8(_t280, _t331 - 0x58, _t310);
												 *(_t331 - 0x10) = _t274;
												__eflags = _t274 - _t325;
												if(_t274 == _t325) {
													goto L23;
												}
											}
											GetObjectW( *(_t331 - 0x10), 0x18, _t331 - 0x78);
											__eflags =  *(_t331 - 0x66) - 0x20;
											 *(_t280 + 8) =  *(_t331 - 0x66) & 0x0000ffff;
											if( *(_t331 - 0x66) < 0x20) {
												__eflags =  *(_t331 - 0x66) - 8;
												if( *(_t331 - 0x66) <= 8) {
													L32:
													__eflags =  *0x1c3b1c - _t325; // 0x0
													if(__eflags != 0) {
														goto L33;
													}
												} else {
													__eflags =  *((intOrPtr*)(_t280 + 0x30)) - _t325;
													if( *((intOrPtr*)(_t280 + 0x30)) != _t325) {
														L33:
														__eflags =  *(_t331 - 0x10) - _t325;
														if(__eflags != 0) {
															E00065EC1(_t331 - 0x48);
															 *(_t331 - 4) = 1;
															E000664F6(_t280, _t331 - 0x48, _t310, _t318, CreateCompatibleDC(_t325));
															_t250 = GetObjectW( *(_t331 - 0x10), 0x18, _t331 - 0x90);
															__eflags = _t250;
															if(_t250 != 0) {
																_t252 = SelectObject( *(_t331 - 0x44),  *(_t331 - 0x10));
																 *(_t331 - 0x20) = _t252;
																__eflags = _t252 - _t325;
																if(_t252 != _t325) {
																	_t302 =  *(_t331 - 0x88);
																	_t253 =  *(_t331 - 0x8c);
																	 *(_t331 - 0x34) = _t253;
																	 *(_t331 - 0x38) = _t302;
																	_t254 = CreateCompatibleBitmap( *(_t331 - 0x44), _t253, _t302);
																	 *(_t331 - 0x1c) = _t254;
																	__eflags = _t254 - _t325;
																	if(_t254 != _t325) {
																		E00065EC1(_t331 - 0x30);
																		 *(_t331 - 4) = 2;
																		E000664F6(_t280, _t331 - 0x30, _t310, _t318, CreateCompatibleDC( *(_t331 - 0x44)));
																		_t258 = SelectObject( *(_t331 - 0x2c),  *(_t331 - 0x1c));
																		 *(_t331 - 0x50) = _t258;
																		__eflags = _t258 - _t325;
																		if(_t258 != _t325) {
																			BitBlt( *(_t331 - 0x2c), _t325, _t325,  *(_t331 - 0x34),  *(_t331 - 0x38),  *(_t331 - 0x44), _t325, _t325, 0xcc0020);
																			 *(_t331 - 0x14) = _t325;
																			__eflags =  *(_t331 - 0x34) - _t325;
																			if( *(_t331 - 0x34) > _t325) {
																				do {
																					 *(_t331 - 0x18) = _t325;
																					__eflags =  *(_t331 - 0x38) - _t325;
																					if( *(_t331 - 0x38) > _t325) {
																						do {
																							_t266 = GetPixel( *(_t331 - 0x2c),  *(_t331 - 0x14),  *(_t331 - 0x18));
																							__eflags =  *((short*)(_t331 - 0x7e)) - 0x18;
																							 *(_t331 - 0x60) = _t266;
																							if( *((short*)(_t331 - 0x7e)) != 0x18) {
																								L45:
																								_t267 = E000B6D1E(_t280, _t318, _t325, _t266, _t325);
																							} else {
																								__eflags =  *0x1bdc80 - _t325; // 0x1
																								if(__eflags != 0) {
																									goto L45;
																								} else {
																									_t267 = E000B6DA0(_t310, __eflags, _t266);
																								}
																							}
																							__eflags =  *(_t331 - 0x60) - _t267;
																							if( *(_t331 - 0x60) != _t267) {
																								SetPixel( *(_t331 - 0x2c),  *(_t331 - 0x14),  *(_t331 - 0x18), _t267);
																							}
																							 *(_t331 - 0x18) =  *(_t331 - 0x18) + 1;
																							__eflags =  *(_t331 - 0x18) -  *(_t331 - 0x38);
																						} while ( *(_t331 - 0x18) <  *(_t331 - 0x38));
																					}
																					 *(_t331 - 0x14) =  *(_t331 - 0x14) + 1;
																					__eflags =  *(_t331 - 0x14) -  *(_t331 - 0x34);
																				} while ( *(_t331 - 0x14) <  *(_t331 - 0x34));
																			}
																			SelectObject( *(_t331 - 0x2c),  *(_t331 - 0x50));
																			SelectObject( *(_t331 - 0x44),  *(_t331 - 0x20));
																			DeleteObject( *(_t331 - 0x10));
																			 *(_t331 - 0x10) =  *(_t331 - 0x1c);
																		} else {
																			SelectObject( *(_t331 - 0x44),  *(_t331 - 0x20));
																			DeleteObject( *(_t331 - 0x1c));
																		}
																		 *(_t331 - 4) = 1;
																		E00066577(_t331 - 0x30);
																	} else {
																		SelectObject( *(_t331 - 0x44),  *(_t331 - 0x20));
																	}
																}
															}
															 *(_t331 - 4) = 0;
															E00066577(_t331 - 0x48);
														}
													} else {
														goto L32;
													}
												}
											} else {
												E000B6EC7(_t280, _t310, _t318, _t325,  *(_t331 - 0x10),  *((intOrPtr*)(_t280 + 0x38)));
											}
											_push(_t325);
											_push( *(_t331 - 0x10));
											E000BBEFC(_t280, _t280, _t318, _t325, __eflags, _t342);
											DeleteObject( *(_t331 - 0x10));
											 *(_t331 - 4) =  *(_t331 - 4) | 0xffffffff;
											 *((intOrPtr*)(_t331 - 0x58)) = 0x179fa0;
											E00051420(_t331 - 0x58, _t310);
											__eflags =  *(_t331 - 0x4c) - _t325;
											if( *(_t331 - 0x4c) != _t325) {
												_t218 =  *((intOrPtr*)(_t331 - 0x5c));
												_t285 =  *(_t331 - 0x4c);
												continue;
											} else {
												goto L9;
											}
										}
										goto L63;
									}
									E000655E0(_t285);
									asm("int3");
									_push(0x14);
									E00151A19(0x16cf11, _t280, _t318, _t325);
									_t281 = _t285;
									 *(_t331 - 0x10) = _t281;
									 *_t281 = 0x184474;
									E00065EC1(_t281 + 0x40);
									 *((intOrPtr*)(_t281 + 0x50)) = 0;
									 *((intOrPtr*)(_t281 + 0x54)) = 0;
									 *((intOrPtr*)(_t281 + 0x58)) = 0;
									 *((intOrPtr*)(_t281 + 0x5c)) = 0;
									 *((intOrPtr*)(_t281 + 0x60)) = 0;
									 *((intOrPtr*)(_t281 + 0x64)) = 0;
									_t321 = _t281 + 0x68;
									 *_t321 = 0;
									 *((intOrPtr*)(_t321 + 4)) = 0;
									 *((intOrPtr*)(_t321 + 8)) = 0;
									 *((intOrPtr*)(_t321 + 0xc)) = 0;
									 *(_t331 - 4) = 0;
									 *((intOrPtr*)(_t281 + 0x78)) = 0;
									 *((intOrPtr*)(_t281 + 0x7c)) = 0;
									 *((intOrPtr*)(_t281 + 0x80)) = 0;
									 *((intOrPtr*)(_t281 + 0x84)) = 0;
									E00051110(_t281 + 0x94, E00065761());
									 *((intOrPtr*)(_t281 + 0x9c)) = 0;
									 *((intOrPtr*)(_t281 + 0x98)) = 0x179fa0;
									E000762E4(_t281 + 0xb8, 0xa);
									E000B6FA3(_t281 + 0xd4, 0xa);
									_t290 = _t281 + 0xf0;
									E00076317(_t281 + 0xf0, 0xa);
									 *(_t331 - 4) = 5;
									 *((intOrPtr*)(_t281 + 0x18)) = 0;
									 *((intOrPtr*)(_t281 + 0x20)) = 0;
									 *((intOrPtr*)(_t281 + 0x24)) = 0;
									 *((intOrPtr*)(_t281 + 4)) = 0;
									 *((intOrPtr*)(_t281 + 0x2c)) = 0;
									 *((intOrPtr*)(_t281 + 0xc)) = 0;
									 *((intOrPtr*)(_t281 + 0x88)) = 0;
									 *((intOrPtr*)(_t281 + 0x8c)) = 0;
									 *((intOrPtr*)(_t281 + 0x90)) = 0;
									 *((intOrPtr*)(_t281 + 0x14)) = 0;
									__eflags =  *0x1c56d4; // 0x1
									if(__eflags != 0) {
										_t292 = 1;
										__eflags = 1;
									} else {
										 *0x1c5694 = CreateCompatibleDC(0);
										_t234 = CreateCompatibleDC(0);
										 *0x1c5698 = _t234;
										__eflags =  *0x1c5694; // 0x0
										if(__eflags == 0) {
											L59:
											E00065E44(_t290);
										} else {
											__eflags = _t234;
											if(_t234 == 0) {
												goto L59;
											}
										}
										_t292 = 1;
										 *0x1c56d4 = 1;
									}
									 *(_t331 - 0x20) = 0;
									asm("fld1");
									 *(_t331 - 0x1c) = 0;
									 *((long long*)(_t281 + 0xb0)) = _t342;
									 *(_t331 - 0x18) = 0;
									 *(_t331 - 0x14) = 0;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									 *(_t281 + 0xa4) =  *(_t281 + 0xa4) | 0xffffffff;
									 *(_t281 + 0xa8) =  *(_t281 + 0xa8) | 0xffffffff;
									asm("movsd");
									_t228 = 0x10;
									 *((intOrPtr*)(_t281 + 0x50)) = _t228;
									 *(_t331 - 0x20) = 0;
									 *(_t331 - 0x1c) = 0;
									 *(_t331 - 0x18) = 0;
									 *(_t331 - 0x14) = 0;
									asm("movsd");
									asm("movsd");
									_t313 = 0xf;
									asm("movsd");
									 *((intOrPtr*)(_t281 + 0x54)) = _t313;
									__eflags = 0;
									 *((intOrPtr*)(_t281 + 0x30)) = _t292;
									 *((intOrPtr*)(_t281 + 0x3c)) = _t292;
									 *((intOrPtr*)(_t281 + 0x58)) = 0;
									 *((intOrPtr*)(_t281 + 0x5c)) = 0;
									 *((intOrPtr*)(_t281 + 0x60)) = 0;
									 *((intOrPtr*)(_t281 + 0x64)) = 0;
									asm("movsd");
									 *((intOrPtr*)(_t281 + 0x1c)) = 0;
									 *((intOrPtr*)(_t281 + 0xa0)) = 0;
									 *((intOrPtr*)(_t281 + 0x28)) = 0;
									 *((intOrPtr*)(_t281 + 8)) = 0;
									 *((intOrPtr*)(_t281 + 0x10)) = 0x82;
									 *((intOrPtr*)(_t281 + 0x34)) = 0;
									 *((intOrPtr*)(_t281 + 0x38)) = 0;
									E000BB990(_t281, _t281, 0, _t281 + 0x78, _t331 - 0x20, 0);
									return E00151AF1(_t281);
								}
							}
						} else {
							E000BB48F(_t280, _t280, _t310, _t318, _t325, _t338,  *((intOrPtr*)(_t280 + 0x94)), _t325);
							goto L9;
						}
					}
				}
				L63:
			}

0x000bb990
0x000bb990
0x000bb990
0x000bb99a
0x000bb99f
0x000bb9a1
0x000bb9a6
0x000bbaa1
0x000bbaa6
0x000bb9ac
0x000bb9b2
0x000bb9b4
0x000bb9b6
0x000bb9b8
0x000bb9ba
0x000bb9bf
0x000bba2e
0x000bb9c1
0x000bb9c1
0x000bb9c7
0x000bb9cd
0x000bb9d3
0x000bb9d5
0x000bb9dc
0x000bb9dc
0x000bb9e5
0x000bb9e8
0x000bb9eb
0x000bb9ee
0x000bb9f7
0x000bb9f8
0x000bb9f9
0x000bb9fa
0x000bb9fb
0x000bba01
0x000bba06
0x000bba09
0x000bba0c
0x000bba0f
0x000bba12
0x000bba18
0x000bba19
0x000bba1a
0x000bba1d
0x000bba1e
0x000bba21
0x000bba24
0x000bba27
0x000bba2a
0x000bba2a
0x000bba30
0x000bba38
0x000bba4d
0x000bba4f
0x000bba54
0x000bba5a
0x000bba5c
0x000bba65
0x000bba66
0x000bba66
0x000bba6b
0x000bba72
0x000bba77
0x000bba79
0x000bba80
0x000bba85
0x000bba87
0x000bba8a
0x000bba8c
0x000bba91
0x000bba91
0x000bba96
0x000bba9b
0x00000000
0x000bba3a
0x000bba3a
0x000bba3d
0x000bbaa7
0x000bbaad
0x00000000
0x000bbaaf
0x000bbab0
0x000bbab5
0x000bbabb
0x000bbac1
0x000bbac3
0x00000000
0x000bbac5
0x000bbac5
0x000bbad3
0x000bbada
0x000bbadc
0x00000000
0x00000000
0x000bbae2
0x000bbae4
0x000bbae7
0x000bbaec
0x000bbaee
0x000bbaf2
0x00000000
0x000bbaf8
0x000bbaf8
0x000bbafd
0x000bbb00
0x000bbb03
0x000bbb06
0x000bbb11
0x000bbb18
0x000bbb1b
0x000bbb20
0x000bbb22
0x000bbb33
0x000bbb33
0x000bbb38
0x000bbb3b
0x000bbb3d
0x000bbb43
0x000bbb45
0x000bbb4b
0x000bbb4d
0x000bbb4d
0x000bbb4b
0x000bbb43
0x000bbb62
0x000bbb24
0x000bbb27
0x000bbb2c
0x000bbb2f
0x000bbb31
0x00000000
0x00000000
0x000bbb31
0x000bbb6e
0x000bbb74
0x000bbb7d
0x000bbb80
0x000bbb92
0x000bbb97
0x000bbb9e
0x000bbb9e
0x000bbba4
0x00000000
0x00000000
0x000bbb99
0x000bbb99
0x000bbb9c
0x000bbbaa
0x000bbbaa
0x000bbbad
0x000bbbb6
0x000bbbbc
0x000bbbca
0x000bbbdb
0x000bbbe1
0x000bbbe3
0x000bbbef
0x000bbbf1
0x000bbbf4
0x000bbbf6
0x000bbbfc
0x000bbc02
0x000bbc0d
0x000bbc10
0x000bbc13
0x000bbc19
0x000bbc1c
0x000bbc1e
0x000bbc30
0x000bbc38
0x000bbc46
0x000bbc51
0x000bbc53
0x000bbc56
0x000bbc58
0x000bbc85
0x000bbc8b
0x000bbc8e
0x000bbc91
0x000bbc93
0x000bbc93
0x000bbc96
0x000bbc99
0x000bbc9b
0x000bbca4
0x000bbcaa
0x000bbcaf
0x000bbcb2
0x000bbcc4
0x000bbcc6
0x000bbcb4
0x000bbcb4
0x000bbcba
0x00000000
0x000bbcbc
0x000bbcbd
0x000bbcbd
0x000bbcba
0x000bbccb
0x000bbcce
0x000bbcda
0x000bbcda
0x000bbce0
0x000bbce6
0x000bbce6
0x000bbc9b
0x000bbceb
0x000bbcf1
0x000bbcf1
0x000bbc93
0x000bbcfc
0x000bbd04
0x000bbd09
0x000bbd12
0x000bbc5a
0x000bbc60
0x000bbc65
0x000bbc65
0x000bbd18
0x000bbd1c
0x000bbc20
0x000bbc26
0x000bbc26
0x000bbc1e
0x000bbbf6
0x000bbd24
0x000bbd28
0x000bbd28
0x00000000
0x00000000
0x00000000
0x000bbb9c
0x000bbb82
0x000bbb88
0x000bbb88
0x000bbd2d
0x000bbd2e
0x000bbd33
0x000bbd3b
0x000bbd41
0x000bbd48
0x000bbd4f
0x000bbd54
0x000bbd57
0x000bbacd
0x000bbad0
0x00000000
0x000bbd5d
0x00000000
0x000bbd5d
0x000bbd57
0x00000000
0x000bbaf2
0x000bbd62
0x000bbd67
0x000bbd68
0x000bbd6f
0x000bbd74
0x000bbd76
0x000bbd7c
0x000bbd82
0x000bbd89
0x000bbd8c
0x000bbd8f
0x000bbd92
0x000bbd95
0x000bbd98
0x000bbd9b
0x000bbd9e
0x000bbda0
0x000bbda3
0x000bbda6
0x000bbda9
0x000bbdac
0x000bbdaf
0x000bbdb2
0x000bbdb8
0x000bbdca
0x000bbdcf
0x000bbdd5
0x000bbde7
0x000bbdf4
0x000bbdfb
0x000bbe01
0x000bbe06
0x000bbe0a
0x000bbe0d
0x000bbe10
0x000bbe13
0x000bbe16
0x000bbe19
0x000bbe1c
0x000bbe22
0x000bbe28
0x000bbe2e
0x000bbe31
0x000bbe37
0x000bbe6f
0x000bbe6f
0x000bbe39
0x000bbe41
0x000bbe46
0x000bbe4c
0x000bbe51
0x000bbe57
0x000bbe5d
0x000bbe5d
0x000bbe59
0x000bbe59
0x000bbe5b
0x00000000
0x00000000
0x000bbe5b
0x000bbe64
0x000bbe65
0x000bbe65
0x000bbe70
0x000bbe73
0x000bbe75
0x000bbe78
0x000bbe7e
0x000bbe81
0x000bbe87
0x000bbe88
0x000bbe89
0x000bbe8a
0x000bbe91
0x000bbe98
0x000bbe9b
0x000bbe9c
0x000bbea1
0x000bbea4
0x000bbea7
0x000bbeaa
0x000bbeb3
0x000bbeb4
0x000bbeb7
0x000bbeb8
0x000bbeb9
0x000bbebc
0x000bbebe
0x000bbec1
0x000bbec6
0x000bbec9
0x000bbecc
0x000bbecf
0x000bbed2
0x000bbed3
0x000bbed6
0x000bbedc
0x000bbedf
0x000bbee2
0x000bbee9
0x000bbeec
0x000bbeef
0x000bbefb
0x000bbefb
0x000bbac3
0x000bba3f
0x000bba48
0x00000000
0x000bba48
0x000bba3d
0x000bba38
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 000BB99A
LoadImageW.USER32 ref: 000BBB5C
GetObjectW.GDI32(885926AF,00000018,?), ref: 000BBB6E
CreateCompatibleDC.GDI32(00000000), ref: 000BBBC0
GetObjectW.GDI32(885926AF,00000018,?), ref: 000BBBDB
SelectObject.GDI32(00062E00,885926AF), ref: 000BBBEF
CreateCompatibleBitmap.GDI32(00062E00,?,?), ref: 000BBC13
SelectObject.GDI32(00062E00,00064351), ref: 000BBC26
CreateCompatibleDC.GDI32(00062E00), ref: 000BBC3C
SelectObject.GDI32(?,?), ref: 000BBC51
SelectObject.GDI32(00062E00,00064351), ref: 000BBC60
DeleteObject.GDI32(?), ref: 000BBC65
BitBlt.GDI32(?,00000000,00000000,?,00000000,00062E00,00000000,00000000,00CC0020), ref: 000BBC85
GetPixel.GDI32(?,00051AB5,?), ref: 000BBCA4
SetPixel.GDI32(?,00051AB5,?,00000000), ref: 000BBCDA
SelectObject.GDI32(?,?), ref: 000BBCFC
SelectObject.GDI32(00062E00,00064351), ref: 000BBD04
DeleteObject.GDI32(885926AF), ref: 000BBD09
DeleteObject.GDI32(885926AF), ref: 000BBD3B
__EH_prolog3.LIBCMT ref: 000BBD6F
CreateCompatibleDC.GDI32(00000000), ref: 000BBE3A
CreateCompatibleDC.GDI32(00000000), ref: 000BBE46

Strings

, xrefs: 000BBB74

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$Delete$H_prolog3Pixel$BitmapImageLoad
String ID:
API String ID: 1197801157-3916222277
Opcode ID: 6dd9e960f16e8d3275110bc2246b4e287e779d259c164dd2e619348627a06360
Instruction ID: 0731efc29086d6908f268cd002dc489852af8f041a8e60343f88d4cd9d938a10
Opcode Fuzzy Hash: 6dd9e960f16e8d3275110bc2246b4e287e779d259c164dd2e619348627a06360
Instruction Fuzzy Hash: C8022970D00218DFCF55DFA4C885AEEBFB5FF08700F14816AE819AA256D7B59985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 000BBEFC Relevance: 37.8, APIs: 25, Instructions: 260
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E000BBEFC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				int _t130;
				void* _t131;
				void* _t136;
				void* _t139;
				void* _t142;
				void* _t146;
				void* _t147;
				void* _t150;
				void* _t170;
				void* _t171;
				signed int _t182;
				void* _t188;
				void* _t206;
				void* _t211;
				intOrPtr* _t212;
				void* _t214;
				void* _t216;
				long long* _t217;
				void* _t221;

				_t221 = __fp0;
				_push(0x180);
				_t130 = E00151A82(0x16cf4d, __ebx, __edi, __esi);
				_t211 =  *(_t216 + 8);
				_t214 = __ecx;
				 *(_t216 - 0x124) = _t211;
				if( *((intOrPtr*)(__ecx + 0x24)) == 0) {
					 *(_t216 - 0x14c) = 0;
					__eflags =  *0x1c5690; // 0x0
					if(__eflags != 0) {
						 *(_t216 - 0x14c) = 1;
						_t188 = CopyImage(_t211, 0, 0, 0, 0x2000);
						_push( *((intOrPtr*)(_t214 + 0x50)));
						 *(_t216 - 0x124) = _t188;
						_push(_t216 - 0x124);
						_t130 = E000B8012(0, _t211, _t214, __eflags);
						_t211 =  *(_t216 - 0x124);
					}
					_t131 = E000746CF(_t130, _t214);
					__eflags = _t131;
					if(_t131 == 0) {
						L9:
						E00065EC1(_t216 - 0x140);
						 *(_t216 - 4) = 1;
						E000664F6(0, _t216 - 0x140, _t209, _t211, CreateCompatibleDC(0));
						_t136 = GetObjectW(_t211, 0x18, _t216 - 0x174);
						__eflags = _t136;
						if(_t136 != 0) {
							__eflags =  *(_t216 + 0xc);
							if( *(_t216 + 0xc) != 0) {
								 *(_t214 + 8) =  *(_t216 - 0x162) & 0x0000ffff;
							}
							 *(_t216 - 0x148) =  *(_t216 - 0x170);
							 *(_t216 - 0x12c) =  *(_t216 - 0x16c);
							_t139 =  *(_t214 + 0x88);
							__eflags = _t139;
							if(_t139 == 0) {
								__eflags = _t211;
								_t211 = SelectObject;
								 *(_t216 - 0x128) = 0;
								if(__eflags == 0) {
									 *(_t216 - 0x120) = 0;
								} else {
									 *(_t216 - 0x120) = SelectObject( *(_t216 - 0x13c),  *(_t216 - 0x124));
								}
								__eflags =  *(_t216 - 0x120);
								if( *(_t216 - 0x120) == 0) {
									goto L10;
								} else {
									goto L24;
								}
							} else {
								_t170 = GetObjectW(_t139, 0x18, _t216 - 0x174);
								__eflags = _t170;
								if(_t170 == 0) {
									goto L10;
								}
								_t171 =  *(_t214 + 0x88);
								_t211 = SelectObject;
								__eflags = _t171;
								if(_t171 == 0) {
									 *(_t216 - 0x120) = 0;
								} else {
									 *(_t216 - 0x120) = SelectObject( *(_t216 - 0x13c), _t171);
								}
								__eflags =  *(_t216 - 0x120);
								if( *(_t216 - 0x120) != 0) {
									 *(_t216 - 0x128) =  *(_t216 - 0x170);
									 *(_t216 - 0x12c) =  *(_t216 - 0x16c);
									L24:
									_t142 = CreateCompatibleBitmap( *(_t216 - 0x13c),  *(_t216 - 0x128) +  *(_t216 - 0x148),  *(_t216 - 0x12c));
									 *(_t216 - 0x130) = _t142;
									__eflags = _t142;
									if(_t142 != 0) {
										E00065EC1(_t216 - 0x15c);
										 *(_t216 - 4) = 2;
										E000664F6(0, _t216 - 0x15c, _t209, _t211, CreateCompatibleDC( *(_t216 - 0x13c)));
										_t146 = SelectObject( *(_t216 - 0x158),  *(_t216 - 0x130));
										 *(_t216 - 0x144) = _t146;
										__eflags = _t146;
										if(_t146 != 0) {
											__eflags =  *(_t214 + 0x88);
											if( *(_t214 + 0x88) != 0) {
												BitBlt( *(_t216 - 0x158), 0, 0,  *(_t216 - 0x128),  *(_t216 - 0x12c),  *(_t216 - 0x13c), 0, 0, 0xcc0020);
											}
											__eflags =  *(_t216 - 0x124);
											if( *(_t216 - 0x124) == 0) {
												_t147 = 0;
												__eflags = 0;
											} else {
												_t147 = SelectObject( *(_t216 - 0x13c),  *(_t216 - 0x124));
											}
											__eflags = _t147;
											if(_t147 != 0) {
												BitBlt( *(_t216 - 0x158),  *(_t216 - 0x128), 0,  *(_t216 - 0x148),  *(_t216 - 0x12c),  *(_t216 - 0x13c), 0, 0, 0xcc0020);
												SelectObject( *(_t216 - 0x158),  *(_t216 - 0x144));
												__eflags =  *(_t216 - 0x120);
												if( *(_t216 - 0x120) != 0) {
													SelectObject( *(_t216 - 0x13c),  *(_t216 - 0x120));
												}
												_t150 =  *(_t214 + 0x88);
												__eflags = _t150;
												if(_t150 != 0) {
													DeleteObject(_t150);
												}
												 *(_t214 + 0x88) =  *(_t216 - 0x130);
												 *(_t214 + 0x18) = 1;
												E000B6CE5(_t214);
												_t212 = _t214 + 0x8c;
												E00071DB5(_t212);
												 *_t212 = 0;
												_t211 = _t214 + 0x90;
												E00071DB5(_t211);
												 *_t211 = 0;
												__eflags =  *(_t216 - 0x14c);
												if( *(_t216 - 0x14c) != 0) {
													DeleteObject( *(_t216 - 0x124));
												}
												_t214 =  *((intOrPtr*)(_t214 + 4)) - 1;
											} else {
												SelectObject( *(_t216 - 0x158),  *(_t216 - 0x144));
												__eflags =  *(_t216 - 0x120);
												if( *(_t216 - 0x120) != 0) {
													SelectObject( *(_t216 - 0x13c),  *(_t216 - 0x120));
												}
												DeleteObject( *(_t216 - 0x130));
												__eflags = _t214;
											}
											 *(_t216 - 4) = 1;
											E00066577(_t216 - 0x15c);
											 *(_t216 - 4) =  *(_t216 - 4) | 0xffffffff;
											E00066577(_t216 - 0x140);
											L2:
											return E00151B05(0, _t211, _t214);
										}
										__eflags =  *(_t216 - 0x120);
										if( *(_t216 - 0x120) != 0) {
											SelectObject( *(_t216 - 0x13c),  *(_t216 - 0x120));
										}
										DeleteObject( *(_t216 - 0x130));
										 *(_t216 - 4) = 1;
										E00066577(_t216 - 0x15c);
										goto L10;
									}
									__eflags =  *(_t216 - 0x120);
									if( *(_t216 - 0x120) != 0) {
										SelectObject( *(_t216 - 0x13c),  *(_t216 - 0x120));
									}
								}
								goto L10;
							}
						}
						L10:
						 *(_t216 - 4) =  *(_t216 - 4) | 0xffffffff;
						_t130 = E00066577(_t216 - 0x140);
						goto L1;
					}
					_t130 = GetObjectW(_t211, 0x18, _t216 - 0x18c);
					__eflags = _t130;
					if(_t130 == 0) {
						goto L1;
					}
					__eflags =  *((intOrPtr*)(_t216 - 0x184)) -  *((intOrPtr*)(_t214 + 0x54));
					if(__eflags != 0) {
						_t206 = _t216 - 0x11c;
						E000BBD68(0, _t206, _t211, _t214, __eflags, _t221);
						 *(_t216 - 0x114) =  *(_t216 - 0x17a) & 0x0000ffff;
						 *(_t216 - 0xcc) =  *(_t214 + 0x58);
						 *((intOrPtr*)(_t216 - 0xc8)) =  *((intOrPtr*)(_t214 + 0x5c));
						_t182 =  *(_t216 - 0x188);
						asm("cdq");
						_t209 = _t182 %  *(_t214 + 0x58);
						_push(_t206);
						_push(_t206);
						 *(_t216 - 4) = 0;
						 *_t217 =  *((long long*)(_t214 + 0xb0));
						 *(_t216 - 0x94) = _t211;
						 *(_t216 - 0x118) = _t182 /  *(_t214 + 0x58);
						E000B917C(0, _t216 - 0x11c, _t182 %  *(_t214 + 0x58), _t211, _t214, __eflags);
						 *(_t216 - 0xf8) = 1;
						DeleteObject(_t211);
						_t34 = _t216 - 4;
						 *_t34 =  *(_t216 - 4) | 0xffffffff;
						__eflags =  *_t34;
						 *(_t216 - 0x124) =  *(_t216 - 0x94);
						E000B9CE9(0, _t216 - 0x11c, _t182 %  *(_t214 + 0x58), _t211, _t214,  *_t34);
						_t211 =  *(_t216 - 0x124);
					}
					goto L9;
				}
				L1:
				goto L2;
			}

0x000bbefc
0x000bbefc
0x000bbf06
0x000bbf0b
0x000bbf0e
0x000bbf12
0x000bbf1b
0x000bbf28
0x000bbf2e
0x000bbf34
0x000bbf3f
0x000bbf49
0x000bbf4f
0x000bbf52
0x000bbf5e
0x000bbf5f
0x000bbf64
0x000bbf64
0x000bbf6c
0x000bbf71
0x000bbf73
0x000bc027
0x000bc02d
0x000bc033
0x000bc047
0x000bc056
0x000bc05c
0x000bc05e
0x000bc074
0x000bc077
0x000bc080
0x000bc080
0x000bc089
0x000bc095
0x000bc09b
0x000bc0a1
0x000bc0a3
0x000bc106
0x000bc108
0x000bc10e
0x000bc114
0x000bc12c
0x000bc116
0x000bc124
0x000bc124
0x000bc132
0x000bc138
0x00000000
0x00000000
0x00000000
0x00000000
0x000bc0a5
0x000bc0af
0x000bc0b5
0x000bc0b7
0x00000000
0x00000000
0x000bc0b9
0x000bc0bf
0x000bc0c5
0x000bc0c7
0x000bc0da
0x000bc0c9
0x000bc0d2
0x000bc0d2
0x000bc0e0
0x000bc0e6
0x000bc0f2
0x000bc0fe
0x000bc13e
0x000bc157
0x000bc15d
0x000bc163
0x000bc165
0x000bc18c
0x000bc197
0x000bc1a8
0x000bc1b9
0x000bc1bb
0x000bc1c1
0x000bc1c3
0x000bc1fb
0x000bc201
0x000bc224
0x000bc224
0x000bc22a
0x000bc230
0x000bc242
0x000bc242
0x000bc232
0x000bc23e
0x000bc23e
0x000bc244
0x000bc246
0x000bc2c6
0x000bc2d8
0x000bc2da
0x000bc2e0
0x000bc2ee
0x000bc2ee
0x000bc2f0
0x000bc2f6
0x000bc2f8
0x000bc2fb
0x000bc2fb
0x000bc309
0x000bc30f
0x000bc316
0x000bc31b
0x000bc322
0x000bc327
0x000bc329
0x000bc330
0x000bc335
0x000bc337
0x000bc33d
0x000bc345
0x000bc345
0x000bc34e
0x000bc248
0x000bc254
0x000bc256
0x000bc25c
0x000bc26a
0x000bc26a
0x000bc272
0x000bc278
0x000bc278
0x000bc281
0x000bc285
0x000bc28a
0x000bc294
0x000bbf20
0x000bbf25
0x000bbf25
0x000bc1c5
0x000bc1cb
0x000bc1d9
0x000bc1d9
0x000bc1e1
0x000bc1ed
0x000bc1f1
0x00000000
0x000bc1f1
0x000bc167
0x000bc16d
0x000bc17f
0x000bc17f
0x000bc16d
0x00000000
0x000bc0e6
0x000bc0a3
0x000bc060
0x000bc060
0x000bc06a
0x00000000
0x000bc06a
0x000bbf83
0x000bbf89
0x000bbf8b
0x00000000
0x00000000
0x000bbf93
0x000bbf96
0x000bbf9c
0x000bbfa2
0x000bbfb4
0x000bbfbd
0x000bbfc6
0x000bbfcc
0x000bbfd2
0x000bbfd3
0x000bbfd6
0x000bbfd7
0x000bbfde
0x000bbfe1
0x000bbfe4
0x000bbfea
0x000bbff0
0x000bbff6
0x000bc000
0x000bc00c
0x000bc00c
0x000bc00c
0x000bc016
0x000bc01c
0x000bc021
0x000bc021
0x00000000
0x000bbf96
0x000bbf1d
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 000BBF06
CopyImage.USER32 ref: 000BBF49
GetObjectW.GDI32(?,00000018,?), ref: 000BBF83
DeleteObject.GDI32(?), ref: 000BC000
CreateCompatibleDC.GDI32(00000000), ref: 000BC03A
GetObjectW.GDI32(?,00000018,?), ref: 000BC056

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Object$CompatibleCopyCreateDeleteH_prolog3_Image
String ID:
API String ID: 641560573-0
Opcode ID: 702e3200035711f746cf5204bc9d002a0d53bad94fce8087aa9d8bd7cf478ef1
Instruction ID: 8d2b25a3fbdca4e08a31dd65234bf4a2996e3953b9b27e970bf2f9c9567b68b4
Opcode Fuzzy Hash: 702e3200035711f746cf5204bc9d002a0d53bad94fce8087aa9d8bd7cf478ef1
Instruction Fuzzy Hash: C1C1F071900229EFDF62AF64CC84BEDBBB5BF09300F1085E9E54AA2261DB715E94DF50

Uniqueness

Uniqueness Score: -1.00%

Function 000BC888 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 278
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E000BC888(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed int _t127;
				int _t132;
				void* _t134;
				int _t136;
				signed int _t137;
				int _t153;
				void* _t154;
				int _t156;
				void* _t157;
				void* _t161;
				long _t169;
				long _t170;
				int _t182;
				int _t189;
				signed int _t193;
				int _t204;
				void* _t215;
				void* _t217;
				signed int _t223;
				int* _t224;
				int* _t225;
				void* _t226;
				void* _t227;
				void* _t234;

				_t234 = __fp0;
				_t215 = __edx;
				_push(0x7c);
				E00151A19(0x16cfd0, __ebx, __edi, __esi);
				_t217 = __ecx;
				_t189 = 0;
				 *(_t227 - 0x28) =  *(_t227 + 0xc);
				_t127 =  *(_t227 + 8) & 0x0000ffff;
				if( *((intOrPtr*)(__ecx + 0x24)) != 0 || _t127 == 0) {
					L54:
					return E00151AF1(_t189);
				} else {
					asm("sbb esi, esi");
					_t223 =  !( ~(_t127 & 0xffff0000)) & _t127;
					 *(_t227 - 0x14) = _t223;
					if( *((intOrPtr*)(_t227 + 0x10)) != 0) {
						__eflags = _t223;
						if(_t223 == 0) {
							L6:
							 *(_t227 - 0x34) = _t189;
							 *((intOrPtr*)(_t227 - 0x38)) = 0x184484;
							 *(_t227 - 4) = _t189;
							if(E000B9C6E(_t189, _t227 - 0x38, _t215,  *(_t227 + 8) & 0x0000ffff,  *(_t227 + 0xc)) == 0) {
								__eflags =  *(_t227 + 0xc) - _t189;
								if(__eflags == 0) {
									 *(_t227 - 0x28) =  *(E0006B628(_t189, _t217, _t223, __eflags) + 0xc);
								}
								_t132 = 0x2000;
								__eflags =  *((intOrPtr*)(_t217 + 0x30)) - _t189;
								if( *((intOrPtr*)(_t217 + 0x30)) != _t189) {
									__eflags =  *0x1c3b1c - _t189; // 0x0
									if(__eflags == 0) {
										_t132 = 0x3000;
									}
								}
								_t134 = LoadImageW( *(_t227 - 0x28),  *(_t227 + 8) & 0x0000ffff, _t189, _t189, _t189, _t132);
							} else {
								_t134 = E000667F8(_t189, _t227 - 0x38, _t215);
							}
							 *(_t227 + 0xc) = _t134;
							if(_t134 != _t189) {
								_t136 = GetObjectW( *(_t227 + 0xc), 0x18, _t227 - 0x88);
								__eflags = _t136;
								if(_t136 != 0) {
									__eflags =  *(_t227 - 0x76) - 0x20;
									if( *(_t227 - 0x76) < 0x20) {
										__eflags =  *(_t227 - 0x76) - 8;
										if( *(_t227 - 0x76) <= 8) {
											L22:
											__eflags =  *0x1c3b1c - _t189; // 0x0
											if(__eflags == 0) {
												L43:
												_t137 =  *(_t227 - 0x76) & 0x0000ffff;
												_t193 =  *(_t217 + 8);
												__eflags = _t193 - _t137;
												if(_t193 > _t137) {
													_t137 = _t193;
												}
												 *(_t217 + 8) = _t137;
												__eflags =  *((intOrPtr*)(_t227 + 0x10)) - _t189;
												if( *((intOrPtr*)(_t227 + 0x10)) == _t189) {
													 *(_t217 + 0x88) =  *(_t227 + 0xc);
												} else {
													__eflags = _t223 - _t189;
													if(__eflags != 0) {
														 *(_t227 + 8) =  *(_t217 + 4);
														 *(E0010A1D7(_t217 + 0xf0, _t215, __eflags, _t223)) =  *(_t227 + 8);
													}
													E000BBEFC(_t189, _t217, _t217, _t223, __eflags, _t234,  *(_t227 + 0xc), _t189);
													__eflags = _t223 - _t189;
													if(__eflags != 0) {
														E000B8B87(_t217 + 0xb8, __eflags, _t223);
														E000B8B87(_t217 + 0xd4, __eflags,  *(_t227 - 0x28));
													}
													DeleteObject( *(_t227 + 0xc));
												}
												E000B6CE5(_t217);
												_t224 = _t217 + 0x8c;
												E00071DB5(_t224);
												 *_t224 = _t189;
												_t225 = _t217 + 0x90;
												E00071DB5(_t225);
												_t120 = _t227 - 4;
												 *_t120 =  *(_t227 - 4) | 0xffffffff;
												__eflags =  *_t120;
												 *_t225 = _t189;
												 *((intOrPtr*)(_t227 - 0x38)) = 0x179fa0;
												E00051420(_t227 - 0x38, _t215);
												L53:
												_t189 = 1;
												__eflags = 1;
												goto L54;
											}
											L23:
											E00065EC1(_t227 - 0x48);
											 *(_t227 - 4) = 1;
											E000664F6(_t189, _t227 - 0x48, _t215, _t217, CreateCompatibleDC(_t189));
											_t153 = GetObjectW( *(_t227 + 0xc), 0x18, _t227 - 0x70);
											__eflags = _t153;
											if(_t153 != 0) {
												_t226 = SelectObject;
												_t154 = SelectObject( *(_t227 - 0x44),  *(_t227 + 0xc));
												 *(_t227 - 0x20) = _t154;
												__eflags = _t154 - _t189;
												if(_t154 == _t189) {
													L42:
													 *(_t227 - 4) = _t189;
													E00066577(_t227 - 0x48);
													_t223 =  *(_t227 - 0x14);
													goto L43;
												}
												_t204 =  *(_t227 - 0x68);
												_t156 =  *(_t227 - 0x6c);
												 *(_t227 - 0x1c) = _t156;
												 *(_t227 - 0x18) = _t204;
												_t157 = CreateCompatibleBitmap( *(_t227 - 0x44), _t156, _t204);
												 *(_t227 - 0x24) = _t157;
												__eflags = _t157 - _t189;
												if(_t157 != _t189) {
													E00065EC1(_t227 - 0x58);
													 *(_t227 - 4) = 2;
													E000664F6(_t189, _t227 - 0x58, _t215, _t217, CreateCompatibleDC( *(_t227 - 0x44)));
													_t161 = SelectObject( *(_t227 - 0x54),  *(_t227 - 0x24));
													 *(_t227 - 0x30) = _t161;
													__eflags = _t161 - _t189;
													if(_t161 != _t189) {
														BitBlt( *(_t227 - 0x54), _t189, _t189,  *(_t227 - 0x1c),  *(_t227 - 0x18),  *(_t227 - 0x44), _t189, _t189, 0xcc0020);
														 *(_t227 - 0x10) = _t189;
														__eflags =  *(_t227 - 0x1c) - _t189;
														if( *(_t227 - 0x1c) <= _t189) {
															L40:
															SelectObject( *(_t227 - 0x54),  *(_t227 - 0x30));
															SelectObject( *(_t227 - 0x44),  *(_t227 - 0x20));
															DeleteObject( *(_t227 + 0xc));
															 *(_t227 + 0xc) =  *(_t227 - 0x24);
															L41:
															 *(_t227 - 4) = 1;
															E00066577(_t227 - 0x58);
															goto L42;
														} else {
															goto L31;
														}
														do {
															L31:
															 *(_t227 + 8) = _t189;
															__eflags =  *(_t227 - 0x18) - _t189;
															if( *(_t227 - 0x18) <= _t189) {
																goto L39;
															} else {
																goto L32;
															}
															do {
																L32:
																_t169 = GetPixel( *(_t227 - 0x54),  *(_t227 - 0x10),  *(_t227 + 8));
																__eflags =  *((short*)(_t227 - 0x5e)) - 0x18;
																 *(_t227 - 0x2c) = _t169;
																if( *((short*)(_t227 - 0x5e)) != 0x18) {
																	L35:
																	_t170 = E000B6D1E(_t189, _t217, _t226, _t169, _t189);
																	goto L36;
																}
																__eflags =  *0x1bdc80 - _t189; // 0x1
																if(__eflags != 0) {
																	goto L35;
																}
																_t170 = E000B6DA0(_t215, __eflags, _t169);
																L36:
																__eflags =  *(_t227 - 0x2c) - _t170;
																if( *(_t227 - 0x2c) != _t170) {
																	SetPixel( *(_t227 - 0x54),  *(_t227 - 0x10),  *(_t227 + 8), _t170);
																}
																 *(_t227 + 8) =  *(_t227 + 8) + 1;
																__eflags =  *(_t227 + 8) -  *(_t227 - 0x18);
															} while ( *(_t227 + 8) <  *(_t227 - 0x18));
															L39:
															 *(_t227 - 0x10) =  *(_t227 - 0x10) + 1;
															__eflags =  *(_t227 - 0x10) -  *(_t227 - 0x1c);
														} while ( *(_t227 - 0x10) <  *(_t227 - 0x1c));
														goto L40;
													}
													SelectObject( *(_t227 - 0x44),  *(_t227 - 0x20));
													DeleteObject( *(_t227 - 0x24));
													goto L41;
												}
												SelectObject( *(_t227 - 0x44),  *(_t227 - 0x20));
												goto L42;
											}
											 *(_t227 - 4) = _t189;
											E00066577(_t227 - 0x48);
											goto L43;
										}
										__eflags =  *((intOrPtr*)(_t217 + 0x30)) - _t189;
										if( *((intOrPtr*)(_t217 + 0x30)) != _t189) {
											goto L23;
										}
										goto L22;
									}
									E000B6EC7(_t189, _t215, _t217, _t223,  *(_t227 + 0xc),  *((intOrPtr*)(_t217 + 0x38)));
									goto L43;
								}
								DeleteObject( *(_t227 + 0xc));
								goto L15;
							} else {
								L15:
								 *(_t227 - 4) =  *(_t227 - 4) | 0xffffffff;
								 *((intOrPtr*)(_t227 - 0x38)) = 0x179fa0;
								E00051420(_t227 - 0x38, _t215);
								goto L54;
							}
						}
						_t182 = E0007939D(__ecx + 0xb8, _t223, 0);
						__eflags = _t182;
						if(_t182 != 0) {
							goto L53;
						}
						goto L6;
					}
					E00071DB5(__ecx + 0x88);
					E000F3B2B(__ecx + 0xb8);
					E000F3B2B(_t217 + 0xd4);
					E000D0797(_t217 + 0xf0, _t217);
					goto L6;
				}
			}

0x000bc888
0x000bc888
0x000bc888
0x000bc88f
0x000bc894
0x000bc899
0x000bc89b
0x000bc89e
0x000bc8a5
0x000bcc11
0x000bcc18
0x000bc8b3
0x000bc8bd
0x000bc8c1
0x000bc8c3
0x000bc8c9
0x000bc8fa
0x000bc8fc
0x000bc913
0x000bc913
0x000bc916
0x000bc928
0x000bc932
0x000bc93e
0x000bc941
0x000bc94b
0x000bc94b
0x000bc94e
0x000bc953
0x000bc956
0x000bc958
0x000bc95e
0x000bc960
0x000bc960
0x000bc95e
0x000bc971
0x000bc934
0x000bc937
0x000bc937
0x000bc977
0x000bc97c
0x000bc9a2
0x000bc9a8
0x000bc9aa
0x000bc9b7
0x000bc9bc
0x000bc9ce
0x000bc9d3
0x000bc9da
0x000bc9da
0x000bc9e0
0x000bcb6b
0x000bcb6b
0x000bcb6f
0x000bcb72
0x000bcb74
0x000bcb76
0x000bcb76
0x000bcb78
0x000bcb7b
0x000bcb7e
0x000bcbd2
0x000bcb80
0x000bcb80
0x000bcb82
0x000bcb8e
0x000bcb99
0x000bcb99
0x000bcba1
0x000bcba6
0x000bcba8
0x000bcbb1
0x000bcbbf
0x000bcbbf
0x000bcbc7
0x000bcbc7
0x000bcbda
0x000bcbdf
0x000bcbe6
0x000bcbeb
0x000bcbed
0x000bcbf4
0x000bcbf9
0x000bcbf9
0x000bcbf9
0x000bcc00
0x000bcc02
0x000bcc09
0x000bcc0e
0x000bcc10
0x000bcc10
0x00000000
0x000bcc10
0x000bc9e6
0x000bc9e9
0x000bc9ef
0x000bc9fd
0x000bca0b
0x000bca11
0x000bca13
0x000bca28
0x000bca31
0x000bca33
0x000bca36
0x000bca38
0x000bcb5d
0x000bcb60
0x000bcb63
0x000bcb68
0x00000000
0x000bcb68
0x000bca3e
0x000bca41
0x000bca49
0x000bca4c
0x000bca4f
0x000bca55
0x000bca58
0x000bca5a
0x000bca6c
0x000bca74
0x000bca82
0x000bca8d
0x000bca8f
0x000bca92
0x000bca94
0x000bcac1
0x000bcac7
0x000bcaca
0x000bcacd
0x000bcb32
0x000bcb38
0x000bcb40
0x000bcb45
0x000bcb4e
0x000bcb51
0x000bcb54
0x000bcb58
0x00000000
0x00000000
0x00000000
0x00000000
0x000bcacf
0x000bcacf
0x000bcacf
0x000bcad2
0x000bcad5
0x00000000
0x00000000
0x00000000
0x00000000
0x000bcad7
0x000bcad7
0x000bcae0
0x000bcae6
0x000bcaeb
0x000bcaee
0x000bcb00
0x000bcb02
0x00000000
0x000bcb02
0x000bcaf0
0x000bcaf6
0x00000000
0x00000000
0x000bcaf9
0x000bcb07
0x000bcb07
0x000bcb0a
0x000bcb16
0x000bcb16
0x000bcb1c
0x000bcb22
0x000bcb22
0x000bcb27
0x000bcb27
0x000bcb2d
0x000bcb2d
0x00000000
0x000bcacf
0x000bca9c
0x000bcaa1
0x00000000
0x000bcaa1
0x000bca62
0x00000000
0x000bca62
0x000bca18
0x000bca1b
0x00000000
0x000bca1b
0x000bc9d5
0x000bc9d8
0x00000000
0x00000000
0x00000000
0x000bc9d8
0x000bc9c4
0x00000000
0x000bc9c4
0x000bc9af
0x00000000
0x000bc97e
0x000bc97e
0x000bc97e
0x000bc985
0x000bc98c
0x00000000
0x000bc98c
0x000bc97c
0x000bc906
0x000bc90b
0x000bc90d
0x00000000
0x00000000
0x00000000
0x000bc90d
0x000bc8d2
0x000bc8dd
0x000bc8e8
0x000bc8f3
0x00000000
0x000bc8f3

APIs

LoadImageW.USER32 ref: 000BC971
GetObjectW.GDI32(?,00000018,?), ref: 000BC9A2
DeleteObject.GDI32(?), ref: 000BC9AF
CreateCompatibleDC.GDI32(00000000), ref: 000BC9F3
GetObjectW.GDI32(?,00000018,?), ref: 000BCA0B
SelectObject.GDI32(?,?), ref: 000BCA31
CreateCompatibleBitmap.GDI32(?,?,?), ref: 000BCA4F
SelectObject.GDI32(?,?), ref: 000BCA62
CreateCompatibleDC.GDI32(?), ref: 000BCA78
SelectObject.GDI32(?,?), ref: 000BCA8D
SelectObject.GDI32(?,?), ref: 000BCA9C
DeleteObject.GDI32(?), ref: 000BCAA1
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 000BCAC1
GetPixel.GDI32(?,?,?), ref: 000BCAE0
SetPixel.GDI32(?,?,?,00000000), ref: 000BCB16
SelectObject.GDI32(?,?), ref: 000BCB38
SelectObject.GDI32(?,?), ref: 000BCB40
DeleteObject.GDI32(?), ref: 000BCB45
DeleteObject.GDI32(?), ref: 000BCBC7
__EH_prolog3.LIBCMT ref: 000BC88F

Part of subcall function 00071DB5: DeleteObject.GDI32(00000000), ref: 00071DCE

Strings

, xrefs: 000BC9B7

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Object$Select$Delete$CompatibleCreate$Pixel$BitmapH_prolog3ImageLoad
String ID:
API String ID: 2657855633-3916222277
Opcode ID: a711095b82cee45b2323eb9df891598bbe7b7a288ea52d8fc6d66990ab88187c
Instruction ID: cc635281e767e1256e1650acb917fce1e9050b5221f3244004de3f174811700e
Opcode Fuzzy Hash: a711095b82cee45b2323eb9df891598bbe7b7a288ea52d8fc6d66990ab88187c
Instruction Fuzzy Hash: E8B11571900209EBDF65EFA0CC85DEDBBB5FF08314F10812AF91AA6162DB359E94DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000B9F36 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 237
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E000B9F36(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t121;
				void* _t122;
				void* _t137;
				int _t150;
				void* _t156;
				struct HBITMAP__* _t160;
				void* _t165;
				int _t172;
				intOrPtr* _t185;
				signed int _t201;
				void* _t205;
				int _t207;
				intOrPtr _t211;
				void* _t212;

				_t205 = __edx;
				_push(0xd8);
				E00151A82(0x16cd1d, __ebx, __edi, __esi);
				_t211 =  *((intOrPtr*)(_t212 + 8));
				_t207 = 0;
				_t185 = __ecx;
				if( *((intOrPtr*)(_t211 + 0x24)) == 0) {
					__eflags =  *(_t211 + 0x88);
					if( *(_t211 + 0x88) != 0) {
						E000B9073(_t211);
					}
					__eflags =  *0x1c3b0c - _t207; // 0x1
					if(__eflags == 0) {
						 *(_t211 + 0x88) = CopyImage( *(_t185 + 0x88), _t207, _t207, _t207, 0x2000);
						_t121 =  *(_t185 + 0x8c);
						__eflags = _t121 - _t207;
						if(_t121 != _t207) {
							 *((intOrPtr*)(_t211 + 0x8c)) = CopyImage(_t121, _t207, _t207, _t207, 0x2000);
						}
						_t122 =  *(_t185 + 0x90);
						__eflags = _t122 - _t207;
						if(_t122 != _t207) {
							 *((intOrPtr*)(_t211 + 0x90)) = CopyImage(_t122, _t207, _t207, _t207, 0x2000);
						}
						goto L25;
					} else {
						_t150 = GetObjectW( *(_t185 + 0x88), 0x18, _t212 - 0xe4);
						__eflags = _t150 - 0x18;
						if(_t150 != 0x18) {
							L25:
							 *((intOrPtr*)(_t211 + 0x50)) =  *((intOrPtr*)(_t185 + 0x50));
							 *((intOrPtr*)(_t211 + 0x54)) =  *((intOrPtr*)(_t185 + 0x54));
							 *((intOrPtr*)(_t211 + 0x60)) =  *((intOrPtr*)(_t185 + 0x60));
							 *((intOrPtr*)(_t211 + 0x64)) =  *((intOrPtr*)(_t185 + 0x64));
							 *((intOrPtr*)(_t211 + 0x14)) =  *((intOrPtr*)(_t185 + 0x14));
							E00054260(_t211 + 0x94, _t185 + 0x94);
							 *((intOrPtr*)(_t211 + 0x18)) =  *((intOrPtr*)(_t185 + 0x18));
							 *((intOrPtr*)(_t211 + 4)) =  *((intOrPtr*)(_t185 + 4));
							 *((intOrPtr*)(_t211 + 0xa4)) =  *((intOrPtr*)(_t185 + 0xa4));
							 *((intOrPtr*)(_t211 + 0x20)) =  *((intOrPtr*)(_t185 + 0x20));
							 *((intOrPtr*)(_t211 + 0xac)) =  *((intOrPtr*)(_t185 + 0xac));
							 *((intOrPtr*)(_t211 + 0x28)) =  *((intOrPtr*)(_t185 + 0x28));
							 *((intOrPtr*)(_t211 + 8)) =  *((intOrPtr*)(_t185 + 8));
							 *((long long*)(_t211 + 0xb0)) =  *((long long*)(_t185 + 0xb0));
							_t137 =  *(_t185 + 0xbc);
							__eflags = _t137 - _t207;
							if(__eflags == 0) {
								L31:
								_t185 =  *((intOrPtr*)(_t185 + 0xd8));
								while(1) {
									__eflags = _t185 - _t207;
									if(__eflags == 0) {
										break;
									}
									_t185 =  *_t185;
									E000B8B87(_t211 + 0xd4, __eflags,  *((intOrPtr*)(_t185 + 8)));
								}
								__eflags = 1;
								L35:
								return E00151B05(_t185, _t207, _t211);
							}
							while(1) {
								 *(_t212 - 0x94) =  *_t137;
								 *(_t212 - 0x9c) =  *(_t137 + 8);
								E000B8B87(_t211 + 0xb8, __eflags,  *(_t137 + 8));
								 *(_t212 - 0x98) =  *(_t212 - 0x98) | 0xffffffff;
								__eflags = E000A7D8E(_t185 + 0xf0, __eflags,  *(_t212 - 0x9c), _t212 - 0x98);
								if(__eflags != 0) {
									 *(E0010A1D7(_t211 + 0xf0, _t205, __eflags,  *(_t212 - 0x9c))) =  *(_t212 - 0x98);
								}
								__eflags =  *(_t212 - 0x94) - _t207;
								if(__eflags == 0) {
									goto L31;
								}
								_t137 =  *(_t212 - 0x94);
							}
							goto L31;
						}
						 *(_t212 - 0x9c) = E00155F20(_t205,  *((intOrPtr*)(_t212 - 0xdc)));
						 *(_t212 - 0xbc) =  *(_t212 - 0xe0);
						E00065EC1(_t212 - 0xac);
						 *(_t212 - 4) = _t207;
						E000664F6(_t185, _t212 - 0xac, _t205, _t207, CreateCompatibleDC(_t207));
						_t156 =  *(_t185 + 0x88);
						__eflags = _t156 - _t207;
						if(_t156 == _t207) {
							 *(_t212 - 0x98) = _t207;
						} else {
							 *(_t212 - 0x98) = SelectObject( *(_t212 - 0xa8), _t156);
						}
						__eflags =  *(_t212 - 0x98) - _t207;
						if( *(_t212 - 0x98) == _t207) {
							L20:
							 *(_t212 - 4) =  *(_t212 - 4) | 0xffffffff;
							E00066577(_t212 - 0xac);
							goto L25;
						} else {
							 *(_t212 - 0x90) = _t207;
							E00151B30(_t212 - 0x8c, _t207, 0x50);
							__eflags =  *((short*)(_t212 - 0xd2)) - 0x18;
							if( *((short*)(_t212 - 0xd2)) < 0x18) {
								L13:
								_t160 = CreateCompatibleBitmap( *(_t212 - 0xa8),  *(_t212 - 0xbc),  *(_t212 - 0x9c));
								L14:
								 *(_t212 - 0x94) = _t160;
								__eflags = _t160 - _t207;
								if(_t160 != _t207) {
									E00065EC1(_t212 - 0xcc);
									 *(_t212 - 4) = 1;
									E000664F6(_t185, _t212 - 0xcc, _t205, _t207, CreateCompatibleDC( *(_t212 - 0xa8)));
									_t165 = SelectObject( *(_t212 - 0xc8),  *(_t212 - 0x94));
									 *(_t212 - 0xb4) = _t165;
									__eflags = _t165 - _t207;
									if(_t165 == _t207) {
										DeleteObject( *(_t212 - 0x94));
									} else {
										BitBlt( *(_t212 - 0xc8), _t207, _t207,  *(_t212 - 0xbc),  *(_t212 - 0x9c),  *(_t212 - 0xa8), _t207, _t207, 0xcc0020);
										SelectObject( *(_t212 - 0xc8),  *(_t212 - 0xb4));
										 *(_t211 + 0x88) =  *(_t212 - 0x94);
									}
									 *(_t212 - 4) = 0;
									E00066577(_t212 - 0xcc);
								}
								SelectObject( *(_t212 - 0xa8),  *(_t212 - 0x98));
								goto L20;
							}
							_t172 = GetObjectW( *(_t185 + 0x88), 0x54, _t212 - 0x90);
							__eflags = _t172;
							if(_t172 == 0) {
								goto L13;
							}
							_t201 = 0xa;
							memset(_t212 - 0x38, 0, _t201 << 2);
							 *(_t212 - 0x38) =  *(_t212 - 0xe0);
							 *((intOrPtr*)(_t212 - 0x34)) =  *((intOrPtr*)(_t212 - 0xdc));
							 *((short*)(_t212 - 0x30)) =  *((intOrPtr*)(_t212 - 0xd4));
							 *((short*)(_t212 - 0x2e)) =  *((intOrPtr*)(_t212 - 0xd2));
							 *((intOrPtr*)(_t212 - 0x2c)) = 0;
							 *(_t212 - 0xb0) = 0;
							 *(_t212 - 0x3c) = 0x28;
							_t160 = CreateDIBSection( *(_t212 - 0xa8), _t212 - 0x3c, 0, _t212 - 0xb0, 0, 0);
							_t207 = 0;
							goto L14;
						}
					}
				}
				goto L35;
			}

0x000b9f36
0x000b9f36
0x000b9f40
0x000b9f45
0x000b9f48
0x000b9f4a
0x000b9f4f
0x000b9f58
0x000b9f5e
0x000b9f62
0x000b9f62
0x000b9f67
0x000b9f6d
0x000ba1a0
0x000ba1a6
0x000ba1ac
0x000ba1ae
0x000ba1bf
0x000ba1bf
0x000ba1c5
0x000ba1cb
0x000ba1cd
0x000ba1de
0x000ba1de
0x00000000
0x000b9f73
0x000b9f82
0x000b9f88
0x000b9f8b
0x000ba1e4
0x000ba1e7
0x000ba1ed
0x000ba1f3
0x000ba1f9
0x000ba1ff
0x000ba20f
0x000ba217
0x000ba21d
0x000ba226
0x000ba22f
0x000ba238
0x000ba241
0x000ba247
0x000ba250
0x000ba256
0x000ba25c
0x000ba25e
0x000ba2c9
0x000ba2c9
0x000ba2e1
0x000ba2e1
0x000ba2e3
0x00000000
0x00000000
0x000ba2d4
0x000ba2dc
0x000ba2dc
0x000ba2e7
0x000ba2e8
0x000ba2ed
0x000ba2ed
0x000ba268
0x000ba26d
0x000ba27a
0x000ba280
0x000ba285
0x000ba2a4
0x000ba2a6
0x000ba2bf
0x000ba2bf
0x000ba2c1
0x000ba2c7
0x00000000
0x00000000
0x000ba262
0x000ba262
0x00000000
0x000ba268
0x000b9f9c
0x000b9faf
0x000b9fb5
0x000b9fbb
0x000b9fcb
0x000b9fd0
0x000b9fd6
0x000b9fd8
0x000b9fef
0x000b9fda
0x000b9fe7
0x000b9fe7
0x000b9ff5
0x000b9ffb
0x000ba17b
0x000ba17b
0x000ba185
0x00000000
0x000ba001
0x000ba00b
0x000ba011
0x000ba019
0x000ba021
0x000ba09e
0x000ba0b0
0x000ba0b6
0x000ba0b6
0x000ba0bc
0x000ba0be
0x000ba0ca
0x000ba0d5
0x000ba0e6
0x000ba0f7
0x000ba0fd
0x000ba103
0x000ba105
0x000ba154
0x000ba107
0x000ba128
0x000ba13a
0x000ba146
0x000ba146
0x000ba160
0x000ba164
0x000ba164
0x000ba175
0x00000000
0x000ba175
0x000ba032
0x000ba038
0x000ba03a
0x00000000
0x00000000
0x000ba03e
0x000ba044
0x000ba04c
0x000ba055
0x000ba05f
0x000ba06a
0x000ba07a
0x000ba07d
0x000ba08d
0x000ba094
0x000ba09a
0x00000000
0x000ba09a
0x000b9ffb
0x000b9f6d
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 000B9F40
GetObjectW.GDI32(?,00000018,?), ref: 000B9F82
CreateCompatibleDC.GDI32(00000000), ref: 000B9FBE
SelectObject.GDI32(?,?), ref: 000B9FE1
_memset.LIBCMT ref: 000BA011
GetObjectW.GDI32(?,00000054,?), ref: 000BA032
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 000BA094
CreateCompatibleDC.GDI32(?), ref: 000BA0D9
SelectObject.GDI32(?,?), ref: 000BA0F7

Strings

(, xrefs: 000BA08D

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Object$Create$CompatibleSelect$H_prolog3_Section_memset
String ID: (
API String ID: 1904682052-3887548279
Opcode ID: 0772cc8dd9576ac8351cade90dcf07a070797e42bd3f2a7fc2abe29bf9034cb5
Instruction ID: 8130d68129ac792b2150532550094cba3aa379f0efd5b5574186e00f73b6ad90
Opcode Fuzzy Hash: 0772cc8dd9576ac8351cade90dcf07a070797e42bd3f2a7fc2abe29bf9034cb5
Instruction Fuzzy Hash: 46B1F670A00618EFDB61DF68CC84FDABBB5FF49700F1085A9E94DA6252DB315A84DF21

Uniqueness

Uniqueness Score: -1.00%

Function 000B7BEE Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 263
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E000B7BEE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed long long __fp0) {
				void* _t149;
				signed int _t155;
				void* _t158;
				void* _t159;
				unsigned int _t161;
				intOrPtr _t164;
				void* _t165;
				signed int _t175;
				intOrPtr _t177;
				void* _t186;
				signed char _t188;
				signed int _t200;
				void* _t209;
				signed int _t217;
				short _t240;
				int _t247;
				signed char* _t250;
				void* _t251;
				long long* _t252;
				signed long long _t259;
				signed long long _t263;

				_t259 = __fp0;
				_t244 = __edi;
				_t237 = __edx;
				_push(0xfc);
				E00151A82(0x16cb5a, __ebx, __edi, __esi);
				_t209 = __ecx;
				_t247 = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 1;
				 *((intOrPtr*)(__ecx + 0xc)) =  *((intOrPtr*)(_t251 + 8));
				if( *((intOrPtr*)(__ecx + 0x88)) == 0 ||  *0x1c3b44 <= 8) {
					L4:
					return E00151B05(_t209, _t244, _t247);
				} else {
					E00065EC1(_t251 - 0xb8);
					 *(_t251 - 4) = 0;
					E000664F6(__ecx, _t251 - 0xb8, __edx, __edi, CreateCompatibleDC(0));
					if(GetObjectW( *(_t209 + 0x88), 0x18, _t251 - 0x108) != 0) {
						_t244 = SelectObject;
						 *(_t251 - 0x94) =  *(_t251 - 0x104);
						 *(_t251 - 0xa4) =  *(_t251 - 0x100);
						_t149 =  *(_t209 + 0x88);
						__eflags = _t149;
						if(_t149 == 0) {
							 *(_t251 - 0x9c) = 0;
						} else {
							 *(_t251 - 0x9c) = SelectObject( *(_t251 - 0xb4), _t149);
						}
						__eflags =  *(_t251 - 0x9c) - _t247;
						if( *(_t251 - 0x9c) == _t247) {
							goto L3;
						} else {
							E00065EC1(_t251 - 0xc8);
							 *(_t251 - 4) = 1;
							E000664F6(_t209, _t251 - 0xc8, _t237, _t244, CreateCompatibleDC( *(_t251 - 0xb4)));
							_t155 =  *(_t251 - 0x94);
							_t217 =  *(_t251 - 0xa4);
							 *((short*)(_t251 - 0x30)) = 1;
							_t240 = 0x20;
							 *(_t251 - 0x38) = _t155;
							 *(_t251 - 0x34) = _t217;
							 *(_t251 - 0x3c) = 0x28;
							 *((short*)(_t251 - 0x2e)) = _t240;
							 *(_t251 - 0x2c) = _t247;
							 *(_t251 - 0x28) = _t217 * _t155;
							 *(_t251 - 0x24) = _t247;
							 *(_t251 - 0x20) = _t247;
							 *(_t251 - 0x1c) = _t247;
							 *(_t251 - 0x18) = _t247;
							 *(_t251 - 0xd4) = _t247;
							_t158 = CreateDIBSection( *(_t251 - 0xc4), _t251 - 0x3c, _t247, _t251 - 0xd4, _t247, _t247);
							 *(_t251 - 0xa0) = _t158;
							__eflags = _t158 - _t247;
							if(_t158 != _t247) {
								_t159 = SelectObject( *(_t251 - 0xc4), _t158);
								 *(_t251 - 0xd8) = _t159;
								__eflags = _t159 - _t247;
								if(_t159 != _t247) {
									BitBlt( *(_t251 - 0xc4), _t247, _t247,  *(_t251 - 0x94),  *(_t251 - 0xa4),  *(_t251 - 0xb4), _t247, _t247, 0xcc0020);
									_t161 =  *(_t209 + 0xc);
									 *(_t251 - 0x98) = 0x82;
									__eflags = _t161 - _t247;
									if(_t161 > _t247) {
										 *(_t251 - 0x98) = _t161;
									}
									__eflags =  *((intOrPtr*)(_t209 + 8)) - 0x20;
									if( *((intOrPtr*)(_t209 + 8)) != 0x20) {
										E000E90DD(_t251 - 0xd0, _t251 - 0xc8);
										_t164 =  *((intOrPtr*)(_t209 + 0xa4));
										 *(_t251 - 4) = 2;
										__eflags = _t164 - 0xffffffff;
										if(__eflags == 0) {
											_t164 =  *0x1c39ac; // 0xf0f0f0
										}
										_push(0xffffffff);
										_push(_t164);
										_push( *(_t251 - 0x98));
										 *(_t251 - 0xe0) =  *(_t251 - 0x94);
										 *(_t251 - 0xe8) = _t247;
										 *(_t251 - 0xe4) = _t247;
										 *(_t251 - 0xdc) =  *(_t251 - 0xa4);
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t165 = E000EA4B1(_t209, _t251 - 0xd0, _t240, _t252 - 0x10, _t251 - 0xe8, __eflags, _t259);
										 *(_t251 - 4) = 1;
										E000E90F4(_t165, _t251 - 0xd0);
										_t244 = SelectObject;
										goto L28;
									} else {
										_t175 = GetObjectW( *(_t251 - 0xa0), 0x54, _t251 - 0x90);
										__eflags = _t175;
										if(_t175 == 0) {
											L11:
											 *(_t251 - 4) = 0;
											E00066577(_t251 - 0xc8);
											goto L3;
										}
										__eflags =  *((short*)(_t251 - 0x7e)) - 0x20;
										if( *((short*)(_t251 - 0x7e)) != 0x20) {
											goto L11;
										}
										_t177 =  *((intOrPtr*)(_t251 - 0x7c));
										__eflags = _t177 - _t247;
										if(_t177 != _t247) {
											 *(_t251 - 0x94) = _t247;
											__eflags =  *(_t251 - 0x88) *  *(_t251 - 0x8c);
											if( *(_t251 - 0x88) *  *(_t251 - 0x8c) <= 0) {
												L28:
												SelectObject( *(_t251 - 0xc4),  *(_t251 - 0xd8));
												SelectObject( *(_t251 - 0xb4),  *(_t251 - 0x9c));
												DeleteObject( *(_t209 + 0x88));
												 *(_t209 + 0x88) =  *(_t251 - 0xa0);
												_t247 = 1;
												goto L20;
											}
											asm("fild dword [ebp-0x98]");
											_t250 = _t177 + 1;
											 *(_t251 - 0xa8) = _t259 *  *0x184450;
											do {
												_t186 = E000E9611((( *(_t250 - 1) & 0x000000ff) << 0x00000008 |  *_t250 & 0x000000ff) << 0x00000008 | _t250[1] & 0x000000ff, _t251 - 0xf0, _t251 - 0xe0, _t251 - 0xd0);
												_t252 = _t252 - 0x30;
												 *(_t252 + 0x28) =  *(_t251 - 0xa8);
												 *(_t252 + 0x20) =  *(_t251 - 0xa8);
												_t263 =  *(_t251 - 0xa8);
												 *(_t252 + 0x18) = _t263;
												asm("fldz");
												 *(_t252 + 0x10) = _t263;
												 *((long long*)(_t252 + 8)) =  *((long long*)(_t251 - 0xd0));
												 *_t252 =  *((long long*)(_t251 - 0xf0));
												_push(E000E93E5(_t186));
												_t188 = E000E91C4(_t250[1] & 0x000000ff);
												 *(_t251 - 0x98) = _t188;
												asm("cdq");
												_t250[1] = (_t188 & 0x000000ff) * (_t250[2] & 0x000000ff) / 0xff;
												asm("cdq");
												 *_t250 = ( *(_t251 - 0x98) >> 0x00000008 & 0x000000ff) * (_t250[2] & 0x000000ff) / 0xff;
												_t200 = ( *(_t251 - 0x98) >> 0x00000010 & 0x000000ff) * (_t250[2] & 0x000000ff);
												asm("cdq");
												 *(_t251 - 0x94) =  *(_t251 - 0x94) + 1;
												_t250 =  &(_t250[4]);
												 *((char*)(_t250 - 5)) = _t200 / 0xff;
												__eflags =  *(_t251 - 0x94) -  *(_t251 - 0x88) *  *(_t251 - 0x8c);
											} while ( *(_t251 - 0x94) <  *(_t251 - 0x88) *  *(_t251 - 0x8c));
											goto L28;
										}
										L20:
										 *(_t251 - 4) = 0;
										E00066577(_t251 - 0xc8);
										 *(_t251 - 4) =  *(_t251 - 4) | 0xffffffff;
										E00066577(_t251 - 0xb8);
										goto L4;
									}
								}
								SelectObject( *(_t251 - 0xb4),  *(_t251 - 0x9c));
								DeleteObject( *(_t251 - 0xa0));
								goto L11;
							}
							SelectObject( *(_t251 - 0xb4),  *(_t251 - 0x9c));
							goto L11;
						}
					}
					L3:
					 *(_t251 - 4) =  *(_t251 - 4) | 0xffffffff;
					E00066577(_t251 - 0xb8);
					goto L4;
				}
			}

0x000b7bee
0x000b7bee
0x000b7bee
0x000b7bee
0x000b7bf8
0x000b7bfd
0x000b7c05
0x000b7c07
0x000b7c0a
0x000b7c13
0x000b7c69
0x000b7c6e
0x000b7c1e
0x000b7c24
0x000b7c2a
0x000b7c3a
0x000b7c56
0x000b7c77
0x000b7c7d
0x000b7c89
0x000b7c8f
0x000b7c95
0x000b7c97
0x000b7caa
0x000b7c99
0x000b7ca2
0x000b7ca2
0x000b7cb0
0x000b7cb6
0x00000000
0x000b7cb8
0x000b7cbe
0x000b7cc9
0x000b7cda
0x000b7cdf
0x000b7ce5
0x000b7cf0
0x000b7cf4
0x000b7cf7
0x000b7cfa
0x000b7d12
0x000b7d19
0x000b7d1d
0x000b7d20
0x000b7d23
0x000b7d26
0x000b7d29
0x000b7d2c
0x000b7d2f
0x000b7d35
0x000b7d3b
0x000b7d41
0x000b7d43
0x000b7d6e
0x000b7d70
0x000b7d76
0x000b7d78
0x000b7db7
0x000b7dbd
0x000b7dc0
0x000b7dca
0x000b7dcc
0x000b7dce
0x000b7dce
0x000b7dd4
0x000b7dd8
0x000b7f61
0x000b7f66
0x000b7f6c
0x000b7f70
0x000b7f73
0x000b7f75
0x000b7f75
0x000b7f80
0x000b7f82
0x000b7f83
0x000b7f89
0x000b7f95
0x000b7f9b
0x000b7fa1
0x000b7fb2
0x000b7fb3
0x000b7fb4
0x000b7fbb
0x000b7fbc
0x000b7fc7
0x000b7fcb
0x000b7fd0
0x00000000
0x000b7dde
0x000b7ded
0x000b7df3
0x000b7df5
0x000b7d53
0x000b7d59
0x000b7d5d
0x00000000
0x000b7d5d
0x000b7dfb
0x000b7e00
0x00000000
0x00000000
0x000b7e06
0x000b7e09
0x000b7e0b
0x000b7e3f
0x000b7e45
0x000b7e47
0x000b7fd6
0x000b7fe2
0x000b7ff0
0x000b7ff8
0x000b8006
0x000b800c
0x00000000
0x000b800c
0x000b7e4d
0x000b7e53
0x000b7e5c
0x000b7e62
0x000b7e8d
0x000b7e92
0x000b7e9b
0x000b7ea5
0x000b7ea9
0x000b7eaf
0x000b7eb3
0x000b7eb5
0x000b7ebf
0x000b7ec9
0x000b7ed1
0x000b7ed2
0x000b7edb
0x000b7ee7
0x000b7ef3
0x000b7f05
0x000b7f11
0x000b7f1f
0x000b7f22
0x000b7f2a
0x000b7f30
0x000b7f33
0x000b7f43
0x000b7f43
0x00000000
0x000b7f4f
0x000b7e0d
0x000b7e13
0x000b7e17
0x000b7e1c
0x000b7e26
0x00000000
0x000b7e2b
0x000b7dd8
0x000b7d86
0x000b7d8e
0x00000000
0x000b7d8e
0x000b7d51
0x00000000
0x000b7d51
0x000b7cb6
0x000b7c58
0x000b7c58
0x000b7c62
0x00000000
0x000b7c67

APIs

__EH_prolog3_GS.LIBCMT ref: 000B7BF8
CreateCompatibleDC.GDI32(00000000), ref: 000B7C2D
GetObjectW.GDI32(?,00000018,?), ref: 000B7C4E
SelectObject.GDI32(?,?), ref: 000B7CA0
CreateCompatibleDC.GDI32(?), ref: 000B7CCD
CreateDIBSection.GDI32(?,0006330F,00000000,?,00000000,00000000), ref: 000B7D35
SelectObject.GDI32(?,?), ref: 000B7D51
SelectObject.GDI32(?,00000000), ref: 000B7D6E
SelectObject.GDI32(?,?), ref: 000B7D86
DeleteObject.GDI32(?), ref: 000B7D8E
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 000B7DB7
GetObjectW.GDI32(?,00000054,?), ref: 000B7DED
SelectObject.GDI32(?,?), ref: 000B7FE2
SelectObject.GDI32(?,?), ref: 000B7FF0
DeleteObject.GDI32(?), ref: 000B7FF8

Strings

(, xrefs: 000B7D12
, xrefs: 000B7DFB

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Object$Select$Create$CompatibleDelete$H_prolog3_Section
String ID: $(
API String ID: 339215182-55695022
Opcode ID: e56f5f30b10ab94cd111529193e09bdaf90d3f4d19a79dda03d917718ad54568
Instruction ID: d8094fe1496c9536eb68dcd2846d8865c078dbd531a5908f8231ebb683c11af4
Opcode Fuzzy Hash: e56f5f30b10ab94cd111529193e09bdaf90d3f4d19a79dda03d917718ad54568
Instruction Fuzzy Hash: B2C14A70904268DFDB65DF64CD85BEDBBB5EF59300F0080EAE58DA6292DB305A84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 000A44FC Relevance: 28.9, APIs: 19, Instructions: 446
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E000A44FC(void* __ebx, int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t158;
				void* _t159;
				WCHAR* _t163;
				struct HWND__* _t166;
				struct HWND__* _t168;
				intOrPtr* _t179;
				struct HWND__* _t205;
				struct HWND__* _t208;
				void* _t213;
				struct HWND__* _t215;
				intOrPtr _t218;
				struct HWND__* _t219;
				struct HWND__* _t227;
				void* _t233;
				int _t235;
				void* _t248;
				void* _t250;
				int _t262;
				struct HWND__* _t263;
				void* _t332;
				intOrPtr _t334;
				void* _t337;
				void* _t338;
				void* _t350;

				_t332 = __edx;
				_push(0xa8);
				E00151A82(0x16b9ff, __ebx, __edi, __esi);
				_t334 =  *((intOrPtr*)(_t338 + 8));
				_t262 = __ecx;
				 *(_t338 - 0x80) = __ecx;
				E000D0797(__ecx + 0x1bc, _t334);
				E000A4D27(_t338 - 0xb4, 0xa);
				_t267 = _t262;
				 *(_t338 - 4) = 0;
				E000A01D5(_t262, _t262, _t334, 0, _t338 - 0xb4, 1, 0, 0);
				 *(_t338 - 0x84) = 0;
				_t337 = AppendMenuW;
				while( *(_t338 - 0x84) != 1 ||  *((intOrPtr*)(_t338 + 0xc)) == 0) {
					 *(_t338 - 0x7c) = 1;
					_t158 =  *((intOrPtr*)(_t338 - 0xb0));
					if(_t158 == 0) {
						L51:
						 *(_t338 - 0x84) =  &( *(_t338 - 0x84)->i);
						if( *(_t338 - 0x84) < 2) {
							continue;
						}
						break;
					} else {
						while(_t158 != 0) {
							 *((intOrPtr*)(_t338 - 0x90)) =  *_t158;
							_t262 = E0006EA25(0x1845c0,  *((intOrPtr*)(_t158 + 8)));
							_pop(_t267);
							if(_t262 == 0 || IsWindow( *(_t262 + 0x20)) == 0) {
								L49:
								if( *((intOrPtr*)(_t338 - 0x90)) != 0) {
									_t158 =  *((intOrPtr*)(_t338 - 0x90));
									continue;
								}
								_t262 =  *(_t338 - 0x80);
								goto L51;
							} else {
								_t267 = _t262;
								if( *((intOrPtr*)( *_t262 + 0x288))() == 0) {
									goto L49;
								}
								_t267 = _t262;
								if( *((intOrPtr*)( *_t262 + 0x1c4))() == 0) {
									goto L49;
								}
								_t267 = _t262;
								if(E0006EA07(_t262, 0x1bced8) == 0) {
									__eflags =  *(_t338 - 0x84);
								} else {
									_t350 =  *(_t338 - 0x84) - 1;
								}
								if(_t350 == 0) {
									goto L49;
								} else {
									E00051110(_t338 - 0x8c, E00065761());
									 *(_t338 - 4) = 1;
									 *((intOrPtr*)( *_t262 + 0x28c))(_t338 - 0x8c);
									if(E0006EA07(_t262, 0x191814) == 0 || E0006EA07(_t262, 0x1bf448) != 0) {
										_t205 = E0006EA07(_t262, 0x1876d0);
										__eflags = _t205;
										if(_t205 == 0) {
											_t208 = E000A7D8E( *(_t338 - 0x80) + 0x1bc, __eflags, E000634FE(_t262), _t338 - 0x88);
											__eflags = _t208;
											if(_t208 == 0) {
												__eflags =  *(_t338 - 0x7c) - _t208;
												if( *(_t338 - 0x7c) != _t208) {
													__eflags =  *(_t338 - 0x84) - 1;
													if( *(_t338 - 0x84) == 1) {
														_t215 = GetMenuItemCount( *(_t334 + 4));
														__eflags = _t215;
														if(_t215 > 0) {
															AppendMenuW( *(_t334 + 4), 0x800, 0, 0);
														}
													}
												}
												 *(_t338 - 0x88) =  *(_t338 - 0x8c);
												AppendMenuW( *(_t334 + 4), 0, E000634FE(_t262),  *(_t338 - 0x88));
												 *(_t338 - 0x7c) =  *(_t338 - 0x7c) & 0x00000000;
												_t213 = E000634FE(_t262);
												__eflags =  *(_t338 - 0x80) + 0x1bc;
												 *(E0010A1D7( *(_t338 - 0x80) + 0x1bc, _t332,  *(_t338 - 0x80) + 0x1bc, _t213)) = _t262;
											}
											goto L48;
										}
										_t262 = E0006EA25(0x1876d0, _t262);
										_t218 = E000DC9F8(_t262);
										 *((intOrPtr*)(_t338 - 0x98)) = _t218;
										_t219 = SendMessageW( *(_t218 + 0x20), 0x40c, 0, 0);
										_t309 =  *(_t262 + 0x2ac);
										 *(_t338 - 0x78) =  *(_t338 - 0x78) & 0x00000000;
										 *(_t338 - 0x88) = _t219;
										 *(_t338 - 0x74) =  *(_t262 + 0x2ac);
										 *((intOrPtr*)(_t338 - 0x70)) = 0x230;
										__eflags = _t219;
										if(__eflags == 0) {
											goto L48;
										} else {
											goto L33;
										}
										do {
											L33:
											SendMessageW( *( *((intOrPtr*)(_t338 - 0x98)) + 0x20), 0x41c,  *(_t338 - 0x78), _t338 - 0x74);
											_t262 = E0006EA25(0x1845c0, E0005F85A(_t262, _t309, _t332, _t334, _t337, __eflags,  *((intOrPtr*)(_t338 - 0x54))));
											_pop(_t309);
											__eflags = _t262;
											if(_t262 != 0) {
												_t309 = _t262;
												_t227 =  *((intOrPtr*)( *_t262 + 0x288))();
												__eflags = _t227;
												if(_t227 != 0) {
													 *((intOrPtr*)( *_t262 + 0x28c))(_t338 - 0x8c);
													__eflags =  *(_t338 - 0x7c);
													if( *(_t338 - 0x7c) != 0) {
														__eflags =  *(_t338 - 0x84) - 1;
														if( *(_t338 - 0x84) == 1) {
															_t235 = GetMenuItemCount( *(_t334 + 4));
															__eflags = _t235;
															if(_t235 > 0) {
																AppendMenuW( *(_t334 + 4), 0x800, 0, 0);
															}
														}
													}
													 *(_t338 - 0x94) =  *(_t338 - 0x8c);
													AppendMenuW( *(_t334 + 4), 0, E000634FE(_t262),  *(_t338 - 0x94));
													 *(_t338 - 0x7c) =  *(_t338 - 0x7c) & 0x00000000;
													_t233 = E000634FE(_t262);
													_t309 =  *(_t338 - 0x80) + 0x1bc;
													__eflags =  *(_t338 - 0x80) + 0x1bc;
													 *(E0010A1D7( *(_t338 - 0x80) + 0x1bc, _t332,  *(_t338 - 0x80) + 0x1bc, _t233)) = _t262;
												}
											}
											 *(_t338 - 0x78) =  *(_t338 - 0x78) + 1;
											__eflags =  *(_t338 - 0x78) -  *(_t338 - 0x88);
										} while (__eflags < 0);
									} else {
										_t262 =  *((intOrPtr*)( *_t262 + 0x3a4))();
										 *(_t338 - 0x94) = _t262;
										if(_t262 == 0) {
											L48:
											_t267 =  *(_t338 - 0x8c) + 0xfffffff0;
											 *(_t338 - 4) = 0;
											E00051190( *(_t338 - 0x8c) + 0xfffffff0, _t332);
											goto L49;
										}
										 *(_t338 - 0x78) =  *(_t338 - 0x78) & 0x00000000;
										if( *((intOrPtr*)( *_t262 + 0x1a8))() > 0) {
											goto L21;
											L22:
											_t248 =  *((intOrPtr*)( *_t262 + 0x288))();
											_t356 = _t248;
											if(_t248 == 0) {
												goto L29;
											}
											_t250 = E000634FE(_t262);
											 *((intOrPtr*)(_t338 - 0x98)) =  *(_t338 - 0x80) + 0x1bc;
											if(E000A7D8E( *(_t338 - 0x80) + 0x1bc, _t356, _t250, _t338 - 0x88) != 0) {
												goto L29;
											}
											 *((intOrPtr*)( *_t262 + 0x28c))(_t338 - 0x8c);
											if( *(_t338 - 0x7c) != 0 &&  *(_t338 - 0x84) == 1 && GetMenuItemCount( *(_t334 + 4)) > 0) {
												AppendMenuW( *(_t334 + 4), 0x800, 0, 0);
											}
											 *(_t338 - 0x7c) =  *(_t338 - 0x8c);
											AppendMenuW( *(_t334 + 4), 0, E000634FE(_t262),  *(_t338 - 0x7c));
											 *(_t338 - 0x7c) =  *(_t338 - 0x7c) & 0x00000000;
											 *(E0010A1D7( *((intOrPtr*)(_t338 - 0x98)), _t332,  *(_t338 - 0x7c), E000634FE(_t262))) = _t262;
											L29:
											 *(_t338 - 0x78) =  *(_t338 - 0x78) + 1;
											if( *(_t338 - 0x78) <  *((intOrPtr*)( *( *(_t338 - 0x94)) + 0x1a8))()) {
												_t262 =  *(_t338 - 0x94);
												L21:
												_t262 = E0006EA25(0x1845c0,  *((intOrPtr*)( *_t262 + 0x1ac))( *(_t338 - 0x78)));
												if(_t262 == 0) {
													goto L29;
												}
												goto L22;
											}
										}
									}
									goto L48;
								}
							}
						}
						E000655E0(_t267);
						L56:
						_t168 = E0006EA25(0x17da3c, E0005F82E(_t262, _t267, _t332,  *(_t338 - 0x7c)));
						_pop(_t267);
						__eflags = _t168;
						if(__eflags != 0) {
							_t263 =  *(_t168 + 0x434);
							__eflags = _t263;
							if(__eflags != 0) {
								E00051110(_t338 - 0x78, E00065761());
								 *(_t338 - 4) = 2;
								 *((intOrPtr*)(_t263->i + 0x28c))(_t338 - 0x78);
								 *(_t338 - 0x88) =  *(_t338 - 0x78);
								AppendMenuW( *(_t334 + 4), 0, E000634FE(_t263),  *(_t338 - 0x88));
								 *(E0010A1D7( *(_t338 - 0x80) + 0x1bc, _t332, __eflags, E000634FE(_t263))) = _t263;
								_t267 =  *(_t338 - 0x78) + 0xfffffff0;
								__eflags =  *(_t338 - 0x78) + 0xfffffff0;
								 *(_t338 - 4) = 0;
								E00051190( *(_t338 - 0x78) + 0xfffffff0, _t332);
							}
							_t262 =  *(_t338 - 0x80);
						}
						_t166 = GetWindow( *(_t338 - 0x7c), 2);
						L61:
						 *(_t338 - 0x7c) = _t166;
						if(_t166 != 0) {
							goto L56;
						}
						_t179 =  *((intOrPtr*)(_t262 + 0x1a0));
						_t369 = _t179;
						if(_t179 == 0) {
							L69:
							if( *((intOrPtr*)(_t262 + 0x1e8)) != 0) {
								if(GetMenuItemCount( *(_t334 + 4)) > 0) {
									AppendMenuW( *(_t334 + 4), 0x800, 0, 0);
								}
								_t163 =  *(_t262 + 0x1ec);
								AppendMenuW( *(_t334 + 4), 0, _t262, _t163);
							}
							 *(_t338 - 4) =  *(_t338 - 4) | 0xffffffff;
							E000A4D4F(_t338 - 0xb4);
							return E00151B05(_t262, _t334, _t337);
						}
						while(1) {
							 *((intOrPtr*)(_t338 - 0x90)) =  *_t179;
							_t262 = E0006EA25(0x1bec6c, E0005F85A(_t262,  *_t179, _t332, _t334, _t337, _t369,  *((intOrPtr*)(_t179 + 8))));
							_t370 = _t262;
							if(_t262 != 0) {
								E00051110(_t338 - 0x78, E00065761());
								 *(_t338 - 4) = 3;
								 *((intOrPtr*)( *_t262 + 0x28c))(_t338 - 0x78);
								 *(_t338 - 0x88) =  *(_t338 - 0x78);
								AppendMenuW( *(_t334 + 4), 0, E000634FE(_t262),  *(_t338 - 0x88));
								 *(E0010A1D7( *(_t338 - 0x80) + 0x1bc, _t332, _t370, E000634FE(_t262))) = _t262;
								 *(_t338 - 4) = 0;
								E00051190( *(_t338 - 0x78) + 0xfffffff0, _t332);
							}
							if( *((intOrPtr*)(_t338 - 0x90)) == 0) {
								break;
							}
							_t179 =  *((intOrPtr*)(_t338 - 0x90));
						}
						_t262 =  *(_t338 - 0x80);
						goto L69;
					}
				}
				_t159 = E0006EA25(0x17e958,  *((intOrPtr*)(_t262 + 0xe4)));
				_pop(_t267);
				if(_t159 == 0 ||  *((intOrPtr*)(_t338 + 0xc)) != 0) {
					goto L69;
				} else {
					_t166 = GetWindow( *(_t159 + 0x110), 5);
					goto L61;
				}
			}

0x000a44fc
0x000a44fc
0x000a4506
0x000a450b
0x000a450e
0x000a4516
0x000a4519
0x000a4526
0x000a4538
0x000a453a
0x000a453d
0x000a4542
0x000a4548
0x000a454e
0x000a4563
0x000a4566
0x000a456e
0x000a4955
0x000a4955
0x000a4962
0x00000000
0x00000000
0x00000000
0x000a4574
0x000a457c
0x000a458e
0x000a4599
0x000a459c
0x000a459f
0x000a4945
0x000a494c
0x000a4576
0x00000000
0x000a4576
0x000a4952
0x00000000
0x000a45b6
0x000a45b8
0x000a45c2
0x00000000
0x00000000
0x000a45ca
0x000a45d4
0x00000000
0x00000000
0x000a45df
0x000a45e8
0x000a45f3
0x000a45ea
0x000a45ea
0x000a45ea
0x000a45fa
0x00000000
0x000a4600
0x000a460c
0x000a461c
0x000a4620
0x000a4634
0x000a4778
0x000a477d
0x000a477f
0x000a48c4
0x000a48c9
0x000a48cb
0x000a48cd
0x000a48d0
0x000a48d2
0x000a48d9
0x000a48de
0x000a48e4
0x000a48e6
0x000a48f4
0x000a48f4
0x000a48e6
0x000a48d9
0x000a48fe
0x000a4915
0x000a4917
0x000a491d
0x000a4926
0x000a4931
0x000a4931
0x00000000
0x000a48cb
0x000a4791
0x000a4796
0x000a47a7
0x000a47ad
0x000a47b3
0x000a47b9
0x000a47bd
0x000a47c3
0x000a47c6
0x000a47cd
0x000a47cf
0x00000000
0x00000000
0x00000000
0x00000000
0x000a47d5
0x000a47d5
0x000a47ea
0x000a4803
0x000a4806
0x000a4807
0x000a4809
0x000a4811
0x000a4813
0x000a4819
0x000a481b
0x000a4828
0x000a482e
0x000a4832
0x000a4834
0x000a483b
0x000a4840
0x000a4846
0x000a4848
0x000a4856
0x000a4856
0x000a4848
0x000a483b
0x000a4860
0x000a4877
0x000a4879
0x000a487f
0x000a4888
0x000a4888
0x000a4893
0x000a4893
0x000a481b
0x000a4895
0x000a489b
0x000a489b
0x000a464e
0x000a4658
0x000a465a
0x000a4662
0x000a4933
0x000a4939
0x000a493c
0x000a4940
0x00000000
0x000a4940
0x000a466a
0x000a4678
0x000a467e
0x000a46aa
0x000a46ae
0x000a46b4
0x000a46b6
0x00000000
0x00000000
0x000a46c5
0x000a46d4
0x000a46e1
0x00000000
0x00000000
0x000a46ee
0x000a46f8
0x000a471c
0x000a471c
0x000a4726
0x000a4737
0x000a4739
0x000a4750
0x000a4752
0x000a475a
0x000a4766
0x000a4680
0x000a4686
0x000a469e
0x000a46a4
0x00000000
0x00000000
0x00000000
0x000a46a4
0x000a476c
0x000a4678
0x00000000
0x000a4634
0x000a45fa
0x000a459f
0x000a4999
0x000a499e
0x000a49ac
0x000a49b2
0x000a49b3
0x000a49b5
0x000a49b7
0x000a49bd
0x000a49bf
0x000a49ca
0x000a49d7
0x000a49db
0x000a49e6
0x000a49fd
0x000a4a15
0x000a4a1a
0x000a4a1a
0x000a4a1d
0x000a4a21
0x000a4a21
0x000a4a26
0x000a4a26
0x000a4a2e
0x000a4a2e
0x000a4a34
0x000a4a39
0x00000000
0x00000000
0x000a4a3f
0x000a4a45
0x000a4a47
0x000a4aed
0x000a4af4
0x000a4b01
0x000a4b0f
0x000a4b0f
0x000a4b11
0x000a4b24
0x000a4b24
0x000a4b26
0x000a4b30
0x000a4b3a
0x000a4b3a
0x000a4a55
0x000a4a5a
0x000a4a70
0x000a4a74
0x000a4a76
0x000a4a81
0x000a4a8e
0x000a4a92
0x000a4a9d
0x000a4ab4
0x000a4acc
0x000a4ad4
0x000a4ad8
0x000a4ad8
0x000a4ae4
0x00000000
0x00000000
0x000a4a4f
0x000a4a4f
0x000a4aea
0x00000000
0x000a4aea
0x000a456e
0x000a4973
0x000a4979
0x000a497c
0x00000000
0x000a498c
0x000a4a2e
0x00000000
0x000a4a2e

APIs

__EH_prolog3_GS.LIBCMT ref: 000A4506
IsWindow.USER32(?), ref: 000A45A8
GetMenuItemCount.USER32(00000001), ref: 000A4706
AppendMenuW.USER32 ref: 000A471C
AppendMenuW.USER32 ref: 000A4737
SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 000A47AD
SendMessageW.USER32(?,0000041C,00000000,?), ref: 000A47EA
GetMenuItemCount.USER32(00000001), ref: 000A4840
AppendMenuW.USER32 ref: 000A4856
AppendMenuW.USER32 ref: 000A4877
GetMenuItemCount.USER32(00000001), ref: 000A48DE
AppendMenuW.USER32 ref: 000A48F4
AppendMenuW.USER32 ref: 000A4915
AppendMenuW.USER32 ref: 000A49FD
GetWindow.USER32(?,00000005), ref: 000A4A2E
AppendMenuW.USER32 ref: 000A4AB4
GetMenuItemCount.USER32(00000000), ref: 000A4AF9
AppendMenuW.USER32 ref: 000A4B0F
AppendMenuW.USER32 ref: 000A4B24

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Menu$Append$CountItem$MessageSendWindow$H_prolog3_
String ID:
API String ID: 2495817426-0
Opcode ID: 8c692723f47982cd3432b3868683266bb257be4bd2d471ac994eebf0e9c73c2f
Instruction ID: 21a22e8c9e7b7c372226569cf2c2cfa2f58fc87657fab749b8aaeff9cb84b288
Opcode Fuzzy Hash: 8c692723f47982cd3432b3868683266bb257be4bd2d471ac994eebf0e9c73c2f
Instruction Fuzzy Hash: AB023C34A042199FEF64AFA4CC95BADB7B5BF45301F1440ADE509AB293DFB09984CF11

Uniqueness

Uniqueness Score: -1.00%

Function 000B790E Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 237
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E000B790E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				int _t111;
				int _t120;
				void* _t123;
				signed int _t129;
				void* _t132;
				int _t133;
				int _t136;
				intOrPtr* _t137;
				void* _t138;
				long _t139;
				long _t146;
				int _t150;
				void* _t151;
				intOrPtr _t158;
				signed int _t167;
				intOrPtr* _t170;
				void* _t179;
				short _t182;
				int _t185;
				void* _t188;
				int _t190;
				void** _t192;
				void* _t193;
				void* _t194;
				void* _t202;

				_t202 = __fp0;
				_t179 = __edx;
				_push(0x9c);
				E00151A82(0x16cb11, __ebx, __edi, __esi);
				_t188 = __ecx;
				if( *(_t193 + 8) != 0) {
					_t111 = __ecx + 0x90;
					 *(_t193 - 0x40) = _t111;
					_t185 = _t111;
					L7:
					E00071DB5(_t185);
					 *_t185 = 0;
					__eflags =  *(_t188 + 0x88);
					if( *(_t188 + 0x88) != 0) {
						__eflags =  *0x1c3b44 - 8;
						if( *0x1c3b44 <= 8) {
							goto L8;
						}
						E00065EC1(_t193 - 0x60);
						 *(_t193 - 4) = 0;
						E000664F6(0, _t193 - 0x60, _t179, _t185, CreateCompatibleDC(0));
						_t120 = GetObjectW( *(_t188 + 0x88), 0x18, _t193 - 0xa8);
						__eflags = _t120;
						if(_t120 != 0) {
							_t185 = SelectObject;
							 *(_t193 - 0x44) =  *(_t193 - 0xa4);
							 *(_t193 - 0x4c) =  *(_t193 - 0xa0);
							_t123 =  *(_t188 + 0x88);
							__eflags = _t123;
							if(_t123 == 0) {
								 *(_t193 - 0x48) = 0;
							} else {
								 *(_t193 - 0x48) = SelectObject( *(_t193 - 0x5c), _t123);
							}
							__eflags =  *(_t193 - 0x48);
							if( *(_t193 - 0x48) != 0) {
								E00065EC1(_t193 - 0x78);
								 *(_t193 - 4) = 1;
								E000664F6(0, _t193 - 0x78, _t179, _t185, CreateCompatibleDC( *(_t193 - 0x5c)));
								_t129 =  *(_t193 - 0x44);
								_t167 =  *(_t193 - 0x4c);
								 *((short*)(_t193 - 0x30)) = 1;
								_t182 = 0x20;
								 *(_t193 - 0x38) = _t129;
								 *(_t193 - 0x34) = _t167;
								 *(_t193 - 0x3c) = 0x28;
								 *((short*)(_t193 - 0x2e)) = _t182;
								 *((intOrPtr*)(_t193 - 0x2c)) = 0;
								 *(_t193 - 0x28) = _t167 * _t129;
								 *((intOrPtr*)(_t193 - 0x24)) = 0;
								 *((intOrPtr*)(_t193 - 0x20)) = 0;
								 *((intOrPtr*)(_t193 - 0x1c)) = 0;
								 *((intOrPtr*)(_t193 - 0x18)) = 0;
								 *(_t193 - 0x7c) = 0;
								_t132 = CreateDIBSection( *(_t193 - 0x74), _t193 - 0x3c, 0, _t193 - 0x7c, 0, 0);
								 *( *(_t193 - 0x40)) = _t132;
								__eflags = _t132;
								if(_t132 != 0) {
									_t133 = SelectObject( *(_t193 - 0x74), _t132);
									 *(_t193 - 0x80) = _t133;
									__eflags = _t133;
									if(_t133 != 0) {
										__eflags =  *((intOrPtr*)(_t188 + 8)) - 0x20;
										if( *((intOrPtr*)(_t188 + 8)) != 0x20) {
											 *(_t193 - 0x40) =  *(_t188 + 0xa4);
										} else {
											 *(_t193 - 0x40) =  *(_t193 - 0x40) | 0xffffffff;
										}
										BitBlt( *(_t193 - 0x74), 0, 0,  *(_t193 - 0x44),  *(_t193 - 0x4c),  *(_t193 - 0x5c), 0, 0, 0xcc0020);
										__eflags =  *(_t193 + 8);
										if( *(_t193 + 8) != 0) {
											_t136 =  *(_t193 - 0x40);
											__eflags = _t136 - 0xffffffff;
											if(__eflags == 0) {
												_t136 =  *0x1c39ac; // 0xf0f0f0
											}
											 *(_t193 - 0x50) = _t136;
											_t137 = E00074709(0, _t185, _t188, __eflags);
											_t170 = _t137;
											_t138 =  *((intOrPtr*)( *_t137 + 0xc0))();
											__eflags =  *0x1c3b44 - 8;
											if( *0x1c3b44 > 8) {
												_t139 = E000E90FB(_t170, _t138, 0x43);
											} else {
												_t139 =  *0x1c39b0; // 0xa0a0a0
											}
											 *(_t193 - 0x64) = _t139;
											 *(_t193 - 0x40) = 0;
											__eflags =  *(_t193 - 0x44);
											if( *(_t193 - 0x44) > 0) {
												do {
													_t190 = 0;
													__eflags =  *(_t193 - 0x4c);
													if( *(_t193 - 0x4c) <= 0) {
														goto L38;
													} else {
														goto L35;
													}
													do {
														L35:
														_t146 = GetPixel( *(_t193 - 0x74),  *(_t193 - 0x40), _t190);
														__eflags = _t146 -  *(_t193 - 0x50);
														if(_t146 !=  *(_t193 - 0x50)) {
															SetPixel( *(_t193 - 0x74),  *(_t193 - 0x40), _t190,  *(_t193 - 0x64));
														}
														_t190 = _t190 + 1;
														__eflags = _t190 -  *(_t193 - 0x4c);
													} while (_t190 <  *(_t193 - 0x4c));
													L38:
													 *(_t193 - 0x40) =  *(_t193 - 0x40) + 1;
													__eflags =  *(_t193 - 0x40) -  *(_t193 - 0x44);
												} while ( *(_t193 - 0x40) <  *(_t193 - 0x44));
											}
											goto L39;
										} else {
											E000E90DD(_t193 - 0x68, _t193 - 0x78);
											_t150 =  *(_t193 - 0x40);
											 *(_t193 - 4) = 2;
											__eflags = _t150 - 0xffffffff;
											if(__eflags == 0) {
												_t150 =  *0x1c39ac; // 0xf0f0f0
											}
											_push(0xffffffff);
											_push(0);
											_push(_t150);
											_push( *((intOrPtr*)(_t188 + 0x10)));
											 *(_t193 - 0x88) =  *(_t193 - 0x44);
											 *(_t193 - 0x84) =  *(_t193 - 0x4c);
											 *((intOrPtr*)(_t193 - 0x90)) = 0;
											 *((intOrPtr*)(_t193 - 0x8c)) = 0;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											_t151 = E000E9E10(0, _t193 - 0x68, _t182, _t194 - 0x10, _t193 - 0x90, __eflags, _t202);
											 *(_t193 - 4) = 1;
											E000E90F4(_t151, _t193 - 0x68);
											_t185 = SelectObject;
											L39:
											SelectObject( *(_t193 - 0x74),  *(_t193 - 0x80));
											SelectObject( *(_t193 - 0x5c),  *(_t193 - 0x48));
											_t188 = 1;
											L20:
											 *(_t193 - 4) = 0;
											E00066577(_t193 - 0x78);
											 *(_t193 - 4) =  *(_t193 - 4) | 0xffffffff;
											E00066577(_t193 - 0x60);
											L5:
											return E00151B05(0, _t185, _t188);
										}
									}
									SelectObject( *(_t193 - 0x5c),  *(_t193 - 0x48));
									_t192 =  *(_t193 - 0x40);
									DeleteObject( *_t192);
									 *_t192 = 0;
									_t188 = 0;
									__eflags = 0;
									goto L20;
								}
								SelectObject( *(_t193 - 0x5c),  *(_t193 - 0x48));
								 *(_t193 - 4) = 0;
								E00066577(_t193 - 0x78);
							}
						}
						 *(_t193 - 4) =  *(_t193 - 4) | 0xffffffff;
						E00066577(_t193 - 0x60);
						L4:
						goto L5;
					}
					L8:
					goto L5;
				}
				_t158 =  *((intOrPtr*)(__ecx + 8));
				_t185 = __ecx + 0x8c;
				 *(_t193 - 0x40) = _t185;
				if(_t158 <= 4 ||  *((intOrPtr*)(__ecx + 0x34)) != 0) {
					if(_t158 != 0) {
						goto L7;
					}
				}
			}

0x000b790e
0x000b790e
0x000b790e
0x000b7918
0x000b791f
0x000b7924
0x000b794a
0x000b7950
0x000b7953
0x000b7955
0x000b7956
0x000b795b
0x000b795d
0x000b7963
0x000b796a
0x000b7971
0x00000000
0x00000000
0x000b7976
0x000b797c
0x000b7989
0x000b799d
0x000b79a3
0x000b79a5
0x000b79bb
0x000b79c1
0x000b79ca
0x000b79cd
0x000b79d3
0x000b79d5
0x000b79e2
0x000b79d7
0x000b79dd
0x000b79dd
0x000b79e5
0x000b79e8
0x000b79ed
0x000b79f5
0x000b7a03
0x000b7a08
0x000b7a0b
0x000b7a13
0x000b7a17
0x000b7a1a
0x000b7a1d
0x000b7a2f
0x000b7a36
0x000b7a3a
0x000b7a3d
0x000b7a40
0x000b7a43
0x000b7a46
0x000b7a49
0x000b7a4c
0x000b7a4f
0x000b7a58
0x000b7a5a
0x000b7a5c
0x000b7a7a
0x000b7a7c
0x000b7a7f
0x000b7a81
0x000b7ab8
0x000b7abc
0x000b7aca
0x000b7abe
0x000b7abe
0x000b7abe
0x000b7ae2
0x000b7ae8
0x000b7aeb
0x000b7b5a
0x000b7b5d
0x000b7b60
0x000b7b62
0x000b7b62
0x000b7b67
0x000b7b6a
0x000b7b71
0x000b7b73
0x000b7b79
0x000b7b80
0x000b7b8c
0x000b7b82
0x000b7b82
0x000b7b82
0x000b7b91
0x000b7b94
0x000b7b97
0x000b7b9a
0x000b7b9c
0x000b7b9c
0x000b7b9e
0x000b7ba1
0x00000000
0x00000000
0x00000000
0x00000000
0x000b7ba3
0x000b7ba3
0x000b7baa
0x000b7bb0
0x000b7bb3
0x000b7bbf
0x000b7bbf
0x000b7bc5
0x000b7bc6
0x000b7bc6
0x000b7bcb
0x000b7bcb
0x000b7bd1
0x000b7bd1
0x000b7b9c
0x00000000
0x000b7aed
0x000b7af4
0x000b7af9
0x000b7afc
0x000b7b00
0x000b7b03
0x000b7b05
0x000b7b05
0x000b7b0d
0x000b7b0f
0x000b7b10
0x000b7b11
0x000b7b14
0x000b7b1d
0x000b7b26
0x000b7b2c
0x000b7b3a
0x000b7b3b
0x000b7b3c
0x000b7b40
0x000b7b41
0x000b7b49
0x000b7b4d
0x000b7b52
0x000b7bd6
0x000b7bdc
0x000b7be4
0x000b7be8
0x000b7a9a
0x000b7a9d
0x000b7aa0
0x000b7aa5
0x000b7aac
0x000b7942
0x000b7947
0x000b7947
0x000b7aeb
0x000b7a89
0x000b7a8b
0x000b7a90
0x000b7a96
0x000b7a98
0x000b7a98
0x00000000
0x000b7a98
0x000b7a64
0x000b7a69
0x000b7a6c
0x000b7a6c
0x000b79e8
0x000b79a7
0x000b79ae
0x000b7940
0x00000000
0x000b7940
0x000b7965
0x00000000
0x000b7967
0x000b7926
0x000b7929
0x000b792f
0x000b7935
0x000b793e
0x00000000
0x00000000
0x000b793e

APIs

__EH_prolog3_GS.LIBCMT ref: 000B7918
CreateCompatibleDC.GDI32(00000000), ref: 000B797F
GetObjectW.GDI32(?,00000018,?), ref: 000B799D
SelectObject.GDI32(?,?), ref: 000B79DB
CreateCompatibleDC.GDI32(?), ref: 000B79F9
CreateDIBSection.GDI32(?,0006330F,00000000,?,00000000,00000000), ref: 000B7A4F
SelectObject.GDI32(?,?), ref: 000B7A64
SelectObject.GDI32(?,00000000), ref: 000B7A7A
SelectObject.GDI32(?,?), ref: 000B7A89
DeleteObject.GDI32(00000030), ref: 000B7A90
BitBlt.GDI32(?,00000000,00000000,00062E00,?,?,00000000,00000000,00CC0020), ref: 000B7AE2
GetPixel.GDI32(?,00000030,00000000), ref: 000B7BAA
SetPixel.GDI32(?,00000030,00000000,?), ref: 000B7BBF
SelectObject.GDI32(?,?), ref: 000B7BDC
SelectObject.GDI32(?,?), ref: 000B7BE4

Strings

(, xrefs: 000B7A2F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Object$Select$Create$CompatiblePixel$DeleteH_prolog3_Section
String ID: (
API String ID: 1942225872-3887548279
Opcode ID: 8ed03ffe00037bf42e5b00d4e8d5068d634277c93a1eab4728a242d795192f6f
Instruction ID: 25a1cb925e3eaa4a901b699208ffc4b509afc2ad539e36998c8557b3d24fc1c7
Opcode Fuzzy Hash: 8ed03ffe00037bf42e5b00d4e8d5068d634277c93a1eab4728a242d795192f6f
Instruction Fuzzy Hash: ACA1DF71D04218EFCF65DFA4CD85AEDBBB5BF48310F20412AE51AA72A1DB305A86DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00095B3B Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 73
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00095B3B(intOrPtr* __ecx, void* __eflags) {
				void* __esi;
				struct HINSTANCE__* _t40;
				intOrPtr* _t55;

				_t55 = __ecx;
				_push(L"UxTheme.dll");
				 *__ecx = 0x17f650;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((intOrPtr*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((intOrPtr*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
				 *((intOrPtr*)(__ecx + 0x40)) = 0;
				 *((intOrPtr*)(__ecx + 0x44)) = 0;
				 *((intOrPtr*)(__ecx + 0x48)) = 0;
				_t40 = E0005E893(__ecx, __ecx, __eflags);
				 *(__ecx + 0x4c) = _t40;
				if(_t40 == 0) {
					 *((intOrPtr*)(__ecx + 0x50)) = 0;
					 *((intOrPtr*)(__ecx + 0x54)) = 0;
					 *((intOrPtr*)(__ecx + 0x58)) = 0;
					 *((intOrPtr*)(__ecx + 0x5c)) = 0;
					 *((intOrPtr*)(__ecx + 0x60)) = 0;
					 *((intOrPtr*)(__ecx + 0x64)) = 0;
					 *((intOrPtr*)(__ecx + 0x68)) = 0;
				} else {
					 *((intOrPtr*)(_t55 + 0x50)) = GetProcAddress(_t40, "OpenThemeData");
					 *((intOrPtr*)(_t55 + 0x54)) = GetProcAddress( *(_t55 + 0x4c), "CloseThemeData");
					 *((intOrPtr*)(_t55 + 0x58)) = GetProcAddress( *(_t55 + 0x4c), "DrawThemeBackground");
					 *((intOrPtr*)(_t55 + 0x5c)) = GetProcAddress( *(_t55 + 0x4c), "GetThemeColor");
					 *((intOrPtr*)(_t55 + 0x60)) = GetProcAddress( *(_t55 + 0x4c), "GetThemeSysColor");
					 *((intOrPtr*)(_t55 + 0x64)) = GetProcAddress( *(_t55 + 0x4c), "GetCurrentThemeName");
					 *((intOrPtr*)(_t55 + 0x68)) = GetProcAddress( *(_t55 + 0x4c), "GetWindowTheme");
					E000952B4(_t55);
				}
				return _t55;
			}

0x00095b3e
0x00095b43
0x00095b48
0x00095b4e
0x00095b51
0x00095b54
0x00095b57
0x00095b5a
0x00095b5d
0x00095b60
0x00095b63
0x00095b66
0x00095b69
0x00095b6c
0x00095b6f
0x00095b72
0x00095b75
0x00095b78
0x00095b7b
0x00095b7e
0x00095b81
0x00095b84
0x00095b8a
0x00095b8f
0x00095bf9
0x00095bfc
0x00095bff
0x00095c02
0x00095c05
0x00095c08
0x00095c0b
0x00095b91
0x00095ba7
0x00095bb4
0x00095bc1
0x00095bce
0x00095bdb
0x00095be8
0x00095bef
0x00095bf2
0x00095bf2
0x00095c12

APIs

Part of subcall function 0005E893: ActivateActCtx.KERNEL32(?,00064351), ref: 0005E8B3

GetProcAddress.KERNEL32(00000000,OpenThemeData,77474F70,?,00095C4A,00000004,00074747,00000000,00000004,000B7B6F,?,?,?), ref: 00095B9D
GetProcAddress.KERNEL32(?,CloseThemeData,?,00095C4A,00000004,00074747,00000000,00000004,000B7B6F,?,?,?), ref: 00095BAA
GetProcAddress.KERNEL32(?,DrawThemeBackground,?,00095C4A,00000004,00074747,00000000,00000004,000B7B6F,?,?,?), ref: 00095BB7
GetProcAddress.KERNEL32(?,GetThemeColor,?,00095C4A,00000004,00074747,00000000,00000004,000B7B6F,?,?,?), ref: 00095BC4
GetProcAddress.KERNEL32(?,GetThemeSysColor,?,00095C4A,00000004,00074747,00000000,00000004,000B7B6F,?,?,?), ref: 00095BD1
GetProcAddress.KERNEL32(?,GetCurrentThemeName,?,00095C4A,00000004,00074747,00000000,00000004,000B7B6F,?,?,?), ref: 00095BDE
GetProcAddress.KERNEL32(?,GetWindowTheme,?,00095C4A,00000004,00074747,00000000,00000004,000B7B6F,?,?,?), ref: 00095BEB

Strings

GetThemeColor, xrefs: 00095BB9
UxTheme.dll, xrefs: 00095B43
DrawThemeBackground, xrefs: 00095BAC
OpenThemeData, xrefs: 00095B97
GetCurrentThemeName, xrefs: 00095BD3
GetThemeSysColor, xrefs: 00095BC6
GetWindowTheme, xrefs: 00095BE0
CloseThemeData, xrefs: 00095B9F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressProc$Activate
String ID: CloseThemeData$DrawThemeBackground$GetCurrentThemeName$GetThemeColor$GetThemeSysColor$GetWindowTheme$OpenThemeData$UxTheme.dll
API String ID: 2388279185-1975976892
Opcode ID: 7d6af93c692d272481d4ac6a21c0f85c90e7c8ac5c90554fc88473651225271a
Instruction ID: b352085e20cee97f4fab9c15274ca5c4e189673d4b5c526657311d6fe9e8a35c
Opcode Fuzzy Hash: 7d6af93c692d272481d4ac6a21c0f85c90e7c8ac5c90554fc88473651225271a
Instruction Fuzzy Hash: E03125B0951B909FCB31AF6B9985807FBF9BFA4B00311891FE58A93A61D7B5A041DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0012048A Relevance: 24.4, APIs: 16, Instructions: 368
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0012048A(void* __ebx, void* __ecx, int __edx, void* __edi, struct tagRECT* __esi, void* __eflags) {
				intOrPtr _t137;
				int _t138;
				struct tagRECT* _t155;
				int _t163;
				struct tagRECT* _t164;
				int _t166;
				int _t172;
				int _t179;
				void* _t190;
				intOrPtr _t198;
				int _t200;
				int _t205;
				int _t206;
				struct tagRECT* _t207;
				int* _t215;
				intOrPtr _t216;
				void* _t220;
				intOrPtr _t224;
				int _t250;
				int _t256;
				intOrPtr _t259;
				struct tagPOINT _t265;
				RECT* _t269;
				struct tagRECT* _t273;
				int _t274;
				intOrPtr* _t278;
				int* _t280;
				void* _t282;

				_t270 = __esi;
				_t262 = __edx;
				_push(0x68);
				E00151A82(0x170f35, __ebx, __edi, __esi);
				_t220 = __ecx;
				_t265 = 0;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				if( *((intOrPtr*)(__ecx + 0x44)) == 0 ||  *((intOrPtr*)(__ecx + 0x48)) == 0) {
					L60:
					return E00151B05(_t220, _t265, _t270);
				} else {
					_t286 =  *((intOrPtr*)(__ecx + 0x50));
					if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
						_t280 = E0005C37C(_t286, 0x350);
						 *(_t282 - 0x68) = _t280;
						 *(_t282 - 4) = 0;
						_t287 = _t280;
						if(_t280 == 0) {
							_t215 = 0;
							__eflags = 0;
						} else {
							E000FF1C8(_t220, _t280, __edx, 0, _t280, _t287);
							 *_t280 = 0x191444;
							_t215 = _t280;
						}
						 *(_t282 - 4) =  *(_t282 - 4) | 0xffffffff;
						_t259 =  *((intOrPtr*)(_t220 + 0x44));
						 *(_t220 + 0x50) = _t215;
						_t216 =  *0x1c564c; // 0x0
						 *(_t282 - 0x40) = _t265;
						 *(_t282 - 0x3c) = _t265;
						 *(_t282 - 0x38) = _t265;
						 *(_t282 - 0x34) = _t265;
						if(_t216 == _t265) {
							_t216 = E00060DD3(_t259);
						}
						_t262 =  *( *(_t220 + 0x50));
						 *((intOrPtr*)(_t262 + 0x328))(_t265, 0x1a18c0, _t216, _t282 - 0x40, _t265,  *0x1bf300, 0x40000000, 0x20, 0xf, _t265);
					}
					_t137 =  *0x1c6034; // 0x4
					 *((intOrPtr*)(_t282 - 0x6c)) = _t137;
					_t138 =  *0x1c6038; // 0x4
					 *(_t282 - 0x68) = _t138;
					 *(_t282 - 0x5c) = _t265;
					 *(_t282 - 0x58) = _t265;
					GetCursorPos(_t282 - 0x5c);
					_t270 =  *(_t282 - 0x58) -  *(_t220 + 8);
					 *(_t282 - 0x74) =  *(_t282 - 0x5c) -  *(_t220 + 4);
					 *(_t282 - 0x70) =  *(_t282 - 0x58) -  *(_t220 + 8);
					if(E00155F20(_t262,  *(_t282 - 0x5c) -  *(_t220 + 4)) >=  *((intOrPtr*)(_t282 - 0x6c)) || E00155F20(_t262, _t270) >=  *(_t282 - 0x68) || IsRectEmpty(_t220 + 0xc) == 0 ||  *((intOrPtr*)(_t282 + 8)) != _t265) {
						 *((intOrPtr*)(_t220 + 0x30)) = 1;
						E000A2233(1);
						if(IsRectEmpty(_t220 + 0x1c) != 0) {
						}
						 *(_t282 - 0x60) =  *(_t282 - 0x60) & 0x00000000;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t273 = _t220 + 0xc;
						if(IsRectEmpty(_t273) != 0) {
							if(E0006EA07( *((intOrPtr*)(_t220 + 0x44)), 0x1bd608) == 0) {
								_t200 = E0006EA07( *((intOrPtr*)(_t220 + 0x44)), 0x1845c0);
								__eflags = _t200;
								if(_t200 != 0) {
									_t278 = E0006EA25(0x1845c0,  *((intOrPtr*)(_t220 + 0x44)));
									_t269 = _t220 + 0xc;
									GetWindowRect( *( *((intOrPtr*)(_t220 + 0x44)) + 0x20), _t269);
									_t205 =  *((intOrPtr*)( *_t278 + 0x224))(0);
									__eflags = _t205;
									if(_t205 == 0) {
										 *((intOrPtr*)(_t220 + 0x14)) =  *((intOrPtr*)(_t278 + 0x1e0)) -  *((intOrPtr*)(_t278 + 0x1d8)) + _t269->left;
										_t256 =  *((intOrPtr*)(_t278 + 0x1e4)) -  *((intOrPtr*)(_t278 + 0x1dc)) +  *((intOrPtr*)(_t220 + 0x10));
										__eflags = _t256;
										 *(_t220 + 0x18) = _t256;
									}
									_push( *(_t220 + 8));
									_t206 = PtInRect(_t269,  *(_t220 + 4));
									__eflags = _t206;
									if(_t206 == 0) {
										_t207 = _t220 + 0xc;
										_t250 =  *(_t220 + 4) - _t207->left - 5;
										__eflags = _t250;
										OffsetRect(_t207, _t250, _t206);
									}
								}
							} else {
								GetWindowRect( *( *((intOrPtr*)(_t220 + 0x44)) + 0x20), _t273);
							}
							 *(_t282 - 0x60) = 1;
						}
						 *(_t282 - 0x64) =  *(_t282 - 0x64) & 0x00000000;
						_t265 = _t220 + 0x4c;
						 *(_t282 - 0x54) =  *_t265;
						_t274 = 0;
						 *(_t282 - 0x20) = 0;
						 *((intOrPtr*)(_t282 - 0x1c)) = 0;
						 *((intOrPtr*)(_t282 - 0x18)) = 0;
						 *((intOrPtr*)(_t282 - 0x14)) = 0;
						SetRectEmpty(_t282 - 0x20);
						_t224 =  *((intOrPtr*)(_t220 + 0x48));
						 *(_t282 - 0x68) = 0;
						if(_t224 != 0) {
							_t198 =  *((intOrPtr*)(_t224 + 0x1b8));
							if(_t198 != 0 &&  *((intOrPtr*)(_t198 + 8)) != 0 &&  *((intOrPtr*)(_t198 + 4)) != 0) {
								 *(_t282 - 0x68) = 1;
							}
						}
						E000A0C76(_t224,  *((intOrPtr*)(_t220 + 0x44)),  *(_t282 - 0x5c),  *(_t282 - 0x58), _t282 - 0x20, _t282 - 0x64, _t265);
						_t155 =  *(_t282 - 0x54);
						if(_t155 != _t274 &&  *(_t220 + 0x34) != 0xffffffff && (_t155 !=  *_t265 ||  *(_t282 - 0x64) == _t274)) {
							E0012007F(_t220, _t265, _t155);
							 *(_t282 - 0x60) = 1;
						}
						 *(_t282 - 0x54) = 1;
						if(E0006EA07( *((intOrPtr*)(_t220 + 0x44)), 0x1bd608) == 0) {
							if(E0006EA07( *((intOrPtr*)(_t220 + 0x44)), 0x1845c0) != 0) {
								_t262 =  *(E0006EA25(0x1845c0,  *((intOrPtr*)(_t220 + 0x44))));
								 *(_t282 - 0x54) =  *((intOrPtr*)(_t262 + 0x188))();
							}
							_t274 = 0;
						}
						_t157 =  *_t265;
						if( *_t265 == _t274 ||  *(_t282 - 0x54) == _t274) {
							L52:
							OffsetRect(_t220 + 0xc,  *(_t282 - 0x74),  *(_t282 - 0x70));
							 *(_t220 + 4) =  *(_t282 - 0x5c);
							 *(_t220 + 8) =  *(_t282 - 0x58);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t163 = IsRectEmpty(_t220 + 0x1c);
							__eflags = _t163;
							_t164 =  *0x1c3b48; // 0x4
							if(_t163 == 0) {
								_t164 =  *0x1c3b4c; // 0x3
							}
							 *(_t282 - 0x54) = _t164;
							_t270 = _t220 + 0x1c;
							 *(_t282 - 0x30) = 0;
							 *((intOrPtr*)(_t282 - 0x2c)) = 0;
							 *((intOrPtr*)(_t282 - 0x28)) = 0;
							 *((intOrPtr*)(_t282 - 0x24)) = 0;
							_t166 = IsRectEmpty(_t220 + 0x1c);
							__eflags = _t166;
							if(_t166 != 0) {
								_push( *(_t282 - 0x58));
								_t270 = _t220 + 0xc;
								_t172 = PtInRect(_t270,  *(_t282 - 0x5c));
								__eflags = _t172;
								if(_t172 == 0) {
									asm("cdq");
									_t262 =  *(_t282 - 0x5c) - (_t270->right - _t270->left - _t262 >> 1) + _t270->left;
									_t179 =  *(_t282 - 0x58) -  *((intOrPtr*)(_t220 + 0x10)) + 5;
									__eflags = _t179;
									OffsetRect(_t270, _t262, _t179);
								}
							}
							__eflags =  *(_t282 - 0x68);
							_t265 = _t282 - 0x30;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if(__eflags == 0) {
								L59:
								_push( *(_t220 + 0x40));
								_t270 =  *(_t282 - 0x54);
								_push(_t270);
								_push( *(_t282 - 0x60));
								_push(_t282 - 0x30);
								_push(_t282 - 0x50);
								E0011FE57(_t220, _t220, _t262, _t265, _t270, __eflags);
								 *(_t220 + 0x40) = _t270;
								goto L60;
							} else {
								__eflags = IsRectEmpty(_t220 + 0x1c);
								if(__eflags != 0) {
									goto L60;
								}
								goto L59;
							}
						} else {
							_t270 = E0006EA25(0x191814, _t157);
							if(_t270 == 0) {
								L47:
								__eflags =  *(_t282 - 0x64);
								if( *(_t282 - 0x64) == 0) {
									goto L52;
								}
								__eflags =  *(_t220 + 0x34) - 0xffffffff;
								if( *(_t220 + 0x34) == 0xffffffff) {
									__eflags =  *(_t282 - 0x60);
									if( *(_t282 - 0x60) == 0) {
										E00120185(_t220, _t262, 0);
									}
									E0011FEEB(_t220,  *_t265, 0);
									 *(_t220 + 0x34) = 1;
								}
								goto L60;
							}
							if( *(_t282 - 0x64) == 0) {
								goto L52;
							}
							if( *((intOrPtr*)(_t270->left + 0x3ac))() <= 1 ||  *((intOrPtr*)(_t270->left + 0x3b0))() == 0) {
								if( *((intOrPtr*)(_t270->left + 0x3ac))() <= 0) {
									goto L47;
								}
								_t190 =  *((intOrPtr*)(_t270->left + 0x3b0))();
								_t314 = _t190;
								if(_t190 != 0) {
									goto L47;
								}
								goto L46;
							} else {
								L46:
								_push( *(_t282 - 0x60));
								_push(_t270);
								E0012027A(_t220, _t220, _t262, _t265, _t270, _t314);
								goto L60;
							}
						}
					} else {
						goto L60;
					}
				}
			}

0x0012048a
0x0012048a
0x0012048a
0x00120491
0x00120496
0x00120498
0x0012049a
0x001204a0
0x001208b5
0x001208ba
0x001204af
0x001204af
0x001204b2
0x001204be
0x001204c1
0x001204c4
0x001204c7
0x001204c9
0x001204dc
0x001204dc
0x001204cb
0x001204cd
0x001204d2
0x001204d8
0x001204d8
0x001204de
0x001204e2
0x001204e5
0x001204e8
0x001204ed
0x001204f0
0x001204f3
0x001204f6
0x001204fb
0x001204fd
0x001204fd
0x00120505
0x00120523
0x00120523
0x00120529
0x0012052e
0x00120531
0x00120536
0x0012053d
0x00120540
0x00120543
0x00120552
0x00120556
0x00120559
0x00120565
0x00120591
0x00120594
0x001205a5
0x001205a5
0x001205aa
0x001205b1
0x001205b2
0x001205b3
0x001205b4
0x001205b5
0x001205c1
0x001205d6
0x001205f3
0x001205f8
0x001205fa
0x00120607
0x0012060c
0x00120613
0x0012061f
0x00120625
0x00120627
0x00120637
0x00120646
0x00120646
0x00120649
0x00120649
0x0012064c
0x00120653
0x00120659
0x0012065b
0x00120661
0x00120666
0x00120666
0x0012066b
0x0012066b
0x0012065b
0x001205d8
0x001205df
0x001205df
0x00120671
0x00120671
0x00120678
0x0012067c
0x00120681
0x00120684
0x0012068a
0x0012068d
0x00120690
0x00120693
0x00120696
0x0012069c
0x0012069f
0x001206a4
0x001206a6
0x001206ae
0x001206ba
0x001206ba
0x001206ae
0x001206d3
0x001206d8
0x001206dd
0x001206f1
0x001206f6
0x001206f6
0x00120705
0x00120713
0x00120725
0x00120730
0x0012073c
0x0012073c
0x0012073f
0x0012073f
0x00120741
0x00120745
0x001207eb
0x001207f5
0x001207fe
0x00120804
0x0012080f
0x00120810
0x00120811
0x00120812
0x0012081a
0x0012081c
0x0012081e
0x00120823
0x00120825
0x00120825
0x0012082a
0x0012082f
0x00120833
0x00120836
0x00120839
0x0012083c
0x0012083f
0x00120841
0x00120843
0x00120845
0x00120848
0x0012084f
0x00120855
0x00120857
0x00120861
0x0012086e
0x00120873
0x00120873
0x00120878
0x00120878
0x00120857
0x0012087e
0x00120882
0x00120885
0x00120886
0x00120887
0x00120888
0x00120889
0x00120899
0x00120899
0x0012089c
0x0012089f
0x001208a0
0x001208a6
0x001208aa
0x001208ad
0x001208b2
0x00000000
0x0012088b
0x00120895
0x00120897
0x00000000
0x00000000
0x00000000
0x00120897
0x00120754
0x0012075f
0x00120765
0x001207b6
0x001207b8
0x001207bb
0x00000000
0x00000000
0x001207bd
0x001207c1
0x001207c7
0x001207ca
0x001207cf
0x001207cf
0x001207da
0x001207df
0x001207df
0x00000000
0x001207c1
0x0012076b
0x00000000
0x00000000
0x0012077a
0x00120796
0x00000000
0x00000000
0x0012079c
0x001207a2
0x001207a4
0x00000000
0x00000000
0x00000000
0x001207a6
0x001207a6
0x001207a6
0x001207ab
0x001207ac
0x00000000
0x001207ac
0x0012077a
0x00000000
0x00000000
0x00000000
0x00120565

APIs

__EH_prolog3_GS.LIBCMT ref: 00120491
GetCursorPos.USER32(?), ref: 00120543
IsRectEmpty.USER32 ref: 00120577
IsRectEmpty.USER32 ref: 0012059D
IsRectEmpty.USER32 ref: 001205B9
GetWindowRect.USER32(?,00000000), ref: 001205DF
SetRectEmpty.USER32 ref: 00120696

Part of subcall function 0005C37C: _malloc.LIBCMT ref: 0005C39A

GetWindowRect.USER32(?,00000000), ref: 00120613
PtInRect.USER32(00000000,?,00000000), ref: 00120653
OffsetRect.USER32 ref: 0012066B

Part of subcall function 000FF1C8: __EH_prolog3.LIBCMT ref: 000FF1CF
Part of subcall function 000FF1C8: SetRectEmpty.USER32 ref: 000FF2D6
Part of subcall function 000FF1C8: SetRectEmpty.USER32 ref: 000FF2DF

OffsetRect.USER32 ref: 001207F5
IsRectEmpty.USER32 ref: 0012081A
IsRectEmpty.USER32 ref: 0012083F
PtInRect.USER32(00000000,?,?), ref: 0012084F
OffsetRect.USER32 ref: 00120878
IsRectEmpty.USER32 ref: 0012088F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3__malloc
String ID:
API String ID: 1330315114-0
Opcode ID: 9714e548a3b8436c4c92a1f5aab0174fa76c2c25ffa902b8d2951bf4c7ac7e6a
Instruction ID: bd8ee6f4f0da2088ece8b0023c8adbc41067f7fecf1de9dbe5ed916cf0bb050f
Opcode Fuzzy Hash: 9714e548a3b8436c4c92a1f5aab0174fa76c2c25ffa902b8d2951bf4c7ac7e6a
Instruction Fuzzy Hash: 1DE16D71900224DFCF16DFA8D884AAEBBB5FF48700F144269E905EB256E731E991CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00074321 Relevance: 24.2, APIs: 16, Instructions: 245
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00074321(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				RECT* _t114;
				void* _t140;
				void* _t144;
				void* _t160;
				RECT* _t193;
				intOrPtr _t204;
				intOrPtr* _t234;
				void* _t237;

				_t231 = __edx;
				_push(0x48);
				E00151A82(0x169a51, __ebx, __edi, __esi);
				_t114 =  *(_t237 + 8);
				_t193 =  *(_t237 + 0x14);
				_t234 = __ecx;
				 *((intOrPtr*)(_t237 - 0x24)) =  *((intOrPtr*)(_t237 + 0x20));
				 *((intOrPtr*)(_t237 - 0x28)) =  *((intOrPtr*)(_t237 + 0x24));
				 *(_t237 - 0x54) = _t114;
				 *((intOrPtr*)(_t237 - 0x4c)) = 0;
				 *((intOrPtr*)(_t237 - 0x50)) = 0x17ad2c;
				 *(_t237 - 4) = 0;
				 *(_t237 - 0x34) = 0;
				 *((intOrPtr*)(_t237 - 0x38)) = 0x17ad2c;
				 *(_t237 - 0x3c) = 0;
				 *((intOrPtr*)(_t237 - 0x40)) = 0x17ad2c;
				 *(_t237 - 4) = 2;
				E000667CA(_t193, _t237 - 0x38, __edx, __ecx, CreateRectRgnIndirect(_t114));
				CopyRect(_t237 - 0x20,  *(_t237 - 0x54));
				InflateRect(_t237 - 0x20,  ~( *(_t237 + 0xc)),  ~( *(_t237 + 0x10)));
				IntersectRect(_t237 - 0x20, _t237 - 0x20,  *(_t237 - 0x54));
				E000667CA(_t193, _t237 - 0x40, _t231, _t234, CreateRectRgnIndirect(_t237 - 0x20));
				E000667CA(_t193, _t237 - 0x50, _t231, _t234, CreateRectRgn(0, 0, 0, 0));
				E00074154(_t237 - 0x50, _t237 - 0x38, _t237 - 0x40, 3);
				_t239 =  *((intOrPtr*)(_t237 - 0x24));
				if( *((intOrPtr*)(_t237 - 0x24)) == 0) {
					 *((intOrPtr*)(_t237 - 0x24)) = E00074183(_t193, _t234, 0x17ad2c, _t239);
				}
				_t204 =  *((intOrPtr*)(_t237 - 0x24));
				if((0 | _t204 != 0x00000000) == 0) {
					E000655E0(_t204);
				}
				if( *((intOrPtr*)(_t237 - 0x28)) == 0) {
					 *((intOrPtr*)(_t237 - 0x28)) = _t204;
				}
				 *((intOrPtr*)(_t237 - 0x2c)) = 0;
				 *((intOrPtr*)(_t237 - 0x30)) = 0x17ad2c;
				 *((intOrPtr*)(_t237 - 0x44)) = 0;
				 *((intOrPtr*)(_t237 - 0x48)) = 0x17ad2c;
				 *(_t237 - 4) = 4;
				if(_t193 != 0) {
					E000667CA(_t193, _t237 - 0x30, 0, _t234, CreateRectRgn(0, 0, 0, 0));
					SetRectRgn( *(_t237 - 0x34),  *_t193, _t193->top, _t193->right, _t193->bottom);
					CopyRect(_t237 - 0x20, _t193);
					InflateRect(_t237 - 0x20,  ~( *(_t237 + 0x18)),  ~( *(_t237 + 0x1c)));
					IntersectRect(_t237 - 0x20, _t237 - 0x20, _t193);
					SetRectRgn( *(_t237 - 0x3c),  *(_t237 - 0x20),  *(_t237 - 0x1c),  *(_t237 - 0x18),  *(_t237 - 0x14));
					E00074154(_t237 - 0x30, _t237 - 0x38, _t237 - 0x40, 3);
					if( *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x24)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x28)) + 4))) {
						E000667CA(_t193, _t237 - 0x48, 0, _t234, CreateRectRgn(0, 0, 0, 0));
						E00074154(_t237 - 0x48, _t237 - 0x30, _t237 - 0x50, 3);
					}
				}
				if( *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x24)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x28)) + 4)) && _t193 != 0) {
					E000662A0(_t234, _t237 - 0x30);
					 *((intOrPtr*)( *_t234 + 0x50))(_t237 - 0x20);
					_t160 = E000668DD(_t234,  *((intOrPtr*)(_t237 - 0x28)));
					PatBlt( *(_t234 + 4),  *(_t237 - 0x20),  *(_t237 - 0x1c),  *(_t237 - 0x18) -  *(_t237 - 0x20),  *(_t237 - 0x14) -  *(_t237 - 0x1c), 0x5a0049);
					E000668DD(_t234, _t160);
				}
				_t140 = _t237 - 0x48;
				if( *((intOrPtr*)(_t237 - 0x44)) == 0) {
					_t140 = _t237 - 0x50;
				}
				E000662A0(_t234, _t140);
				 *((intOrPtr*)( *_t234 + 0x50))(_t237 - 0x20);
				_t144 = E000668DD(_t234,  *((intOrPtr*)(_t237 - 0x24)));
				_t194 = _t144;
				PatBlt( *(_t234 + 4),  *(_t237 - 0x20),  *(_t237 - 0x1c),  *(_t237 - 0x18) -  *(_t237 - 0x20),  *(_t237 - 0x14) -  *(_t237 - 0x1c), 0x5a0049);
				if(_t144 != 0) {
					E000668DD(_t234, _t194);
				}
				E000662A0(_t234, 0);
				 *(_t237 - 4) = 3;
				 *((intOrPtr*)(_t237 - 0x48)) = 0x17ad2c;
				E00051420(_t237 - 0x48, 0);
				 *(_t237 - 4) = 2;
				 *((intOrPtr*)(_t237 - 0x30)) = 0x17ad2c;
				E00051420(_t237 - 0x30, 0);
				 *(_t237 - 4) = 1;
				 *((intOrPtr*)(_t237 - 0x40)) = 0x17ad2c;
				E00051420(_t237 - 0x40, 0);
				 *(_t237 - 4) = 0;
				 *((intOrPtr*)(_t237 - 0x38)) = 0x17ad2c;
				E00051420(_t237 - 0x38, 0);
				 *(_t237 - 4) =  *(_t237 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t237 - 0x50)) = 0x17ad2c;
				E00051420(_t237 - 0x50, 0);
				return E00151B05(_t194, _t234, 0x17ad2c);
			}

0x00074321
0x00074321
0x00074328
0x0007432d
0x00074330
0x00074333
0x00074338
0x0007433e
0x00074348
0x0007434b
0x0007434e
0x00074351
0x00074354
0x00074357
0x0007435a
0x0007435d
0x00074361
0x0007436f
0x0007437b
0x00074391
0x0007439f
0x000743b3
0x000743c8
0x000743da
0x000743df
0x000743e3
0x000743ea
0x000743ea
0x000743ed
0x000743fb
0x000743fd
0x000743fd
0x00074405
0x00074407
0x00074407
0x0007440a
0x0007440d
0x00074410
0x00074413
0x00074416
0x0007441c
0x00074430
0x00074443
0x0007444e
0x00074464
0x00074470
0x00074485
0x00074498
0x000744a9
0x000744bb
0x000744cd
0x000744cd
0x000744a9
0x000744de
0x000744ea
0x000744f7
0x000744ff
0x00074522
0x0007452b
0x0007452b
0x00074534
0x00074537
0x00074539
0x00074539
0x0007453f
0x0007454c
0x00074554
0x0007455f
0x00074577
0x0007457f
0x00074584
0x00074584
0x0007458d
0x00074595
0x00074599
0x0007459c
0x000745a4
0x000745a8
0x000745ab
0x000745b3
0x000745b7
0x000745ba
0x000745c2
0x000745c6
0x000745c9
0x000745ce
0x000745d5
0x000745d8
0x000745e2

APIs

__EH_prolog3_GS.LIBCMT ref: 00074328
CreateRectRgnIndirect.GDI32(?), ref: 00074365
CopyRect.USER32(?,?), ref: 0007437B
InflateRect.USER32 ref: 00074391
IntersectRect.USER32(?,?,?), ref: 0007439F
CreateRectRgnIndirect.GDI32(?), ref: 000743A9
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 000743BE

Part of subcall function 00074154: CombineRgn.GDI32(?,?,?,?), ref: 00074179

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00074426
SetRectRgn.GDI32(?,0000000A,?,?,?), ref: 00074443
CopyRect.USER32(?,0000000A), ref: 0007444E
InflateRect.USER32 ref: 00074464
IntersectRect.USER32(?,?,0000000A), ref: 00074470
SetRectRgn.GDI32(?,?,?,?,0000000A), ref: 00074485
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 000744B1

Part of subcall function 00074183: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 000741CC
Part of subcall function 00074183: CreatePatternBrush.GDI32(00000000), ref: 000741D9
Part of subcall function 00074183: DeleteObject.GDI32(00000000), ref: 000741E5

Part of subcall function 000668DD: SelectObject.GDI32(?,00000000), ref: 00066903
Part of subcall function 000668DD: SelectObject.GDI32(?,?), ref: 00066919

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00074522
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00074577

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3_Pattern
String ID:
API String ID: 3107162742-0
Opcode ID: 074281de1a0e5cbd000068496e4f5dc1a77765697dedc997c579b6b25b71d747
Instruction ID: 23c22e51db5f4d1a48b69a5a6d8aaf3e28954a0ff7489b6c2d99b949e8c5eabd
Opcode Fuzzy Hash: 074281de1a0e5cbd000068496e4f5dc1a77765697dedc997c579b6b25b71d747
Instruction Fuzzy Hash: 7CA1E1B1900119AFCF05EFE4D995EEEBBB9BF48300F148019F50AA7291DB359A85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000B7727 Relevance: 24.2, APIs: 16, Instructions: 157
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E000B7727(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t83;
				void* _t84;
				int _t86;
				int _t88;
				int _t89;
				int _t93;
				long _t103;
				void* _t104;
				void* _t113;
				int _t118;
				void* _t124;
				int _t127;
				long _t128;
				void* _t131;
				void* _t132;

				_t124 = __edx;
				_push(0x54);
				E00151A19(0x16cade, __ebx, __edi, __esi);
				_t113 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x88)) != 0) {
					__eflags =  *((intOrPtr*)(_t132 + 0xc)) - 0xffffffff;
					if( *((intOrPtr*)(_t132 + 0xc)) == 0xffffffff) {
						L4:
						E00065EC1(_t132 - 0x38);
						_t126 = CreateCompatibleDC;
						 *(_t132 - 4) = 0;
						E000664F6(_t113, _t132 - 0x38, _t124, CreateCompatibleDC, CreateCompatibleDC(0));
						_t83 = GetObjectW( *(_t113 + 0x88), 0x18, _t132 - 0x60);
						__eflags = _t83;
						if(_t83 != 0) {
							_t84 =  *(_t113 + 0x88);
							__eflags = _t84;
							_t131 = SelectObject;
							if(_t84 == 0) {
								_t15 = _t132 - 0x18;
								 *_t15 =  *(_t132 - 0x18) & 0x00000000;
								__eflags =  *_t15;
							} else {
								 *(_t132 - 0x18) = SelectObject( *(_t132 - 0x34), _t84);
							}
							__eflags =  *(_t132 - 0x18);
							if( *(_t132 - 0x18) == 0) {
								goto L5;
							} else {
								_t118 =  *(_t132 - 0x58);
								_t88 =  *(_t132 - 0x5c);
								 *(_t132 - 0x20) = _t88;
								 *(_t132 - 0x1c) = _t118;
								_t89 = CreateCompatibleBitmap( *(_t132 - 0x34), _t88, _t118);
								 *(_t132 - 0x24) = _t89;
								__eflags = _t89;
								if(_t89 != 0) {
									E00065EC1(_t132 - 0x48);
									 *(_t132 - 4) = 1;
									E000664F6(_t113, _t132 - 0x48, _t124, _t126, CreateCompatibleDC( *(_t132 - 0x34)));
									_t93 = SelectObject( *(_t132 - 0x44),  *(_t132 - 0x24));
									_t127 = 0;
									 *(_t132 - 0x28) = _t93;
									__eflags = _t93;
									if(_t93 != 0) {
										BitBlt( *(_t132 - 0x44), 0, 0,  *(_t132 - 0x20),  *(_t132 - 0x1c),  *(_t132 - 0x34), 0, 0, 0xcc0020);
										 *(_t132 - 0x14) = 0;
										__eflags =  *(_t132 - 0x20);
										if( *(_t132 - 0x20) > 0) {
											do {
												 *(_t132 - 0x10) = _t127;
												__eflags =  *(_t132 - 0x1c) - _t127;
												if( *(_t132 - 0x1c) > _t127) {
													do {
														_t103 = GetPixel( *(_t132 - 0x44),  *(_t132 - 0x14),  *(_t132 - 0x10));
														__eflags =  *((intOrPtr*)(_t132 + 0xc)) - 0xffffffff;
														_t128 = _t103;
														if( *((intOrPtr*)(_t132 + 0xc)) == 0xffffffff) {
															__eflags =  *((short*)(_t132 - 0x4e)) - 0x18;
															if( *((short*)(_t132 - 0x4e)) != 0x18) {
																L22:
																_t104 = E000B6D1E(_t113, _t128, _t131, _t128,  *((intOrPtr*)(_t132 + 8)));
															} else {
																__eflags =  *0x1bdc80;
																if(__eflags != 0) {
																	goto L22;
																} else {
																	_t104 = E000B6DA0(_t124, __eflags, _t128);
																}
															}
															__eflags = _t128 - _t104;
															if(_t128 != _t104) {
																_push(_t104);
																goto L25;
															}
														} else {
															__eflags = _t128 -  *((intOrPtr*)(_t132 + 0xc));
															if(_t128 ==  *((intOrPtr*)(_t132 + 0xc))) {
																_push( *((intOrPtr*)(_t132 + 0x10)));
																L25:
																SetPixel( *(_t132 - 0x44),  *(_t132 - 0x14),  *(_t132 - 0x10), ??);
															}
														}
														 *(_t132 - 0x10) =  *(_t132 - 0x10) + 1;
														__eflags =  *(_t132 - 0x10) -  *(_t132 - 0x1c);
													} while ( *(_t132 - 0x10) <  *(_t132 - 0x1c));
													_t127 = 0;
													__eflags = 0;
												}
												 *(_t132 - 0x14) =  *(_t132 - 0x14) + 1;
												__eflags =  *(_t132 - 0x14) -  *(_t132 - 0x20);
											} while ( *(_t132 - 0x14) <  *(_t132 - 0x20));
										}
										SelectObject( *(_t132 - 0x44),  *(_t132 - 0x28));
										SelectObject( *(_t132 - 0x34),  *(_t132 - 0x18));
										DeleteObject( *(_t113 + 0x88));
										 *(_t113 + 0x88) =  *(_t132 - 0x24);
										 *(_t132 - 4) = 0;
										E00066577(_t132 - 0x48);
										 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
										E00066577(_t132 - 0x38);
										_t86 = 1;
										__eflags = 1;
									} else {
										SelectObject( *(_t132 - 0x34),  *(_t132 - 0x18));
										DeleteObject( *(_t132 - 0x24));
										 *(_t132 - 4) = 0;
										E00066577(_t132 - 0x48);
										goto L5;
									}
								} else {
									SelectObject( *(_t132 - 0x34),  *(_t132 - 0x18));
									goto L5;
								}
							}
						} else {
							L5:
							 *(_t132 - 4) =  *(_t132 - 4) | 0xffffffff;
							E00066577(_t132 - 0x38);
							goto L1;
						}
					} else {
						__eflags =  *((intOrPtr*)(_t132 + 0x10)) - 0xffffffff;
						if( *((intOrPtr*)(_t132 + 0x10)) == 0xffffffff) {
							goto L1;
						} else {
							goto L4;
						}
					}
				} else {
					L1:
					_t86 = 0;
				}
				return E00151AF1(_t86);
			}

0x000b7727
0x000b7727
0x000b772e
0x000b7733
0x000b773d
0x000b7746
0x000b774a
0x000b7752
0x000b7755
0x000b775a
0x000b7761
0x000b776a
0x000b777b
0x000b7781
0x000b7783
0x000b7793
0x000b7799
0x000b779b
0x000b77a1
0x000b77ae
0x000b77ae
0x000b77ae
0x000b77a3
0x000b77a9
0x000b77a9
0x000b77b2
0x000b77b6
0x00000000
0x000b77b8
0x000b77b8
0x000b77bb
0x000b77c3
0x000b77c6
0x000b77c9
0x000b77cf
0x000b77d2
0x000b77d4
0x000b77e3
0x000b77eb
0x000b77f5
0x000b7800
0x000b7802
0x000b7804
0x000b7807
0x000b7809
0x000b7842
0x000b7848
0x000b784b
0x000b784e
0x000b7850
0x000b7850
0x000b7853
0x000b7856
0x000b7858
0x000b7861
0x000b7867
0x000b786b
0x000b786d
0x000b7879
0x000b787e
0x000b7891
0x000b7895
0x000b7880
0x000b7880
0x000b7887
0x00000000
0x000b7889
0x000b788a
0x000b788a
0x000b7887
0x000b789a
0x000b789c
0x000b789e
0x00000000
0x000b789e
0x000b786f
0x000b786f
0x000b7872
0x000b7874
0x000b789f
0x000b78a8
0x000b78a8
0x000b7872
0x000b78ae
0x000b78b4
0x000b78b4
0x000b78b9
0x000b78b9
0x000b78b9
0x000b78bb
0x000b78c1
0x000b78c1
0x000b7850
0x000b78cc
0x000b78d4
0x000b78dc
0x000b78e8
0x000b78ee
0x000b78f2
0x000b78f7
0x000b78fe
0x000b7905
0x000b7905
0x000b780b
0x000b7811
0x000b7816
0x000b781f
0x000b7823
0x00000000
0x000b7823
0x000b77d6
0x000b77dc
0x00000000
0x000b77dc
0x000b77d4
0x000b7785
0x000b7785
0x000b7785
0x000b778c
0x00000000
0x000b778c
0x000b774c
0x000b774c
0x000b7750
0x00000000
0x00000000
0x00000000
0x00000000
0x000b7750
0x000b773f
0x000b773f
0x000b773f
0x000b773f
0x000b790b

APIs

__EH_prolog3.LIBCMT ref: 000B772E
CreateCompatibleDC.GDI32(00000000), ref: 000B7764
GetObjectW.GDI32(?,00000018,?), ref: 000B777B
SelectObject.GDI32(?,?), ref: 000B77A7
CreateCompatibleBitmap.GDI32(?,?,?), ref: 000B77C9
SelectObject.GDI32(?,00000000), ref: 000B77DC
CreateCompatibleDC.GDI32(?), ref: 000B77EF
SelectObject.GDI32(?,?), ref: 000B7800
SelectObject.GDI32(?,00000000), ref: 000B7811
DeleteObject.GDI32(?), ref: 000B7816
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 000B7842
GetPixel.GDI32(?,?,?), ref: 000B7861
SetPixel.GDI32(?,?,?,00000000), ref: 000B78A8
SelectObject.GDI32(?,?), ref: 000B78CC
SelectObject.GDI32(?,00000000), ref: 000B78D4
DeleteObject.GDI32(?), ref: 000B78DC

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
String ID:
API String ID: 3639146769-0
Opcode ID: d689e60c2808180945cccf37524858039bc2c25904a5e0438d5b9bcf2ad6f295
Instruction ID: 3588785eae4889fc85297f4e66e113ea4c7401c7486c82fb18aed85fa4fa3718
Opcode Fuzzy Hash: d689e60c2808180945cccf37524858039bc2c25904a5e0438d5b9bcf2ad6f295
Instruction Fuzzy Hash: F951F831C48209EBCF52DFA0CD49AEEBFB6FF94311F204125E519B21A1DB315A96DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0006C0C3 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 126
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0006C0C3(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v210;
				char _v212;
				int _v316;
				intOrPtr _v320;
				char _v324;
				intOrPtr _v328;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				struct HINSTANCE__* _t50;
				signed int _t51;
				signed short _t55;
				signed int _t56;
				void* _t73;
				intOrPtr _t74;
				signed int _t78;
				signed int _t80;
				void* _t87;
				signed int _t90;
				void* _t91;
				struct HINSTANCE__* _t92;
				short* _t93;
				signed int _t95;
				signed int _t96;
				void* _t97;
				signed int _t99;
				signed int _t101;
				void* _t102;
				void* _t104;

				_t87 = __edx;
				_t99 = _t101;
				_t102 = _t101 - 0x144;
				_t46 =  *0x1c0454; // 0x885926af
				_v8 = _t46 ^ _t99;
				_v328 = _a4;
				_push(L"KERNEL32.DLL");
				_v320 = _a8;
				_t95 = 0;
				_t50 = E0005E893(__ecx, 0, __eflags);
				if(_t50 != 0) {
					_t50 = GetProcAddress(_t50, "GetThreadPreferredUILanguages");
					_t92 = _t50;
					if(_t92 != 0) {
						_v212 = 0;
						_v324 = 0;
						E00151B30( &_v210, 0, 0xc8);
						_t104 = _t102 + 0xc;
						_v316 = 0x65;
						_t50 = _t92->i(0x34,  &_v324,  &_v212,  &_v316);
						if(_t50 != 0) {
							_t93 =  &_v212;
							if(_v212 != 0) {
								while(_t95 < 0x14) {
									_t74 = E001542C4(_t93, 0, 0x10);
									_t104 = _t104 + 0xc;
									_t111 = _t74;
									if(_t74 != 0 &&  *((intOrPtr*)(E00151F1F(_t111))) != 0x22) {
										 *((intOrPtr*)(_t99 + _t95 * 4 - 0x134)) = _t74;
										_t95 = _t95 + 1;
									}
									_t50 = E0015161A(_t93);
									_t93 = _t93 + 2 + _t50 * 2;
									if( *_t93 != 0) {
										continue;
									}
									goto L10;
								}
							}
						}
					}
				}
				L10:
				__imp__GetUserDefaultUILanguage();
				_t51 = _t50 & 0x0000ffff;
				_t78 = _t51 & 0x000003ff;
				_v316 = _t78;
				 *((intOrPtr*)(_t99 + _t95 * 4 - 0x134)) = ConvertDefaultLocale(_t51 & 0x0000fc00 | _t78);
				_t55 = ConvertDefaultLocale(_v316);
				 *(_t99 + _t95 * 4 - 0x130) = _t55;
				__imp__GetSystemDefaultUILanguage();
				_t56 = _t55 & 0x0000ffff;
				_t80 = _t56 & 0x000003ff;
				_v316 = _t80;
				 *((intOrPtr*)(_t99 + _t95 * 4 - 0x12c)) = ConvertDefaultLocale(_t56 & 0x0000fc00 | _t80);
				 *((intOrPtr*)(_t99 + _t95 * 4 - 0x128)) = ConvertDefaultLocale(_v316);
				_t96 = _t95 + 4;
				if( *0x1c3920 == 0) {
					 *((intOrPtr*)(_t99 + _t96 * 4 - 0x134)) = 0x800;
					_t96 = _t96 + 1;
				}
				_t90 = 0;
				if(_t96 <= 0) {
					L15:
				} else {
					while(E0006BB41(0xfc00, _v328, _t87, _v320,  *((intOrPtr*)(_t99 + _t90 * 4 - 0x134))) == 0) {
						_t90 = _t90 + 1;
						if(_t90 < _t96) {
							continue;
						} else {
							goto L15;
						}
						goto L16;
					}
				}
				L16:
				_pop(_t91);
				_pop(_t97);
				_pop(_t73);
				return E00150836(0, _t73, _v8 ^ _t99, _t87, _t91, _t97);
			}

0x0006c0c3
0x0006c0c6
0x0006c0c8
0x0006c0ce
0x0006c0d5
0x0006c0dd
0x0006c0e7
0x0006c0ec
0x0006c0f2
0x0006c0f4
0x0006c0fc
0x0006c108
0x0006c10e
0x0006c112
0x0006c11f
0x0006c12e
0x0006c134
0x0006c139
0x0006c153
0x0006c15d
0x0006c161
0x0006c163
0x0006c170
0x0006c172
0x0006c181
0x0006c183
0x0006c186
0x0006c188
0x0006c194
0x0006c19b
0x0006c19b
0x0006c19d
0x0006c1a2
0x0006c1ab
0x00000000
0x00000000
0x00000000
0x0006c1ab
0x0006c172
0x0006c170
0x0006c161
0x0006c112
0x0006c1ad
0x0006c1ad
0x0006c1b9
0x0006c1be
0x0006c1ce
0x0006c1dc
0x0006c1e3
0x0006c1e5
0x0006c1ec
0x0006c1f2
0x0006c1f7
0x0006c202
0x0006c210
0x0006c219
0x0006c220
0x0006c22a
0x0006c22c
0x0006c237
0x0006c237
0x0006c238
0x0006c23c
0x0006c261
0x00000000
0x0006c23e
0x0006c25c
0x0006c25f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0006c25f
0x0006c23e
0x0006c263
0x0006c266
0x0006c267
0x0006c26a
0x0006c271

APIs

Part of subcall function 0005E893: ActivateActCtx.KERNEL32(?,00064351), ref: 0005E8B3

GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 0006C108
_memset.LIBCMT ref: 0006C134
_wcstoul.LIBCMT ref: 0006C17C
_wcslen.LIBCMT ref: 0006C19D

Part of subcall function 00151F1F: __getptd_noexit.LIBCMT ref: 00151F1F

GetUserDefaultUILanguage.KERNEL32 ref: 0006C1AD
ConvertDefaultLocale.KERNEL32(?), ref: 0006C1D4
ConvertDefaultLocale.KERNEL32(?), ref: 0006C1E3
GetSystemDefaultUILanguage.KERNEL32 ref: 0006C1EC
ConvertDefaultLocale.KERNEL32(?), ref: 0006C208
ConvertDefaultLocale.KERNEL32(?), ref: 0006C217

Strings

KERNEL32.DLL, xrefs: 0006C0E7
e, xrefs: 0006C153
GetThreadPreferredUILanguages, xrefs: 0006C102

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Default$ConvertLocale$Language$ActivateAddressProcSystemUser__getptd_noexit_memset_wcslen_wcstoul
String ID: GetThreadPreferredUILanguages$KERNEL32.DLL$e
API String ID: 2962385649-2285706205
Opcode ID: c9323fd120fc9cca7b46165cf54cff2887f5b1b18888fa8924b11590c6ae0da8
Instruction ID: 40d8f47356c9fe32514fe672ac1453025642eaa2168bfc222f0a250e76115573
Opcode Fuzzy Hash: c9323fd120fc9cca7b46165cf54cff2887f5b1b18888fa8924b11590c6ae0da8
Instruction Fuzzy Hash: 2D41B171901228ABEB61AFA4DC85BEE77F5AF49700F0104AAEC49E7181DB749E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0008102D Relevance: 22.7, APIs: 15, Instructions: 232
timeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0008102D(intOrPtr* __ecx, int __edx, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				int _v60;
				intOrPtr _v64;
				intOrPtr* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t114;
				signed int _t121;
				intOrPtr _t126;
				int _t144;
				intOrPtr _t169;
				void* _t176;
				void* _t178;
				intOrPtr _t182;
				intOrPtr* _t183;
				intOrPtr _t194;
				RECT* _t200;
				RECT* _t201;
				void* _t202;
				int _t210;
				void* _t211;
				signed int _t214;
				intOrPtr _t215;

				_t196 = __edx;
				_t114 =  *0x1c0454; // 0x885926af
				_v8 = _t114 ^ _t214;
				_t183 = __ecx;
				_v68 =  *((intOrPtr*)( *__ecx + 0x1c0))();
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetClientRect( *(__ecx + 0x20),  &_v24);
				_t215 =  *0x1c3f04; // 0x0
				if(_t215 == 0) {
					_t182 =  *((intOrPtr*)(_t183 + 0xfc0));
					_v24.right = _v24.right - _t182;
					_v24.bottom = _v24.bottom - _t182;
				}
				_t121 =  *((intOrPtr*)( *_t183 + 0x204))();
				_v60 = _t121;
				InflateRect( &_v24,  ~_t121,  ~_t121);
				_t126 =  *((intOrPtr*)(_t183 + 0xed4));
				if(_t126 == 0) {
					_v24.left = _v24.left +  *((intOrPtr*)(_t183 + 0xecc));
				} else {
					_t176 = _t126 - 1;
					if(_t176 == 0) {
						_v24.right = _v24.right -  *((intOrPtr*)(_t183 + 0xecc));
					} else {
						_t178 = _t176 - 1;
						if(_t178 == 0) {
							_v24.top = _v24.top +  *((intOrPtr*)(_t183 + 0xecc));
						} else {
							if(_t178 == 1) {
								_v24.bottom = _v24.bottom -  *((intOrPtr*)(_t183 + 0xecc));
							}
						}
					}
				}
				_v24.top = _v24.top +  *((intOrPtr*)(_t183 + 0xfec)) -  *((intOrPtr*)(_t183 + 0xfe4));
				if( *((intOrPtr*)(_t183 + 0x1088)) == 0) {
					_v24.bottom = _v24.bottom +  *((intOrPtr*)(_t183 + 0x10a4)) -  *((intOrPtr*)(_t183 + 0x10ac));
				} else {
					_v24.top = _v24.top +  *((intOrPtr*)(_t183 + 0x10ac)) -  *((intOrPtr*)(_t183 + 0x10a4));
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				SetRectEmpty(_t183 + 0xef8);
				SetRectEmpty(_t183 + 0xf08);
				_t210 = 0;
				_v64 = 0x14;
				if( *((intOrPtr*)(_t183 + 0xef0)) == 0) {
					if( *((intOrPtr*)(_t183 + 0xee8)) == 0) {
						_v64 = 0x1c;
						KillTimer( *(_t183 + 0x20), 2);
						 *((intOrPtr*)(_t183 + 0xf18)) = 0;
					}
				} else {
					if( *((intOrPtr*)(_t183 + 0xef4)) == 0) {
						if( *((intOrPtr*)( *_t183 + 0x1dc))() != 0) {
							_t196 = _v60;
							_t194 =  *((intOrPtr*)(_t183 + 0xf1c));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							 *((intOrPtr*)(_t183 + 0xefc)) =  *((intOrPtr*)(_t183 + 0xefc)) + _t196;
							_v24.top = _v24.top + _t194 + _t196;
							 *((intOrPtr*)(_t183 + 0xf04)) =  *((intOrPtr*)(_t183 + 0xefc)) + _t194;
							_t210 = 0;
						}
						if( *((intOrPtr*)( *_t183 + 0x1e0))() != 0) {
							_t169 =  *((intOrPtr*)(_t183 + 0xf1c));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							 *((intOrPtr*)(_t183 + 0xf0c)) =  *((intOrPtr*)(_t183 + 0xf14)) - _t169;
							_v24.bottom = _v24.bottom - _t169 + _v60;
							_t210 = 0;
						}
					} else {
						_v24.right = _v24.right - GetSystemMetrics(2);
					}
				}
				if(_a4 != _t210 || EqualRect( &_v56, _t183 + 0xef8) == 0 || EqualRect( &_v40, _t183 + 0xf08) == 0) {
					_t196 =  *_v68;
					 *((intOrPtr*)( *_v68 + 0x234))(_t210, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, _v64, _t210);
					 *((intOrPtr*)(_t183 + 0xec4)) = _v24.bottom - _v24.top;
				} else {
					 *((intOrPtr*)( *_v68 + 0x208))();
				}
				_t200 = _t183 + 0xef8;
				_v60 = _t210;
				_t144 = EqualRect( &_v56, _t200);
				_t211 = InvalidateRect;
				if(_t144 == 0) {
					InvalidateRect( *(_t183 + 0x20),  &_v56, 1);
					InvalidateRect( *(_t183 + 0x20), _t200, 1);
					_v60 = 1;
				}
				_t201 = _t183 + 0xf08;
				if(EqualRect( &_v40, _t201) == 0) {
					InvalidateRect( *(_t183 + 0x20),  &_v40, 1);
					InvalidateRect( *(_t183 + 0x20), _t201, 1);
					_v60 = 1;
				}
				_pop(_t202);
				if(_v60 != 0) {
					UpdateWindow( *(_t183 + 0x20));
				}
				return E00150836(_v60, _t183, _v8 ^ _t214, _t196, _t202, _t211);
			}

0x0008102d
0x00081035
0x0008103c
0x00081040
0x0008104b
0x00081057
0x0008105a
0x0008105d
0x00081060
0x00081063
0x00081069
0x0008106f
0x00081071
0x00081077
0x0008107a
0x0008107a
0x00081081
0x00081087
0x00081092
0x0008109e
0x000810a0
0x000810d2
0x000810a2
0x000810a2
0x000810a3
0x000810c7
0x000810a5
0x000810a5
0x000810a6
0x000810bc
0x000810a8
0x000810a9
0x000810b1
0x000810b1
0x000810a9
0x000810a6
0x000810a3
0x000810e1
0x000810ea
0x00081109
0x000810ec
0x000810f8
0x000810f8
0x00081118
0x00081119
0x0008111a
0x0008111b
0x00081125
0x00081126
0x00081127
0x00081128
0x00081130
0x00081139
0x0008113b
0x0008113d
0x0008114a
0x000811e6
0x000811ed
0x000811f4
0x000811fa
0x000811fa
0x00081150
0x00081156
0x00081174
0x00081176
0x00081179
0x00081188
0x00081189
0x0008118a
0x0008118b
0x0008118c
0x0008119c
0x0008119f
0x000811a5
0x000811a5
0x000811b3
0x000811b5
0x000811c4
0x000811c5
0x000811c6
0x000811c7
0x000811d3
0x000811d9
0x000811dc
0x000811dc
0x00081158
0x00081160
0x00081160
0x00081156
0x00081203
0x00081243
0x00081258
0x00081264
0x0008122d
0x00081232
0x00081232
0x0008126a
0x00081275
0x00081278
0x0008127e
0x00081286
0x00081291
0x00081299
0x0008129b
0x0008129b
0x000812a2
0x000812b5
0x000812c0
0x000812c8
0x000812ca
0x000812ca
0x000812d5
0x000812d6
0x000812db
0x000812db
0x000812f1

APIs

GetClientRect.USER32 ref: 00081063
InflateRect.USER32 ref: 00081092
SetRectEmpty.USER32 ref: 00081130
SetRectEmpty.USER32 ref: 00081139
GetSystemMetrics.USER32 ref: 0008115A
KillTimer.USER32 ref: 000811F4
EqualRect.USER32 ref: 00081216
EqualRect.USER32 ref: 00081227
EqualRect.USER32 ref: 00081278
InvalidateRect.USER32(?,?,00000001), ref: 00081291
InvalidateRect.USER32(?,?,00000001), ref: 00081299
EqualRect.USER32 ref: 000812AD
InvalidateRect.USER32(?,?,00000001), ref: 000812C0
InvalidateRect.USER32(?,?,00000001), ref: 000812C8
UpdateWindow.USER32 ref: 000812DB

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
String ID:
API String ID: 2140115980-0
Opcode ID: 74069808e0035158590663cf1ae5eca26b33970fa580c6bb5adb3a3b87c046a1
Instruction ID: d2bb081521b88ae23d65ed87e23e3be08d7834c0a20c4b57cef1a253a89a80b7
Opcode Fuzzy Hash: 74069808e0035158590663cf1ae5eca26b33970fa580c6bb5adb3a3b87c046a1
Instruction Fuzzy Hash: 9D91F67190021A9FCF11DFA4C984AEE7BB9BF08300F1445B5EC49EB255C7B1A982CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00084EAD Relevance: 21.2, APIs: 14, Instructions: 206
timewindowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00084EAD(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				struct tagPOINT _v44;
				signed int __ebx;
				RECT* __edi;
				signed int __esi;
				signed int __ebp;
				void* _t71;
				intOrPtr* _t72;
				void* _t75;
				void* _t81;
				intOrPtr _t86;
				void* _t88;
				intOrPtr* _t89;
				void* _t97;

				_t81 = __edx;
				_t77 = __ecx;
				_t88 = __ecx;
				KillTimer( *(__ecx + 0x20), 1);
				KillTimer( *(_t88 + 0x20), 2);
				_t84 =  *((intOrPtr*)(_t88 + 0xbcc));
				 *(_t88 + 0xd34) =  *(_t88 + 0xd34) & 0x00000000;
				 *(_t88 + 0xd38) =  *(_t88 + 0xd38) & 0x00000000;
				if( *((intOrPtr*)(_t88 + 0xbcc)) == 0) {
					L24:
					_t77 = _t88;
					_pop(_t88);
					_push(_t77);
					_t75 = _t77;
					_push(_t88);
					E00066824(_t75 + 0xc78);
					E000C1641(_t75, _t75 + 0xc78, _t81, _t75 + 0xc94);
					_t79 = _t75;
					_t71 = E000C0262(_t75, _t81);
					_t97 =  *0x1c3f34 - _t75; // 0x0
					if(_t97 == 0) {
						 *0x1c3f34 =  *0x1c3f34 & 0x00000000;
					}
					_t89 =  *0x1c3f70; // 0x0
					if(_t89 != 0) {
						while(1) {
							_v8 = _t89;
							_t72 = _t89;
							if(_t89 == 0) {
								break;
							}
							_t86 =  *((intOrPtr*)(_t72 + 8));
							_t89 =  *_t89;
							_t101 = _t86;
							if(_t86 == 0) {
								break;
							} else {
								_t71 = E0005F85A(_t75, _t79, _t81, _t86, _t89, _t101,  *((intOrPtr*)(_t86 + 0x20)));
								if(_t71 == 0 || _t86 != _t75) {
									if(_t89 != 0) {
										continue;
									} else {
									}
								} else {
									L12:
									_t71 = E00073835(0x1c3f6c, _v8);
								}
							}
							goto L14;
						}
						E000655E0(_t79);
						goto L12;
					}
					L14:
					return _t71;
				} else {
					_push(__ebx);
					while(1) {
						__eax = __edi;
						__eflags = __edi;
						if(__edi == 0) {
							break;
						} else {
							__edi = __edi->left;
							__ebx = __eax;
							_pop(__ecx);
							_pop(__ecx);
							__eflags = __ebx;
							if(__ebx != 0) {
								__eax =  *__ebx;
								__ecx = __ebx;
								__eax =  *((intOrPtr*)( *__ebx + 0x70))();
								__eflags = __eax;
								if(__eax != 0) {
									__ebx =  *(__ebx + 0x8c);
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = IsWindow( *(__ebx + 0x20));
										__eflags = __eax;
										if(__eax != 0) {
											__eax =  *__ebx;
											__ecx = __ebx;
											 *((intOrPtr*)( *__ebx + 0x1d8))() = PostMessageW( *(__ebx + 0x20), 0x10, 0, 0);
										}
									}
								}
							}
						}
						__eflags = __edi;
						if(__edi != 0) {
							continue;
						} else {
							_pop(__ebx);
							goto L24;
						}
						goto L49;
					}
					__eax = E000655E0(__ecx);
					asm("int3");
					_push(__ebp);
					__ebp = __esp;
					__esp = __esp - 0x1c;
					__eax =  *0x1c0454; // 0x885926af
					_v24.top = __eax;
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					__eax =  &_v44;
					__edi = 0;
					__esi = __ecx;
					_v44.x = 0;
					_v44.y = 0;
					GetCursorPos( &_v44) =  &_v44;
					__eax = ScreenToClient( *(__esi + 0x20),  &_v44);
					__eflags = _v8 - 1;
					if(_v8 != 1) {
						__eflags = _a4 - 2;
						if(_a4 != 2) {
							__eax =  *0x17c038; // 0x14
							__eflags = _a4 - __eax;
							if(_a4 == __eax) {
								__eax =  &_v24;
								_v24.left = 0;
								_v24.top = 0;
								_v24.right = 0;
								_v24.bottom = 0;
								__eax = GetClientRect( *(__esi + 0x20),  &_v24);
								_push(_v32.y);
								__eax =  &_v24;
								__eax = PtInRect( &_v24, _v32.x);
								__eflags = __eax;
								if(__eax != 0) {
									__eax =  *__esi;
									__ecx = __esi;
									__eax =  *((intOrPtr*)( *__esi + 0x390))(_v32.x, _v32.y);
									__ecx =  *(__esi + 0xb98);
									__eflags = __ecx - __eax;
									if(__ecx == __eax) {
										__eflags = __ecx - 0xffffffff;
										if(__ecx != 0xffffffff) {
											__edx =  *__esi;
											__ecx = __esi;
											__eax =  *((intOrPtr*)(__edx + 0x258))(__eax);
										}
									}
								}
							}
						} else {
							__eax = KillTimer( *(__esi + 0x20), 2);
							__eflags =  *(__esi + 0xd38);
							if( *(__esi + 0xd38) != 0) {
								GetParent( *(__esi + 0x20)) = E0005F82E(__ebx, __ecx, __edx, __eax);
								__eax = E0006EA25(0x1bcffc, __eax);
								_pop(__ecx);
								_pop(__ecx);
								_push(_v32.y);
								__ebx = __eax;
								 *(__esi + 0xd38) =  *(__esi + 0xd38) + 0x54;
								__eax = PtInRect( *(__esi + 0xd38) + 0x54, _v32.x);
								__eflags = __eax;
								if(__eax == 0) {
									__ecx =  *(__esi + 0xd38);
									__eax =  *( *(__esi + 0xd38));
									__eax =  *((intOrPtr*)( *( *(__esi + 0xd38)) + 0x58))();
									 *(__esi + 0xd38) = 0;
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax =  *0x1c564c; // 0x0
										__eflags = __eax;
										if(__eflags == 0) {
											__ecx = __esi;
											__eax = E00060DD3(__esi);
										}
										_push(__ebx);
										_push(__eax);
										__eax = E0008032A(__ebx, __edx, __edi, __esi, __eflags);
									}
								}
							}
						}
					} else {
						__eax = KillTimer( *(__esi + 0x20), 1);
						__ecx =  *(__esi + 0xc94);
						__eflags = __ecx;
						if(__ecx != 0) {
							__eflags =  *(__ecx + 0x20);
							if( *(__ecx + 0x20) != 0) {
								__eax = E00063582(__ecx, 0);
							}
						}
						__eax =  *(__esi + 0xd38);
						__eflags = __eax - __edi;
						if(__eax == __edi) {
							L31:
							__eax =  *__esi;
							__ecx = __esi;
							__eax =  *((intOrPtr*)( *__esi + 0x43c))();
							__ebx =  *(__esi + 0xd34);
							 *(__esi + 0xd34) = __edi;
							__eflags = __ebx - __edi;
							if(__ebx != __edi) {
								__eax =  *(__esi + 0xb7c);
								__eflags = __eax - __edi;
								if(__eax >= __edi) {
									__eflags = __eax -  *((intOrPtr*)(__esi + 0xbd4));
									if(__eflags < 0) {
										__ecx = __esi;
										__eax = E00074F8E(__esi, __eflags, __eax);
										__eflags = __eax - __ebx;
										if(__eax == __ebx) {
											__eax =  *__ebx;
											__ecx = __ebx;
											__eax =  *((intOrPtr*)( *__ebx + 0xc8))(__esi);
										}
									}
								}
							}
						} else {
							_push(_v32.y);
							__eax = __eax + 0x54;
							__eax = PtInRect(__eax, _v32);
							__eflags = __eax;
							if(__eax == 0) {
								goto L31;
							}
						}
					}
					__ecx = _v8;
					_pop(__edi);
					_pop(__esi);
					__ecx = _v8 ^ __ebp;
					__eflags = __ecx;
					_pop(__ebx);
					__eax = E00150836(__eax, __ebx, __ecx, __edx, __edi, __esi);
					__esp = __ebp;
					_pop(__ebp);
					return __eax;
				}
				L49:
			}

0x00084ead
0x00084ead
0x00084eb7
0x00084ebe
0x00084ec5
0x00084ec7
0x00084ecd
0x00084ed4
0x00084edd
0x00084f3d
0x00084f3e
0x00084f40
0x00075444
0x00075446
0x00075448
0x0007544f
0x0007545b
0x00075460
0x00075462
0x00075467
0x0007546d
0x0007546f
0x0007546f
0x00075476
0x0007547e
0x00075481
0x00075481
0x00075484
0x00075488
0x00000000
0x00000000
0x0007548a
0x0007548d
0x0007548f
0x00075491
0x00000000
0x00075493
0x00075496
0x0007549d
0x000754a5
0x00000000
0x00000000
0x000754a7
0x000754ae
0x000754ae
0x000754b6
0x000754b6
0x0007549d
0x00000000
0x000754bb
0x000754a9
0x00000000
0x000754a9
0x000754bc
0x000754bf
0x00084edf
0x00084edf
0x00084ee0
0x00084ee0
0x00084ee2
0x00084ee4
0x00000000
0x00084ee6
0x00084ee9
0x00084ef5
0x00084ef7
0x00084ef8
0x00084ef9
0x00084efb
0x00084efd
0x00084eff
0x00084f01
0x00084f04
0x00084f06
0x00084f08
0x00084f0e
0x00084f10
0x00084f15
0x00084f1b
0x00084f1d
0x00084f1f
0x00084f21
0x00084f32
0x00084f32
0x00084f1d
0x00084f10
0x00084f06
0x00084efb
0x00084f38
0x00084f3a
0x00000000
0x00084f3c
0x00084f3c
0x00000000
0x00084f3c
0x00000000
0x00084f3a
0x00084f46
0x00084f4b
0x00084f4e
0x00084f4f
0x00084f51
0x00084f54
0x00084f5b
0x00084f5e
0x00084f5f
0x00084f60
0x00084f61
0x00084f64
0x00084f67
0x00084f69
0x00084f6c
0x00084f75
0x00084f7c
0x00084f82
0x00084f86
0x00085026
0x0008502a
0x000850b5
0x000850ba
0x000850bd
0x000850c9
0x000850d0
0x000850d3
0x000850d6
0x000850d9
0x000850dc
0x000850e2
0x000850e5
0x000850ec
0x000850f2
0x000850f4
0x000850f9
0x000850fe
0x00085100
0x00085106
0x0008510c
0x0008510e
0x00085110
0x00085113
0x00085115
0x00085118
0x0008511a
0x0008511a
0x00085113
0x0008510e
0x000850f4
0x00085030
0x00085035
0x0008503b
0x00085041
0x00085051
0x0008505c
0x00085061
0x00085062
0x00085063
0x00085066
0x00085071
0x00085075
0x0008507b
0x0008507d
0x00085083
0x00085089
0x0008508b
0x0008508e
0x00085094
0x00085096
0x0008509c
0x000850a1
0x000850a3
0x000850a5
0x000850a7
0x000850a7
0x000850ac
0x000850ad
0x000850ae
0x000850ae
0x00085096
0x0008507d
0x00085041
0x00084f8c
0x00084f91
0x00084f97
0x00084f9d
0x00084f9f
0x00084fa1
0x00084fa4
0x00084fa7
0x00084fa7
0x00084fa4
0x00084fac
0x00084fb2
0x00084fb4
0x00084fce
0x00084fce
0x00084fd0
0x00084fd2
0x00084fd8
0x00084fde
0x00084fe4
0x00084fe6
0x00084fec
0x00084ff2
0x00084ff4
0x00084ffa
0x00085000
0x00085007
0x00085009
0x0008500e
0x00085010
0x00085016
0x00085019
0x0008501b
0x0008501b
0x00085010
0x00085000
0x00084ff4
0x00084fb6
0x00084fb6
0x00084fb9
0x00084fc0
0x00084fc6
0x00084fc8
0x00000000
0x00000000
0x00084fc8
0x00084fb4
0x00085120
0x00085123
0x00085124
0x00085125
0x00085125
0x00085127
0x00085128
0x0008512d
0x0008512d
0x0008512e
0x0008512e
0x00000000

APIs

KillTimer.USER32 ref: 00084EBE
KillTimer.USER32 ref: 00084EC5
IsWindow.USER32(?), ref: 00084F15
PostMessageW.USER32 ref: 00084F32
GetCursorPos.USER32(?), ref: 00084F6F
ScreenToClient.USER32(?,?), ref: 00084F7C
KillTimer.USER32 ref: 00084F91
PtInRect.USER32(?,?,?), ref: 00084FC0
KillTimer.USER32 ref: 00085035
GetParent.USER32(?), ref: 0008504A
PtInRect.USER32(?,?,?), ref: 00085075
KillTimer.USER32 ref: 000850C3
GetClientRect.USER32 ref: 000850DC
PtInRect.USER32(?,?,?), ref: 000850EC

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: KillTimer$Rect$Client$CursorMessageParentPostScreenWindow
String ID:
API String ID: 2803392424-0
Opcode ID: c79f2ba412154611e2194c52c785de3ec6f9630c21cd334ae5b850093fec2e14
Instruction ID: 4e8d89a1de78f22ed957b25de3d173c191c0bc39bcb2eb4810c118b6cb2005d1
Opcode Fuzzy Hash: c79f2ba412154611e2194c52c785de3ec6f9630c21cd334ae5b850093fec2e14
Instruction Fuzzy Hash: C67182316006059FCF21AF64CC88BAEBBF6FF48701F10452DF59A97261DB75A881CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0007348A Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E0007348A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t41;
				void* _t44;
				intOrPtr _t57;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t88;
				intOrPtr _t90;
				intOrPtr _t92;
				intOrPtr _t94;
				intOrPtr _t96;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t104;
				void* _t105;
				void* _t109;

				_t105 = __edx;
				_push(4);
				E00151A19(0x1699b0, __ebx, __edi, __esi);
				_t108 = 0;
				if( *((intOrPtr*)(_t109 + 8)) == 0) {
					_t41 = 0;
					__eflags = 0;
				} else {
					E00056620(__ebx,  *((intOrPtr*)(_t109 + 8)));
					 *((intOrPtr*)(_t109 - 4)) = 0;
					_t44 = E0005BF90(_t109 + 8, L"MFCButton");
					_t112 = _t44;
					if(_t44 != 0) {
						__eflags = E0005BF90(_t109 + 8, L"MFCColorButton");
						if(__eflags != 0) {
							__eflags = E0005BF90(_t109 + 8, L"MFCEditBrowse");
							if(__eflags != 0) {
								__eflags = E0005BF90(_t109 + 8, L"MFCFontComboBox");
								if(__eflags != 0) {
									__eflags = E0005BF90(_t109 + 8, L"MFCLink");
									if(__eflags != 0) {
										__eflags = E0005BF90(_t109 + 8, L"MFCMaskedEdit");
										if(__eflags != 0) {
											__eflags = E0005BF90(_t109 + 8, L"MFCMenuButton");
											if(__eflags != 0) {
												__eflags = E0005BF90(_t109 + 8, L"MFCPropertyGrid");
												if(__eflags != 0) {
													__eflags = E0005BF90(_t109 + 8, L"MFCShellList");
													if(__eflags != 0) {
														__eflags = E0005BF90(_t109 + 8, L"MFCShellTree");
														if(__eflags != 0) {
															__eflags = E0005BF90(_t109 + 8, L"MFCVSListBox");
															if(__eflags == 0) {
																_t84 = E0005C37C(__eflags, 0x1d0);
																 *((intOrPtr*)(_t109 - 0x10)) = _t84;
																 *((char*)(_t109 - 4)) = 0xb;
																__eflags = _t84;
																if(__eflags == 0) {
																	goto L34;
																} else {
																	_t57 = E000A837C(__ebx, _t84, _t105, __edi, 0, __eflags);
																}
																goto L35;
															}
														} else {
															_t86 = E0005C37C(__eflags, 0x84);
															 *((intOrPtr*)(_t109 - 0x10)) = _t86;
															 *((char*)(_t109 - 4)) = 0xa;
															__eflags = _t86;
															if(__eflags == 0) {
																goto L34;
															} else {
																_t57 = E000A8CB7(_t86, __eflags);
															}
															goto L35;
														}
													} else {
														_t88 = E0005C37C(__eflags, 0x154);
														 *((intOrPtr*)(_t109 - 0x10)) = _t88;
														 *((char*)(_t109 - 4)) = 9;
														__eflags = _t88;
														if(__eflags == 0) {
															goto L34;
														} else {
															_t57 = E000A54EB(_t88, __eflags);
														}
														goto L35;
													}
												} else {
													_t90 = E0005C37C(__eflags, 0x3c8);
													 *((intOrPtr*)(_t109 - 0x10)) = _t90;
													 *((char*)(_t109 - 4)) = 8;
													__eflags = _t90;
													if(__eflags == 0) {
														goto L34;
													} else {
														_t57 = E000AE723(__ebx, _t90, _t105, __edi, 0, __eflags);
													}
													goto L35;
												}
											} else {
												_t92 = E0005C37C(__eflags, 0x770);
												 *((intOrPtr*)(_t109 - 0x10)) = _t92;
												 *((char*)(_t109 - 4)) = 7;
												__eflags = _t92;
												if(__eflags == 0) {
													goto L34;
												} else {
													_t57 = E000AEABC(_t92, __eflags);
												}
												goto L35;
											}
										} else {
											_t94 = E0005C37C(__eflags, 0xa0);
											 *((intOrPtr*)(_t109 - 0x10)) = _t94;
											 *((char*)(_t109 - 4)) = 6;
											__eflags = _t94;
											if(__eflags == 0) {
												goto L34;
											} else {
												_t57 = E000AF234(_t94, __eflags);
											}
											goto L35;
										}
									} else {
										_t96 = E0005C37C(__eflags, 0x768);
										 *((intOrPtr*)(_t109 - 0x10)) = _t96;
										 *((char*)(_t109 - 4)) = 5;
										__eflags = _t96;
										if(__eflags == 0) {
											goto L34;
										} else {
											_t57 = E000B12A7(__ebx, _t96, _t105, __edi, 0, __eflags, __fp0);
										}
										goto L35;
									}
								} else {
									_t98 = E0005C37C(__eflags, 0x80);
									 *((intOrPtr*)(_t109 - 0x10)) = _t98;
									 *((char*)(_t109 - 4)) = 4;
									__eflags = _t98;
									if(__eflags == 0) {
										goto L34;
									} else {
										_t57 = E000B1962(__ebx, _t98, _t105, __edi, 0, __eflags);
									}
									goto L35;
								}
							} else {
								_t100 = E0005C37C(__eflags, 0xb8);
								 *((intOrPtr*)(_t109 - 0x10)) = _t100;
								 *((char*)(_t109 - 4)) = 3;
								__eflags = _t100;
								if(__eflags == 0) {
									goto L34;
								} else {
									_t57 = E000B28E6(__ebx, _t100, _t105, __edi, 0, __eflags);
								}
								goto L35;
							}
						} else {
							_t102 = E0005C37C(__eflags, 0x7ac);
							 *((intOrPtr*)(_t109 - 0x10)) = _t102;
							 *((char*)(_t109 - 4)) = 2;
							__eflags = _t102;
							if(__eflags == 0) {
								goto L34;
							} else {
								_t57 = E000B3754(__ebx, _t102, _t105, __eflags, __fp0);
							}
							goto L35;
						}
					} else {
						_t104 = E0005C37C(_t112, 0x750);
						 *((intOrPtr*)(_t109 - 0x10)) = _t104;
						 *((char*)(_t109 - 4)) = 1;
						_t113 = _t104;
						if(_t104 == 0) {
							L34:
							_t57 = 0;
							__eflags = 0;
						} else {
							_t57 = E000B42D7(__ebx, _t104, _t105, __edi, 0, _t113, __fp0);
						}
						L35:
						_t108 = _t57;
					}
					E00051190( *((intOrPtr*)(_t109 + 8)) + 0xfffffff0, _t105);
					_t41 = _t108;
				}
				return E00151AF1(_t41);
			}

0x0007348a
0x0007348a
0x00073491
0x00073496
0x0007349b
0x0007370a
0x0007370a
0x000734a1
0x000734a7
0x000734b4
0x000734b7
0x000734bc
0x000734be
0x000734f3
0x000734f5
0x0007352a
0x0007352c
0x00073561
0x00073563
0x00073598
0x0007359a
0x000735cf
0x000735d1
0x00073606
0x00073608
0x0007363d
0x0007363f
0x00073674
0x00073676
0x000736a4
0x000736a6
0x000736d4
0x000736d6
0x000736e3
0x000736e5
0x000736e8
0x000736ec
0x000736ee
0x00000000
0x000736f0
0x000736f0
0x000736f0
0x00000000
0x000736ee
0x000736a8
0x000736b3
0x000736b5
0x000736b8
0x000736bc
0x000736be
0x00000000
0x000736c0
0x000736c0
0x000736c0
0x00000000
0x000736be
0x00073678
0x00073683
0x00073685
0x00073688
0x0007368c
0x0007368e
0x00000000
0x00073690
0x00073690
0x00073690
0x00000000
0x0007368e
0x00073641
0x0007364c
0x0007364e
0x00073651
0x00073655
0x00073657
0x00000000
0x0007365d
0x0007365d
0x0007365d
0x00000000
0x00073657
0x0007360a
0x00073615
0x00073617
0x0007361a
0x0007361e
0x00073620
0x00000000
0x00073626
0x00073626
0x00073626
0x00000000
0x00073620
0x000735d3
0x000735de
0x000735e0
0x000735e3
0x000735e7
0x000735e9
0x00000000
0x000735ef
0x000735ef
0x000735ef
0x00000000
0x000735e9
0x0007359c
0x000735a7
0x000735a9
0x000735ac
0x000735b0
0x000735b2
0x00000000
0x000735b8
0x000735b8
0x000735b8
0x00000000
0x000735b2
0x00073565
0x00073570
0x00073572
0x00073575
0x00073579
0x0007357b
0x00000000
0x00073581
0x00073581
0x00073581
0x00000000
0x0007357b
0x0007352e
0x00073539
0x0007353b
0x0007353e
0x00073542
0x00073544
0x00000000
0x0007354a
0x0007354a
0x0007354a
0x00000000
0x00073544
0x000734f7
0x00073502
0x00073504
0x00073507
0x0007350b
0x0007350d
0x00000000
0x00073513
0x00073513
0x00073513
0x00000000
0x0007350d
0x000734c0
0x000734cb
0x000734cd
0x000734d0
0x000734d4
0x000734d6
0x000736f7
0x000736f7
0x000736f7
0x000734dc
0x000734dc
0x000734dc
0x000736f9
0x000736f9
0x000736f9
0x00073701
0x00073706
0x00073706
0x00073711

APIs

__EH_prolog3.LIBCMT ref: 00073491

Part of subcall function 0005C37C: _malloc.LIBCMT ref: 0005C39A

Part of subcall function 000B42D7: __EH_prolog3.LIBCMT ref: 000B42DE

Strings

MFCEditBrowse, xrefs: 0007351D
MFCPropertyGrid, xrefs: 00073630
MFCShellList, xrefs: 00073667
MFCMenuButton, xrefs: 000735F9
MFCColorButton, xrefs: 000734E6
MFCFontComboBox, xrefs: 00073554
MFCLink, xrefs: 0007358B
MFCShellTree, xrefs: 00073697
MFCVSListBox, xrefs: 000736C7
MFCButton, xrefs: 000734AC
MFCMaskedEdit, xrefs: 000735C2

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 1683881009-2110171958
Opcode ID: 5e53d6fd2a996c1c35f3cd61282acac6b78c34f278cf63e266fd50dce5b90c73
Instruction ID: 62b848216676ab4c11225dd04b264372e32302fdc36d14b30dfb8afc0bdd77de
Opcode Fuzzy Hash: 5e53d6fd2a996c1c35f3cd61282acac6b78c34f278cf63e266fd50dce5b90c73
Instruction Fuzzy Hash: 24518860A0820AB9EF58E778A8537FE76D05F18740F10C02DF90D962D3EFB45B44A65A

Uniqueness

Uniqueness Score: -1.00%

Function 000B8012 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E000B8012(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t98;
				signed int _t100;
				int _t105;
				void* _t113;
				int _t123;
				void* _t130;
				int _t135;
				int _t136;
				void*** _t143;
				signed int _t144;
				signed int _t146;
				int _t147;
				void* _t150;
				void* _t153;

				_t134 = __ebx;
				_push(0xa8);
				E00151A82(0x16cb8d, __ebx, __edi, __esi);
				_t149 =  *(_t153 + 8);
				_t98 =  *_t149;
				_t146 =  *(_t153 + 0xc);
				 *(_t153 - 0x84) = _t146;
				if(_t98 != 0) {
					_t134 = GetObjectW;
					if(GetObjectW(_t98, 0x18, _t153 - 0xb4) != 0) {
						_t100 =  *(_t153 - 0xb0);
						 *(_t153 - 0x7c) = _t100;
						asm("cdq");
						_t144 = _t100 % _t146;
						 *(_t153 - 0x80) =  *(_t153 - 0xac);
						 *(_t153 - 0x68) = _t100 / _t146;
						if( *((short*)(_t153 - 0xa2)) != 0x20) {
							E00065EC1(_t153 - 0x98);
							_t146 = 0;
							 *(_t153 - 4) = 0;
							E000664F6(GetObjectW, _t153 - 0x98, _t144, 0, CreateCompatibleDC(0));
							_t150 =  *_t149;
							if(_t150 == 0) {
								 *(_t153 - 0x74) = 0;
							} else {
								 *(_t153 - 0x74) = SelectObject( *(_t153 - 0x94), _t150);
							}
							if( *(_t153 - 0x74) != _t146) {
								_t105 =  *(_t153 - 0x68);
								if(_t105 <= _t146) {
									L35:
									SelectObject( *(_t153 - 0x94),  *(_t153 - 0x74));
									_t149 = 1;
									L25:
									 *(_t153 - 4) =  *(_t153 - 4) | 0xffffffff;
									E00066577(_t153 - 0x98);
									L2:
									return E00151B05(_t134, _t146, _t149);
								}
								_t146 = SetPixel;
								_t135 = 0;
								 *(_t153 - 0x78) = 0;
								 *(_t153 - 0x7c) = _t105;
								do {
									 *(_t153 - 0x68) =  *(_t153 - 0x68) & 0x00000000;
									if( *(_t153 - 0x80) <= 0) {
										goto L34;
									}
									asm("cdq");
									 *(_t153 - 0x70) =  *(_t153 - 0x84) - _t144;
									 *(_t153 - 0x70) =  *(_t153 - 0x70) >> 1;
									do {
										 *(_t153 - 0x6c) = _t135;
										_t136 = _t135 +  *(_t153 - 0x84) - 1;
										_t113 =  *(_t153 - 0x70);
										if(_t113 <= 0) {
											goto L33;
										}
										 *(_t153 - 0x88) = _t113;
										do {
											 *(_t153 - 0x9c) = GetPixel( *(_t153 - 0x94),  *(_t153 - 0x6c),  *(_t153 - 0x68));
											SetPixel( *(_t153 - 0x94),  *(_t153 - 0x6c),  *(_t153 - 0x68), GetPixel( *(_t153 - 0x94), _t136,  *(_t153 - 0x68)));
											SetPixel( *(_t153 - 0x94), _t136,  *(_t153 - 0x68),  *(_t153 - 0x9c));
											 *(_t153 - 0x6c) =  *(_t153 - 0x6c) + 1;
											_t136 = _t136 - 1;
											_t83 = _t153 - 0x88;
											 *_t83 =  *(_t153 - 0x88) - 1;
										} while ( *_t83 != 0);
										L33:
										 *(_t153 - 0x68) =  *(_t153 - 0x68) + 1;
										_t135 =  *(_t153 - 0x78);
									} while ( *(_t153 - 0x68) <  *(_t153 - 0x80));
									L34:
									_t135 = _t135 +  *(_t153 - 0x84);
									_t91 = _t153 - 0x7c;
									 *_t91 =  *(_t153 - 0x7c) - 1;
									 *(_t153 - 0x78) = _t135;
								} while ( *_t91 != 0);
								goto L35;
							}
							_t149 = 0;
							goto L25;
						}
						if(GetObjectW( *_t149, 0x54, _t153 - 0x64) == 0 ||  *((short*)(_t153 - 0x52)) != 0x20) {
							goto L4;
						} else {
							_t123 =  *(_t153 - 0x50);
							if(_t123 == 0) {
								goto L4;
							}
							if( *(_t153 - 0x68) <= 0) {
								goto L1;
							}
							 *(_t153 - 0x6c) = _t123;
							_t134 = _t146 << 2;
							do {
								if( *(_t153 - 0x80) <= 0) {
									goto L18;
								}
								_t147 =  *(_t153 - 0x6c);
								asm("cdq");
								 *(_t153 - 0x70) = _t146 - _t144;
								 *(_t153 - 0x70) =  *(_t153 - 0x70) >> 1;
								 *(_t153 - 0x78) =  *(_t153 - 0x80);
								do {
									_t130 =  *(_t153 - 0x70);
									_t144 = _t147;
									_t143 = _t147 + _t134 - 4;
									if(_t130 <= 0) {
										goto L16;
									}
									 *(_t153 - 0x74) = _t130;
									do {
										_t149 =  *_t144;
										 *_t144 =  *_t143;
										 *_t143 =  *_t144;
										_t144 = _t144 + 4;
										_t143 = _t143 - 4;
										_t33 = _t153 - 0x74;
										 *_t33 =  *(_t153 - 0x74) - 1;
									} while ( *_t33 != 0);
									L16:
									_t147 = _t147 + ( *(_t153 - 0x7c) << 2);
									_t36 = _t153 - 0x78;
									 *_t36 =  *(_t153 - 0x78) - 1;
								} while ( *_t36 != 0);
								_t146 =  *(_t153 - 0x84);
								L18:
								 *(_t153 - 0x6c) =  *(_t153 - 0x6c) + _t134;
								_t41 = _t153 - 0x68;
								 *_t41 =  *(_t153 - 0x68) - 1;
							} while ( *_t41 != 0);
							goto L1;
						}
					}
					L4:
					goto L2;
				}
				L1:
				goto L2;
			}

0x000b8012
0x000b8012
0x000b801c
0x000b8021
0x000b8024
0x000b8026
0x000b8029
0x000b8031
0x000b803e
0x000b8052
0x000b8058
0x000b805e
0x000b8061
0x000b8062
0x000b8072
0x000b8075
0x000b8078
0x000b8111
0x000b8116
0x000b8119
0x000b8129
0x000b812e
0x000b8132
0x000b8146
0x000b8134
0x000b8141
0x000b8141
0x000b814c
0x000b8166
0x000b816b
0x000b8229
0x000b8232
0x000b823a
0x000b8150
0x000b8150
0x000b815a
0x000b8036
0x000b803b
0x000b803b
0x000b8177
0x000b817d
0x000b817f
0x000b8182
0x000b8185
0x000b8185
0x000b818d
0x00000000
0x00000000
0x000b8199
0x000b819c
0x000b819f
0x000b81a2
0x000b81a8
0x000b81ab
0x000b81af
0x000b81b4
0x00000000
0x00000000
0x000b81b6
0x000b81bc
0x000b81cd
0x000b81e9
0x000b81fb
0x000b81fd
0x000b8200
0x000b8201
0x000b8201
0x000b8201
0x000b8209
0x000b8209
0x000b820f
0x000b8212
0x000b8217
0x000b8217
0x000b821d
0x000b821d
0x000b8220
0x000b8220
0x00000000
0x000b8185
0x000b814e
0x00000000
0x000b814e
0x000b808a
0x00000000
0x000b8093
0x000b8093
0x000b8098
0x00000000
0x00000000
0x000b809e
0x00000000
0x00000000
0x000b80a0
0x000b80a8
0x000b80ae
0x000b80b2
0x00000000
0x00000000
0x000b80b6
0x000b80b9
0x000b80bc
0x000b80c2
0x000b80c5
0x000b80c8
0x000b80c8
0x000b80cb
0x000b80cd
0x000b80d3
0x00000000
0x00000000
0x000b80d5
0x000b80d8
0x000b80da
0x000b80dc
0x000b80de
0x000b80e0
0x000b80e3
0x000b80e6
0x000b80e6
0x000b80e6
0x000b80eb
0x000b80f1
0x000b80f3
0x000b80f3
0x000b80f3
0x000b80f8
0x000b80fe
0x000b80fe
0x000b8101
0x000b8101
0x000b8101
0x00000000
0x000b8106
0x000b808a
0x000b8054
0x00000000
0x000b8054
0x000b8033
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 000B801C
GetObjectW.GDI32(00000000,00000018,?), ref: 000B804E
GetObjectW.GDI32(?,00000054,?), ref: 000B8086
CreateCompatibleDC.GDI32(00000000), ref: 000B811C
SelectObject.GDI32(?,?), ref: 000B813B
GetPixel.GDI32(?,?,00000000), ref: 000B81C8
GetPixel.GDI32(?,?,00000000), ref: 000B81DA
SetPixel.GDI32(?,?,00000000,00000000), ref: 000B81E9
SetPixel.GDI32(?,?,00000000,?), ref: 000B81FB
SelectObject.GDI32(?,?), ref: 000B8232

Strings

, xrefs: 000B8064
, xrefs: 000B808C

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
String ID: $
API String ID: 1266819874-227171996
Opcode ID: 01db9059e3b84a9ce0ebbb330e786ee4d604e78c593633ccac65f5a5e3740448
Instruction ID: 17223c8b0de3459f35c275965ec9ee1a26211a0f42ea7bc12b4800c8d5564bed
Opcode Fuzzy Hash: 01db9059e3b84a9ce0ebbb330e786ee4d604e78c593633ccac65f5a5e3740448
Instruction Fuzzy Hash: 9B710570D00218DBDF61DFA9CC85AEDBBB9FF18354F208169D508A7262DB319985DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00081E9E Relevance: 19.8, APIs: 13, Instructions: 269
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00081E9E(intOrPtr* __ecx, intOrPtr __edx) {
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				struct HWND__* _v36;
				RECT* _v40;
				signed int _v44;
				intOrPtr _v48;
				struct tagMSG _v72;
				struct tagMSG _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t89;
				intOrPtr _t96;
				void* _t119;
				void* _t122;
				intOrPtr* _t124;
				intOrPtr* _t130;
				void* _t132;
				RECT* _t153;
				intOrPtr _t154;
				intOrPtr _t159;
				void* _t165;
				void* _t176;
				void* _t177;
				intOrPtr _t180;
				intOrPtr _t183;
				RECT* _t184;
				intOrPtr _t186;
				intOrPtr _t187;
				intOrPtr* _t193;
				signed int _t194;

				_t182 = __edx;
				_t155 = __ecx;
				_t89 =  *0x1c0454; // 0x885926af
				_v8 = _t89 ^ _t194;
				_t193 = __ecx;
				if(__ecx != 0) {
					_t155 =  *((intOrPtr*)(__ecx + 0x20));
					_v36 =  *((intOrPtr*)(__ecx + 0x20));
				} else {
					_v36 = 0;
				}
				_t184 = PeekMessageW;
				_push(0);
				_t153 = 0xf;
				_push(_t153);
				_push(_t153);
				_push(0);
				while(PeekMessageW( &_v100, ??, ??, ??, ??) != 0) {
					if(GetMessageW( &_v100, 0, _t153, _t153) == 0) {
						L12:
						_t96 = 0;
						L58:
						return E00150836(_t96, _t153, _v8 ^ _t194, _t182, _t184, _t193);
					} else {
						DispatchMessageW( &_v100);
						_push(0);
						_push(_t153);
						_push(_t153);
						_push(0);
						continue;
					}
				}
				if(GetCapture() != 0) {
					goto L12;
				} else {
					E0005F82E(_t153, _t155, _t182, SetCapture( *(_t193 + 0x20)));
					_t153 = 0;
					_v32 = 0;
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetWindowRect( *(_t193 + 0x20),  &_v24);
					_t184 = 1;
					 *(_t193 + 0x1080) = 1;
					 *( *((intOrPtr*)( *_t193 + 0x1c0))() + 0xd14) = 1;
					_t159 =  *((intOrPtr*)(_t193 + 0xfd4));
					_v28 =  *((intOrPtr*)(_t193 + 0xfc0));
					 *((intOrPtr*)(_t193 + 0xfc0)) = 0;
					if(_t159 != 0 &&  *((intOrPtr*)(_t159 + 0x20)) != 0) {
						E00063582(_t159, 0);
					}
					_t160 = _t193;
					_v40 = _t153;
					_v44 =  *((intOrPtr*)( *_t193 + 0x204))();
					while(E0005F82E(_t153, _t160, _t182, GetCapture()) == _t193) {
						if(GetMessageW( &_v72, _t153, _t153, _t153) == 0) {
							_push(_v72.wParam);
							E0006BE0C();
							break;
						}
						_t119 = _v72.message - 0x200;
						if(_t119 == 0) {
							_v40 = _t184;
							if((E00063445(_t193) & 0x00400000) == 0) {
								_t122 = _v72.pt - _v24.left;
							} else {
								_t122 = _v24.right - _v72.pt;
							}
							_t186 = _v24.bottom;
							_t183 = _v48;
							_t124 = _t122 + _v44 * 2 + _v28;
							if( *((intOrPtr*)(_t193 + 0x1088)) == _t153) {
								_t165 = _t183 - _v24.top;
							} else {
								_t165 = _t186 - _t183;
							}
							_t154 =  *((intOrPtr*)(_t193 + 0x1094));
							if(_t154 <= _t165) {
								_t153 = 0;
								if( *((intOrPtr*)(_t193 + 0x1088)) == 0) {
									_t182 = _t183 - _v24.top;
								} else {
									_t182 = _t186 - _t183;
								}
							} else {
								_t182 = _t154;
								_t153 = 0;
							}
							_t160 =  *((intOrPtr*)(_t193 + 0x1090));
							if(_t160 <= _t153) {
								_t124 = _v24.right - _v24.left - _v28;
							} else {
								if(_t160 > _t124) {
									_t124 = _t160;
								}
							}
							_t187 =  *((intOrPtr*)(_t193 + 0x109c));
							if(_t124 !=  *((intOrPtr*)(_t193 + 0x1098)) || _t182 != _t187) {
								 *((intOrPtr*)(_t193 + 0x1098)) = _t124;
								 *((intOrPtr*)(_t193 + 0x109c)) = _t182;
								if( *((intOrPtr*)(_t193 + 0x1088)) != _t153 && _t182 >  *((intOrPtr*)(_t193 + 0x1094))) {
									 *((intOrPtr*)(_t193 + 0x12c)) = _v48 -  *((intOrPtr*)(_t193 + 0x10ac)) -  *((intOrPtr*)(_t193 + 0x10a4)) -  *((intOrPtr*)( *_t193 + 0x204))() - 1;
								}
								_t184 = 1;
								 *((intOrPtr*)( *_t193 + 0x174))(1);
								_t130 =  *((intOrPtr*)( *_t193 + 0x1c0))();
								_t182 =  *_t130;
								 *((intOrPtr*)( *_t130 + 0x3e0))();
								_t132 = _t193 + 0xf28;
								if(_t132 != _t153 &&  *((intOrPtr*)(_t132 + 0x20)) != _t153) {
									E00081D0C(_t153, _t193, _t193, 5, GetScrollPos( *(_t193 + 0xf48), 2), _t132);
								}
								RedrawWindow( *(_t193 + 0x20), _t153, _t153, 0x581);
								_t160 = _t193;
								E000805CC(_t193, _t184, _t153);
								 *((intOrPtr*)(_t193 + 0x1084)) = _t184;
							} else {
								_t184 = 1;
							}
							continue;
						}
						if(_t119 == 0) {
							_v32 = _t184;
							 *((intOrPtr*)(_t193 + 0xfc0)) = _v28;
							if(_v40 != _t153) {
								_t176 = _t193 + 0xfc4;
								if(_t176 != _t153 &&  *((intOrPtr*)(_t176 + 4)) != _t153) {
									E00066824(_t176);
								}
								_t177 = _t193 + 0xfcc;
								if(_t177 != _t153 &&  *((intOrPtr*)(_t177 + 4)) != _t153) {
									E00066824(_t177);
								}
								 *((intOrPtr*)( *_t193 + 0x174))(_t184);
								E000805CC(_t193, _t184, _t153);
								_t180 =  *((intOrPtr*)(_t193 + 0xfd4));
								if(_t180 != _t153 &&  *((intOrPtr*)(_t180 + 0x20)) != _t153) {
									E0007F1ED(_t180, _t182, _t184);
								}
								E00063582(_t193, 4);
							}
							break;
						}
						DispatchMessageW( &_v72);
					}
					ReleaseCapture();
					if(IsWindow(_v36) != 0) {
						 *(_t193 + 0x1080) = _t153;
						 *( *((intOrPtr*)( *_t193 + 0x1c0))() + 0xd14) = _t153;
					}
					_t96 = _v32;
					goto L58;
				}
			}

0x00081e9e
0x00081e9e
0x00081ea6
0x00081ead
0x00081eb2
0x00081eb9
0x00081ec0
0x00081ec3
0x00081ebb
0x00081ebb
0x00081ebb
0x00081ec6
0x00081ecc
0x00081ecf
0x00081ed0
0x00081ed1
0x00081ed2
0x00081efb
0x00081ee5
0x00081f8b
0x00081f8b
0x000821bd
0x000821cb
0x00081eeb
0x00081eef
0x00081ef5
0x00081ef7
0x00081ef8
0x00081ef9
0x00000000
0x00081ef9
0x00081ee5
0x00081f0d
0x00000000
0x00081f0f
0x00081f19
0x00081f21
0x00081f27
0x00081f2a
0x00081f2d
0x00081f30
0x00081f33
0x00081f36
0x00081f40
0x00081f43
0x00081f4f
0x00081f5b
0x00081f61
0x00081f64
0x00081f6c
0x00081f74
0x00081f74
0x00081f7b
0x00081f7d
0x00081f86
0x00081f95
0x00081fb8
0x00082189
0x0008218c
0x00000000
0x0008218c
0x00081fc1
0x00081fc6
0x00081fde
0x00081feb
0x00081ff8
0x00081fed
0x00081ff0
0x00081ff0
0x00081ffe
0x00082001
0x00082007
0x00082010
0x0008201a
0x00082012
0x00082014
0x00082014
0x0008201d
0x00082025
0x0008202d
0x00082035
0x0008203d
0x00082037
0x00082039
0x00082039
0x00082027
0x00082027
0x00082029
0x00082029
0x00082040
0x00082048
0x00082058
0x0008204a
0x0008204c
0x0008204e
0x0008204e
0x0008204c
0x0008205b
0x00082067
0x00082071
0x00082077
0x00082083
0x000820ab
0x000820ab
0x000820b5
0x000820b9
0x000820c3
0x000820c9
0x000820cd
0x000820d3
0x000820db
0x000820f6
0x000820f6
0x00082105
0x0008210c
0x0008210e
0x00082113
0x00081f92
0x00081f94
0x00081f94
0x00000000
0x00082067
0x00081fca
0x00082121
0x00082124
0x0008212d
0x0008212f
0x00082137
0x0008213e
0x0008213e
0x00082143
0x0008214b
0x00082152
0x00082152
0x0008215c
0x00082165
0x0008216a
0x00082172
0x00082179
0x00082179
0x00082182
0x00082182
0x00000000
0x0008212d
0x00081fd4
0x00081fd4
0x00082191
0x000821a2
0x000821a8
0x000821b4
0x000821b4
0x000821ba
0x00000000
0x000821ba

APIs

GetMessageW.USER32 ref: 00081EDD
DispatchMessageW.USER32(?), ref: 00081EEF
PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00081EFF
GetCapture.USER32 ref: 00081F05
SetCapture.USER32(?), ref: 00081F12
GetWindowRect.USER32(?,?), ref: 00081F36
GetCapture.USER32 ref: 00081F95
GetMessageW.USER32 ref: 00081FB0
DispatchMessageW.USER32(?), ref: 00081FD4
GetScrollPos.USER32(?,00000002), ref: 000820EB
RedrawWindow.USER32(?,00000000,00000000,00000581), ref: 00082105

Part of subcall function 00063582: ShowWindow.USER32(?,?), ref: 00063593

ReleaseCapture.USER32 ref: 00082191
IsWindow.USER32(?), ref: 0008219A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Message$CaptureWindow$Dispatch$PeekRectRedrawReleaseScrollShow
String ID:
API String ID: 1149966214-0
Opcode ID: ecd74a0b8441baedea3b8188420062e980f92979afbfaa9e8e15e3ddf08e8d89
Instruction ID: ebf316e40450c71d39566e692956232f74aaba118a002a7cb1f04a8e44e4d095
Opcode Fuzzy Hash: ecd74a0b8441baedea3b8188420062e980f92979afbfaa9e8e15e3ddf08e8d89
Instruction Fuzzy Hash: F3A12C71A006099FDB24EFA4C9999FEB7F9FF48300F14452DE69A97252CB30AD81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0008646A Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 397
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0008646A(signed int* __ecx, RECT* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t155;
				signed int _t158;
				signed int _t163;
				signed int _t166;
				intOrPtr _t178;
				signed int _t181;
				signed int _t191;
				void* _t193;
				signed int _t198;
				signed int _t202;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t226;
				int _t228;
				signed char _t229;
				signed int _t230;
				signed int* _t232;
				signed int _t235;
				signed int* _t248;
				signed int _t257;
				signed int _t260;
				intOrPtr _t283;

				_t155 =  *0x1c0454; // 0x885926af
				_v8 = _t155 ^ _t260;
				_t232 = __ecx;
				_t157 =  *((intOrPtr*)(__ecx + 0xb7c));
				_t257 = 0;
				_v64 = 0;
				if( *((intOrPtr*)(__ecx + 0xb7c)) >= 0) {
					_t158 = E000A4CDB(__ecx + 0xbc8, _t157);
					_v48 = _t158;
					__eflags = _t158;
					if(_t158 != 0) {
						_t257 =  *(_t158 + 8);
					}
				} else {
					_v48 = 0;
				}
				_t256 = _a4;
				_v60 = _v60 & 0x00000000;
				_v56 = _t257;
				_v52 = _t257;
				_v44 = _t232[0x2df];
				if(_t256 == 9) {
					_t229 = GetKeyState(0x10);
					_t230 = 0;
					_t20 = (_t230 & 0xffffff00 | (_t229 & 0x00000080) == 0x00000000) + 0x26; // 0x26
					_t256 = (_t230 & 0xffffff00 | (_t229 & 0x00000080) == 0x00000000) + _t20;
					_a4 = _t256;
				}
				_t255 = _v48;
				_t161 = 1;
				_t235 = _t255;
				if(_t256 == 0xd) {
					_v64 = 1;
					_t257 = E0006EA25(0x1bddfc, _t257);
					__eflags = _t257;
					if(_t257 == 0) {
						goto L103;
					}
					_t166 =  *((intOrPtr*)( *_t257 + 0xec))();
					__eflags = _t166;
					if(_t166 != 0) {
						L89:
						SendMessageW( *(E00061441(_t232) + 0x20), 0x362, 0xe001, 0);
						 *((intOrPtr*)( *_t232 + 0x3e4))(_t257);
						goto L90;
					}
					_t191 =  *((intOrPtr*)( *_t257 + 0xc8))(0);
					__eflags = _t191;
					if(_t191 != 0) {
						goto L103;
					}
					goto L89;
				} else {
					if(_t256 <= 0x20) {
						L13:
						if( *0x1c3f04 != 0 || (0x00008000 & GetAsyncKeyState(0x11)) != 0) {
							L103:
							_t163 = _v64;
							goto L104;
						} else {
							_t193 = E000992A2(_t232, 0x8000, _t255, _t256, _t257, _t256);
							_t274 = _t193;
							if(_t193 == 0) {
								L82:
								__eflags =  *0x1be4d8;
								if( *0x1be4d8 == 0) {
									goto L103;
								}
								__eflags = _t232[0x33c];
								if(__eflags != 0) {
									goto L103;
								}
								_v56 = _v56 & 0x00000000;
								__eflags = E000A7D8E( &(_t232[0x34f]), __eflags, _t256,  &_v56);
								if(__eflags == 0) {
									goto L103;
								}
								_push(0);
								_push(_v56);
								_t248 = _t232;
								L79:
								E00085805(_t248, _t255, __eflags);
								L22:
								_t163 = 1;
								L104:
								return E00150836(_t163, _t232, _v8 ^ _t260, _t255, _t256, _t257);
							}
							_t198 = E0009932D(_t255, _t256);
							_t256 = _t198;
							_v52 = _t198;
							if(E0009A01A( &(_t232[0x32b]), _t274,  &_v52,  &_v48) == 0) {
								goto L82;
							}
							_t256 = _v48;
							_t202 = _t232[0x2f3];
							_v52 = _t256;
							_t255 = 0;
							while(_t202 != 0) {
								_t235 = _t202;
								__eflags = _t202;
								if(_t202 == 0) {
									L38:
									_t161 = E000655E0(_t235);
									L39:
									_t255 = 0;
									__eflags = 0;
									_v48 = 0;
									L40:
									__eflags = _t232[0x342];
									if(_t232[0x342] == 0) {
										L43:
										_v64 = _t161;
										_t203 = _t232[0x2f5];
										__eflags = _t203;
										if(_t203 == 0) {
											goto L103;
										}
										__eflags = _t255;
										if(_t255 == 0) {
											L46:
											_t257 = _t232[0x2f4];
											_v44 = _t203 - 1;
											L48:
											__eflags = _t257 - _t255;
											if(_t257 == _t255) {
												goto L103;
											} else {
												goto L49;
											}
											while(1) {
												L49:
												_v60 = _t257;
												_t205 = _t257;
												__eflags = _t257;
												if(_t257 == 0) {
													goto L38;
												}
												_t256 =  *((intOrPtr*)(_t205 + 8));
												__eflags =  *(_t256 + 0x24) & 0x00000001;
												_t257 =  *(_t257 + 4);
												if(( *(_t256 + 0x24) & 0x00000001) != 0) {
													L53:
													_v44 = _v44 - 1;
													__eflags = _t257;
													if(_t257 != 0) {
														L56:
														__eflags = _t257 - _v48;
														if(_t257 != _v48) {
															continue;
														}
														L57:
														_t206 = _v60;
														__eflags = _t206;
														if(_t206 == 0) {
															goto L103;
														}
														_v52 =  *((intOrPtr*)(_t206 + 8));
														_v60 = 1;
														L90:
														if(_v52 != _v56) {
															if(_v60 != 0 && _t232[0x344] == 0) {
																 *((intOrPtr*)( *_t232 + 0x258))(_v44);
															}
															_t283 =  *0x1c3f04; // 0x0
															if(_t283 != 0) {
																_t232[0x2e0] = _v44;
															}
															_t232[0x2df] = _v44;
															_v24.left = 0;
															_v24.top = 0;
															_v24.right = 0;
															_v24.bottom = 0;
															GetClientRect(_t232[8],  &_v24);
															_t257 = _v52 + 0x54;
															_t256 =  &_v40;
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															if(_v40.top >= _v24.top && _v40.bottom <= _v24.bottom) {
																_t181 = _v56;
																_t257 = InvalidateRect;
																if(_t181 != 0) {
																	InvalidateRect(_t232[8], _t181 + 0x54, 1);
																}
																InvalidateRect(_t232[8],  &_v40, 1);
																UpdateWindow(_t232[8]);
															}
															_t178 =  *((intOrPtr*)(_v52 + 0x20));
															if(_t178 != 0xffffffff) {
																_t255 =  *_t232;
																 *((intOrPtr*)( *_t232 + 0x414))(_t178);
															}
														}
														goto L103;
													}
													__eflags = _t232[0x342] - _t257;
													if(_t232[0x342] != _t257) {
														goto L22;
													}
													_t257 = _t232[0x2f4];
													_t209 = _t232[0x2f5] - 1;
													__eflags = _t209;
													_v44 = _t209;
													goto L56;
												}
												_t211 = IsRectEmpty(_t256 + 0x54);
												__eflags = _t211;
												if(_t211 != 0) {
													goto L53;
												}
												__eflags =  *((intOrPtr*)(_t256 + 0x20)) - 0xfffffffe;
												if( *((intOrPtr*)(_t256 + 0x20)) != 0xfffffffe) {
													goto L57;
												}
												goto L53;
											}
											goto L38;
										}
										_t257 =  *(_t255 + 4);
										__eflags = _t257;
										if(_t257 != 0) {
											_t64 =  &_v44;
											 *_t64 = _v44 - 1;
											__eflags =  *_t64;
											goto L48;
										}
										goto L46;
									}
									__eflags = _t235 - _t232[0x2f3];
									if(_t235 != _t232[0x2f3]) {
										goto L43;
									}
									__eflags = _t256 - 0x23;
									if(_t256 != 0x23) {
										goto L22;
									}
									goto L43;
								}
								_t235 =  *(_t235 + 8);
								_t202 =  *_t202;
								__eflags = _t235;
								if(_t235 == 0) {
									goto L38;
								}
								__eflags = _t235 - _t256;
								if(_t235 == _t256) {
									_v44 = _t255;
									L73:
									_t257 = E0006EA25(0x1bddfc, _t256);
									if(_t257 == 0) {
										goto L90;
									}
									_push(0);
									if( *((intOrPtr*)( *_t257 + 0xc8))() == 0) {
										__eflags =  *(_t256 + 0x24) & 0x00040000;
										_t248 = _t232;
										if(__eflags == 0) {
											_t216 =  *((intOrPtr*)( *_t232 + 0x3e4))(_t257);
											_v64 = _t216;
											__eflags = _t216;
											if(_t216 == 0) {
												goto L90;
											}
											goto L22;
										}
										_push(_t256);
										_push(0);
										goto L79;
									}
									_t257 =  *(_t257 + 0x8c);
									if(_t257 != 0) {
										SendMessageW( *(_t257 + 0x20), 0x100, 0x24, 0);
									}
									goto L90;
								}
								_t255 = _t255 + 1;
								__eflags = _t255;
							}
							goto L73;
						}
					}
					if(_t256 <= 0x22) {
						__eflags = _t232[0x342];
						if(_t232[0x342] == 0) {
							goto L103;
						}
						_t218 = _t232[0x343];
						__eflags = _t218;
						if(_t218 <= 0) {
							goto L103;
						}
						_t257 = _t232[0x2df];
						_t256 = 0;
						_t232[0x344] = 1;
						__eflags = _t218;
						if(_t218 <= 0) {
							L64:
							_t219 = _t232[0x2df];
							_t232[0x344] = _t232[0x344] & 0x00000000;
							__eflags = _t257 - _t219;
							if(_t257 != _t219) {
								_t255 =  *_t232;
								 *((intOrPtr*)( *_t232 + 0x258))(_t219);
							}
							goto L22;
						}
						__eflags = _a4 - 0x21;
						_t91 = _a4 != 0x21;
						__eflags = _t91;
						_v56 = (0 | _t91) + (0 | _t91) + 0x26;
						do {
							 *((intOrPtr*)( *_t232 + 0x3fc))(_v56);
							_t256 = _t256 + 1;
							__eflags = _t256 - _t232[0x343];
						} while (_t256 < _t232[0x343]);
						goto L64;
					}
					if(_t256 == 0x23) {
						goto L39;
					}
					if(_t256 == 0x24) {
						_t255 = 0;
						__eflags = 0;
						_v48 = 0;
						L19:
						__eflags = _t232[0x342];
						if(_t232[0x342] == 0) {
							L23:
							__eflags = _t232[0x2f5];
							_v64 = _t161;
							if(_t232[0x2f5] == 0) {
								goto L103;
							}
							__eflags = _t255;
							if(_t255 == 0) {
								L26:
								_t257 = _t232[0x2f3];
								_v44 = _v44 & 0x00000000;
								L28:
								__eflags = _t257 - _t255;
								if(_t257 == _t255) {
									goto L103;
								} else {
									goto L29;
								}
								while(1) {
									L29:
									_v60 = _t257;
									_t226 = _t257;
									__eflags = _t257;
									if(_t257 == 0) {
										goto L38;
									}
									_t256 =  *((intOrPtr*)(_t226 + 8));
									__eflags =  *(_t256 + 0x24) & 0x00000001;
									_t257 =  *_t257;
									if(( *(_t256 + 0x24) & 0x00000001) != 0) {
										L33:
										_v44 = _v44 + 1;
										__eflags = _t257;
										if(_t257 != 0) {
											L36:
											__eflags = _t257 - _v48;
											if(_t257 != _v48) {
												continue;
											}
											goto L57;
										}
										__eflags = _t232[0x342] - _t257;
										if(_t232[0x342] != _t257) {
											goto L22;
										}
										_t257 = _t232[0x2f3];
										_t53 =  &_v44;
										 *_t53 = _v44 & 0x00000000;
										__eflags =  *_t53;
										goto L36;
									}
									_t228 = IsRectEmpty(_t256 + 0x54);
									__eflags = _t228;
									if(_t228 != 0) {
										goto L33;
									}
									__eflags =  *((intOrPtr*)(_t256 + 0x20)) - 0xfffffffe;
									if( *((intOrPtr*)(_t256 + 0x20)) != 0xfffffffe) {
										goto L57;
									}
									goto L33;
								}
								goto L38;
							}
							_t257 =  *_t255;
							__eflags = _t257;
							if(_t257 != 0) {
								_t40 =  &_v44;
								 *_t40 = _v44 + 1;
								__eflags =  *_t40;
								goto L28;
							}
							goto L26;
						}
						__eflags = _t235 - _t232[0x2f4];
						if(_t235 != _t232[0x2f4]) {
							goto L23;
						}
						__eflags = _t256 - 0x24;
						if(_t256 == 0x24) {
							goto L23;
						}
						goto L22;
					}
					if(_t256 == 0x26) {
						goto L40;
					}
					if(_t256 == 0x28) {
						goto L19;
					}
					goto L13;
				}
			}

0x00086472
0x00086479
0x0008647e
0x00086480
0x00086486
0x00086489
0x0008648e
0x0008649c
0x000864a1
0x000864a4
0x000864a6
0x000864a8
0x000864a8
0x00086490
0x00086490
0x00086490
0x000864ab
0x000864b4
0x000864b8
0x000864bb
0x000864be
0x000864c4
0x000864c8
0x000864d2
0x000864d6
0x000864d6
0x000864da
0x000864da
0x000864dd
0x000864e2
0x000864e3
0x000864e8
0x0008684d
0x00086855
0x00086859
0x0008685b
0x00000000
0x00000000
0x00086865
0x0008686b
0x0008686d
0x00086883
0x00086899
0x000868a4
0x00000000
0x000868a4
0x00086875
0x0008687b
0x0008687d
0x00000000
0x00000000
0x00000000
0x000864ee
0x000864f1
0x00086518
0x0008651f
0x00086966
0x00086966
0x00000000
0x0008653b
0x0008653c
0x00086541
0x00086543
0x00086808
0x00086808
0x0008680f
0x00000000
0x00000000
0x00086815
0x0008681c
0x00000000
0x00000000
0x00086822
0x00086836
0x00086838
0x00000000
0x00000000
0x0008683e
0x00086840
0x00086843
0x000867e5
0x000867e5
0x0008659d
0x0008659f
0x00086969
0x00086977
0x00086977
0x0008654a
0x0008654f
0x0008655f
0x00086569
0x00000000
0x00000000
0x0008656f
0x00086572
0x00086578
0x0008657b
0x00086782
0x00086766
0x00086768
0x0008676a
0x00086625
0x00086625
0x0008662a
0x0008662a
0x0008662a
0x0008662c
0x0008662f
0x0008662f
0x00086636
0x00086649
0x00086649
0x0008664c
0x00086652
0x00086654
0x00000000
0x00000000
0x0008665a
0x0008665c
0x00086665
0x00086665
0x0008666c
0x00086674
0x00086674
0x00086676
0x00000000
0x00000000
0x00000000
0x00000000
0x0008667c
0x0008667c
0x0008667c
0x0008667f
0x00086681
0x00086683
0x00000000
0x00000000
0x00086685
0x00086688
0x0008668c
0x0008668f
0x000866a5
0x000866a5
0x000866a8
0x000866aa
0x000866c8
0x000866c8
0x000866cb
0x00000000
0x00000000
0x000866cd
0x000866cd
0x000866d0
0x000866d2
0x00000000
0x00000000
0x000866db
0x000866de
0x000868aa
0x000868b0
0x000868bb
0x000868cc
0x000868cc
0x000868d2
0x000868d8
0x000868dd
0x000868dd
0x000868e6
0x000868ee
0x000868f1
0x000868f4
0x000868f7
0x00086901
0x0008690a
0x0008690d
0x00086910
0x00086911
0x00086912
0x00086913
0x0008691a
0x00086924
0x00086927
0x0008692f
0x0008693a
0x0008693a
0x00086945
0x0008694a
0x0008694a
0x00086953
0x00086959
0x0008695b
0x00086960
0x00086960
0x00086959
0x00000000
0x000868b0
0x000866ac
0x000866b2
0x00000000
0x00000000
0x000866be
0x000866c4
0x000866c4
0x000866c5
0x00000000
0x000866c5
0x00086695
0x0008669b
0x0008669d
0x00000000
0x00000000
0x0008669f
0x000866a3
0x00000000
0x00000000
0x00000000
0x000866a3
0x00000000
0x0008667c
0x0008665e
0x00086661
0x00086663
0x00086671
0x00086671
0x00086671
0x00000000
0x00086671
0x00000000
0x00086663
0x00086638
0x0008663e
0x00000000
0x00000000
0x00086640
0x00086643
0x00000000
0x00000000
0x00000000
0x00086643
0x00086770
0x00086773
0x00086775
0x00086777
0x00000000
0x00000000
0x0008677d
0x0008677f
0x00086788
0x0008678b
0x00086796
0x0008679c
0x00000000
0x00000000
0x000867a4
0x000867b0
0x000867d7
0x000867de
0x000867e0
0x000867f2
0x000867f8
0x000867fb
0x000867fd
0x00000000
0x00000000
0x00000000
0x00086803
0x000867e2
0x000867e3
0x00000000
0x000867e3
0x000867b2
0x000867ba
0x000867cc
0x000867cc
0x00000000
0x000867ba
0x00086781
0x00086781
0x00086781
0x00000000
0x00086786
0x0008651f
0x000864f6
0x000866ea
0x000866f1
0x00000000
0x00000000
0x000866f7
0x000866fd
0x000866ff
0x00000000
0x00000000
0x00086705
0x0008670b
0x0008670d
0x00086717
0x00086719
0x00086741
0x00086741
0x00086747
0x0008674e
0x00086750
0x00086756
0x0008675b
0x0008675b
0x00000000
0x00086750
0x0008671d
0x00086721
0x00086721
0x00086728
0x0008672b
0x00086732
0x00086738
0x00086739
0x00086739
0x00000000
0x0008672b
0x000864ff
0x00000000
0x00000000
0x00086508
0x00086582
0x00086582
0x00086584
0x00086587
0x00086587
0x0008658e
0x000865a5
0x000865a5
0x000865ac
0x000865af
0x00000000
0x00000000
0x000865b5
0x000865b7
0x000865bf
0x000865bf
0x000865c5
0x000865ce
0x000865ce
0x000865d0
0x00000000
0x00000000
0x00000000
0x00000000
0x000865d6
0x000865d6
0x000865d6
0x000865d9
0x000865db
0x000865dd
0x00000000
0x00000000
0x000865df
0x000865e2
0x000865e6
0x000865e8
0x00086602
0x00086602
0x00086605
0x00086607
0x0008661b
0x0008661b
0x0008661e
0x00000000
0x00000000
0x00000000
0x00086620
0x00086609
0x0008660f
0x00000000
0x00000000
0x00086611
0x00086617
0x00086617
0x00086617
0x00000000
0x00086617
0x000865ee
0x000865f4
0x000865f6
0x00000000
0x00000000
0x000865f8
0x000865fc
0x00000000
0x00000000
0x00000000
0x000865fc
0x00000000
0x000865d6
0x000865b9
0x000865bb
0x000865bd
0x000865cb
0x000865cb
0x000865cb
0x00000000
0x000865cb
0x00000000
0x000865bd
0x00086590
0x00086596
0x00000000
0x00000000
0x00086598
0x0008659b
0x00000000
0x00000000
0x00000000
0x0008659b
0x0008650d
0x00000000
0x00000000
0x00086516
0x00000000
0x00000000
0x00000000
0x00086516

APIs

GetKeyState.USER32(00000010), ref: 000864C8
GetAsyncKeyState.USER32 ref: 00086527
IsRectEmpty.USER32 ref: 000865EE
IsRectEmpty.USER32 ref: 00086695
SendMessageW.USER32(?,00000100,00000024,00000000), ref: 000867CC
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 00086899
GetClientRect.USER32 ref: 00086901
InvalidateRect.USER32(?,?,00000001), ref: 0008693A
InvalidateRect.USER32(?,?,00000001), ref: 00086945
UpdateWindow.USER32 ref: 0008694A

Strings

!, xrefs: 0008671D

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$EmptyInvalidateMessageSendState$AsyncClientUpdateWindow
String ID: !
API String ID: 348497913-2657877971
Opcode ID: 9dd9f991253cc237c61c0286fda39a989a7eefe1bda0939052905a10dc887fe0
Instruction ID: 4b329168d87155dd4a5742fff05a694971dcdc6a4939cd336b6c37caa388e591
Opcode Fuzzy Hash: 9dd9f991253cc237c61c0286fda39a989a7eefe1bda0939052905a10dc887fe0
Instruction Fuzzy Hash: 5FE19231A00614DFDF61EF54C884BADB7F5BF48714F1A417AE889AB295DB32AC80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 000F81FD Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 269
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E000F81FD(void* __ecx, void* __edx, struct tagPOINT _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr* _a28, signed int _a32, RECT* _a36) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				long _v44;
				long _v48;
				long _v52;
				long _v56;
				RECT* _v60;
				signed int _v64;
				long _v68;
				long _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t137;
				intOrPtr _t140;
				intOrPtr _t141;
				void* _t142;
				long _t149;
				long _t162;
				long _t167;
				intOrPtr _t172;
				void* _t175;
				void* _t176;
				void* _t177;
				long _t181;
				long _t191;
				RECT* _t197;
				intOrPtr* _t207;
				void* _t208;
				void* _t233;
				long _t234;
				intOrPtr* _t235;
				signed int _t236;
				void* _t248;

				_t233 = __edx;
				_t208 = __ecx;
				_t137 =  *0x1c0454; // 0x885926af
				_v8 = _t137 ^ _t236;
				_v64 = _v64 | 0xffffffff;
				_t207 = _a28;
				_t235 = _a12;
				_v60 = _a36;
				_t140 = _a20;
				_t234 = 0;
				_v68 = 0;
				if(_t140 != 0) {
					L3:
					_t141 =  *((intOrPtr*)(_t140 + 0x1b8));
					if(_t141 != _t234 &&  *((intOrPtr*)(_t141 + 8)) != _t234 &&  *((intOrPtr*)(_t141 + 4)) != _t234) {
						_v68 = 1;
						_v64 =  *((intOrPtr*)(_t141 + 0x100));
					}
					L7:
					_v40.left = _t234;
					_v40.top = _t234;
					_v40.right = _t234;
					_v40.bottom = _t234;
					if(_t235 == _t234) {
						if(_v60 == _t234) {
							L35:
							_t142 = 0;
							L36:
							return E00150836(_t142, _t207, _v8 ^ _t236, _t233, _t234, _t235);
						}
						CopyRect( &_v40, _v60);
						L11:
						_v60 = _t234;
						_v72 = _t234;
						_t235 = E0006EA25(0x1bec6c, _t235);
						if(_t235 != _t234) {
							_t197 =  *((intOrPtr*)( *_t235 + 0x1a0))();
							_v60 = _t197;
							_v56 = _t234;
							_v52 = _t234;
							_v48 = _t234;
							_v44 = _t234;
							_v24.left = _t234;
							_v24.top = _t234;
							_v24.right = _t234;
							_v24.bottom = _t234;
							 *((intOrPtr*)( *_t235 + 0x32c))( &_v56,  &_v24);
							_v72 = _v24.bottom - _v24.top;
						}
						if(_a24 == _t234) {
							if(_v68 == _t234) {
								_t235 = _a16;
								_push(_a8);
								_t234 = PtInRect;
								_v24.left = _v40.left - _t235;
								_t149 = _v40.top;
								_v24.top = _t149 - _t235;
								_v24.bottom = _t149 + _v60 + _t235;
								_v24.right = _v40.right + _t235;
								if(PtInRect( &_v24, _a4.x) == 0) {
									L41:
									_push(_a8);
									_v24.right = _v40.left + _t235;
									_v24.bottom = _v40.bottom + _t235;
									if(PtInRect( &_v24, _a4.x) == 0) {
										L43:
										_push(_a8);
										_v24.left = _v40.left - _t235;
										_t162 = _v40.bottom;
										_v24.top = _t162 - _v72 - _t235;
										_v24.bottom = _t162 + _t235;
										_v24.right = _v40.right + _t235;
										if(PtInRect( &_v24, _a4.x) == 0) {
											L45:
											_t167 = _v40.right - _t235;
											goto L33;
										}
										_t172 = 0x8000;
										if((_a32 & 0x00008000) != 0) {
											goto L27;
										}
										goto L45;
									}
									_t172 = 0x1000;
									if((_a32 & 0x00001000) != 0) {
										goto L27;
									}
									goto L43;
								}
								_t172 = 0x2000;
								if((_a32 & 0x00002000) != 0) {
									goto L27;
								}
								goto L41;
							}
							_t175 = _v64 - 4;
							goto L16;
						} else {
							if(_v68 == _t234) {
								_t235 = _a16;
								_push(_a8);
								_t234 = PtInRect;
								_v24.left = _v40.left - _t235;
								_t181 = _v40.top;
								_v24.top = _t181 - _t235;
								_v24.bottom = _t181;
								_v24.right = _v40.right + _t235;
								if(PtInRect( &_v24, _a4.x) == 0) {
									L28:
									_push(_a8);
									_v24.right = _v40.left;
									_v24.bottom = _v40.bottom + _t235;
									if(PtInRect( &_v24, _a4.x) == 0) {
										L30:
										_push(_a8);
										_v24.left = _v40.left - _t235;
										_t191 = _v40.bottom;
										_v24.top = _t191;
										_v24.bottom = _t191 + _t235;
										_v24.right = _v40.right + _t235;
										if(PtInRect( &_v24, _a4.x) == 0) {
											L32:
											_t167 = _v40.right;
											L33:
											_push(_a8);
											_v24.left = _t167;
											_v24.top = _v40.top - _t235;
											if(PtInRect( &_v24, _a4) == 0) {
												goto L35;
											}
											_t172 = 0x4000;
											if((_a32 & 0x00004000) != 0) {
												L27:
												 *_t207 = _t172;
												L24:
												_t142 = 1;
												goto L36;
											}
											goto L35;
										}
										_t172 = 0x8000;
										if((_a32 & 0x00008000) != 0) {
											goto L27;
										}
										goto L32;
									}
									_t172 = 0x1000;
									if((_a32 & 0x00001000) != 0) {
										goto L27;
									}
									goto L30;
								}
								_t172 = 0x2000;
								if((_a32 & 0x00002000) == 0) {
									goto L28;
								}
								goto L27;
							}
							_t175 = _v64 - _t234;
							_t248 = _t175;
							L16:
							if(_t248 == 0) {
								 *_t207 = 0x1000;
								goto L24;
							}
							_t176 = _t175 - 1;
							if(_t176 == 0) {
								 *_t207 = 0x4000;
								goto L24;
							}
							_t177 = _t176 - 1;
							if(_t177 == 0) {
								 *_t207 = 0x2000;
								goto L24;
							}
							if(_t177 != 1) {
								goto L35;
							}
							 *_t207 = 0x8000;
							goto L24;
						}
					}
					GetWindowRect( *(_t235 + 0x20),  &_v40);
					goto L11;
				}
				if(_t235 == 0) {
					goto L7;
				}
				_t140 = E000F7EDC(0x1bea58, _t233, E0005F82E(_t207, _t208, _t233, GetParent( *(_t235 + 0x20))));
				if(_t140 == 0) {
					goto L7;
				}
				goto L3;
			}

0x000f81fd
0x000f81fd
0x000f8205
0x000f820c
0x000f8212
0x000f8217
0x000f821b
0x000f821f
0x000f8222
0x000f8225
0x000f8227
0x000f822c
0x000f8250
0x000f8250
0x000f8258
0x000f826a
0x000f8271
0x000f8271
0x000f8274
0x000f8274
0x000f8277
0x000f827a
0x000f827d
0x000f8282
0x000f8296
0x000f8417
0x000f8417
0x000f8419
0x000f8427
0x000f8427
0x000f82a3
0x000f82a9
0x000f82af
0x000f82b2
0x000f82ba
0x000f82c0
0x000f82c6
0x000f82d3
0x000f82db
0x000f82de
0x000f82e1
0x000f82e4
0x000f82e7
0x000f82ea
0x000f82ed
0x000f82f0
0x000f82f3
0x000f82ff
0x000f82ff
0x000f8305
0x000f842d
0x000f843a
0x000f8440
0x000f8443
0x000f844e
0x000f8451
0x000f845d
0x000f8463
0x000f846c
0x000f8473
0x000f8483
0x000f8486
0x000f848e
0x000f8496
0x000f84a1
0x000f84b1
0x000f84b4
0x000f84bc
0x000f84bf
0x000f84cb
0x000f84d1
0x000f84da
0x000f84e1
0x000f84f1
0x000f84f4
0x00000000
0x000f84f4
0x000f84e3
0x000f84eb
0x00000000
0x00000000
0x00000000
0x000f84eb
0x000f84a3
0x000f84ab
0x00000000
0x00000000
0x00000000
0x000f84ab
0x000f8475
0x000f847d
0x00000000
0x00000000
0x00000000
0x000f847d
0x000f8432
0x00000000
0x000f830b
0x000f830e
0x000f834a
0x000f8350
0x000f8353
0x000f835e
0x000f8361
0x000f8368
0x000f836e
0x000f8377
0x000f837e
0x000f838e
0x000f8391
0x000f8394
0x000f839f
0x000f83aa
0x000f83b6
0x000f83b9
0x000f83c4
0x000f83c7
0x000f83ca
0x000f83cf
0x000f83d8
0x000f83df
0x000f83eb
0x000f83eb
0x000f83ee
0x000f83ee
0x000f83f1
0x000f83fc
0x000f8407
0x00000000
0x00000000
0x000f8409
0x000f8411
0x000f838a
0x000f838a
0x000f8342
0x000f8344
0x00000000
0x000f8344
0x00000000
0x000f8411
0x000f83e1
0x000f83e9
0x00000000
0x00000000
0x00000000
0x000f83e9
0x000f83ac
0x000f83b4
0x00000000
0x00000000
0x00000000
0x000f83b4
0x000f8380
0x000f8388
0x00000000
0x00000000
0x00000000
0x000f8388
0x000f8313
0x000f8313
0x000f8315
0x000f8315
0x000f833c
0x00000000
0x000f833c
0x000f8317
0x000f8318
0x000f8334
0x00000000
0x000f8334
0x000f831a
0x000f831b
0x000f832c
0x00000000
0x000f832c
0x000f831e
0x00000000
0x00000000
0x000f8324
0x00000000
0x000f8324
0x000f8305
0x000f828b
0x00000000
0x000f828b
0x000f8230
0x00000000
0x00000000
0x000f8247
0x000f824e
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 000F8235
GetWindowRect.USER32(?,?), ref: 000F828B
CopyRect.USER32(?,?), ref: 000F82A3
PtInRect.USER32(?,001BD608,?), ref: 000F837A
PtInRect.USER32(?,001BD608,?), ref: 000F83A6
PtInRect.USER32(?,001BD608,?), ref: 000F83DB
PtInRect.USER32(?,001BD608,?), ref: 000F8403
PtInRect.USER32(?,001BD608,?), ref: 000F846F
PtInRect.USER32(?,001BD608,?), ref: 000F849D
PtInRect.USER32(?,001BD608,?), ref: 000F84DD

Strings

, xrefs: 000F81FF

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$CopyParentWindow
String ID:
API String ID: 642869531-2974417871
Opcode ID: 8344ee40af23ce257c3db5883817ee0c99929b39921e27cb2c82c4461c13c54f
Instruction ID: 03bb86f9384757f12e8a558d1f4894e9e578f5f2b144c0a3ca131c378378b6a3
Opcode Fuzzy Hash: 8344ee40af23ce257c3db5883817ee0c99929b39921e27cb2c82c4461c13c54f
Instruction Fuzzy Hash: 40B1D171D0021E9BCF51CFA9C984AEEBBF4BF48740F14816AEA15E7250EB35AA40DF51

Uniqueness

Uniqueness Score: -1.00%

Function 000E9A19 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E000E9A19(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t53;
				void* _t65;
				signed int* _t73;
				unsigned int _t87;
				signed int _t91;
				signed int _t93;
				void* _t94;
				signed int _t100;
				void* _t103;
				signed int _t109;
				void* _t110;

				_t94 = __edx;
				_push(0x4c);
				E00151A19(0x16ed9d, __ebx, __edi, __esi);
				if( *(_t110 + 8) != 0) {
					if(GetObjectW( *(_t110 + 8), 0x18, _t110 - 0x58) == 0 ||  *((intOrPtr*)(_t110 - 0x44)) == 0) {
						goto L1;
					} else {
						 *(_t110 - 0x1c) =  *(_t110 - 0x50);
						 *(_t110 - 0x10) = 0;
						 *(_t110 - 0x20) =  *(_t110 - 0x54);
						 *(_t110 - 0x14) = E000E9034(_t110 - 0x20, _t110 - 0x10);
						 *(_t110 - 0x18) = E00155F20(_t94,  *(_t110 - 0x50));
						if( *(_t110 - 0x14) != 0) {
							_t61 =  *(_t110 - 0x54) *  *(_t110 - 0x18);
							 *(_t110 - 0x1c) =  *(_t110 - 0x54) *  *(_t110 - 0x18);
							if( *((short*)(_t110 - 0x46)) != 0x20) {
								E00065EC1(_t110 - 0x40);
								 *(_t110 - 4) = 0;
								E000664F6(0, _t110 - 0x40, _t94, CreateCompatibleDC, CreateCompatibleDC(0));
								_t65 = SelectObject( *(_t110 - 0x3c),  *(_t110 + 8));
								 *(_t110 + 8) = _t65;
								if(_t65 != 0) {
									E00065EC1(_t110 - 0x30);
									 *(_t110 - 4) = 1;
									E000664F6(0, _t110 - 0x30, _t94, CreateCompatibleDC, CreateCompatibleDC(0));
									_t103 = SelectObject( *(_t110 - 0x2c),  *(_t110 - 0x14));
									BitBlt( *(_t110 - 0x2c), 0, 0,  *(_t110 - 0x54),  *(_t110 - 0x18),  *(_t110 - 0x3c), 0, 0, 0xcc0020);
									if(_t103 != 0) {
										SelectObject( *(_t110 - 0x2c), _t103);
									}
									SelectObject( *(_t110 - 0x3c),  *(_t110 + 8));
									_t87 =  *(_t110 + 0xc);
									_t73 =  *(_t110 - 0x10);
									if(_t87 != 0xffffffff) {
										_t109 =  *(_t110 - 0x1c);
										_t100 = (_t87 >> 0x00000008 & 0x000000ff | (_t87 & 0x000000ff) << 0x00000008) << 0x00000008 | _t87 >> 0x00000010 & 0x000000ff;
										if(_t109 > 0) {
											do {
												_t91 =  *_t73;
												if(_t91 == _t100) {
													 *_t73 = 0;
												} else {
													 *_t73 = _t91 | 0xff000000;
												}
												_t73 =  &(_t73[1]);
												_t109 = _t109 - 1;
											} while (_t109 != 0);
										}
									} else {
										_t93 =  *(_t110 - 0x1c);
										if(_t93 > 0) {
											do {
												 *_t73 =  *_t73 | 0xff000000;
												_t73 =  &(_t73[1]);
												_t93 = _t93 - 1;
											} while (_t93 != 0);
										}
									}
									 *(_t110 - 4) = 0;
									E00066577(_t110 - 0x30);
								}
								 *(_t110 - 4) =  *(_t110 - 4) | 0xffffffff;
								E00066577(_t110 - 0x40);
							} else {
								E00155F30( *(_t110 - 0x10),  *((intOrPtr*)(_t110 - 0x44)), _t61 << 2);
							}
						}
						_t53 =  *(_t110 - 0x14);
					}
				} else {
					L1:
					_t53 = 0;
				}
				return E00151AF1(_t53);
			}

0x000e9a19
0x000e9a19
0x000e9a20
0x000e9a2a
0x000e9a44
0x00000000
0x000e9a4b
0x000e9a53
0x000e9a5e
0x000e9a61
0x000e9a6a
0x000e9a73
0x000e9a79
0x000e9a82
0x000e9a8b
0x000e9a8e
0x000e9aaa
0x000e9ab6
0x000e9abf
0x000e9ad0
0x000e9ad2
0x000e9ad7
0x000e9ae0
0x000e9ae6
0x000e9af0
0x000e9b07
0x000e9b14
0x000e9b1c
0x000e9b22
0x000e9b22
0x000e9b2a
0x000e9b2c
0x000e9b2f
0x000e9b35
0x000e9b5c
0x000e9b68
0x000e9b6c
0x000e9b6e
0x000e9b6e
0x000e9b72
0x000e9b7e
0x000e9b74
0x000e9b7a
0x000e9b7a
0x000e9b80
0x000e9b83
0x000e9b83
0x000e9b6e
0x000e9b37
0x000e9b37
0x000e9b3c
0x000e9b3e
0x000e9b3e
0x000e9b44
0x000e9b47
0x000e9b47
0x000e9b4a
0x000e9b3c
0x000e9b89
0x000e9b8c
0x000e9b8c
0x000e9b91
0x000e9b98
0x000e9a90
0x000e9a9a
0x000e9a9f
0x000e9a8e
0x000e9b9d
0x000e9b9d
0x000e9a2c
0x000e9a2c
0x000e9a2c
0x000e9a2c
0x000e9ba5

APIs

__EH_prolog3.LIBCMT ref: 000E9A20
GetObjectW.GDI32(?,00000018,00184484), ref: 000E9A3C
_memmove.LIBCMT ref: 000E9A9A

Strings

, xrefs: 000E9A86

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: H_prolog3Object_memmove
String ID:
API String ID: 107514201-3916222277
Opcode ID: 158e851b264405c05b78b0724147fc27774ea8ff786089162327bebd1492590c
Instruction ID: 8cb2a53b0f8e48c97b8175fb8a4c6f9eb2f72a5339facd856097cf9c5989f4ee
Opcode Fuzzy Hash: 158e851b264405c05b78b0724147fc27774ea8ff786089162327bebd1492590c
Instruction Fuzzy Hash: F0414671C10159AFCF25DFA5ED818EEBBBAEF54310F50802AE512B72A1DB315E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00084B95 Relevance: 18.3, APIs: 12, Instructions: 257
timewindowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00084B95(RECT* __ecx, long __edx, signed short _a4) {
				signed int _v8;
				struct tagPOINT _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t72;
				RECT* _t74;
				RECT* _t76;
				RECT* _t77;
				int _t82;
				RECT* _t91;
				RECT* _t92;
				RECT* _t93;
				RECT* _t97;
				RECT* _t101;
				intOrPtr _t103;
				RECT* _t108;
				RECT* _t109;
				void* _t115;
				RECT* _t116;
				RECT* _t117;
				RECT* _t118;
				RECT* _t119;
				signed short _t124;
				signed int _t126;
				RECT* _t127;
				RECT* _t131;
				RECT* _t137;
				RECT* _t138;
				RECT* _t139;
				RECT* _t141;

				_t136 = __edx;
				_t120 = __ecx;
				_t141 = __ecx;
				_t118 = 0;
				if(__ecx != 0) {
					_t72 =  *(__ecx + 0x20);
				} else {
					_t72 = 0;
				}
				if(IsWindow(_t72) != 0) {
					L5:
					if(_a4 != 0xffffffff) {
						L8:
						_t138 =  *(_t141 + 0xbcc);
						while(1) {
							__eflags = _t138;
							if(_t138 == 0) {
								break;
							}
							_t74 = _t138;
							__eflags = _t138;
							if(_t138 == 0) {
								goto L4;
							}
							_t138 = _t138->left;
							_t116 = E0006EA25(0x1bddfc, _t74->right);
							_pop(_t120);
							_v16.y = _t116;
							__eflags = _t116;
							if(_t116 == 0) {
								continue;
							}
							_t136 = _t116->left;
							_t120 = _t116;
							_t117 =  *((intOrPtr*)(_t116->left + 0x70))();
							__eflags = _t117;
							if(_t117 != 0) {
								_t118 = _v16.y;
								break;
							}
						}
						_v8 = _v8 & 0x00000000;
						__eflags = _a4;
						if(__eflags < 0) {
							L18:
							_t140 = GetParent;
							__eflags = _v8 - _t118;
							if(_v8 == _t118) {
								_t136 = 0;
								__eflags = _v8;
								if(_v8 != 0) {
									_t120 =  *(_t141 + 0xd38);
									__eflags = _v8 - _t120;
									if(_v8 == _t120) {
										 *((intOrPtr*)(_t120 + 0xa4)) = 0;
										 *(_t141 + 0xd38) = 0;
										KillTimer( *(_t141 + 0x20), 2);
									}
								}
								L40:
								__eflags =  *(_t141 + 0xd08);
								_t76 = _a4;
								 *(_t141 + 0xb84) = _t76;
								if( *(_t141 + 0xd08) != 0) {
									_t76 = E0006EA25(0x1bcffc, E0005F82E(_t118, _t120, _t136, GetParent( *(_t141 + 0x20))));
									_pop(_t120);
									__eflags = _t76;
									if(_t76 != 0) {
										_t136 = _t76->left;
										_t120 = _t76;
										_t76 =  *((intOrPtr*)(_t76->left + 0x1fc))( *(_t141 + 0xb84));
									}
								}
								__eflags =  *0x1c48c4;
								if( *0x1c48c4 == 0) {
									L61:
									return _t76;
								} else {
									_t77 =  *0x1c564c; // 0x0
									__eflags = _t77;
									if(_t77 == 0) {
										_t120 = _t141;
										_t77 = E00060DD3(_t141);
									}
									_t119 = _t77;
									__eflags = _t119;
									if(_t119 == 0) {
										_t119 = E0005C4D8();
									}
									_t76 = E0006EA25(0x1bcffc, E0005F82E(_t119, _t120, _t136, GetParent( *(_t141 + 0x20))));
									__eflags = _t76;
									if(_t76 != 0) {
										_t127 =  *(_t76 + 0x124);
										__eflags = _t127;
										if(_t127 != 0) {
											_t119 = _t127;
										}
									}
									__eflags = _t119;
									if(_t119 == 0) {
										goto L61;
									} else {
										__eflags = _t76;
										if(_t76 == 0) {
											goto L61;
										}
										_t137 = _v8;
										_t124 = 0;
										_t142 = 0x80;
										__eflags = _t137;
										if(_t137 != 0) {
											_t126 =  *(_t137 + 0x24);
											__eflags = _t126 & 0x00040000;
											if((_t126 & 0x00040000) != 0) {
												_t142 = 0x82;
												__eflags = 0x80;
											}
											__eflags = _t126 & 0x00010000;
											if((_t126 & 0x00010000) != 0) {
												_t142 = _t142 | 0x00000008;
												__eflags = _t142;
											}
											_t124 =  *(_t137 + 0x20);
											__eflags = _t124 - 0xffffffff;
											if(_t124 == 0xffffffff) {
												_t124 = _a4;
												_t142 = _t142 | 0x00000010;
												__eflags = _t142;
											}
										}
										_t82 = (_t142 & 0x0000ffff) << 0x00000010 | _t124 & 0x0000ffff;
										__eflags = _t82;
										return SendMessageW( *(_t119 + 0x20), 0x11f, _t82,  *(_t76 + 0xea8));
									}
								}
							}
							_v16.y = E0006EA25(0x1bcffc, E0005F82E(_t118, _t120, _t136, GetParent( *(_t141 + 0x20))));
							__eflags = _t118;
							if(__eflags == 0) {
								L28:
								_t131 = _v8;
								__eflags = _t131;
								if(_t131 == 0) {
									L32:
									_t120 = _v16.y;
									__eflags = _v16.y;
									if(_v16.y != 0) {
										_t91 = E0007ED49(_t118, _t120, _t136);
										__eflags = _t91;
										if(_t91 != 0) {
											_t118 = _v16.y;
											_t92 = E0007ED49(_t118, _t118, _t136);
											_t136 = _t92->left;
											_t120 = _t92;
											_t93 =  *((intOrPtr*)(_t92->left + 0x1c0))();
											__eflags = _t93;
											if(_t93 != 0) {
												_t120 =  *(_t93 + 0xd38);
												__eflags =  *(_t93 + 0xd38) -  *((intOrPtr*)(_t118 + 0x148));
												if( *(_t93 + 0xd38) ==  *((intOrPtr*)(_t118 + 0x148))) {
													_t136 = _t93->left;
													_t120 = _t93;
													 *((intOrPtr*)(_t93->left + 0x440))();
												}
											}
										}
									}
									goto L40;
								}
								__eflags =  *((intOrPtr*)(_t131 + 0x20)) - 0xffffffff;
								if( *((intOrPtr*)(_t131 + 0x20)) == 0xffffffff) {
									L31:
									 *((intOrPtr*)(_t131->left + 0x20))(_t141, 1);
									goto L32;
								}
								__eflags =  *(_t131 + 0x90);
								if( *(_t131 + 0x90) == 0) {
									goto L32;
								}
								goto L31;
							}
							_t97 = E0005F74A(_t118, GetParent, __eflags);
							__eflags =  *0x1c3f04;
							if( *0x1c3f04 != 0) {
								L24:
								KillTimer( *(_t141 + 0x20), 2);
								 *(_t141 + 0xd38) =  *(_t141 + 0xd38) & 0x00000000;
								 *((intOrPtr*)(_t118->left + 0x58))();
								__eflags = _v16.y;
								if(_v16.y != 0) {
									_t101 =  *0x1c564c; // 0x0
									__eflags = _t101;
									if(__eflags == 0) {
										_t101 = E00060DD3(_t141);
									}
									_push(_v16.y);
									_push(_t101);
									E0008032A(_t118, _t136, _t140, _t141, __eflags);
								}
								goto L28;
							}
							__eflags = _t97;
							if(_t97 == 0) {
								L23:
								 *(_t141 + 0xd38) = _t118;
								 *(_t118 + 0xa4) = 1;
								_t103 =  *0x1bd084; // 0xffffffff
								SetTimer( *(_t141 + 0x20), 2, _t103 - 1, 0);
								InvalidateRect( *(_t141 + 0x20), _t118, 1);
								UpdateWindow( *(_t141 + 0x20));
								goto L28;
							}
							__eflags = _t97->top - 0x100;
							if(_t97->top == 0x100) {
								goto L24;
							}
							goto L23;
						}
						_t120 = _t141;
						_t108 = E00074F8E(_t141, __eflags, _a4);
						__eflags = _t108;
						if(_t108 == 0) {
							goto L4;
						} else {
							_t109 = E0006EA25(0x1bddfc, _t108);
							_pop(_t120);
							_v8 = _t109;
							goto L18;
						}
					} else {
						_v16.x = _t118;
						_v16.y = _t118;
						GetCursorPos( &_v16);
						ScreenToClient( *(_t141 + 0x20),  &_v16);
						_t139 =  *(_t141 + 0xb84);
						_t120 = _t141;
						_t115 =  *((intOrPtr*)(_t141->left + 0x390))(_v16.x, _v16.y);
						if(_t115 != _t139) {
							goto L8;
						} else {
							 *(_t141 + 0xb7c) = _t139;
							return _t115;
						}
					}
				} else {
					L4:
					E000655E0(_t120);
					goto L5;
				}
			}

0x00084b95
0x00084b95
0x00084b9f
0x00084ba1
0x00084ba6
0x00084bac
0x00084ba8
0x00084ba8
0x00084ba8
0x00084bb8
0x00084bbf
0x00084bc3
0x00084c07
0x00084c07
0x00084c38
0x00084c38
0x00084c3a
0x00084c3c
0x00084c3c
0x00084c0f
0x00084c11
0x00084c13
0x00000000
0x00000000
0x00084c18
0x00084c1f
0x00084c25
0x00084c26
0x00084c29
0x00084c2b
0x00000000
0x00000000
0x00084c2d
0x00084c2f
0x00084c31
0x00084c34
0x00084c36
0x00084c3e
0x00000000
0x00084c3e
0x00084c36
0x00084c41
0x00084c45
0x00084c49
0x00084c6d
0x00084c6d
0x00084c73
0x00084c76
0x00084d90
0x00084d92
0x00084d95
0x00084d97
0x00084d9d
0x00084da0
0x00084da2
0x00084dad
0x00084db3
0x00084db3
0x00084da0
0x00084db9
0x00084db9
0x00084dc0
0x00084dc3
0x00084dc9
0x00084ddc
0x00084de2
0x00084de3
0x00084de5
0x00084ded
0x00084def
0x00084df1
0x00084df1
0x00084de5
0x00084df7
0x00084dfe
0x00084eaa
0x00084eaa
0x00084e04
0x00084e04
0x00084e09
0x00084e0b
0x00084e0d
0x00084e0f
0x00084e0f
0x00084e14
0x00084e16
0x00084e18
0x00084e1f
0x00084e1f
0x00084e32
0x00084e39
0x00084e3b
0x00084e3d
0x00084e43
0x00084e45
0x00084e47
0x00084e47
0x00084e45
0x00084e49
0x00084e4b
0x00000000
0x00084e4d
0x00084e4d
0x00084e4f
0x00000000
0x00000000
0x00084e51
0x00084e54
0x00084e56
0x00084e5b
0x00084e5d
0x00084e5f
0x00084e62
0x00084e68
0x00084e6a
0x00084e6a
0x00084e6a
0x00084e6d
0x00084e73
0x00084e75
0x00084e75
0x00084e75
0x00084e78
0x00084e7b
0x00084e7e
0x00084e80
0x00084e83
0x00084e83
0x00084e83
0x00084e7e
0x00084e95
0x00084e95
0x00000000
0x00084ea0
0x00084e4b
0x00084dfe
0x00084c94
0x00084c97
0x00084c99
0x00084d30
0x00084d30
0x00084d33
0x00084d35
0x00084d4e
0x00084d4e
0x00084d51
0x00084d53
0x00084d55
0x00084d5a
0x00084d5c
0x00084d5e
0x00084d63
0x00084d68
0x00084d6a
0x00084d6c
0x00084d72
0x00084d74
0x00084d76
0x00084d7c
0x00084d82
0x00084d84
0x00084d86
0x00084d88
0x00084d88
0x00084d82
0x00084d74
0x00084d5c
0x00000000
0x00084d53
0x00084d37
0x00084d3b
0x00084d46
0x00084d4b
0x00000000
0x00084d4b
0x00084d3d
0x00084d44
0x00000000
0x00000000
0x00000000
0x00084d44
0x00084c9f
0x00084ca4
0x00084cab
0x00084cf8
0x00084cfd
0x00084d03
0x00084d0e
0x00084d11
0x00084d15
0x00084d17
0x00084d1c
0x00084d1e
0x00084d22
0x00084d22
0x00084d27
0x00084d2a
0x00084d2b
0x00084d2b
0x00000000
0x00084d15
0x00084cad
0x00084caf
0x00084cba
0x00084cba
0x00084cc0
0x00084cca
0x00084cd8
0x00084ce7
0x00084cf0
0x00000000
0x00084cf0
0x00084cb1
0x00084cb8
0x00000000
0x00000000
0x00000000
0x00084cb8
0x00084c4e
0x00084c50
0x00084c55
0x00084c57
0x00000000
0x00084c5d
0x00084c63
0x00084c69
0x00084c6a
0x00000000
0x00084c6a
0x00084bc5
0x00084bc9
0x00084bcc
0x00084bcf
0x00084bdc
0x00084bea
0x00084bf0
0x00084bf2
0x00084bfa
0x00000000
0x00084bfc
0x00084bfc
0x00000000
0x00084bfc
0x00084bfa
0x00084bba
0x00084bba
0x00084bba
0x00000000
0x00084bba

APIs

IsWindow.USER32(?), ref: 00084BB0
GetCursorPos.USER32(?), ref: 00084BCF
ScreenToClient.USER32(?,?), ref: 00084BDC
GetParent.USER32(?), ref: 00084C7F
SetTimer.USER32(?,00000002,FFFFFFFE,00000000), ref: 00084CD8
InvalidateRect.USER32(?,000000AB,00000001), ref: 00084CE7
UpdateWindow.USER32 ref: 00084CF0
KillTimer.USER32 ref: 00084CFD
KillTimer.USER32 ref: 00084DB3
GetParent.USER32(?), ref: 00084DCE
GetParent.USER32(?), ref: 00084E24
SendMessageW.USER32(?,0000011F,00000000,?), ref: 00084EA0

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ParentTimer$KillWindow$ClientCursorInvalidateMessageRectScreenSendUpdate
String ID:
API String ID: 2010726786-0
Opcode ID: b7f1f30e47fa7f729c91227f0f3fea775822c9963071b5dc98984c70c65f2710
Instruction ID: 620e22de50a62f75718f465d80e06419fbede9cc89276bb8a64d7dac1c0a86c0
Opcode Fuzzy Hash: b7f1f30e47fa7f729c91227f0f3fea775822c9963071b5dc98984c70c65f2710
Instruction Fuzzy Hash: 3591A231600702DFDB64AFA0D848BAA7BF6FF44315F14456DE58A9B2A1DB70ED80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0008772D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0008772D(void* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				short _v528;
				char _v1048;
				char _v1560;
				char _v2072;
				WCHAR* _v2076;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				long _t48;
				WCHAR* _t51;
				intOrPtr _t66;
				intOrPtr _t69;
				intOrPtr _t77;
				intOrPtr _t79;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				signed int _t102;
				void* _t103;

				_t92 = __edx;
				_t85 = __ecx;
				_t100 = _t102;
				_t103 = _t102 - 0x818;
				_t42 =  *0x1c0454; // 0x885926af
				_v8 = _t42 ^ _t102;
				_push(_t82);
				_push(_t93);
				_t97 = __ecx;
				_t83 = E0006B628(_t82, _t93, __ecx, __eflags);
				 *(_t83 + 8) =  *(_t97 + 0x44);
				 *(_t83 + 0xc) =  *(_t97 + 0x44);
				_t48 = GetModuleFileNameW( *(_t97 + 0x44),  &_v528, 0x104);
				if(_t48 == 0 || _t48 == 0x104) {
					E00065E60(_t85);
				}
				_t51 = PathFindExtensionW( &_v528);
				_v2076 = _t51;
				if(_t51 == 0) {
					E00065E60(_t85);
				}
				_t86 = _v2076;
				 *_v2076 = 0;
				if(E000876E7( &_v528,  &_v1048, 0x104) != 0) {
					E00065E60(_t86);
				}
				if( *((intOrPtr*)(_t97 + 0x64)) == 0) {
					_t79 = E00154353( &_v1048);
					_pop(_t86);
					 *((intOrPtr*)(_t97 + 0x64)) = _t79;
					if(_t79 == 0) {
						L10:
						E000655A8(_t86);
					}
				}
				if( *((intOrPtr*)(_t97 + 0x50)) == 0) {
					if(E0006A0EE(_t83, _t86, 0x104, _t97, 0xe000,  &_v2072, 0x100) == 0) {
						_push( *((intOrPtr*)(_t97 + 0x64)));
					} else {
						_push( &_v2072);
					}
					_t69 = E00154353();
					 *((intOrPtr*)(_t97 + 0x50)) = _t69;
					_pop(_t86);
					if(_t69 == 0) {
						goto L10;
					}
				}
				if( *((intOrPtr*)(_t97 + 0x54)) == 0) {
					if(E0006A0EE(_t83, _t86, 0x104, _t97, 0xe006,  &_v1560, 0x100) == 0) {
						 *((intOrPtr*)(_t97 + 0x54)) = 0x1a18c0;
					} else {
						_t66 = E00154353( &_v1560);
						_pop(_t86);
						 *((intOrPtr*)(_t97 + 0x54)) = _t66;
					}
					if( *((intOrPtr*)(_t97 + 0x54)) == 0) {
						goto L10;
					}
				}
				_t56 =  *((intOrPtr*)(_t97 + 0x50));
				 *((intOrPtr*)(_t83 + 0x10)) =  *((intOrPtr*)(_t97 + 0x50));
				if( *((intOrPtr*)(_t97 + 0x68)) == 0) {
					_t91 = 0x104 - (_v2076 -  &_v528 >> 1);
					if( *((intOrPtr*)(_t97 + 0x70)) != 1) {
						_push(L".HLP");
					} else {
						_push(L".CHM");
					}
					_push(_t91);
					_push(_v2076);
					_push(E00150E8C());
					E00053DF0();
					_t103 = _t103 + 0x10;
					_t77 = E00154353( &_v528);
					_pop(_t86);
					 *((intOrPtr*)(_t97 + 0x68)) = _t77;
					if(_t77 == 0) {
						goto L10;
					} else {
						_t86 = _v2076;
						_t56 = 0;
						 *_v2076 = 0;
					}
				}
				if( *((intOrPtr*)(_t97 + 0x6c)) == 0) {
					_push(E001542DE( &_v1048, 0x104, L".INI"));
					E00053DF0();
					_t56 = E00154353( &_v1048);
					_t103 = _t103 + 0x14;
					 *((intOrPtr*)(_t97 + 0x6c)) = _t56;
					if(_t56 == 0) {
						goto L10;
					}
				}
				_pop(_t95);
				_pop(_t98);
				_pop(_t84);
				return E00150836(_t56, _t84, _v8 ^ _t100, _t92, _t95, _t98);
			}

0x0008772d
0x0008772d
0x00087730
0x00087732
0x00087738
0x0008773f
0x00087742
0x00087744
0x00087745
0x0008774c
0x00087751
0x00087757
0x0008776a
0x00087772
0x00087778
0x00087778
0x00087784
0x0008778a
0x00087792
0x00087794
0x00087794
0x00087799
0x000877a1
0x000877ba
0x000877bc
0x000877bc
0x000877c5
0x000877ce
0x000877d3
0x000877d4
0x000877d9
0x000877db
0x000877db
0x000877db
0x000877d9
0x000877e4
0x000877fe
0x00087809
0x00087800
0x00087806
0x00087806
0x0008780c
0x00087811
0x00087814
0x00087817
0x00000000
0x00000000
0x00087817
0x0008781d
0x00087837
0x0008784b
0x00087839
0x00087840
0x00087845
0x00087846
0x00087846
0x00087856
0x00000000
0x00000000
0x00087856
0x00087858
0x0008785b
0x00087862
0x00087876
0x0008787c
0x00087885
0x0008787e
0x0008787e
0x0008787e
0x0008788a
0x0008788b
0x00087896
0x00087897
0x000878a2
0x000878a6
0x000878ab
0x000878ac
0x000878b1
0x00000000
0x000878b7
0x000878b7
0x000878bd
0x000878bf
0x000878bf
0x000878b1
0x000878c6
0x000878da
0x000878db
0x000878e7
0x000878ec
0x000878ef
0x000878f4
0x00000000
0x00000000
0x000878f4
0x000878fd
0x000878fe
0x00087901
0x00087908

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 0008776A
PathFindExtensionW.SHLWAPI(?), ref: 00087784
__wcsdup.LIBCMT ref: 000877CE
__wcsdup.LIBCMT ref: 0008780C
__wcsdup.LIBCMT ref: 00087840
__wcsdup.LIBCMT ref: 000878A6
__wcsdup.LIBCMT ref: 000878E7

Strings

.HLP, xrefs: 00087885
.INI, xrefs: 000878C8
.CHM, xrefs: 0008787E

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2477486372-4017452060
Opcode ID: 7d38b5adac543df9b3cf1a8032604f0771d332bb5a8472f228e5d8aa2c2fa7c5
Instruction ID: 73f25bcea81bb9ee1d16bb84c907c45770cea1a4eb90568ebf651e32d2e4424d
Opcode Fuzzy Hash: 7d38b5adac543df9b3cf1a8032604f0771d332bb5a8472f228e5d8aa2c2fa7c5
Instruction Fuzzy Hash: 3951A071904719DBDB60EB64CC49BDA73FCBF04304F2048A9E59AD6186EF74DA84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008269F Relevance: 16.7, APIs: 11, Instructions: 192
timeCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0008269F(intOrPtr* __ecx, void* __fp0, signed int _a4) {
				struct tagPOINT _v12;
				void* __ebx;
				void* __edi;
				void* _t67;
				long _t69;
				int _t71;
				int _t74;
				signed int _t76;
				signed int _t79;
				void* _t81;
				intOrPtr _t84;
				int _t91;
				signed int* _t98;
				intOrPtr* _t116;
				RECT* _t139;
				intOrPtr* _t142;

				_t149 = __fp0;
				_push(__ecx);
				_push(__ecx);
				_t142 = __ecx;
				_push(_t139);
				_t116 =  *((intOrPtr*)( *__ecx + 0x1c0))();
				_t67 = _a4 - 1;
				if(_t67 == 0) {
					_t139 = 0;
					__eflags =  *((intOrPtr*)(__ecx + 0xee8));
					if(__eflags != 0) {
						L33:
						return E0005F788(_t116, _t142, _t139, _t148);
					}
					_t69 = E00156291(__ecx);
					_v12.y = _t69;
					_a4 = _t69 -  *0x1c48cc;
					_t71 =  *0x1bcfec; // 0xf
					asm("fild dword [ebp+0x8]");
					asm("fild dword [0x1bcfec]");
					__eflags = _t71;
					if(_t71 < 0) {
						_t149 = __fp0 +  *0x17be08;
					}
					asm("fdivp st1, st0");
					_a4 = E00155A90(_t71, _t149 +  *0x17bdf8);
					_t74 = E000748C1(_t139) - 1;
					__eflags = _t74;
					if(_t74 == 0) {
						_t76 =  *((intOrPtr*)( *_t116 + 0x358))();
						_t38 = _t142 + 0xed8;
						 *_t38 =  *((intOrPtr*)(_t142 + 0xed8)) + _t76 * _a4;
						__eflags =  *_t38;
						goto L21;
					} else {
						_t91 = _t74 - 1;
						__eflags = _t91;
						if(_t91 == 0) {
							L21:
							_t79 =  *((intOrPtr*)( *_t116 + 0x354))();
							_t42 = _t142 + 0xedc;
							 *_t42 =  *((intOrPtr*)(_t142 + 0xedc)) + _t79 * _a4;
							__eflags =  *_t42;
							L22:
							_t81 = E000748C1(_t139);
							__eflags = _t81 - 3;
							if(_t81 == 3) {
								L24:
								__eflags = _t81 - 1;
								if(_t81 != 1) {
									L26:
									__eflags = _t81 - 3;
									if(__eflags != 0) {
										L32:
										RedrawWindow( *(_t142 + 0x20), _t139, _t139, 0x185);
										 *0x1c48cc = _v12.y;
										goto L33;
									}
									__eflags =  *((intOrPtr*)(_t142 + 0xf24)) - 0x64;
									if(__eflags <= 0) {
										goto L32;
									}
									L28:
									_t84 =  *((intOrPtr*)(_t142 + 0xfc0));
									 *((intOrPtr*)(_t142 + 0xed8)) =  *((intOrPtr*)(_t142 + 0x138)) + _t84;
									 *((intOrPtr*)(_t142 + 0xedc)) =  *((intOrPtr*)(_t142 + 0x13c)) + _t84;
									KillTimer( *(_t142 + 0x20), 1);
									 *((intOrPtr*)( *_t116 + 0x234))(_t139, _t139, _t139, _t139, _t139, 0x5f, _t139);
									ValidateRect( *(_t116 + 0x20), _t139);
									 *(_t142 + 0xee8) = 1;
									__eflags =  *((intOrPtr*)(_t142 + 0xfc0)) - _t139;
									if(__eflags != 0) {
										__eflags = E000748C1(_t139) - 3;
										if(__eflags != 0) {
											__eflags =  *((intOrPtr*)(_t142 + 0xea4)) - 2;
											if(__eflags == 0) {
												E00081607(_t142, _t136, _t139, _t139);
											}
										}
									}
									goto L32;
								}
								__eflags =  *((intOrPtr*)(_t142 + 0xed8)) -  *((intOrPtr*)(_t142 + 0xfc0)) -  *((intOrPtr*)(_t142 + 0x138));
								if( *((intOrPtr*)(_t142 + 0xed8)) -  *((intOrPtr*)(_t142 + 0xfc0)) >=  *((intOrPtr*)(_t142 + 0x138))) {
									goto L28;
								}
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t142 + 0xedc)) -  *((intOrPtr*)(_t142 + 0xfc0)) -  *((intOrPtr*)(_t142 + 0x13c));
							if( *((intOrPtr*)(_t142 + 0xedc)) -  *((intOrPtr*)(_t142 + 0xfc0)) >=  *((intOrPtr*)(_t142 + 0x13c))) {
								goto L28;
							}
							goto L24;
						}
						__eflags = _t91 == 1;
						if(_t91 == 1) {
							 *((intOrPtr*)(_t142 + 0xf24)) =  *((intOrPtr*)(_t142 + 0xf24)) + 0xa;
							_t136 = (_a4 + 0xa) * 0xa;
							__eflags =  *((intOrPtr*)(_t142 + 0xf24)) - (_a4 + 0xa) * 0xa;
							if( *((intOrPtr*)(_t142 + 0xf24)) > (_a4 + 0xa) * 0xa) {
								 *((intOrPtr*)(_t142 + 0xf24)) = 0x65;
							}
						}
						goto L22;
					}
				}
				if(_t67 != 1) {
					goto L33;
				} else {
					_t139 = 0;
					_v12.x = 0;
					_v12.y = 0;
					GetCursorPos( &_v12);
					ScreenToClient( *(_t142 + 0x20),  &_v12);
					_t98 = E0007EDB5(_t142);
					if(_t98 != 0) {
						_t136 =  *_t98;
						 *((intOrPtr*)( *_t98 + 0x58))();
					}
					_push(_v12.y);
					_a4 =  *((intOrPtr*)(_t116 + 0xcd4));
					if(PtInRect(_t142 + 0xef8, _v12.x) == 0) {
						L7:
						_push(_v12.y);
						__eflags = PtInRect(_t142 + 0xf08, _v12);
						if(__eflags == 0) {
							L11:
							KillTimer( *(_t142 + 0x20), 2);
							 *(_t142 + 0xf18) = _t139;
							_t139 = InvalidateRect;
							InvalidateRect( *(_t142 + 0x20), _t142 + 0xf08, 1);
							InvalidateRect( *(_t142 + 0x20), _t142 + 0xef8, 1);
							goto L33;
						}
						__eflags =  *(_t142 + 0xf18) - _t139;
						if(__eflags <= 0) {
							goto L11;
						} else {
							_t110 = _a4 + 1;
							__eflags = _a4 + 1;
							L10:
							E0007E9D8(_t116, _t110);
							E0008102D(_t142, _t136, _t139);
							goto L33;
						}
					}
					_t148 =  *(_t142 + 0xf18) - _t139;
					if( *(_t142 + 0xf18) >= _t139) {
						goto L7;
					} else {
						_t110 = _a4 - 1;
						goto L10;
					}
				}
			}

0x0008269f
0x000826a4
0x000826a5
0x000826a8
0x000826ac
0x000826b3
0x000826b8
0x000826b9
0x00082795
0x00082797
0x0008279d
0x00082910
0x0008291b
0x0008291b
0x000827a3
0x000827a8
0x000827b1
0x000827b4
0x000827b9
0x000827bc
0x000827c2
0x000827c4
0x000827c6
0x000827c6
0x000827cc
0x000827da
0x000827e2
0x000827e2
0x000827e3
0x00082813
0x0008281d
0x0008281d
0x0008281d
0x00000000
0x000827e5
0x000827e5
0x000827e5
0x000827e6
0x00082823
0x00082827
0x00082831
0x00082831
0x00082831
0x00082837
0x00082838
0x0008283d
0x00082840
0x00082856
0x00082856
0x00082859
0x0008286f
0x0008286f
0x00082872
0x000828f8
0x00082902
0x0008290b
0x00000000
0x0008290b
0x00082878
0x0008287f
0x00000000
0x00000000
0x00082881
0x00082881
0x0008288f
0x000828a2
0x000828a8
0x000828ba
0x000828c4
0x000828ca
0x000828d4
0x000828da
0x000828e2
0x000828e5
0x000828e7
0x000828ee
0x000828f3
0x000828f3
0x000828ee
0x000828e5
0x00000000
0x000828da
0x00082867
0x0008286d
0x00000000
0x00000000
0x00000000
0x0008286d
0x0008284e
0x00082854
0x00000000
0x00000000
0x00000000
0x00082854
0x000827e8
0x000827e9
0x000827ee
0x000827f8
0x000827fb
0x00082801
0x00082803
0x00082803
0x00082801
0x00000000
0x000827e9
0x000827e3
0x000826c0
0x00000000
0x000826c6
0x000826c9
0x000826cc
0x000826cf
0x000826d2
0x000826df
0x000826e7
0x000826ee
0x000826f0
0x000826f4
0x000826f4
0x000826f7
0x00082703
0x00082715
0x00082725
0x00082725
0x00082738
0x0008273a
0x0008275d
0x00082762
0x00082774
0x0008277a
0x00082780
0x0008278e
0x00000000
0x0008278e
0x0008273c
0x00082742
0x00000000
0x00082744
0x00082747
0x00082747
0x00082748
0x0008274b
0x00082753
0x00000000
0x00082753
0x00082742
0x00082717
0x0008271d
0x00000000
0x0008271f
0x00082722
0x00000000
0x00082722
0x0008271d

APIs

GetCursorPos.USER32(?), ref: 000826D2
ScreenToClient.USER32(?,?), ref: 000826DF
PtInRect.USER32(?,?,?), ref: 0008270D
PtInRect.USER32(?,?,?), ref: 00082732
KillTimer.USER32 ref: 00082762
InvalidateRect.USER32(?,?,00000001), ref: 00082780
InvalidateRect.USER32(?,?,00000001), ref: 0008278E
_clock.LIBCMT ref: 000827A3
KillTimer.USER32 ref: 000828A8
ValidateRect.USER32(?,00000000), ref: 000828C4
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00082902

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow_clock
String ID:
API String ID: 3482734790-0
Opcode ID: abc32b819c7d468ad0843bbcb7ec9acd544b8f830fa3934d539b533352b5b3cc
Instruction ID: 71b282f555138535dca805f42beafd9584174c684b963ad4ab2ae4bfe1556d35
Opcode Fuzzy Hash: abc32b819c7d468ad0843bbcb7ec9acd544b8f830fa3934d539b533352b5b3cc
Instruction Fuzzy Hash: 6E718C31600A45EFCB65EF65C988EAABBF5FF48300F10486EE49AD6651DF70A981DF40

Uniqueness

Uniqueness Score: -1.00%

Function 000B97A1 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 240
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E000B97A1(void* __ecx, unsigned int __edx, intOrPtr _a4) {
				signed int _v8;
				char _v1032;
				signed int _v1036;
				unsigned int* _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				intOrPtr _v1056;
				char _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				unsigned int* _v1088;
				intOrPtr _v1096;
				char _v1104;
				void* _v1116;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t116;
				signed int _t118;
				signed int _t126;
				signed int _t133;
				signed int _t135;
				signed int _t144;
				signed int _t151;
				intOrPtr _t160;
				void* _t161;
				intOrPtr _t162;
				signed int _t165;
				unsigned int _t181;
				signed int _t189;
				void* _t190;
				unsigned int _t194;
				unsigned int* _t195;
				signed int _t196;
				void* _t198;
				void* _t199;
				signed int _t200;
				intOrPtr _t201;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;

				_t184 = __edx;
				_t206 = _t208;
				_t209 = _t208 - 0x44c;
				_t116 =  *0x1c0454; // 0x885926af
				_v8 = _t116 ^ _t206;
				_t160 = _a4;
				_t198 = __ecx;
				_v1056 = _t160;
				_t118 = E000B6737(_t160);
				_v1040 = _v1040 & 0x00000000;
				_t189 = _t118;
				_t165 = 0x20;
				_v1064 = _t189;
				_v1052 = _t165;
				_v1044 = 0x22009;
				if((_t189 & 0x00020000) != 0) {
					_v1052 = _t118 >> 0x00000008 & 0x000000ff;
					_v1044 = _t189;
				}
				_t214 = _t189 & 0x00040000;
				if((_t189 & 0x00040000) != 0) {
					_v1052 = _t165;
					_v1040 = 1;
					_v1044 = 0x26200a;
				}
				_v1048 = E000B6711(_t160);
				if(E0008C939(_t160, _t184, _t214, E000B66EB(_t160), _v1048, _v1052, 0, 0, _v1040) != 0) {
					_v1036 = _v1036 & 0x00000000;
					__eflags = _t189 & 0x00010000;
					if((_t189 & 0x00010000) == 0) {
						L25:
						__eflags = _v1044 - _t189;
						if(_v1044 != _t189) {
							E000B67A5( &_v1080,  *(_t198 + 0xc),  *(_t198 + 0x10),  *((intOrPtr*)(_t198 + 0x14)), _v1044,  *((intOrPtr*)(_t198 + 8)));
							E000B7107( &_v1060,  &_v1080);
							E000B7136( &_v1060, _t160, 0, 0);
							_push(_v1060);
							L00168300();
							_push(_v1076);
							L00168306();
							goto L38;
						} else {
							_v1080 = _v1080 & 0x00000000;
							_v1076 = _v1076 & 0x00000000;
							_v1072 =  *(_t198 + 0xc);
							_v1068 =  *(_t198 + 0x10);
							_push( &_v1104);
							_push(_t189);
							_push(1);
							_t133 =  &_v1080;
							_push(_t133);
							_push( *((intOrPtr*)(_t160 + 4)));
							L00168360();
							__eflags = _t133;
							if(_t133 == 0) {
								_t133 = 0;
								__eflags = 0;
							} else {
								 *(_t160 + 8) = _t133;
							}
							__eflags = _t133;
							if(_t133 == 0) {
								_v1044 = _v1044 & 0x00000000;
								_t162 =  *((intOrPtr*)(_t198 + 8));
								_t194 =  *(_t198 + 0xc) * _v1052 + 7 >> 3;
								__eflags =  *(_t198 + 0x10);
								_v1040 = _v1088;
								if( *(_t198 + 0x10) > 0) {
									do {
										_push(_t194);
										E00053E80(_t162, _t194, _v1040);
										_v1040 = _v1040 + _v1096;
										_t162 = _t162 +  *((intOrPtr*)(_t198 + 0x14));
										_t209 = _t209 + 0x10;
										_v1044 = _v1044 + 1;
										__eflags = _v1044 -  *(_t198 + 0x10);
									} while (_v1044 <  *(_t198 + 0x10));
								}
								_t201 = _v1056;
								_t135 =  &_v1104;
								_push(_t135);
								_push( *((intOrPtr*)(_t201 + 4)));
								L00168366();
								__eflags = _t135;
								if(_t135 != 0) {
									 *(_t201 + 8) = _t135;
								}
								L38:
								__eflags = _v1036;
								if(_v1036 != 0) {
									do {
										_t200 =  *_v1036;
										_v1036 = _t200;
										E00150CB2(_v1036);
										__eflags = _t200;
									} while (_t200 != 0);
								}
								_t126 = 0;
								__eflags = 0;
							} else {
								__eflags = _v1036;
								if(_v1036 != 0) {
									do {
										_t202 =  *_v1036;
										_v1036 = _t202;
										E00150CB2(_v1036);
										__eflags = _t202;
									} while (_t202 != 0);
								}
								goto L15;
							}
						}
					} else {
						_t195 = E000B6759(_t160);
						_v1040 = _t195;
						__eflags = _t195 - 0x400;
						if(__eflags > 0) {
							L11:
							_t196 = E0008C8A6(_t160,  &_v1036, __eflags, _t195);
						} else {
							_push(_t195);
							__eflags = E000B7092(_t160, _t184, _t195, _t198, __eflags);
							if(__eflags == 0) {
								goto L11;
							} else {
								_t142 = E00156820(_t195);
								_t196 = _t209;
							}
						}
						__eflags = _t196;
						if(_t196 != 0) {
							E000B677F(_t142, _t160, _t196, _v1040);
							_t144 =  *(_t196 + 4);
							__eflags = _t144;
							if(_t144 == 0) {
								L18:
								__eflags = _v1036;
								if(_v1036 != 0) {
									do {
										_t203 =  *_v1036;
										_v1036 = _t203;
										E00150CB2(_v1036);
										__eflags = _t203;
									} while (_t203 != 0);
								}
								goto L6;
								L42:
							} else {
								__eflags = _t144 - 0x100;
								if(_t144 <= 0x100) {
									_v1048 = _v1048 & 0x00000000;
									__eflags = _t144;
									if(_t144 != 0) {
										_t38 = _t196 + 8; // 0x8
										_v1040 = _t38;
										do {
											_t181 =  *_v1040;
											_t151 = _v1048;
											_v1040 = _v1040 + 4;
											 *((char*)(_t206 + _t151 * 4 - 0x402)) = _t181 >> 0x10;
											_t184 = _t181 >> 8;
											_v1048 = _v1048 + 1;
											 *((char*)(_t206 + _t151 * 4 - 0x403)) = _t181 >> 8;
											 *(_t206 + _t151 * 4 - 0x404) = _t181;
											 *((char*)(_t206 + _t151 * 4 - 0x401)) = 0;
											__eflags = _v1048 -  *(_t196 + 4);
										} while (_v1048 <  *(_t196 + 4));
									}
									E000B67E0(_t198, 0,  *(_t196 + 4),  &_v1032);
									_t189 = _v1064;
									goto L25;
								} else {
									goto L18;
								}
							}
						} else {
							__eflags = _v1036 - _t196;
							if(_v1036 != _t196) {
								do {
									_t204 =  *_v1036;
									_v1036 = _t204;
									E00150CB2(_v1036);
									__eflags = _t204;
								} while (_t204 != 0);
							}
							L15:
							_t126 = 0x8007000e;
						}
					}
				} else {
					L6:
					_t126 = 0x80004005;
				}
				_pop(_t190);
				_pop(_t199);
				_pop(_t161);
				return E00150836(_t126, _t161, _v8 ^ _t206, _t184, _t190, _t199);
				goto L42;
			}

0x000b97a1
0x000b97a4
0x000b97a6
0x000b97ac
0x000b97b3
0x000b97b7
0x000b97bb
0x000b97c0
0x000b97c6
0x000b97cb
0x000b97d2
0x000b97d6
0x000b97d7
0x000b97dd
0x000b97e3
0x000b97f3
0x000b97fd
0x000b9803
0x000b9803
0x000b9809
0x000b980f
0x000b9811
0x000b9817
0x000b9821
0x000b9821
0x000b9834
0x000b985f
0x000b986b
0x000b9872
0x000b9878
0x000b99a9
0x000b99a9
0x000b99af
0x000b9abb
0x000b9acd
0x000b9add
0x000b9ae2
0x000b9ae8
0x000b9aed
0x000b9af3
0x00000000
0x000b99b5
0x000b99b8
0x000b99bf
0x000b99c6
0x000b99cf
0x000b99db
0x000b99dc
0x000b99dd
0x000b99df
0x000b99e5
0x000b99e6
0x000b99e9
0x000b99ee
0x000b99f0
0x000b99f7
0x000b99f7
0x000b99f2
0x000b99f2
0x000b99f2
0x000b99f9
0x000b99fb
0x000b9a38
0x000b9a3f
0x000b9a45
0x000b9a48
0x000b9a4c
0x000b9a52
0x000b9a54
0x000b9a54
0x000b9a5d
0x000b9a68
0x000b9a6e
0x000b9a71
0x000b9a74
0x000b9a80
0x000b9a80
0x000b9a54
0x000b9a85
0x000b9a8b
0x000b9a91
0x000b9a92
0x000b9a95
0x000b9a9a
0x000b9a9c
0x000b9a9e
0x000b9a9e
0x000b9af8
0x000b9af8
0x000b9aff
0x000b9b01
0x000b9b07
0x000b9b0a
0x000b9b10
0x000b9b16
0x000b9b16
0x000b9b01
0x000b9b1a
0x000b9b1a
0x000b99fd
0x000b99fd
0x000b9a04
0x000b9a0a
0x000b9a10
0x000b9a13
0x000b9a19
0x000b9a1f
0x000b9a1f
0x000b9a23
0x00000000
0x000b9a04
0x000b99fb
0x000b987e
0x000b9885
0x000b9887
0x000b988d
0x000b9893
0x000b98ab
0x000b98b7
0x000b9895
0x000b9895
0x000b989c
0x000b989e
0x00000000
0x000b98a0
0x000b98a2
0x000b98a7
0x000b98a7
0x000b989e
0x000b98b9
0x000b98bb
0x000b98f1
0x000b98f6
0x000b98f9
0x000b98fb
0x000b9904
0x000b9904
0x000b990b
0x000b9911
0x000b9917
0x000b991a
0x000b9920
0x000b9926
0x000b9926
0x000b992a
0x00000000
0x00000000
0x000b98fd
0x000b98fd
0x000b9902
0x000b992f
0x000b9936
0x000b9938
0x000b993a
0x000b993d
0x000b9943
0x000b9949
0x000b994b
0x000b9951
0x000b995d
0x000b9966
0x000b9969
0x000b996f
0x000b9976
0x000b997d
0x000b998b
0x000b998b
0x000b9943
0x000b999e
0x000b99a3
0x00000000
0x00000000
0x00000000
0x00000000
0x000b9902
0x000b98bd
0x000b98bd
0x000b98c3
0x000b98c5
0x000b98cb
0x000b98ce
0x000b98d4
0x000b98da
0x000b98da
0x000b98c5
0x000b98de
0x000b98de
0x000b98de
0x000b98bb
0x000b9861
0x000b9861
0x000b9861
0x000b9861
0x000b9b22
0x000b9b23
0x000b9b24
0x000b9b30
0x00000000

APIs

Part of subcall function 000B6737: GdipGetImagePixelFormat.GDIPLUS(?,001C56A4,00000000,00000000,?,000B97CB,00000000,00000000,001C56A4), ref: 000B6747

_free.LIBCMT ref: 000B98D4
_free.LIBCMT ref: 000B9920
GdipBitmapLockBits.GDIPLUS(?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,001C56A4), ref: 000B99E9
_free.LIBCMT ref: 000B9A19

Part of subcall function 000B6759: GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,00000000,?,000B9885,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 000B676D

GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,001C56A4), ref: 000B9A95
_free.LIBCMT ref: 000B9B10

Strings

&, xrefs: 000B9821

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Gdip_free$BitmapBitsImage$FormatLockPalettePixelSizeUnlock
String ID: &
API String ID: 4092590016-3042966939
Opcode ID: 3990f76aba31da42d552cdd77a003b4bae04cb37a2d1b67e57053930ceb0bc07
Instruction ID: f890dfd1621c3a609c3f76f43f33716bf67bde061996e89b6307f600dce3a81d
Opcode Fuzzy Hash: 3990f76aba31da42d552cdd77a003b4bae04cb37a2d1b67e57053930ceb0bc07
Instruction Fuzzy Hash: FAA15CB19002289BDB719F18CD80BD9B7B5AF44314F1081E9EB09B7252DB759EC5CF58

Uniqueness

Uniqueness Score: -1.00%

Function 000672C1 Relevance: 15.2, APIs: 10, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000672C1(intOrPtr __ecx, void* __edx, struct HWND__** _a4) {
				intOrPtr _v8;
				struct tagPOINT _v16;
				void* __ebx;
				struct HWND__* _t36;
				void* _t39;
				int _t40;
				void* _t42;
				intOrPtr _t52;
				intOrPtr _t54;
				intOrPtr _t56;
				void* _t57;
				intOrPtr _t58;
				intOrPtr _t60;
				intOrPtr _t63;
				void* _t67;
				void* _t68;
				struct HWND__** _t83;
				void* _t84;

				_t77 = __edx;
				_t83 = _a4;
				_t36 = _t83[1];
				_v8 = __ecx;
				_t84 = _t36 - 0x105;
				if(_t84 > 0) {
					if(_t36 == 0x200) {
						_v16.x = _t83[3];
						_v16.y = _t83[3];
						_t39 = E0005F82E(_t67, 0x105, __edx,  *_t83);
						if(_t39 != 0) {
							ClientToScreen( *(_t39 + 0x20),  &_v16);
						}
						_t40 = E00067230(_v16.x, _v16.y);
						L22:
						if(_t40 != 0) {
							L16:
							_t42 = 1;
							L24:
							return _t42;
						}
						L23:
						_t42 = 0;
						goto L24;
					}
					if(_t36 == 0x201) {
						L36:
						_v16.x = _t83[3];
						_push(_t67);
						_v16.y = _t83[3];
						_t68 = E0005F82E(_t67, 0x105, _t77,  *_t83);
						if(_t68 != 0 && IsWindow( *_t83) != 0) {
							ClientToScreen( *(_t68 + 0x20),  &_v16);
						}
						if(E00067052(_v8, _t77, _v16.x, _v16.y) == 0) {
							if(IsWindow( *_t83) != 0) {
								goto L23;
							}
						}
						goto L16;
					}
					if(_t36 <= 0x203) {
						goto L23;
					}
					if(_t36 <= 0x205) {
						goto L36;
					}
					if(_t36 <= 0x206) {
						goto L23;
					}
					if(_t36 <= 0x208) {
						goto L36;
					}
					if(_t36 == 0x20a) {
						_t52 =  *0x1c48bc; // 0x0
						if(_t52 != 0 && IsWindow( *(_t52 + 0x20)) != 0) {
							_t54 =  *0x1c48bc; // 0x0
							if( *((intOrPtr*)(_t54 + 0xef0)) != 0) {
								SendMessageW( *(_t54 + 0x20), 0x20a, _t83[2], _t83[3]);
							}
						}
					}
					goto L23;
				}
				if(_t84 == 0) {
					_t56 =  *0x1c48bc; // 0x0
					if(_t56 == 0) {
						goto L23;
					}
					_t40 = IsWindow( *(_t56 + 0x20));
					goto L22;
				}
				if(_t36 > 0xa8) {
					_t57 = _t36 - 0x100;
					if(_t57 == 0) {
						_t58 =  *0x1c48bc; // 0x0
						if(_t58 == 0 || IsWindow( *(_t58 + 0x20)) == 0) {
							goto L23;
						} else {
							_push(0);
							_push(_t83[2]);
							_push(0x100);
							L15:
							_t60 =  *0x1c48bc; // 0x0
							SendMessageW( *(_t60 + 0x20), ??, ??, ??);
							goto L16;
						}
					}
					if(_t57 != 4) {
						goto L23;
					}
					L11:
					_t63 =  *0x1c48bc; // 0x0
					if(_t63 == 0 || IsWindow( *(_t63 + 0x20)) == 0 || _t83[2] != 0x12) {
						goto L23;
					} else {
						_push(0);
						_push(0);
						_push(0x10);
						goto L15;
					}
				}
				if(_t36 >= 0xa7) {
					L8:
					_t40 = E00067052(_v8, _t77, _t83[3], _t83[3]);
					goto L22;
				}
				if(_t36 == 0x7b) {
					goto L11;
				}
				if(_t36 <= 0xa0 || _t36 > 0xa2 && _t36 + 0xffffff5c > 1) {
					goto L23;
				} else {
					goto L8;
				}
			}

0x000672c1
0x000672ca
0x000672cd
0x000672d0
0x000672d9
0x000672db
0x000673b2
0x0006747f
0x00067486
0x00067489
0x00067490
0x00067499
0x00067499
0x000674a8
0x000673a1
0x000673a3
0x0006736c
0x0006736e
0x000673a7
0x000673aa
0x000673aa
0x000673a5
0x000673a5
0x00000000
0x000673a5
0x000673bd
0x0006741a
0x0006741e
0x00067425
0x00067428
0x00067436
0x0006743a
0x0006744b
0x0006744b
0x00067462
0x0006746e
0x00000000
0x00000000
0x00067474
0x00000000
0x00067462
0x000673c4
0x00000000
0x00000000
0x000673cb
0x00000000
0x00000000
0x000673d2
0x00000000
0x00000000
0x000673d9
0x00000000
0x00000000
0x000673e2
0x000673e4
0x000673eb
0x000673fa
0x00067406
0x00067412
0x00067412
0x00067406
0x000673eb
0x00000000
0x000673e2
0x000672e1
0x0006738f
0x00067396
0x00000000
0x00000000
0x0006739b
0x00000000
0x0006739b
0x000672ec
0x00067333
0x00067335
0x00067371
0x00067378
0x00000000
0x00067387
0x00067387
0x00067389
0x0006738c
0x0006735e
0x0006735e
0x00067366
0x00000000
0x00067366
0x00067378
0x0006733a
0x00000000
0x00000000
0x0006733c
0x0006733c
0x00067343
0x00000000
0x00067358
0x00067358
0x0006735a
0x0006735c
0x00000000
0x0006735c
0x00067343
0x000672f3
0x0006731a
0x00067327
0x00000000
0x00067327
0x000672f8
0x00000000
0x00000000
0x000672ff
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsWindow.USER32(?), ref: 00067348
SendMessageW.USER32(?,00000100,?,00000000), ref: 00067366
IsWindow.USER32(?), ref: 0006737D
IsWindow.USER32(?), ref: 0006739B
IsWindow.USER32(?), ref: 000673F0
SendMessageW.USER32(?,0000020A,?,?), ref: 00067412
IsWindow.USER32(?), ref: 0006743E
ClientToScreen.USER32(?,?), ref: 0006744B
IsWindow.USER32(?), ref: 0006746A
ClientToScreen.USER32(?,?), ref: 00067499

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$ClientMessageScreenSend
String ID:
API String ID: 526472501-0
Opcode ID: 7371a3a39256f022bdcfd9a36c2838b18e7252a257da52c261d4b93dec844c52
Instruction ID: 6810f1b359ccc4afbcb61e11516251e3ca4c9b3a08f226e7708025c8e6c2e91a
Opcode Fuzzy Hash: 7371a3a39256f022bdcfd9a36c2838b18e7252a257da52c261d4b93dec844c52
Instruction Fuzzy Hash: A6518071608211EFEF609F64CC49E6E7BF6EB08704F104569E89DD26A1E735DAC0EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00061792 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00061792(void* __ebx, void* __ecx, void* __edx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				void* __edi;
				void* _t12;
				void* _t14;
				void* _t15;
				void* _t18;
				void* _t19;
				void* _t29;
				struct HWND__* _t30;
				signed int _t34;
				void* _t36;
				void* _t38;
				void* _t42;

				_t36 = __edx;
				_t29 = __ebx;
				_push(__ecx);
				_t38 = __ecx;
				_t12 = E0006176A(__ecx, __ecx);
				_t34 = _a4 & 0x0000fff0;
				_t42 = _t12;
				_t14 = _t34 - 0xf040;
				if(_t14 == 0) {
					L11:
					if(_a8 != 0x75 || _t42 == 0) {
						L15:
						_t15 = 0;
						goto L16;
					} else {
						E00063652(_t29, _t42, _t36);
						L14:
						_t15 = 1;
						L16:
						return _t15;
					}
				}
				_t18 = _t14 - 0x10;
				if(_t18 == 0) {
					goto L11;
				}
				_t19 = _t18 - 0x10;
				if(_t19 == 0 || _t19 == 0xa0) {
					if(_t34 == 0xf060 || _a8 != 0) {
						if(_t42 != 0) {
							_push(_t29);
							_t30 =  *(_t38 + 0x20);
							_v8 = GetFocus();
							E0005F82E(_t30, _t34, _t36, SetActiveWindow( *(_t42 + 0x20)));
							SendMessageW( *(_t42 + 0x20), 0x112, _a4, _a8);
							if(IsWindow(_t30) != 0) {
								SetActiveWindow(_t30);
							}
							if(IsWindow(_v8) != 0) {
								SetFocus(_v8);
							}
						}
					}
					goto L14;
				} else {
					goto L15;
				}
			}

0x00061792
0x00061792
0x00061797
0x0006179a
0x0006179c
0x000617a4
0x000617aa
0x000617ae
0x000617b3
0x00061833
0x00061838
0x0006184a
0x0006184a
0x00000000
0x0006183e
0x00061840
0x00061845
0x00061847
0x0006184c
0x0006184f
0x0006184f
0x00061838
0x000617b5
0x000617b8
0x00000000
0x00000000
0x000617ba
0x000617bd
0x000617d0
0x000617da
0x000617dc
0x000617dd
0x000617ef
0x000617f5
0x00061808
0x00061819
0x0006181c
0x0006181c
0x00061826
0x0006182b
0x0006182b
0x00061826
0x000617da
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetFocus.USER32 ref: 000617E0
SetActiveWindow.USER32(?), ref: 000617F2
SendMessageW.USER32(?,00000112,?,?), ref: 00061808
IsWindow.USER32(?), ref: 00061815
SetActiveWindow.USER32(?), ref: 0006181C
IsWindow.USER32(?), ref: 00061821
SetFocus.USER32 ref: 0006182B

Strings

u, xrefs: 00061833

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 70e299b116d35e9f146f936189b1c0dfce2c2f9a641670e2b986980b91f5f88e
Instruction ID: 21ff9bccc15c2ba13aa9c55f19425e9d59b5144bdab2e1b806feb62ca2bc7805
Opcode Fuzzy Hash: 70e299b116d35e9f146f936189b1c0dfce2c2f9a641670e2b986980b91f5f88e
Instruction Fuzzy Hash: 31118E3290430AAFDB686B79CD099EE7AFBEF44750F084034E905975A2DE34DD80DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00073C3A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00073C3A(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v72;
				void _v100;
				intOrPtr _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x1c0454; // 0x885926af
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v104 = __ecx;
				_t23 = L"System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectW(_t14, 0x5c,  &_v100) != 0) {
						_t23 =  &_v72;
						_t31 = GetDC(0);
						if(_v100 < 0) {
							_v100 =  ~_v100;
						}
						_t30 = MulDiv(_v100, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E00150836(E00073B16(_v104, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00073c42
0x00073c49
0x00073c4e
0x00073c57
0x00073c5a
0x00073c5d
0x00073c62
0x00073c66
0x00073c70
0x00073c7f
0x00073c83
0x00073c90
0x00073c92
0x00073c94
0x00073c94
0x00073caf
0x00073cb2
0x00073cb2
0x00073cb8
0x00073cb8
0x00073cbe
0x00073cc0
0x00073cc0
0x00073cdb
0x00073cdb
0x00073c6a
0x00073c6e
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 00073C62
GetStockObject.GDI32(0000000D), ref: 00073C6A
GetObjectW.GDI32(00000000,0000005C,?), ref: 00073C77
GetDC.USER32(00000000), ref: 00073C86
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00073C9A
MulDiv.KERNEL32 ref: 00073CA6
ReleaseDC.USER32(00000000,00000000), ref: 00073CB2

Strings

System, xrefs: 00073C5D, 00073CC7

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 1b782a5b3d0a20b4e697956dfa7668b21e109b841362cb5191f2a39307242192
Instruction ID: 05ade2a65da018e800c590d9e1327de9ce4452282ec5ccee2617c51127f4aa7c
Opcode Fuzzy Hash: 1b782a5b3d0a20b4e697956dfa7668b21e109b841362cb5191f2a39307242192
Instruction Fuzzy Hash: 5C11C171A00318EBFB109BA0DD09FAE7BB8EB54741F000029FA09AB1C0DB749E84DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00135C04 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00135C04(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t18;
				intOrPtr _t24;
				void* _t25;
				void* _t26;
				intOrPtr _t27;

				_t26 = __eflags;
				_push(4);
				E00151A19(0x168841, __ebx, __edi, __esi);
				_t24 = __ecx;
				 *((intOrPtr*)(_t25 - 0x10)) = __ecx;
				E00063AEA(__ecx, _t26);
				 *((intOrPtr*)(__ecx)) = 0x195854;
				 *((intOrPtr*)(__ecx + 0x34)) = 0x1957cc;
				 *((intOrPtr*)(_t25 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0xffff;
				E00072399(4);
				_t27 =  *0x1c6acc; // 0x0
				if(_t27 == 0) {
					_t18 = L"windows";
					 *0x1c6ac0 = GetProfileIntW(_t18, L"DragScrollInset", 0xb);
					 *0x1c6ac4 = GetProfileIntW(_t18, L"DragScrollDelay", 0x32);
					 *0x1c6ac8 = GetProfileIntW(_t18, L"DragScrollInterval", 0x32);
					 *0x1c6acc = 1;
				}
				E0007240B(4);
				return E00151AF1(_t24);
			}

0x00135c04
0x00135c04
0x00135c0b
0x00135c10
0x00135c12
0x00135c15
0x00135c1c
0x00135c22
0x00135c2b
0x00135c2e
0x00135c31
0x00135c34
0x00135c3b
0x00135c40
0x00135c46
0x00135c55
0x00135c65
0x00135c74
0x00135c7b
0x00135c80
0x00135c80
0x00135c8c
0x00135c98

APIs

__EH_prolog3.LIBCMT ref: 00135C0B

Part of subcall function 00072399: EnterCriticalSection.KERNEL32(001C3DE0,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723D3
Part of subcall function 00072399: InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723E5
Part of subcall function 00072399: LeaveCriticalSection.KERNEL32(001C3DE0,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723F2
Part of subcall function 00072399: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 00072402

GetProfileIntW.KERNEL32 ref: 00135C5B
GetProfileIntW.KERNEL32 ref: 00135C6A
GetProfileIntW.KERNEL32 ref: 00135C79

Strings

DragScrollDelay, xrefs: 00135C5F
DragScrollInterval, xrefs: 00135C6E
DragScrollInset, xrefs: 00135C50
windows, xrefs: 00135C55, 00135C5A, 00135C64, 00135C73

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
API String ID: 4229786687-1024936294
Opcode ID: 245790b492757000ca36de060a709aaa71124f8775b1870fd0b13b7187d9baf2
Instruction ID: 107fd2eb97f28d65ce4e14339d359e3f5fa0ef867f3e66caacfd0534a309d06c
Opcode Fuzzy Hash: 245790b492757000ca36de060a709aaa71124f8775b1870fd0b13b7187d9baf2
Instruction Fuzzy Hash: 8A01A7B0980700EADB22EF668C41B09BAE9BF50B00F44451EF144BBAE2C7F59585CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00065255 Relevance: 13.7, APIs: 9, Instructions: 233
filecomstringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00065255(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				void* _t69;
				void* _t74;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t87;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t95;
				void* _t100;
				void* _t103;
				void* _t104;
				WCHAR* _t105;
				void* _t108;
				void* _t111;
				void* _t114;
				void* _t117;
				void* _t118;
				void* _t119;
				struct HMETAFILE__* _t121;
				void _t128;
				signed int _t147;
				void* _t153;
				void* _t161;

				_push(0x5c);
				E00151A82(0x168aa2, __ebx, __edi, __esi);
				_t157 =  *(_t161 + 0xc);
				_t147 =  *(_t161 + 8) & 0x0000ffff;
				_t153 =  *(_t161 + 0x10);
				if( *_t157 != 0) {
					L10:
					_t68 =  *_t153 - 1;
					if(_t68 == 0) {
						_t69 = E00064EBE(_t128,  *(_t157 + 4),  *(_t153 + 4));
						__eflags = _t69;
						if(_t69 == 0) {
							goto L19;
						} else {
							 *(_t157 + 4) = _t69;
							goto L37;
						}
					} else {
						_t74 = _t68 - 1;
						if(_t74 == 0) {
							E00056620(0,  *(_t153 + 4));
							 *((intOrPtr*)(_t161 - 4)) = 0;
							E00056620(0,  *(_t157 + 4));
							asm("sbb esi, esi");
							asm("sbb edi, edi");
							_t157 = CopyFileW(_t153,  ~( *(_t157 + 4)) &  *(_t161 - 0x5c), 0);
							E00051190( *(_t161 - 0x5c) + 0xfffffff0, _t147);
							E00051190( *((intOrPtr*)(_t161 - 0x60)) + 0xfffffff0, _t147);
						} else {
							_t82 = _t74;
							if(_t82 == 0) {
								_t83 =  *(_t153 + 4);
								_t84 =  *((intOrPtr*)( *_t83 + 0x30))(_t83, _t161 - 0x58, 1);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L19;
								} else {
									_t85 =  *(_t157 + 4);
									 *((intOrPtr*)(_t161 - 0x64)) = 0;
									 *((intOrPtr*)( *_t85 + 0x14))(_t85, 0, 0, 0, 0);
									_t87 =  *(_t153 + 4);
									 *((intOrPtr*)( *_t87 + 0x14))(_t87, 0, 0, 0, 0);
									_t89 =  *(_t153 + 4);
									_t90 =  *((intOrPtr*)( *_t89 + 0x1c))(_t89,  *(_t157 + 4),  *((intOrPtr*)(_t161 - 0x50)),  *((intOrPtr*)(_t161 - 0x4c)), 0, 0);
									__eflags = _t90;
									if(_t90 != 0) {
										goto L19;
									} else {
										_t91 =  *(_t157 + 4);
										_t157 = 0;
										 *((intOrPtr*)( *_t91 + 0x14))(_t91, 0, 0, 0, 0);
										_t153 =  *(_t153 + 4);
										 *((intOrPtr*)( *_t153 + 0x14))(_t153, 0, 0, 0, 0);
										goto L37;
									}
								}
							} else {
								_t95 = _t82 - 4;
								if(_t95 == 0) {
									_t153 =  *(_t153 + 4);
									 *((intOrPtr*)( *_t153 + 0x1c))(_t153, 0, 0, 0,  *(_t157 + 4));
									asm("sbb eax, eax");
								} else {
									_t100 = _t95 - 8;
									if(_t100 == 0) {
										L16:
										if( *(_t157 + 4) != 0) {
											goto L19;
										} else {
											__imp__OleDuplicateData( *(_t153 + 4), _t147, 0);
											 *(_t157 + 4) = _t100;
										}
									} else {
										_t100 = _t100 - 0x30;
										if(_t100 != 0) {
											goto L19;
										} else {
											goto L16;
										}
									}
								}
							}
						}
					}
				} else {
					_t128 =  *_t153;
					_t103 = _t128 - 1;
					if(_t103 == 0) {
						L8:
						 *_t157 = _t128;
						goto L9;
					} else {
						_t104 = _t103 - 1;
						if(_t104 == 0) {
							 *_t157 = 2;
							_t105 =  *(_t153 + 4);
							__eflags = _t105;
							if(__eflags == 0) {
								_t105 = E000655E0(_t128);
							}
							 *((intOrPtr*)(_t161 - 0x60)) = lstrlenW(_t105);
							_t108 = E00064DDE(_t128, __eflags, _t106 + 1, 2);
							 *(_t157 + 4) = _t108;
							__eflags = _t108;
							if(_t108 == 0) {
								goto L19;
							} else {
								_push( *((intOrPtr*)(_t161 - 0x60)) +  *((intOrPtr*)(_t161 - 0x60)) + 2);
								E00053E80(_t108,  *((intOrPtr*)(_t161 - 0x60)) +  *((intOrPtr*)(_t161 - 0x60)) + 2,  *(_t153 + 4));
								goto L37;
							}
						} else {
							_t111 = _t104;
							if(_t111 == 0) {
								_t153 =  *(_t153 + 4);
								 *(_t157 + 4) = _t153;
								 *((intOrPtr*)( *_t153 + 4))(_t153);
								 *_t157 = 4;
								goto L37;
							} else {
								_t114 = _t111 - 4;
								if(_t114 == 0) {
									_t153 =  *(_t153 + 4);
									 *(_t157 + 4) = _t153;
									 *((intOrPtr*)( *_t153 + 4))(_t153);
									 *_t157 = 8;
									goto L37;
								} else {
									_t117 = _t114 - 8;
									if(_t117 == 0) {
										 *_t157 = 0x10;
										L9:
										 *(_t157 + 4) = 0;
										goto L10;
									} else {
										_t118 = _t117 - 0x10;
										if(_t118 == 0) {
											_t119 = E00064EBE(_t128, 0,  *(_t153 + 4));
											 *(_t161 - 0x5c) = _t119;
											__eflags = _t119;
											if(_t119 != 0) {
												_t153 = GlobalLock(_t119);
												_t121 = CopyMetaFileW( *(_t153 + 0xc), 0);
												 *(_t153 + 0xc) = _t121;
												__eflags = _t121;
												if(_t121 != 0) {
													_t153 =  *(_t161 - 0x5c);
													GlobalUnlock(_t153);
													 *(_t157 + 4) = _t153;
													 *_t157 = 0x20;
													L37:
													__eflags = 1;
												} else {
													GlobalUnlock( *(_t161 - 0x5c));
													GlobalFree( *(_t161 - 0x5c));
													goto L19;
												}
											} else {
												goto L19;
											}
										} else {
											if(_t118 == 0x20) {
												goto L8;
											}
										}
									}
								}
							}
						}
					}
				}
				return E00151B05(0, _t153, _t157);
			}

0x00065255
0x0006525c
0x00065261
0x00065264
0x00065268
0x0006526f
0x000652a8
0x000652aa
0x000652ab
0x000654bd
0x000654c2
0x000654c4
0x00000000
0x000654ca
0x000654ca
0x00000000
0x000654ca
0x000652b1
0x000652b1
0x000652b2
0x0006546b
0x00065476
0x00065479
0x00065486
0x0006548d
0x000654a1
0x000654a3
0x000654ae
0x000652b8
0x000652b9
0x000652ba
0x000653ef
0x000653fb
0x000653fe
0x00065400
0x00000000
0x00065406
0x00065406
0x00065412
0x00065415
0x00065418
0x00065424
0x00065427
0x00065438
0x0006543b
0x0006543d
0x00000000
0x00065443
0x00065443
0x0006544d
0x00065451
0x00065454
0x00065460
0x00000000
0x00065460
0x0006543d
0x000652c0
0x000652c0
0x000652c3
0x000653d9
0x000653e2
0x000653e7
0x000652c9
0x000652c9
0x000652cc
0x000652d3
0x000652d6
0x00000000
0x000652d8
0x000652dd
0x000652ea
0x000652ed
0x000652ce
0x000652ce
0x000652d1
0x00000000
0x00000000
0x00000000
0x00000000
0x000652d1
0x000652cc
0x000652c3
0x000652ba
0x000652b2
0x00065271
0x00065271
0x00065275
0x00065276
0x000652a3
0x000652a3
0x00000000
0x00065278
0x00065278
0x00065279
0x0006538a
0x00065390
0x00065393
0x00065395
0x00065397
0x00065397
0x000653a3
0x000653aa
0x000653b1
0x000653b4
0x000653b6
0x00000000
0x000653bc
0x000653c3
0x000653c9
0x00000000
0x000653ce
0x0006527f
0x00065280
0x00065281
0x00065373
0x00065376
0x0006537c
0x0006537f
0x00000000
0x00065287
0x00065287
0x0006528a
0x0006535c
0x0006535f
0x00065365
0x00065368
0x00000000
0x00065290
0x00065290
0x00065293
0x00065351
0x000652a5
0x000652a5
0x00000000
0x00065299
0x00065299
0x0006529c
0x000652f8
0x000652fd
0x00065300
0x00065302
0x00065312
0x00065318
0x0006531e
0x00065321
0x00065323
0x00065339
0x0006533d
0x00065343
0x00065346
0x000654cd
0x000654cf
0x00065325
0x00065328
0x00065331
0x00000000
0x00065331
0x00000000
0x00000000
0x00000000
0x0006529e
0x000652a1
0x00000000
0x00000000
0x000652a1
0x0006529c
0x00065293
0x0006528a
0x00065281
0x00065279
0x00065276
0x000654d5

APIs

__EH_prolog3_GS.LIBCMT ref: 0006525C
OleDuplicateData.OLE32(?,?,00000000), ref: 000652DD
GlobalLock.KERNEL32 ref: 0006530C
CopyMetaFileW.GDI32(?,00000000), ref: 00065318
GlobalUnlock.KERNEL32(?), ref: 00065328
GlobalFree.KERNEL32(?), ref: 00065331
GlobalUnlock.KERNEL32(?), ref: 0006533D
lstrlenW.KERNEL32(?,0000005C,0012FBF2,?,?,?), ref: 0006539D
CopyFileW.KERNEL32 ref: 00065495

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3_LockMetalstrlen
String ID:
API String ID: 3489744035-0
Opcode ID: ab0fff445a0fa4b1f81f845e22fc1d321678dcb236d83e9e2b6194d3a320d33a
Instruction ID: 2b10e4f88105f755c581fa689f74d5062b992ee746ce727f5ef13cf5d0401ac2
Opcode Fuzzy Hash: ab0fff445a0fa4b1f81f845e22fc1d321678dcb236d83e9e2b6194d3a320d33a
Instruction Fuzzy Hash: D381A0B1500A16AFDB249FA4CD8893AFBFAFF44746B108519F45ADB690D770ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00067052 Relevance: 13.7, APIs: 9, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00067052(intOrPtr __ecx, void* __edx, long _a4, intOrPtr _a8) {
				intOrPtr _v8;
				struct tagPOINT _v16;
				intOrPtr _v20;
				long _v24;
				void* __ebx;
				void* __edi;
				intOrPtr _t37;
				void* _t42;
				intOrPtr _t43;
				intOrPtr _t48;
				int _t50;
				intOrPtr _t51;
				int _t54;
				int _t55;
				int _t72;
				int _t76;
				intOrPtr _t77;
				int _t79;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr* _t83;
				intOrPtr* _t92;
				void* _t93;
				void* _t94;
				intOrPtr _t95;
				intOrPtr _t97;
				int _t98;
				int _t99;
				void* _t100;

				_t93 = __edx;
				_t79 = 0;
				_t97 = __ecx;
				_v8 = __ecx;
				_t100 =  *0x1c3f04 - _t79; // 0x0
				if(_t100 != 0) {
					L22:
					__eflags = 0;
					return 0;
				}
				_t37 =  *0x1c48bc; // 0x0
				if(_t37 == 0 || IsWindow( *(_t37 + 0x20)) == 0) {
					goto L22;
				} else {
					_t81 =  *0x1c48bc; // 0x0
					_v16.x = _a4;
					_v16.y = _a8;
					_t42 = E000812F4(_t81, _t93, _t94,  &_v16);
					if(_t42 != 4) {
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							L27:
							_t43 =  *0x1c48bc; // 0x0
							SendMessageW( *(_t43 + 0x20), 0x10, _t79, _t79);
							_t82 =  *((intOrPtr*)(_t97 + 4));
							L28:
							E00063652(_t79, _t82, _t93);
							L10:
							return 1;
						}
						__eflags = _t42 - 2;
						if(_t42 != 2) {
							goto L22;
						}
						goto L27;
					}
					_t48 =  *0x1c48bc; // 0x0
					_t95 =  *((intOrPtr*)(_t48 + 0x148));
					if(_t95 == 0) {
						L18:
						_t83 =  *0x1c48bc; // 0x0
						_t50 =  *((intOrPtr*)( *_t83 + 0x1c4))();
						__eflags = _t50;
						if(_t50 == 0) {
							_t51 =  *0x1c48bc; // 0x0
							SendMessageW( *(_t51 + 0x20), 0x10, _t50, _t50);
							_t54 = E0005F82E(_t79, _t83, _t93, GetFocus());
							__eflags = _t54;
							if(_t54 != 0) {
								_t55 = E0006EA07(_t54, 0x1bced8);
								__eflags = _t55;
								if(_t55 != 0) {
									E00063652(_t79,  *((intOrPtr*)(_v8 + 4)), _t93);
								}
							}
						}
						goto L22;
					}
					_t79 =  *(_t95 + 0x6c);
					if(_t79 == 0) {
						goto L18;
					}
					_t98 = E0006EA25(0x1bd08c, _t79);
					_v16.x = _a4;
					_v16.y = _a8;
					ScreenToClient( *(_t79 + 0x20),  &_v16);
					_push(_v16.y);
					_t96 = _t95 + 0x54;
					if(PtInRect(_t95 + 0x54, _v16) == 0) {
						__eflags = _t98;
						if(_t98 == 0) {
							goto L18;
						}
						 *((intOrPtr*)( *_t98 + 0x43c))();
						_t99 = E0006EA25(0x1bcffc, E0005F82E(_t79, _t98, _t93, GetParent( *(_t98 + 0x20))));
						__eflags = _t99;
						if(_t99 == 0) {
							goto L18;
						}
						_v24 = _a4;
						_v20 = _a8;
						_t72 = E000812F4(_t99, _t93, _t96,  &_v24);
						__eflags = _t72;
						if(__eflags == 0) {
							goto L22;
						}
						if(__eflags <= 0) {
							goto L18;
						}
						__eflags = _t72 - 2;
						if(_t72 <= 2) {
							SendMessageW( *(_t99 + 0x20), 0x10, 0, 0);
							_t82 =  *((intOrPtr*)(_v8 + 4));
							goto L28;
						}
						__eflags = _t72 - 3;
						if(_t72 == 3) {
							goto L22;
						}
						__eflags = _t72 - 5;
						if(_t72 == 5) {
							goto L22;
						}
						goto L18;
					}
					if(_t98 == 0) {
						_t92 =  *0x1c48bc; // 0x0
						_t76 =  *((intOrPtr*)( *_t92 + 0x1c4))();
						if(_t76 == 0) {
							_t77 =  *0x1c48bc; // 0x0
							SendMessageW( *(_t77 + 0x20), 0x10, _t76, _t76);
						}
					}
					goto L10;
				}
			}

0x00067052
0x0006705c
0x0006705e
0x00067061
0x00067064
0x0006706a
0x000671e7
0x000671e7
0x00000000
0x000671e7
0x00067070
0x00067077
0x00000000
0x0006708e
0x00067091
0x00067097
0x0006709d
0x000670a4
0x000670ac
0x00067207
0x0006720a
0x00067211
0x00067211
0x0006721d
0x00067223
0x00067226
0x00067226
0x00067134
0x00000000
0x00067136
0x0006720c
0x0006720f
0x00000000
0x00000000
0x00000000
0x0006720f
0x000670b2
0x000670b7
0x000670bf
0x00067198
0x00067198
0x000671a0
0x000671a6
0x000671a8
0x000671ac
0x000671b6
0x000671c3
0x000671c8
0x000671ca
0x000671d3
0x000671d8
0x000671da
0x000671e2
0x000671e2
0x000671da
0x000671ca
0x00000000
0x000671a8
0x000670c5
0x000670ca
0x00000000
0x00000000
0x000670db
0x000670e0
0x000670e8
0x000670f2
0x000670f8
0x000670fb
0x0006710a
0x0006713c
0x0006713e
0x00000000
0x00000000
0x00067144
0x00067164
0x00067168
0x0006716a
0x00000000
0x00000000
0x0006716f
0x00067175
0x0006717e
0x00067183
0x00067185
0x00000000
0x00000000
0x00067187
0x00000000
0x00000000
0x00067189
0x0006718c
0x000671f9
0x00067202
0x00000000
0x00067202
0x0006718e
0x00067191
0x00000000
0x00000000
0x00067193
0x00067196
0x00000000
0x00000000
0x00000000
0x00067196
0x0006710e
0x00067110
0x00067118
0x00067120
0x00067124
0x0006712e
0x0006712e
0x00067120
0x00000000
0x0006710e

APIs

IsWindow.USER32(?), ref: 00067080

Part of subcall function 000812F4: GetClientRect.USER32 ref: 00081325
Part of subcall function 000812F4: PtInRect.USER32(?,?,?), ref: 0008133F

ScreenToClient.USER32(?,?), ref: 000670F2
PtInRect.USER32(?,?,?), ref: 00067102
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0006712E
GetParent.USER32(?), ref: 0006714D
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 000671B6
GetFocus.USER32 ref: 000671BC
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 000671F9
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0006721D

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: MessageSend$Rect$Client$FocusParentScreenWindow
String ID:
API String ID: 4216724418-0
Opcode ID: 7f0a4ddcb47609144eb41a6729fe4b139a264e768d3193f0c4ff2a1973458cd7
Instruction ID: 27e9c340153b03137d42ed17ce1a2f395c3c3a8a7405bb4d02187d5681ddd911
Opcode Fuzzy Hash: 7f0a4ddcb47609144eb41a6729fe4b139a264e768d3193f0c4ff2a1973458cd7
Instruction Fuzzy Hash: 58516375608245AFEB609FA8DC94EAD7BF6FB09304F10446AF909DB661DB30ED80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000782C3 Relevance: 13.6, APIs: 9, Instructions: 129
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000782C3(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				void* __ebp;
				void* _t34;
				intOrPtr* _t36;
				intOrPtr _t43;
				intOrPtr _t53;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t59;
				intOrPtr _t60;
				intOrPtr _t62;
				void* _t63;
				intOrPtr _t64;
				void* _t66;
				signed int _t70;

				_t55 = _a4;
				_t64 = _a8;
				_v8 = __ecx;
				asm("sbb esi, esi");
				_t70 =  ~( ~( *(__ecx + 0x90) & 0x0000a000));
				_t34 =  *((intOrPtr*)( *_t55 + 0x68))(_t64, _t63, _t66, _t54, __ecx);
				if(_t34 != 0) {
					L24:
					_t36 =  *((intOrPtr*)(_v8 + 0xbcc));
					_t62 = 0;
					while(_t36 != 0) {
						_t59 = _t36;
						if(_t36 == 0) {
							E000655E0(_t59);
							L31:
							if(_t62 != 0) {
								if(( *(_t62 + 0x24) & 0x00000001) != 0) {
									CheckMenuItem( *(_t64 + 4), 0x4215, 8);
								}
							} else {
								EnableMenuItem( *(_t64 + 4), 0x4215, 1);
							}
							L35:
							return 1;
						}
						_t60 =  *((intOrPtr*)(_t59 + 8));
						_t36 =  *_t36;
						if(_t60 == _t55) {
							goto L31;
						}
						_t62 = _t60;
					}
					goto L35;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) == _t34) {
					L6:
					EnableMenuItem( *(_t64 + 4), 0x420f, 1);
					goto L7;
				} else {
					if( *((intOrPtr*)(_t55 + 4)) == _t34) {
						_t53 =  *((intOrPtr*)(_t55 + 0x34));
					} else {
						_t53 =  *((intOrPtr*)(_t55 + 0x38));
					}
					if(_t53 >= 0) {
						L7:
						_t43 =  *((intOrPtr*)(_t55 + 0x20));
						if(_t43 == 0xffffffff || _t43 == 0) {
							EnableMenuItem( *(_t64 + 4), 0x420e, 1);
						}
						if( *(_t55 + 8) != 0 ||  *((intOrPtr*)(_t55 + 0x18)) != 0 && _t70 != 0) {
							_push(8);
							if( *((intOrPtr*)(_t55 + 0xc)) == 0) {
								_push(0x4213);
							} else {
								_push(0x4214);
							}
						} else {
							_push(8);
							_push(0x4212);
						}
						CheckMenuItem( *(_t64 + 4), ??, ??);
						if( *((intOrPtr*)(_t55 + 0x18)) != 0 && _t70 != 0) {
							EnableMenuItem( *(_t64 + 4), 0x4212, 1);
						}
						_push(_t55);
						if( *((intOrPtr*)( *_v8 + 0x408))() != 0) {
							EnableMenuItem( *(_t64 + 4), 0x4212, 1);
							EnableMenuItem( *(_t64 + 4), 0x4213, 1);
							EnableMenuItem( *(_t64 + 4), 0x4214, 1);
							 *(_t55 + 8) = 1;
						}
						goto L24;
					}
					goto L6;
				}
			}

0x000782ca
0x000782dd
0x000782e2
0x000782e5
0x000782ea
0x000782ec
0x000782f1
0x000783d5
0x000783d8
0x000783de
0x000783f3
0x000783e2
0x000783e6
0x000783f9
0x000783fe
0x00078400
0x00078414
0x00078420
0x00078420
0x00078402
0x0007840c
0x0007840c
0x00078426
0x0007842d
0x0007842d
0x000783e8
0x000783eb
0x000783ef
0x00000000
0x00000000
0x000783f1
0x000783f1
0x00000000
0x000783f7
0x000782fa
0x0007830d
0x00078317
0x00000000
0x000782fc
0x000782ff
0x00078306
0x00078301
0x00078301
0x00078301
0x0007830b
0x0007831d
0x0007831d
0x00078323
0x00078333
0x00078333
0x0007833e
0x00078352
0x00078357
0x00078360
0x00078359
0x00078359
0x00078359
0x00078349
0x00078349
0x0007834b
0x0007834b
0x00078368
0x00078372
0x00078388
0x00078388
0x00078397
0x000783a0
0x000783ac
0x000783b8
0x000783c4
0x000783c6
0x000783c6
0x00000000
0x000783a0
0x00000000
0x0007830b

APIs

EnableMenuItem.USER32 ref: 00078317
EnableMenuItem.USER32 ref: 00078333
CheckMenuItem.USER32 ref: 00078368
EnableMenuItem.USER32 ref: 00078388
EnableMenuItem.USER32 ref: 000783AC
EnableMenuItem.USER32 ref: 000783B8
EnableMenuItem.USER32 ref: 000783C4
EnableMenuItem.USER32 ref: 0007840C
CheckMenuItem.USER32 ref: 00078420

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 8a61c574a8427bd64e4a1e107629510f817bd0a6fb613e313d8d5e4cec30f6a6
Instruction ID: 27b24cb2e5bec8f3003f189ad6301b429592aff8380071b85d36753580dcaa3e
Opcode Fuzzy Hash: 8a61c574a8427bd64e4a1e107629510f817bd0a6fb613e313d8d5e4cec30f6a6
Instruction Fuzzy Hash: C5419370B84601EBEB608B18CC89F6977A5BB10B10F14C165BA0DEB1E5DBB5DD90CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00051800 Relevance: 13.6, APIs: 9, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00051800(signed int __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char _v8;
				char _v16;
				void* __esi;
				void* __ebp;
				signed int _t38;
				signed int** _t45;
				signed int** _t47;
				intOrPtr* _t49;
				void* _t57;
				void* _t64;
				signed int _t86;
				signed int _t88;
				intOrPtr _t93;
				signed int _t95;

				_t91 = __edi;
				_push(0xffffffff);
				_push(0x173d61);
				_push( *[fs:0x0]);
				_t38 =  *0x1c0454; // 0x885926af
				_push(_t38 ^ _t95);
				 *[fs:0x0] =  &_v16;
				_t93 = _a4;
				_v8 = 0xc;
				E0005C8A2(_t93 + 0x52c, __edx, __edi, _t93, __eflags);
				_v8 = 0xb;
				E0005C8A2(_t93 + 0x4b8, __edx, __edi, _t93, __eflags);
				_v8 = 0xa;
				E0005C8A2(_t93 + 0x444, __edx, __edi, _t93, __eflags);
				_v8 = 9;
				_t45 =  *((intOrPtr*)(_t93 + 0x420)) - 0x10;
				asm("lock xadd [ecx], edx");
				_t86 = (__edx | 0xffffffff) - 1;
				if(_t86 <= 0) {
					_t86 =  *( *_t45);
					 *((intOrPtr*)( *((intOrPtr*)(_t86 + 4))))(_t45);
				}
				_v8 = 8;
				_t47 =  *((intOrPtr*)(_t93 + 0x41c)) - 0x10;
				asm("lock xadd [ecx], edx");
				_t88 = (_t86 | 0xffffffff) - 1;
				if(_t88 <= 0) {
					_t88 =  *( *_t47);
					 *((intOrPtr*)( *((intOrPtr*)(_t88 + 4))))(_t47);
				}
				_v8 = 7;
				_t49 =  *((intOrPtr*)(_t93 + 0x418)) - 0x10;
				asm("lock xadd [ecx], edx");
				_t90 = (_t88 | 0xffffffff) - 1;
				_t99 = (_t88 | 0xffffffff) - 1;
				if((_t88 | 0xffffffff) - 1 <= 0) {
					_t90 =  *((intOrPtr*)( *_t49));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t49)) + 4))))(_t49);
				}
				_v8 = 6;
				E00067B1B(_t93 + 0x3a4, _t90, _t91, _t93, _t99);
				_v8 = 5;
				E0005C8A2(_t93 + 0x330, _t90, _t91, _t93, _t99);
				_v8 = 4;
				E000679F8(_t93 + 0x2bc, _t90, _t91, _t93, _t99);
				_v8 = 3;
				E0005C8A2(_t93 + 0x248, _t90, _t91, _t93, _t99);
				_v8 = 2;
				E0005C8A2(_t93 + 0x1d4, _t90, _t91, _t93, _t99);
				_v8 = 1;
				E0005C8A2(_t93 + 0x160, _t90, _t91, _t93, _t99);
				_v8 = 0;
				E00054720(_t64, _t93 + 0x98, _t90, _t99, _t93 + 0x98);
				_v8 = 0xffffffff;
				_t57 = E00063E97(_t93, _t90, _t91, _t93, _t99);
				 *[fs:0x0] = _v16;
				return _t57;
			}

0x00051800
0x00051803
0x00051805
0x00051810
0x00051812
0x00051819
0x0005181d
0x00051823
0x0005182c
0x00051833
0x0005183e
0x00051842
0x0005184d
0x00051851
0x00051856
0x00051860
0x00051869
0x0005186d
0x00051870
0x00051874
0x0005187a
0x0005187a
0x0005187c
0x00051886
0x0005188f
0x00051893
0x00051896
0x0005189a
0x000518a0
0x000518a0
0x000518a2
0x000518ac
0x000518b5
0x000518b9
0x000518ba
0x000518bc
0x000518c0
0x000518c6
0x000518c6
0x000518ce
0x000518d2
0x000518dd
0x000518e1
0x000518ec
0x000518f0
0x000518fb
0x000518ff
0x0005190a
0x0005190e
0x00051919
0x0005191d
0x00051929
0x0005192d
0x00051934
0x0005193b
0x00051943
0x0005194f

APIs

~_Task_impl.LIBCPMT ref: 00051833

Part of subcall function 0005C8A2: __EH_prolog3.LIBCMT ref: 0005C8A9

~_Task_impl.LIBCPMT ref: 00051842
~_Task_impl.LIBCPMT ref: 00051851
~_Task_impl.LIBCPMT ref: 000518D2
~_Task_impl.LIBCPMT ref: 000518E1
~_Task_impl.LIBCPMT ref: 000518F0
~_Task_impl.LIBCPMT ref: 000518FF
~_Task_impl.LIBCPMT ref: 0005190E
~_Task_impl.LIBCPMT ref: 0005191D

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Task_impl$H_prolog3
String ID:
API String ID: 1204490572-0
Opcode ID: 91632f39d7fa2e59be2a3313d92ad254f0889780750eea7564f66bc1bfdd4d6a
Instruction ID: a76a773d90f50f8e292423d36e1a3ab5cde754781050e0746aa1a9c785550cf1
Opcode Fuzzy Hash: 91632f39d7fa2e59be2a3313d92ad254f0889780750eea7564f66bc1bfdd4d6a
Instruction Fuzzy Hash: 8C419D30505B44DFE315DBBCC944BEABBE4AF5A324F14868DD46A47292CF306A09DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00071995 Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00071995(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E00151A4C(0x16981e, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					LeaveCriticalSection(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E00071645(0x10);
						__eflags = _t39;
						if(_t39 == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x17bd6c;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E0007175D( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E000657F3(0, _t51, _t62, _t65, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E000657F3(0, _t51, _t62, _t65, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E000655A8(_t53);
							}
							 *(_t65 + 0xc) = _t42;
							E00151B30(_t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					LeaveCriticalSection( *(_t66 - 0x14));
				}
				return E00151AF1(_t36);
			}

0x00071995
0x0007199c
0x000719a1
0x000719a3
0x000719a6
0x000719aa
0x000719ad
0x000719b3
0x000719ba
0x00071abc
0x000719c9
0x000719d1
0x000719d5
0x00071a09
0x00071a0c
0x00071a11
0x00071a13
0x00071a1f
0x00071a1f
0x00071a15
0x00071a15
0x00071a1b
0x00071a1b
0x00071a21
0x00071a26
0x00071a29
0x00071a2c
0x00071a2f
0x00000000
0x000719d7
0x000719d7
0x000719dd
0x000719ec
0x000719ec
0x000719ef
0x00071a53
0x00071a59
0x00071a5e
0x000719f1
0x000719f6
0x000719fc
0x000719ff
0x000719ff
0x00071a66
0x00071a6b
0x00071a71
0x00071a71
0x00071a79
0x00071a8a
0x00071a96
0x00071a9b
0x00071aa1
0x00071aa1
0x000719dd
0x00071aa4
0x00071aa9
0x00071ab3
0x00071ab3
0x00071abc
0x00071abc
0x00071ac7

APIs

__EH_prolog3_catch.LIBCMT ref: 0007199C
EnterCriticalSection.KERNEL32(?,00000010,00071C58,?,00000000,?,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000,00000004,000691DE,?), ref: 000719AD
TlsGetValue.KERNEL32 ref: 000719CB
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000719FF
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000,00000004,000691DE,?,?), ref: 00071A6B
_memset.LIBCMT ref: 00071A8A
TlsSetValue.KERNEL32(?,00000000), ref: 00071A9B
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000,00000004,000691DE,?,?,?), ref: 00071ABC

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 941ceb28684710942d4dd72fb1ffc4e4937e8071e24aecad79f3251a22d65eaa
Instruction ID: c7ad9cace257e4a8fc43db227ab7db952d0c9b495a7ec0c607ff4feb0854c015
Opcode Fuzzy Hash: 941ceb28684710942d4dd72fb1ffc4e4937e8071e24aecad79f3251a22d65eaa
Instruction Fuzzy Hash: 96316070805605FFCB20EF58D885DAABBB5FF04310B10C529E92E979A1CB34AD90CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00064A48 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00064A48(void* __ecx, void* __edx, void* __eflags, signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				short _v10;
				char _v528;
				struct HWND__* _v532;
				signed int _v536;
				long _v540;
				struct HWND__* _v544;
				intOrPtr _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t36;
				signed int _t55;
				intOrPtr _t58;
				long _t61;
				struct HWND__* _t64;
				WCHAR* _t65;
				void* _t66;
				void* _t68;
				void* _t72;
				void* _t73;
				signed int _t74;
				void* _t76;
				void* _t77;
				signed int _t79;
				void* _t80;
				signed int _t84;

				_t72 = __edx;
				_t82 = _t84;
				_t36 =  *0x1c0454; // 0x885926af
				_v8 = _t36 ^ _t84;
				_t74 = _a4;
				_t79 = 0;
				_v548 = _a8;
				E0006495B(0);
				_t68 = _t73;
				_t64 = E00064996(0,  &_v532);
				_v544 = _t64;
				if(_t64 != _v532) {
					EnableWindow(_t64, 1);
				}
				_v540 = _v540 & _t79;
				GetWindowThreadProcessId(_t64,  &_v540);
				if(_t64 == 0 || _v540 != GetCurrentProcessId()) {
					L7:
					__eflags = _t74;
					if(__eflags != 0) {
						_t79 = _t74 + 0x7c;
					}
					goto L9;
				} else {
					_t61 = SendMessageW(_t64, 0x376, 0, 0);
					if(_t61 == 0) {
						goto L7;
					} else {
						_t79 = _t61;
						L9:
						_v536 = _v536 & 0x00000000;
						if(_t79 != 0) {
							_v536 =  *_t79;
							_t58 = _a16;
							if(_t58 != 0) {
								 *_t79 = _t58 + 0x30000;
							}
						}
						if((_a12 & 0x000000f0) == 0) {
							_t55 = _a12 & 0x0000000f;
							if(_t55 <= 1) {
								_t23 =  &_a12;
								 *_t23 = _a12 | 0x00000030;
								__eflags =  *_t23;
							} else {
								if(_t55 + 0xfffffffd <= 1) {
									_a12 = _a12 | 0x00000020;
								}
							}
						}
						_v528 = 0;
						_t99 = _t74;
						if(_t74 == 0) {
							_t65 =  &_v528;
							__eflags = GetModuleFileNameW(0, _t65, 0x104) - 0x104;
							if(__eflags == 0) {
								__eflags = 0;
								_v10 = 0;
							}
						} else {
							_t65 =  *(_t74 + 0x50);
						}
						_push(_a12);
						_push(_t65);
						_push(_v548);
						_push(_v544);
						_t76 = E0005E804(_t68, _t79, _t99);
						if(_t79 != 0) {
							 *_t79 = _v536;
						}
						if(_v532 != 0) {
							EnableWindow(_v532, 1);
						}
						E0006495B(1);
						_pop(_t77);
						_pop(_t80);
						_pop(_t66);
						return E00150836(_t76, _t66, _v8 ^ _t82, _t72, _t77, _t80);
					}
				}
			}

0x00064a48
0x00064a4b
0x00064a53
0x00064a5a
0x00064a63
0x00064a66
0x00064a69
0x00064a6f
0x00064a74
0x00064a82
0x00064a84
0x00064a90
0x00064a95
0x00064a95
0x00064a9b
0x00064aa9
0x00064ab1
0x00064ad9
0x00064ad9
0x00064adb
0x00064add
0x00064add
0x00000000
0x00064ac1
0x00064acb
0x00064ad3
0x00000000
0x00064ad5
0x00064ad5
0x00064ae0
0x00064ae0
0x00064ae9
0x00064aed
0x00064af3
0x00064af8
0x00064aff
0x00064aff
0x00064af8
0x00064b05
0x00064b0a
0x00064b10
0x00064b20
0x00064b20
0x00064b20
0x00064b12
0x00064b18
0x00064b1a
0x00064b1a
0x00064b18
0x00064b10
0x00064b26
0x00064b2d
0x00064b2f
0x00064b36
0x00064b4d
0x00064b4f
0x00064b51
0x00064b53
0x00064b53
0x00064b31
0x00064b31
0x00064b31
0x00064b57
0x00064b5a
0x00064b5b
0x00064b61
0x00064b6f
0x00064b73
0x00064b7b
0x00064b7b
0x00064b84
0x00064b8e
0x00064b8e
0x00064b96
0x00064ba1
0x00064ba2
0x00064ba5
0x00064bac
0x00064bac
0x00064ad3

APIs

Part of subcall function 00064996: GetParent.USER32(?), ref: 000649EA
Part of subcall function 00064996: GetLastActivePopup.USER32(?), ref: 000649FB
Part of subcall function 00064996: IsWindowEnabled.USER32(?), ref: 00064A0F
Part of subcall function 00064996: EnableWindow.USER32(?,00000000), ref: 00064A22

EnableWindow.USER32(?,00000001), ref: 00064A95
GetWindowThreadProcessId.USER32(?,?), ref: 00064AA9
GetCurrentProcessId.KERNEL32(?,00000000), ref: 00064AB3
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 00064ACB
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 00064B47
EnableWindow.USER32(00000000,00000001), ref: 00064B8E

Strings

0, xrefs: 00064B20

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 22d8d1c66f4503979320dc06d362f9281cca5cf899635fc81811dd0c36109f9f
Instruction ID: ca067b3662cbcee696c6d6398ca376d59fb4510c78e3793d845f9e8c5a4c68aa
Opcode Fuzzy Hash: 22d8d1c66f4503979320dc06d362f9281cca5cf899635fc81811dd0c36109f9f
Instruction Fuzzy Hash: 7341DF71A40319ABDB61DF68DC89BEAB7FAFF14700F140598F919E6191D770DE808B90

Uniqueness

Uniqueness Score: -1.00%

Function 00079BD2 Relevance: 12.3, APIs: 8, Instructions: 309
timewindowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00079BD2(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, void* __eflags) {
				signed int _t114;
				intOrPtr _t115;
				signed int _t116;
				signed int _t117;
				signed int _t122;
				signed int _t128;
				intOrPtr _t130;
				intOrPtr _t133;
				intOrPtr _t135;
				signed int _t136;
				signed int _t138;
				intOrPtr _t144;
				intOrPtr _t149;
				signed int _t151;
				signed int _t153;
				signed int _t154;
				void* _t156;
				void* _t159;
				void* _t162;
				intOrPtr _t165;
				signed int _t172;
				signed int _t173;
				intOrPtr _t176;
				signed int _t177;
				signed int _t178;
				intOrPtr _t187;
				signed int _t189;
				signed int _t198;
				void* _t210;
				void* _t213;

				_t205 = __edi;
				_t201 = __edx;
				_t173 = __ecx;
				_push(0x40);
				E00151A82(0x171b24, __ebx, __edi, __esi);
				_t172 = __ecx;
				_t208 = 0;
				if( *((intOrPtr*)(__ecx + 0x164)) != 0) {
					L73:
					_push( *((intOrPtr*)(_t210 + 0x10)));
					_push( *((intOrPtr*)(_t210 + 0xc)));
					E000C069C(_t173,  *((intOrPtr*)(_t210 + 8)));
					L74:
					return E00151B05(_t172, _t205, _t208);
				}
				_t213 =  *0x1c3f04 - _t208; // 0x0
				if(_t213 == 0 ||  *((intOrPtr*)(__ecx + 0xb04)) != 0) {
					_t114 = E0007465B(_t172 + 0xc88, _t173 | 0xffffffff, _t173 | 0xffffffff);
					__eflags = _t114;
					if(_t114 == 0) {
						L11:
						_t176 =  *((intOrPtr*)(_t210 + 0x10));
						_t115 =  *((intOrPtr*)(_t210 + 0xc));
						_t208 =  *(_t172 + 0xb7c);
						_t202 =  *_t172;
						 *((intOrPtr*)(_t172 + 0xc8c)) = _t176;
						_t177 = _t172;
						 *((intOrPtr*)(_t172 + 0xc88)) = _t115;
						 *(_t210 - 0x24) = _t208;
						_t116 =  *((intOrPtr*)( *_t172 + 0x390))(_t115, _t176);
						__eflags =  *(_t172 + 0xb20);
						_t205 = _t116;
						 *(_t172 + 0xb7c) = _t205;
						if( *(_t172 + 0xb20) == 0) {
							L15:
							_t178 = _t172;
							_t117 = E00075AF1(_t178, 0);
							__eflags = _t117;
							if(_t117 == 0) {
								L17:
								_t118 =  *(_t172 + 0xb7c);
								__eflags =  *(_t172 + 0xb7c) - 0xffffffff;
								if(__eflags != 0) {
									_t178 = _t172;
									_t208 = E00074F8E(_t178, __eflags, _t118);
									__eflags = _t208;
									if(_t208 == 0) {
										goto L24;
									}
									_t151 =  *(_t208 + 0x24);
									__eflags = _t151 & 0x00000001;
									if((_t151 & 0x00000001) != 0) {
										L23:
										_t45 = _t172 + 0xb7c;
										 *_t45 =  *(_t172 + 0xb7c) | 0xffffffff;
										__eflags =  *_t45;
										goto L24;
									}
									__eflags = _t151 & 0x00040000;
									if((_t151 & 0x00040000) == 0) {
										goto L24;
									}
									_t178 = _t172;
									_t153 =  *((intOrPtr*)( *_t172 + 0x3e8))();
									__eflags = _t153;
									if(_t153 != 0) {
										goto L24;
									}
									goto L23;
								} else {
									_t208 = 0;
									L24:
									__eflags =  *(_t172 + 0xb38);
									if( *(_t172 + 0xb38) != 0) {
										__eflags =  *(_t172 + 0xb7c) - 0xffffffff;
										if( *(_t172 + 0xb7c) == 0xffffffff) {
											__eflags =  *0x1c3b34;
											if( *0x1c3b34 != 0) {
												_t178 = _t172;
												_t149 =  *((intOrPtr*)( *_t172 + 0x390))( *((intOrPtr*)(_t210 + 0xc)),  *((intOrPtr*)(_t210 + 0x10)));
												__eflags = _t149 - 0xffffffff;
												if(_t149 != 0xffffffff) {
													__eflags = _t149 -  *((intOrPtr*)(_t172 + 0xb98));
													if(_t149 !=  *((intOrPtr*)(_t172 + 0xb98))) {
														 *((intOrPtr*)(_t172 + 0xb98)) = _t149;
														SetTimer( *(_t172 + 0x20), 0x14, 0x1f4, 0);
													}
												}
											}
										}
									}
									__eflags =  *(_t172 + 0xb34);
									if( *(_t172 + 0xb34) == 0) {
										_t57 = _t210 - 0x2c;
										 *_t57 =  *(_t210 - 0x2c) | 0xffffffff;
										__eflags =  *_t57;
										 *(_t210 - 0x30) =  *(_t172 + 0x20);
										 *(_t172 + 0xb34) = 1;
										 *((intOrPtr*)(_t210 - 0x38)) = 0x10;
										 *((intOrPtr*)(_t210 - 0x34)) = 2;
										E000DF388(_t210 - 0x38);
										_pop(_t178);
									}
									__eflags =  *(_t210 - 0x24) - _t205;
									if( *(_t210 - 0x24) == _t205) {
										L44:
										__eflags =  *(_t210 - 0x24) -  *(_t172 + 0xb7c);
										if( *(_t210 - 0x24) ==  *(_t172 + 0xb7c)) {
											L72:
											_t173 = _t172;
											goto L73;
										}
										_t121 =  *((intOrPtr*)(_t172 + 0xb78));
										 *(_t210 - 0x28) =  *(_t210 - 0x28) & 0x00000000;
										__eflags =  *((intOrPtr*)(_t172 + 0xb78)) - 0xffffffff;
										if(__eflags != 0) {
											_t186 = _t172;
											_t136 = E00074F8E(_t172, __eflags, _t121);
											__eflags = _t136;
											if(_t136 == 0) {
												_t136 = E000655E0(_t186);
											}
											_t202 =  *(_t136 + 0x24);
											_t187 =  *((intOrPtr*)(_t172 + 0xb78));
											_t138 = _t202 & 0xfffdffff;
											__eflags =  *(_t172 + 0xb7c) - _t187;
											if( *(_t172 + 0xb7c) == _t187) {
												_t138 = _t138 | 0x00020000;
												__eflags = _t138;
											}
											__eflags = _t138 - _t202;
											if(_t138 != _t202) {
												_t202 =  *_t172;
												 *((intOrPtr*)( *_t172 + 0x374))(_t187, _t138);
												 *(_t210 - 0x28) = 1;
											}
										}
										__eflags =  *(_t172 + 0xb38);
										if( *(_t172 + 0xb38) != 0) {
											L55:
											__eflags =  *(_t210 - 0x24) - 0xffffffff;
											if( *(_t210 - 0x24) != 0xffffffff) {
												E00076CF9(_t172, _t202,  *(_t210 - 0x24));
												 *(_t210 - 0x28) = 1;
											}
											goto L57;
										} else {
											_t135 =  *((intOrPtr*)(_t172 + 0xb78));
											__eflags = _t135 - 0xffffffff;
											if(_t135 == 0xffffffff) {
												goto L55;
											}
											__eflags =  *(_t210 - 0x24) - _t135;
											if( *(_t210 - 0x24) != _t135) {
												L57:
												__eflags =  *(_t172 + 0xb38);
												if( *(_t172 + 0xb38) != 0) {
													L60:
													_t122 =  *(_t172 + 0xb7c);
													__eflags = _t122 - 0xffffffff;
													if(_t122 != 0xffffffff) {
														E00076CF9(_t172, _t202, _t122);
														__eflags =  *0x1c3b34;
														 *(_t210 - 0x28) = 1;
														if(__eflags != 0) {
															_t208 = 0;
															_t128 = E0006EA25(0x1bddfc, E00074F8E(_t172, __eflags,  *(_t172 + 0xb7c)));
															__eflags = _t128;
															if(_t128 != 0) {
																__eflags =  *(_t128 + 0x90);
																if( *(_t128 + 0x90) != 0) {
																	_t208 = 1;
																	__eflags = 1;
																}
															}
															_t130 =  *((intOrPtr*)( *_t172 + 0x390))( *((intOrPtr*)(_t210 + 0xc)),  *((intOrPtr*)(_t210 + 0x10)));
															__eflags = _t130 -  *((intOrPtr*)(_t172 + 0xb98));
															if(_t130 !=  *((intOrPtr*)(_t172 + 0xb98))) {
																 *((intOrPtr*)(_t172 + 0xb98)) = _t130;
																KillTimer( *(_t172 + 0x20), 0x14);
																_push(0);
																__eflags = _t208;
																if(_t208 == 0) {
																	_push(0x1f4);
																} else {
																	_push(0x514);
																}
																SetTimer( *(_t172 + 0x20), 0x14, ??, ??);
															}
														}
													}
													L70:
													 *((intOrPtr*)( *_t172 + 0x3b0))( *(_t172 + 0xb7c));
													__eflags =  *(_t210 - 0x28);
													if( *(_t210 - 0x28) != 0) {
														UpdateWindow( *(_t172 + 0x20));
													}
													goto L72;
												}
												_t133 =  *((intOrPtr*)(_t172 + 0xb78));
												__eflags = _t133 - 0xffffffff;
												if(_t133 == 0xffffffff) {
													goto L60;
												}
												__eflags =  *(_t172 + 0xb7c) - _t133;
												if( *(_t172 + 0xb7c) != _t133) {
													goto L70;
												}
												goto L60;
											}
											goto L55;
										}
									} else {
										_t189 = _t178 | 0xffffffff;
										__eflags = _t205 - _t189;
										if(_t205 == _t189) {
											L39:
											__eflags =  *((intOrPtr*)(_t172 + 0xb78)) - _t189;
											if( *((intOrPtr*)(_t172 + 0xb78)) == _t189) {
												L42:
												__eflags =  *0x1c3f28;
												if( *0x1c3f28 == 0) {
													SendMessageW( *(E00061441(_t172) + 0x20), 0x362, 0xe001, 0);
												}
												goto L44;
											}
											__eflags =  *(_t172 + 0xb38);
											if( *(_t172 + 0xb38) == 0) {
												goto L44;
											}
											__eflags = _t205 - _t189;
											if(_t205 != _t189) {
												goto L44;
											}
											goto L42;
										}
										__eflags =  *(_t172 + 0xb38);
										if( *(_t172 + 0xb38) != 0) {
											L37:
											__eflags = _t208;
											if(_t208 != 0) {
												 *((intOrPtr*)( *_t172 + 0x414))( *((intOrPtr*)(_t208 + 0x20)));
											}
											goto L44;
										}
										_t144 =  *((intOrPtr*)(_t172 + 0xb78));
										__eflags = _t205 - _t144;
										if(_t205 == _t144) {
											goto L37;
										}
										__eflags = _t144 - _t189;
										if(_t144 != _t189) {
											goto L39;
										}
										goto L37;
									}
								}
							}
							_t202 =  *_t117;
							_t178 = _t117;
							_t154 =  *((intOrPtr*)( *_t117 + 0xe8))();
							__eflags = _t154;
							if(_t154 != 0) {
								L14:
								 *(_t172 + 0xb7c) = _t208;
								goto L74;
							}
							goto L17;
						}
						__eflags = _t205 - 0xffffffff;
						if(_t205 != 0xffffffff) {
							goto L15;
						}
						_t156 = E0005F82E(_t172, _t177, _t202, GetFocus());
						__eflags = _t156 - _t172;
						if(_t156 != _t172) {
							goto L15;
						}
						goto L14;
					}
					_t159 = E00155F20(_t201,  *((intOrPtr*)(_t172 + 0xc88)) -  *((intOrPtr*)(_t210 + 0xc)));
					__eflags = _t159 - 1;
					if(_t159 >= 1) {
						goto L11;
					}
					_t162 = E00155F20(_t201,  *((intOrPtr*)(_t172 + 0xc8c)) -  *((intOrPtr*)(_t210 + 0x10)));
					__eflags = _t162 - 1;
					if(_t162 >= 1) {
						goto L11;
					} else {
						 *((intOrPtr*)(_t172 + 0xc88)) =  *((intOrPtr*)(_t210 + 0xc));
						 *((intOrPtr*)(_t172 + 0xc8c)) =  *((intOrPtr*)(_t210 + 0x10));
						goto L74;
					}
				} else {
					if( *((intOrPtr*)(__ecx + 0xb30)) != 0) {
						_t165 =  *((intOrPtr*)(__ecx + 0xc98));
						_t216 =  *((intOrPtr*)(_t210 + 0xc)) -  *((intOrPtr*)(_t165 + 0x54)) - 5;
						if( *((intOrPtr*)(_t210 + 0xc)) -  *((intOrPtr*)(_t165 + 0x54)) >= 5) {
							_push(__ecx);
							E00066590(__ecx, _t210 - 0x4c, __edx, __edi, 0, _t216);
							 *(_t210 - 4) = 0;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							 *((intOrPtr*)(_t172 + 0xc70)) =  *((intOrPtr*)(_t210 + 0xc));
							_t198 = 2;
							_t208 = _t198;
							_t205 = _t198;
							E00074321(_t172, _t210 - 0x4c, _t210 - 0x20, _t198, _t198, _t216, _t172 + 0xc68, _t198, _t198, _t210 - 0x20, _t198, _t198, 0, 0);
							 *(_t210 - 4) =  *(_t210 - 4) | 0xffffffff;
							E000665E4(_t172, _t210 - 0x4c, _t210 - 0x20, _t198, _t198,  *(_t210 - 4));
						}
						SetCursor( *0x1c3a80);
					}
					goto L74;
				}
			}

0x00079bd2
0x00079bd2
0x00079bd2
0x00079bd2
0x00079bd9
0x00079bde
0x00079be0
0x00079be8
0x00079fe7
0x00079fe7
0x00079fea
0x00079ff0
0x00079ff5
0x00079ffa
0x00079ffa
0x00079bee
0x00079bf4
0x00079c8b
0x00079c90
0x00079c92
0x00079cd5
0x00079cd5
0x00079cd8
0x00079cdb
0x00079ce1
0x00079ce4
0x00079ceb
0x00079ced
0x00079cf3
0x00079cf6
0x00079cfc
0x00079d03
0x00079d05
0x00079d0b
0x00079d2d
0x00079d2f
0x00079d31
0x00079d36
0x00079d38
0x00079d48
0x00079d48
0x00079d4e
0x00079d51
0x00079d58
0x00079d5f
0x00079d61
0x00079d63
0x00000000
0x00000000
0x00079d65
0x00079d68
0x00079d6a
0x00079d81
0x00079d81
0x00079d81
0x00079d81
0x00000000
0x00079d81
0x00079d6c
0x00079d71
0x00000000
0x00000000
0x00079d75
0x00079d77
0x00079d7d
0x00079d7f
0x00000000
0x00000000
0x00000000
0x00079d53
0x00079d53
0x00079d88
0x00079d88
0x00079d8f
0x00079d91
0x00079d98
0x00079d9a
0x00079da1
0x00079dab
0x00079dad
0x00079db3
0x00079db6
0x00079db8
0x00079dbe
0x00079dcc
0x00079dd2
0x00079dd2
0x00079dbe
0x00079db6
0x00079da1
0x00079d98
0x00079dd8
0x00079ddf
0x00079de4
0x00079de4
0x00079de4
0x00079de8
0x00079def
0x00079df9
0x00079e00
0x00079e07
0x00079e0c
0x00079e0c
0x00079e0d
0x00079e10
0x00079e7d
0x00079e80
0x00079e86
0x00079fe5
0x00079fe5
0x00000000
0x00079fe5
0x00079e8c
0x00079e92
0x00079e96
0x00079e99
0x00079e9c
0x00079e9e
0x00079ea3
0x00079ea5
0x00079ea7
0x00079ea7
0x00079eac
0x00079eaf
0x00079eb7
0x00079ebc
0x00079ec2
0x00079ec4
0x00079ec4
0x00079ec4
0x00079ec9
0x00079ecb
0x00079ecd
0x00079ed3
0x00079ed9
0x00079ed9
0x00079ecb
0x00079ee0
0x00079ee7
0x00079ef9
0x00079ef9
0x00079efd
0x00079f04
0x00079f09
0x00079f09
0x00000000
0x00079ee9
0x00079ee9
0x00079eef
0x00079ef2
0x00000000
0x00000000
0x00079ef4
0x00079ef7
0x00079f10
0x00079f10
0x00079f17
0x00079f30
0x00079f30
0x00079f36
0x00079f39
0x00079f42
0x00079f47
0x00079f4e
0x00079f55
0x00079f5f
0x00079f6c
0x00079f73
0x00079f75
0x00079f77
0x00079f7d
0x00079f7f
0x00079f7f
0x00079f7f
0x00079f7d
0x00079f8a
0x00079f90
0x00079f96
0x00079f9d
0x00079fa3
0x00079fa9
0x00079fab
0x00079fad
0x00079fb6
0x00079faf
0x00079faf
0x00079faf
0x00079fc0
0x00079fc0
0x00079f96
0x00079f55
0x00079fc6
0x00079fd0
0x00079fd6
0x00079fda
0x00079fdf
0x00079fdf
0x00000000
0x00079fda
0x00079f19
0x00079f1f
0x00079f22
0x00000000
0x00000000
0x00079f24
0x00079f2a
0x00000000
0x00000000
0x00000000
0x00079f2a
0x00000000
0x00079ef7
0x00079e12
0x00079e12
0x00079e15
0x00079e17
0x00079e43
0x00079e43
0x00079e49
0x00079e58
0x00079e58
0x00079e5f
0x00079e77
0x00079e77
0x00000000
0x00079e5f
0x00079e4b
0x00079e52
0x00000000
0x00000000
0x00079e54
0x00079e56
0x00000000
0x00000000
0x00000000
0x00079e56
0x00079e19
0x00079e20
0x00079e30
0x00079e30
0x00079e32
0x00079e3b
0x00079e3b
0x00000000
0x00079e32
0x00079e22
0x00079e28
0x00079e2a
0x00000000
0x00000000
0x00079e2c
0x00079e2e
0x00000000
0x00000000
0x00000000
0x00079e2e
0x00079e10
0x00079d51
0x00079d3a
0x00079d3c
0x00079d3e
0x00079d44
0x00079d46
0x00079d22
0x00079d22
0x00000000
0x00079d22
0x00000000
0x00079d46
0x00079d0d
0x00079d10
0x00000000
0x00000000
0x00079d19
0x00079d1e
0x00079d20
0x00000000
0x00000000
0x00000000
0x00079d20
0x00079c9e
0x00079ca4
0x00079ca7
0x00000000
0x00000000
0x00079cb3
0x00079cb9
0x00079cbc
0x00000000
0x00079cbe
0x00079cc1
0x00079cca
0x00000000
0x00079cca
0x00079c02
0x00079c08
0x00079c0e
0x00079c1a
0x00079c1d
0x00079c1f
0x00079c23
0x00079c2b
0x00079c39
0x00079c3a
0x00079c3b
0x00079c3e
0x00079c3f
0x00079c45
0x00079c4a
0x00079c55
0x00079c5c
0x00079c61
0x00079c68
0x00079c68
0x00079c73
0x00079c73
0x00000000
0x00079c08

APIs

__EH_prolog3_GS.LIBCMT ref: 00079BD9
SetCursor.USER32(00000040), ref: 00079C73

Part of subcall function 00066590: __EH_prolog3.LIBCMT ref: 00066597
Part of subcall function 00066590: GetDC.USER32(00000000), ref: 000665C3

Part of subcall function 00074321: __EH_prolog3_GS.LIBCMT ref: 00074328
Part of subcall function 00074321: CreateRectRgnIndirect.GDI32(?), ref: 00074365
Part of subcall function 00074321: CopyRect.USER32(?,?), ref: 0007437B
Part of subcall function 00074321: InflateRect.USER32 ref: 00074391
Part of subcall function 00074321: IntersectRect.USER32(?,?,?), ref: 0007439F
Part of subcall function 00074321: CreateRectRgnIndirect.GDI32(?), ref: 000743A9
Part of subcall function 00074321: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 000743BE
Part of subcall function 00074321: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00074426

Part of subcall function 000665E4: __EH_prolog3.LIBCMT ref: 000665EB
Part of subcall function 000665E4: ReleaseDC.USER32(?,00000000), ref: 00066608

GetFocus.USER32 ref: 00079D12
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 00079DD2
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 00079E77
KillTimer.USER32 ref: 00079FA3
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 00079FC0
UpdateWindow.USER32 ref: 00079FDF

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Create$Timer$H_prolog3H_prolog3_Indirect$CopyCursorFocusInflateIntersectKillMessageReleaseSendUpdateWindow
String ID:
API String ID: 2399994607-0
Opcode ID: a9ec0b1d83e419843cb2567b8a5d26d72264bc27746903f54d4721517c6bfaf4
Instruction ID: 2518f80eee621ca9ba4ef90311706df0c5b55cde1cc594411269cba739fdcad1
Opcode Fuzzy Hash: a9ec0b1d83e419843cb2567b8a5d26d72264bc27746903f54d4721517c6bfaf4
Instruction Fuzzy Hash: 67C16C71A002049FDF659F64C8C4BE977A1AF44324F188679FC1E9E2D6DB789D80CB68

Uniqueness

Uniqueness Score: -1.00%

Function 000BF454 Relevance: 12.1, APIs: 8, Instructions: 149
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000BF454(intOrPtr* __ecx, void* __edx, int _a4, struct tagPOINT _a8, signed short _a12) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				int _t52;
				void* _t63;
				intOrPtr _t66;
				struct HWND__* _t77;
				intOrPtr* _t80;
				void* _t98;
				int _t99;
				RECT* _t100;
				signed int _t102;
				void* _t103;

				_t98 = __edx;
				_t45 =  *0x1c0454; // 0x885926af
				_v8 = _t45 ^ _t102;
				_t80 = __ecx;
				_push(0);
				_t99 =  *((intOrPtr*)( *__ecx + 0x224))();
				if( *((char*)(__ecx + 0x160)) == 0) {
					__eflags = _t99;
					if(_t99 == 0) {
						L23:
						_t82 =  *(_t80 + 0xb0);
						 *((char*)(_t80 + 0x162)) = 0;
						__eflags =  *(_t80 + 0xb0);
						if(__eflags != 0) {
							_push(0);
							E000CC876(_t80, _t82, _t98, _t99, _t100, 0);
						}
						_t49 = E0005F788(_t80, _t80, _t99, __eflags);
						L26:
						return E00150836(_t49, _t80, _v8 ^ _t102, _t98, _t99, _t100);
					}
					__eflags =  *((char*)(__ecx + 0x162));
					if( *((char*)(__ecx + 0x162)) != 0) {
						goto L23;
					}
					_t52 = IsWindowVisible( *(_t99 + 0x20));
					__eflags = _t52;
					if(_t52 == 0) {
						goto L23;
					}
					MapWindowPoints( *(_t80 + 0x20),  *(_t99 + 0x20),  &_a8, 1);
					_t49 = SendMessageW( *(_t99 + 0x20), 0x202, _a4, (_a12 & 0x0000ffff) << 0x00000010 | _a8.x & 0x0000ffff);
					goto L26;
				}
				ReleaseCapture();
				 *((char*)(_t80 + 0x160)) = 0;
				if(_a4 == 0xffff) {
					L6:
					 *((intOrPtr*)( *_t80 + 0x30c))(0);
					_t63 = E000F7EDC(0x1bea58, _t98, E0005F82E(_t80, _t80, _t98, GetParent( *(_t80 + 0x20))));
					if(_t63 != 0) {
						_t75 =  *((intOrPtr*)(_t63 + 0x1b8));
						if( *((intOrPtr*)(_t63 + 0x1b8)) != 0) {
							E000FE1AE(_t75);
						}
					}
					if(( *((intOrPtr*)( *_t80 + 0x1b4))() & 0x00000002) == 0) {
						goto L23;
					} else {
						_t66 =  *((intOrPtr*)(_t80 + 0x1ac));
						if(_t66 != 0 ||  *((intOrPtr*)(_t80 + 0x1b0)) >= _t66) {
							_t99 =  &_v24;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if(_t66 != 0 && ( *((intOrPtr*)( *_t80 + 0x1b4))() & 0x00000002) != 0) {
								E00120185(_t80 + 0x17c, _t98, 1);
							}
							_v28 = _v28 & 0x00000000;
							 *((intOrPtr*)( *_t80 + 0x31c))();
							_t100 =  *((intOrPtr*)( *_t80 + 0x2b0))( &_v28);
							if(_v28 == 0 && IsRectEmpty( &_v24) == 0 && _t100 != _t80) {
								_t99 = _t103 - 0x10;
								_t100 =  &_v24;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t49 =  *((intOrPtr*)( *_t80 + 0x1f8))(5, 1);
							}
							goto L26;
						} else {
							goto L23;
						}
					}
				}
				_t77 =  *(_t80 + 0x174);
				if(_t77 != 0 && IsWindow(_t77) != 0) {
					DestroyWindow( *(_t80 + 0x174));
				}
				 *(_t80 + 0x174) =  *(_t80 + 0x174) & 0x00000000;
				goto L6;
			}

0x000bf454
0x000bf45c
0x000bf463
0x000bf469
0x000bf46d
0x000bf47c
0x000bf47e
0x000bf5af
0x000bf5b1
0x000bf5fd
0x000bf5fd
0x000bf603
0x000bf60a
0x000bf60c
0x000bf60e
0x000bf612
0x000bf612
0x000bf619
0x000bf61e
0x000bf62c
0x000bf62c
0x000bf5b3
0x000bf5ba
0x00000000
0x00000000
0x000bf5bf
0x000bf5c5
0x000bf5c7
0x00000000
0x00000000
0x000bf5d6
0x000bf5f5
0x00000000
0x000bf5f5
0x000bf484
0x000bf491
0x000bf498
0x000bf4c2
0x000bf4c8
0x000bf4e3
0x000bf4ea
0x000bf4ec
0x000bf4f4
0x000bf4f8
0x000bf4f8
0x000bf4f4
0x000bf509
0x00000000
0x000bf50f
0x000bf50f
0x000bf517
0x000bf52b
0x000bf52e
0x000bf52f
0x000bf530
0x000bf531
0x000bf534
0x000bf54c
0x000bf54c
0x000bf553
0x000bf559
0x000bf571
0x000bf573
0x000bf59c
0x000bf59e
0x000bf5a1
0x000bf5a2
0x000bf5a3
0x000bf5a6
0x000bf5a7
0x000bf5a7
0x00000000
0x00000000
0x00000000
0x00000000
0x000bf517
0x000bf509
0x000bf49a
0x000bf4a2
0x000bf4b5
0x000bf4b5
0x000bf4bb
0x00000000

APIs

ReleaseCapture.USER32 ref: 000BF484
IsWindow.USER32(?), ref: 000BF4A5
DestroyWindow.USER32 ref: 000BF4B5
GetParent.USER32(?), ref: 000BF4D1
IsRectEmpty.USER32 ref: 000BF57D
IsWindowVisible.USER32(?), ref: 000BF5BF
MapWindowPoints.USER32 ref: 000BF5D6
SendMessageW.USER32(?,00000202,?,?), ref: 000BF5F5

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
String ID:
API String ID: 3509494761-0
Opcode ID: ba3bcc9fad0366287c7ce01f0f5e4674d8402b1cf2bf331756036b86f5833fbd
Instruction ID: b4c5d87e575120d928a25389d4db1e470d7a84f87ee426a02596a7db7334503c
Opcode Fuzzy Hash: ba3bcc9fad0366287c7ce01f0f5e4674d8402b1cf2bf331756036b86f5833fbd
Instruction Fuzzy Hash: E65145312006469BEF259F68CC99BFA37B6AF45301F1801B8ED0A9F1A6DB71D944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013FA3A Relevance: 12.1, APIs: 8, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E0013FA3A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				struct HRGN__* _t65;
				void* _t81;
				void* _t87;
				void* _t99;
				void* _t121;
				intOrPtr _t126;
				intOrPtr _t127;
				intOrPtr _t128;

				_push(0x10);
				E00151A19(0x172a82, __ebx, __edi, __esi);
				_t87 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x9c)) == 0 || EqualRect(__ecx + 0x7c, _t121 + 8) == 0 || EqualRect(_t87 + 0x8c, _t121 + 0x18) == 0) {
					E0013F952(_t87);
					 *(_t121 - 0x10) = 0;
					 *((intOrPtr*)(_t121 - 0x14)) = 0x17ad2c;
					 *(_t121 - 4) = 0;
					_t126 =  *0x1c65b8; // 0x0
					if(_t126 == 0) {
						_push( *((intOrPtr*)(_t121 + 0x14)) -  *((intOrPtr*)(_t121 + 0xc)));
						_push( *((intOrPtr*)(_t121 + 0x10)) -  *(_t121 + 8));
						_push(0);
					} else {
						_t81 =  *((intOrPtr*)(_t121 + 0x24)) -  *((intOrPtr*)(_t121 + 0x1c));
						_t108 =  *((intOrPtr*)(_t121 + 0x10)) -  *(_t121 + 8);
						_push( *((intOrPtr*)(_t121 + 0x14)) -  *((intOrPtr*)(_t121 + 0xc)) + _t81);
						_push( *((intOrPtr*)(_t121 + 0x10)) -  *(_t121 + 8));
						_push(_t81);
					}
					E000667CA(_t87, _t121 - 0x14, _t108, 0x17ad2c, CreateRectRgn(0, ??, ??, ??));
					 *((intOrPtr*)(_t121 - 0x18)) = 0;
					 *((intOrPtr*)(_t121 - 0x1c)) = 0x17ad2c;
					 *(_t121 - 4) = 1;
					_t127 =  *0x1c65b8; // 0x0
					if(_t127 == 0) {
						_t65 = CreateRectRgnIndirect(_t121 + 0x18);
					} else {
						_t65 = CreateRectRgn( *(_t121 + 0x18), 0,  *((intOrPtr*)(_t121 + 0x20)) -  *(_t121 + 0x18),  *((intOrPtr*)(_t121 + 0x24)) -  *((intOrPtr*)(_t121 + 0x1c)));
					}
					E000667CA(_t87, _t121 - 0x1c, _t108, 0x17ad2c, _t65);
					E00074154(_t121 - 0x14, _t121 - 0x14, _t121 - 0x1c, 2);
					SetWindowRgn( *(_t87 + 0x20),  *(_t121 - 0x10), 0);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t87 + 0x9c)) = 1;
					_push(0x58);
					_push( *((intOrPtr*)(_t87 + 0x98)) -  *((intOrPtr*)(_t87 + 0x90)) -  *((intOrPtr*)(_t121 + 0xc)) +  *((intOrPtr*)(_t121 + 0x14)));
					_push( *((intOrPtr*)(_t121 + 0x10)) -  *(_t121 + 8));
					_t99 = _t87;
					_t128 =  *0x1c65b8; // 0x0
					if(_t128 == 0) {
						_push( *((intOrPtr*)(_t121 + 0xc)));
					} else {
						_push( *((intOrPtr*)(_t121 + 0x1c)));
					}
					_push( *(_t121 + 8));
					_push(0x1c3428);
					E00063614(_t99);
					 *((intOrPtr*)(_t87 + 0xa0)) = 1;
					RedrawWindow( *(_t87 + 0x20), 0, 0, 0x105);
					 *(_t121 - 4) = 0;
					 *((intOrPtr*)(_t121 - 0x1c)) = 0x17ad2c;
					E00051420(_t121 - 0x1c, _t108);
					 *(_t121 - 4) =  *(_t121 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t121 - 0x14)) = 0x17ad2c;
					_t76 = E00051420(_t121 - 0x14, _t108);
				}
				return E00151AF1(_t76);
			}

0x0013fa3a
0x0013fa41
0x0013fa46
0x0013fa50
0x0013fa7d
0x0013fa87
0x0013fa8a
0x0013fa8d
0x0013fa90
0x0013fa96
0x0013fabd
0x0013fabe
0x0013fabf
0x0013fa98
0x0013fa9e
0x0013faa7
0x0013faac
0x0013faad
0x0013faae
0x0013faae
0x0013facb
0x0013fad0
0x0013fad3
0x0013fad6
0x0013fada
0x0013fae0
0x0013fb00
0x0013fae2
0x0013faf4
0x0013faf4
0x0013fb0a
0x0013fb1b
0x0013fb27
0x0013fb33
0x0013fb34
0x0013fb35
0x0013fb36
0x0013fb46
0x0013fb47
0x0013fb48
0x0013fb49
0x0013fb4a
0x0013fb60
0x0013fb6a
0x0013fb6b
0x0013fb6c
0x0013fb6e
0x0013fb74
0x0013fb7b
0x0013fb76
0x0013fb76
0x0013fb76
0x0013fb7e
0x0013fb81
0x0013fb86
0x0013fb95
0x0013fb9f
0x0013fbad
0x0013fbb1
0x0013fbb4
0x0013fbb9
0x0013fbc0
0x0013fbc3
0x0013fbc3
0x0013fbcd

APIs

__EH_prolog3.LIBCMT ref: 0013FA41
EqualRect.USER32 ref: 0013FA60
EqualRect.USER32 ref: 0013FA71
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 0013FAC1
CreateRectRgn.GDI32(?,00000000,?,?), ref: 0013FAF4
CreateRectRgnIndirect.GDI32(?), ref: 0013FB00
SetWindowRgn.USER32(?,?,00000000), ref: 0013FB27
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 0013FB9F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Create$EqualWindow$H_prolog3IndirectRedraw
String ID:
API String ID: 1234839666-0
Opcode ID: 2a3e029e5f27c801381e130e622a0b41dd7eb47b9581feb7a63927dad90d80de
Instruction ID: ab580c5641fa3bd817fa90228936435f6deac2065280a2f8d3f6cea7e74f6394
Opcode Fuzzy Hash: 2a3e029e5f27c801381e130e622a0b41dd7eb47b9581feb7a63927dad90d80de
Instruction Fuzzy Hash: 9051167190010AEFCB05DFA4C995EEF7BB9AF44344F108129BC1AAB255D770AA46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0005FF68 Relevance: 12.1, APIs: 8, Instructions: 134
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0005FF68(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, struct tagRECT* _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v12;
				long _v16;
				long _v20;
				struct tagRECT _v36;
				void* _v40;
				struct HWND__* _v44;
				signed int _v48;
				intOrPtr _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t59;
				signed int _t65;
				signed int _t75;
				struct tagRECT* _t79;
				intOrPtr _t80;
				long _t90;
				int _t91;
				struct HWND__* _t94;
				signed int _t95;

				_t80 = __ecx;
				_t59 =  *0x1c0454; // 0x885926af
				_v8 = _t59 ^ _t95;
				_t89 = _a28;
				_t79 = _a20;
				_v52 = __ecx;
				_v44 = 0;
				_v12 = _a28;
				_v16 = 0;
				_v20 = 0;
				if(_a24 == 0) {
					GetClientRect( *(__ecx + 0x20),  &_v36);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				_t65 = _a16 & 0xffff7fff;
				_v48 = _t65;
				if(_t65 == 1) {
					_t16 =  &_v40;
					 *_t16 = _v40 & 0x00000000;
					__eflags =  *_t16;
				} else {
					_v40 = BeginDeferWindowPos(8);
				}
				_t94 = GetTopWindow( *(_v52 + 0x20));
				_t90 = 0;
				_t98 = _t94;
				if(_t94 == 0) {
					L15:
					if(_v48 != 1) {
						__eflags = _a12 - _t90;
						if(_a12 != _t90) {
							__eflags = _v44 - _t90;
							if(_v44 != _t90) {
								_t67 = E0005F82E(_t79, _t80, _t89, _v44);
								__eflags = _v48 - 2;
								if(_v48 == 2) {
									_v36.left = _v36.left + _t79->left;
									_v36.top = _v36.top + _t79->top;
									_v36.right = _v36.right - _t79->right;
									_t46 =  &(_v36.bottom);
									 *_t46 = _v36.bottom - _t79->bottom;
									__eflags =  *_t46;
								}
								__eflags = _a16 & 0x00008000;
								if((_a16 & 0x00008000) == 0) {
									_t89 =  *_t67;
									 *((intOrPtr*)( *_t67 + 0x68))( &_v36, _t90);
									_t67 = E0005D772( &_v40, _v44,  &_v36);
								}
							}
						}
						__eflags = _v40 - _t90;
						if(_v40 != _t90) {
							_t67 = EndDeferWindowPos(_v40);
						}
					} else {
						if(_a28 == _t90) {
							_t79->right = _v20;
							_t67 = _v16;
							_t79->top = _t90;
							_t79->left = _t90;
							_t79->bottom = _v16;
						} else {
							_t67 = CopyRect(_t79,  &_v36);
						}
					}
					return E00150836(_t67, _t79, _v8 ^ _t95, _t89, _t90, _t94);
				} else {
					do {
						_t91 = GetDlgCtrlID(_t94);
						_t75 = E0005F85A(_t79, _t80, _t89, _t91, _t94, _t98, _t94);
						if(_t91 != _a12) {
							__eflags = _t91 - _a4;
							if(__eflags >= 0) {
								__eflags = _t91 - _a8;
								if(__eflags <= 0) {
									__eflags = _t75;
									if(__eflags != 0) {
										SendMessageW(_t94, 0x361, 0,  &_v40);
									}
								}
							}
						} else {
							_v44 = _t94;
						}
						_t94 = GetWindow(_t94, 2);
					} while (_t94 != 0);
					_t90 = 0;
					goto L15;
				}
			}

0x0005ff68
0x0005ff70
0x0005ff77
0x0005ff7a
0x0005ff7e
0x0005ff88
0x0005ff8b
0x0005ff8e
0x0005ff91
0x0005ff94
0x0005ff99
0x0005ffab
0x0005ff9b
0x0005ff9e
0x0005ff9f
0x0005ffa0
0x0005ffa1
0x0005ffa1
0x0005ffb4
0x0005ffb9
0x0005ffbf
0x0005ffce
0x0005ffce
0x0005ffce
0x0005ffc1
0x0005ffc9
0x0005ffc9
0x0005ffde
0x0005ffe0
0x0005ffe2
0x0005ffe4
0x00060030
0x00060034
0x0006005b
0x0006005e
0x00060060
0x00060063
0x00060068
0x0006006d
0x00060071
0x00060075
0x0006007b
0x00060081
0x00060087
0x00060087
0x00060087
0x00060087
0x0006008a
0x00060091
0x00060093
0x0006009c
0x000600aa
0x000600aa
0x00060091
0x00060063
0x000600af
0x000600b2
0x000600b7
0x000600b7
0x00060036
0x00060039
0x0006004b
0x0006004e
0x00060051
0x00060054
0x00060056
0x0006003b
0x00060040
0x00060040
0x00060039
0x000600cb
0x0005ffe6
0x0005ffe6
0x0005ffee
0x0005fff0
0x0005fff8
0x0005ffff
0x00060002
0x00060004
0x00060007
0x00060009
0x0006000b
0x00060019
0x00060019
0x0006000b
0x00060007
0x0005fffa
0x0005fffa
0x0005fffa
0x00060028
0x0006002a
0x0006002e
0x00000000
0x0006002e

APIs

GetClientRect.USER32 ref: 0005FFAB
BeginDeferWindowPos.USER32 ref: 0005FFC3
GetTopWindow.USER32(?), ref: 0005FFD8
GetDlgCtrlID.USER32 ref: 0005FFE7
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 00060019
GetWindow.USER32(00000000,00000002), ref: 00060022
CopyRect.USER32(?,?), ref: 00060040
EndDeferWindowPos.USER32(00000000), ref: 000600B7

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 9f3096e79337103b1c795e801d0c0a163d4fa85aae591bd0ddb203ed7a143cf9
Instruction ID: 5684f4674d6e5a7371c991b41452bcb52a1382ed59cf0bce61bea773b2efcfc8
Opcode Fuzzy Hash: 9f3096e79337103b1c795e801d0c0a163d4fa85aae591bd0ddb203ed7a143cf9
Instruction Fuzzy Hash: A1516731900219DFDF21DFA8C884AEEB7FAFF48301F14816AE805AB251D7359984CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00076DE5 Relevance: 12.1, APIs: 8, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00076DE5(void* __ebx, RECT* __ecx, void* __edx, void* __edi, void* __eflags) {
				signed int _v8;
				void* __esi;
				signed int _t32;
				void* _t33;
				RECT* _t36;
				signed int _t51;
				signed int _t57;
				RECT* _t64;
				void* _t70;
				RECT* _t73;
				signed int _t76;
				RECT* _t78;
				RECT* _t79;

				_t70 = __edx;
				_push(__ecx);
				_push(__ebx);
				_push(__edi);
				_t78 = __ecx;
				E000C03F1(__ebx, __ecx, __edi, __eflags);
				_t61 = ReleaseCapture;
				_t64 = 0;
				if( *((intOrPtr*)(_t78 + 0xb30)) != 0) {
					 *((intOrPtr*)(_t78 + 0xc98)) = 0;
					 *((intOrPtr*)(_t78 + 0xb30)) = 0;
					SetRectEmpty(_t78 + 0xc68);
					ReleaseCapture();
					_t57 =  *(_t78 + 0xc90);
					if(_t57 != 0) {
						E0005F82E(ReleaseCapture, 0, _t70, SetCapture( *(_t57 + 0x20)));
						 *(_t78 + 0xc90) =  *(_t78 + 0xc90) & 0x00000000;
					}
				}
				_t32 =  *(_t78 + 0xb78);
				if(_t32 >= 0) {
					L6:
					_t65 = _t78;
					_t33 = E00074F8E(_t78, _t93, _t32);
					if(_t33 != 0) {
						_t76 =  *(_t33 + 0x24) & 0xfffdffff;
						_v8 = _t76;
						if(E0005F82E(_t61, _t65, _t70, GetCapture()) == _t78) {
							ReleaseCapture();
							_t51 =  *(_t78 + 0xc90);
							if(_t51 != 0) {
								E0005F82E(_t61, _t65, _t70, SetCapture( *(_t51 + 0x20)));
								 *(_t78 + 0xc90) =  *(_t78 + 0xc90) & 0x00000000;
							}
							_t76 = _v8;
						}
						 *((intOrPtr*)(_t78->left + 0x374))( *(_t78 + 0xb78), _t76);
					}
					goto L12;
				} else {
					if( *(_t78 + 0xb7c) >= 0) {
						_t93 = _t32;
						if(_t32 >= 0) {
							goto L6;
						}
						L12:
						 *(_t78 + 0xb78) =  *(_t78 + 0xb78) | 0xffffffff;
						 *(_t78 + 0xb7c) =  *(_t78 + 0xb7c) | 0xffffffff;
						_t64 = _t78;
						 *((intOrPtr*)( *_t78 + 0x3b0))(0xffffffff);
					}
				}
				_t73 =  *(_t78 + 0xbcc);
				while(_t73 != 0) {
					_t36 = _t73;
					__eflags = _t73;
					if(__eflags == 0) {
						L19:
						E000655E0(_t64);
						asm("int3");
						_push(_t78);
						_t79 = _t64;
						E0006FD0F(_t61, 0x1c3998, _t70, _t73, _t79, __eflags);
						 *((intOrPtr*)( *((intOrPtr*)(E00074709(_t61, _t73, _t79, __eflags))) + 0x30))();
						E0007500F(_t61, _t79,  *((intOrPtr*)(E00074709(_t61, _t73, _t79, __eflags))), _t73, _t79, __eflags);
						return RedrawWindow( *(_t79 + 0x20), 0, 0, 0x505);
					} else {
						_t64 = _t36->right;
						_t73 = _t73->left;
						__eflags = _t64;
						if(__eflags == 0) {
							goto L19;
						} else {
							 *((intOrPtr*)(_t64->left + 0x58))();
							continue;
						}
					}
					L20:
				}
				return RedrawWindow( *(_t78 + 0x20), _t73, _t73, 0x505);
				goto L20;
			}

0x00076de5
0x00076dea
0x00076deb
0x00076ded
0x00076dee
0x00076df0
0x00076df5
0x00076dfb
0x00076e03
0x00076e0c
0x00076e12
0x00076e18
0x00076e1e
0x00076e20
0x00076e28
0x00076e34
0x00076e39
0x00076e39
0x00076e28
0x00076e40
0x00076e48
0x00076e57
0x00076e58
0x00076e5a
0x00076e61
0x00076e66
0x00076e6c
0x00076e7d
0x00076e7f
0x00076e81
0x00076e89
0x00076e95
0x00076e9a
0x00076e9a
0x00076ea1
0x00076ea1
0x00076eaf
0x00076eaf
0x00000000
0x00076e4a
0x00076e51
0x00076e53
0x00076e55
0x00000000
0x00000000
0x00076eb5
0x00076eb7
0x00076ebe
0x00076ec7
0x00076ec9
0x00076ec9
0x00076e51
0x00076ecf
0x00076eeb
0x00076ed7
0x00076ed9
0x00076edb
0x00076f04
0x00076f04
0x00076f09
0x00076f0c
0x00076f0d
0x00076f14
0x00076f22
0x00076f27
0x00076f3f
0x00076edd
0x00076edd
0x00076ee0
0x00076ee2
0x00076ee4
0x00000000
0x00076ee6
0x00076ee8
0x00000000
0x00076ee8
0x00076ee4
0x00000000
0x00076edb
0x00076f03
0x00000000

APIs

Part of subcall function 000C03F1: ReleaseCapture.USER32 ref: 000C041F
Part of subcall function 000C03F1: IsWindow.USER32(?), ref: 000C0443
Part of subcall function 000C03F1: DestroyWindow.USER32 ref: 000C0453

SetRectEmpty.USER32 ref: 00076E18
ReleaseCapture.USER32 ref: 00076E1E
SetCapture.USER32(?), ref: 00076E2D
GetCapture.USER32 ref: 00076E6F
ReleaseCapture.USER32 ref: 00076E7F
SetCapture.USER32(?), ref: 00076E8E
RedrawWindow.USER32(?,?,?,00000505), ref: 00076EF9
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00076F38

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Capture$Window$Release$Redraw$DestroyEmptyRect
String ID:
API String ID: 2209428161-0
Opcode ID: 04a6f104fb3cb62549a51d9b8d30f55d0d9388b3c8624b2f5a1c9b16860303bd
Instruction ID: 90ebcd1be4e820104282aba73441b21fba40ec9e1f48c5e05aa83cf2083f419a
Opcode Fuzzy Hash: 04a6f104fb3cb62549a51d9b8d30f55d0d9388b3c8624b2f5a1c9b16860303bd
Instruction Fuzzy Hash: A4416C75600A009FDB25AB74C849FAB7BE5BF84711F25462CF46F872A1DB35E840CB64

Uniqueness

Uniqueness Score: -1.00%

Function 000851E9 Relevance: 12.1, APIs: 8, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E000851E9(void* __ebx, struct HWND__* __ecx, void* __edx, void* __eflags, struct tagPOINT _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				void* __edi;
				void* __esi;
				signed int _t27;
				intOrPtr* _t33;
				intOrPtr* _t43;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t58;
				void* _t64;
				intOrPtr* _t65;
				struct HWND__* _t66;
				signed int _t67;

				_t64 = __edx;
				_t55 = __ecx;
				_t52 = __ebx;
				_t27 =  *0x1c0454; // 0x885926af
				_v8 = _t27 ^ _t67;
				_t66 = __ecx;
				ScreenToClient( *(__ecx + 0x20),  &_a4);
				_t65 = 0;
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				_t33 = E0006EA25(0x1bcffc, E0005F82E(__ebx, _t55, _t64, GetParent( *(_t66 + 0x20))));
				if(_t33 != 0) {
					_push(__ebx);
					_t53 = _t33;
					_t58 = _t33;
					while(1) {
						_t65 = E0007ED49(_t53, _t58, _t64);
						if(_t65 == 0) {
							break;
						}
						_t54 =  *((intOrPtr*)( *_t65 + 0x1c0))();
						GetClientRect( *(_t54 + 0x20),  &_v24);
						MapWindowPoints( *(_t54 + 0x20),  *(_t66 + 0x20),  &_v24, 2);
						_push(_a8);
						if(PtInRect( &_v24, _a4.x) != 0) {
							_t43 = _t54;
						} else {
							_t53 = _t65;
							_t58 = _t65;
							continue;
						}
						L11:
						_pop(_t52);
						goto L12;
					}
					_t65 = E0007ED9A(_t53);
					if(_t65 == 0) {
						L10:
						_t43 = 0;
					} else {
						GetClientRect( *(_t65 + 0x20),  &_v24);
						MapWindowPoints( *(_t65 + 0x20), _t66,  &_v24, 2);
						_push(_a8);
						if(PtInRect( &_v24, _a4) == 0) {
							goto L10;
						} else {
							_t43 = _t65;
						}
					}
					goto L11;
				} else {
					_t43 = 0;
				}
				L12:
				return E00150836(_t43, _t52, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x000851e9
0x000851e9
0x000851e9
0x000851f1
0x000851f8
0x00085200
0x00085206
0x0008520f
0x00085211
0x00085214
0x00085217
0x0008521a
0x0008522f
0x00085238
0x00085241
0x00085242
0x00085244
0x0008528c
0x00085291
0x00085295
0x00000000
0x00000000
0x00085252
0x0008525b
0x0008526e
0x00085274
0x00085286
0x000852dc
0x00085288
0x00085288
0x0008528a
0x00000000
0x0008528a
0x000852e2
0x000852e2
0x00000000
0x000852e2
0x0008529e
0x000852a2
0x000852e0
0x000852e0
0x000852a4
0x000852ab
0x000852be
0x000852c4
0x000852d6
0x00000000
0x000852d8
0x000852d8
0x000852d8
0x000852d6
0x00000000
0x0008523a
0x0008523a
0x0008523a
0x000852e3
0x000852f0

APIs

ScreenToClient.USER32(?,?), ref: 00085206
GetParent.USER32(?), ref: 0008521D
GetClientRect.USER32 ref: 000852AB
MapWindowPoints.USER32 ref: 000852BE
PtInRect.USER32(?,?,?), ref: 000852CE

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ClientRect$ParentPointsScreenWindow
String ID:
API String ID: 1402249346-0
Opcode ID: 89f54818c9b13fe8c4839c968274ea6c551872f9b274786c3bc91c2a01ecbb16
Instruction ID: 4b4f4b04adb272b66a34f370e801f1b932c26fd41948f26b5f65869b3ebfd3cd
Opcode Fuzzy Hash: 89f54818c9b13fe8c4839c968274ea6c551872f9b274786c3bc91c2a01ecbb16
Instruction Fuzzy Hash: 45316B32600609AFCB11EFA4CC498BEBBF9FF48311B244429F94AD7661EB30DA40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0006C5F2 Relevance: 12.1, APIs: 8, Instructions: 96
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E0006C5F2(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t37;
				int _t38;
				void* _t39;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;
				intOrPtr* _t72;
				intOrPtr* _t73;
				intOrPtr _t76;
				void* _t77;

				_t74 = __edi;
				_push(0x414);
				E00151AB8(0x168efc, __ebx, __edi, __esi);
				_t76 = __ecx;
				 *((intOrPtr*)(_t77 - 0x41c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x17b574;
				_t66 =  *((intOrPtr*)(__ecx + 0x5c));
				 *(_t77 - 4) = 0;
				 *(_t77 - 4) = 1;
				if(_t66 != 0) {
					 *((intOrPtr*)( *_t66 + 4))(1);
				}
				_t67 =  *((intOrPtr*)(_t76 + 0x8c));
				if(_t67 != 0) {
					 *((intOrPtr*)( *_t67 + 0x1c))(1);
				}
				_t68 =  *((intOrPtr*)(_t76 + 0x90));
				_t83 = _t68;
				if(_t68 != 0) {
					 *((intOrPtr*)( *_t68 + 4))(1);
				}
				if( *((intOrPtr*)(E0006B628(0, _t74, _t76, _t83) + 0x14)) == 0) {
					_t72 =  *0x1c391c; // 0x0
					if(_t72 != 0) {
						 *((intOrPtr*)( *_t72 + 4))(1);
						 *0x1c391c = 0;
					}
					_t73 =  *0x1c3918; // 0x0
					if(_t73 != 0) {
						 *((intOrPtr*)( *_t73 + 4))(1);
						 *0x1c3918 = 0;
					}
				}
				_t35 =  *((intOrPtr*)(_t76 + 0x74));
				if( *((intOrPtr*)(_t76 + 0x74)) != 0) {
					E00071DDC(_t35);
				}
				_t36 =  *((intOrPtr*)(_t76 + 0x78));
				if( *((intOrPtr*)(_t76 + 0x78)) != 0) {
					E00071DDC(_t36);
				}
				_t37 =  *(_t76 + 0x98) & 0x0000ffff;
				if(_t37 != 0) {
					GlobalDeleteAtom(_t37);
				}
				_t38 =  *(_t76 + 0x9a) & 0x0000ffff;
				if(_t38 != 0) {
					GlobalDeleteAtom(_t38);
				}
				_t69 =  *((intOrPtr*)(_t76 + 0x94));
				_t91 = _t69;
				if(_t69 != 0) {
					 *((intOrPtr*)( *_t69 + 4))(1);
				}
				_t39 = E0006B628(0, _t74, _t76, _t91);
				if( *((intOrPtr*)(_t39 + 0x10)) ==  *((intOrPtr*)(_t76 + 0x50))) {
					 *((intOrPtr*)(_t39 + 0x10)) = 0;
				}
				if( *((intOrPtr*)(_t39 + 4)) == _t76) {
					 *((intOrPtr*)(_t39 + 4)) = 0;
				}
				E00150CB2( *((intOrPtr*)(_t76 + 0x50)));
				E00150CB2( *((intOrPtr*)(_t76 + 0x58)));
				E00150CB2( *((intOrPtr*)(_t76 + 0x64)));
				E00150CB2( *((intOrPtr*)(_t76 + 0x68)));
				E00150CB2( *((intOrPtr*)(_t76 + 0x6c)));
				 *((intOrPtr*)(_t76 + 0x2c)) = 0;
				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				E000696EE(0, _t76, _t74, _t76,  *(_t77 - 4));
				return E00151B14(0, _t74, _t76);
			}

0x0006c5f2
0x0006c5f2
0x0006c5fc
0x0006c601
0x0006c603
0x0006c609
0x0006c60f
0x0006c614
0x0006c617
0x0006c61d
0x0006c623
0x0006c623
0x0006c626
0x0006c62e
0x0006c634
0x0006c634
0x0006c637
0x0006c63d
0x0006c63f
0x0006c645
0x0006c645
0x0006c650
0x0006c652
0x0006c65a
0x0006c660
0x0006c663
0x0006c663
0x0006c669
0x0006c671
0x0006c677
0x0006c67a
0x0006c67a
0x0006c671
0x0006c680
0x0006c685
0x0006c688
0x0006c688
0x0006c68d
0x0006c692
0x0006c695
0x0006c695
0x0006c69a
0x0006c6a4
0x0006c6a7
0x0006c6a7
0x0006c6ad
0x0006c6b7
0x0006c6ba
0x0006c6ba
0x0006c6c0
0x0006c6c6
0x0006c6c8
0x0006c6ce
0x0006c6ce
0x0006c6d1
0x0006c6dc
0x0006c6de
0x0006c6de
0x0006c6e4
0x0006c6e6
0x0006c6e6
0x0006c6ec
0x0006c6f4
0x0006c6fc
0x0006c704
0x0006c70c
0x0006c714
0x0006c7cf
0x0006c7d5
0x0006c7df

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0006C5FC
GlobalDeleteAtom.KERNEL32(?), ref: 0006C6A7
GlobalDeleteAtom.KERNEL32(?), ref: 0006C6BA
_free.LIBCMT ref: 0006C6EC
_free.LIBCMT ref: 0006C6F4
_free.LIBCMT ref: 0006C6FC
_free.LIBCMT ref: 0006C704
_free.LIBCMT ref: 0006C70C

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _free$AtomDeleteGlobal$H_prolog3_catch_
String ID:
API String ID: 1844215989-0
Opcode ID: 084dbb003db279e637ec888169125c8d2da3095b2d2061e2b2d383616dc6433a
Instruction ID: e7c70ac91642d2af4d5e4404384e771a903d33fb82ecbb8c64a421455c0faf26
Opcode Fuzzy Hash: 084dbb003db279e637ec888169125c8d2da3095b2d2061e2b2d383616dc6433a
Instruction Fuzzy Hash: 77318E30600740DFDB25AFA4C885E69BBE2BF04300F90846DF59A9B6A2CB70ED80DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0009932D Relevance: 12.1, APIs: 8, Instructions: 75
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0009932D(void* __edx, int _a4) {
				signed int _v8;
				char _v264;
				short _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t17;
				struct HKL__* _t25;
				signed int _t32;
				void* _t40;
				void* _t41;
				void* _t45;
				int _t47;
				void* _t48;
				void* _t51;
				signed int _t55;

				_t45 = __edx;
				_t53 = _t55;
				_t17 =  *0x1c0454; // 0x885926af
				_v8 = _t17 ^ _t55;
				_t47 = _a4;
				if(_t47 - 0x60 > 9 || (0x00008000 & GetAsyncKeyState(0x12)) != 0) {
					if( *0x1c3f24 != 0) {
						goto L8;
					} else {
						if(_t47 - 0x41 <= 0x19 || (0x00008000 & GetAsyncKeyState(0x12)) != 0) {
							_t32 = _t47;
						} else {
							_t32 = E001567E6(_t47);
						}
					}
				} else {
					L8:
					E00151B30( &_v268, 0, 4);
					if(GetKeyboardState( &_v264) == 0) {
						E000655E0(_t41);
					}
					_t25 = GetKeyboardLayout( *(E000695BD() + 0x30));
					ToUnicodeEx(_t47, MapVirtualKeyW(_t47, 0),  &_v264,  &_v268, 2, 1, _t25);
					CharUpperW( &_v268);
					_t32 = _v268 & 0x0000ffff;
				}
				_pop(_t48);
				_pop(_t51);
				_pop(_t40);
				return E00150836(_t32, _t40, _v8 ^ _t53, _t45, _t48, _t51);
			}

0x0009932d
0x00099330
0x00099338
0x0009933f
0x0009934b
0x00099359
0x0009936b
0x00000000
0x0009936d
0x00099373
0x0009937e
0x00099382
0x00099383
0x00099388
0x00099373
0x0009938b
0x0009938b
0x00099396
0x000993ad
0x000993af
0x000993af
0x000993bc
0x000993e0
0x000993ed
0x000993f3
0x000993f3
0x000993fd
0x000993fe
0x00099401
0x00099408

APIs

GetAsyncKeyState.USER32 ref: 0009935D
GetAsyncKeyState.USER32 ref: 00099377
_memset.LIBCMT ref: 00099396
GetKeyboardState.USER32(?), ref: 000993A5
GetKeyboardLayout.USER32 ref: 000993BC
MapVirtualKeyW.USER32(?,00000000), ref: 000993D8
ToUnicodeEx.USER32 ref: 000993E0
CharUpperW.USER32 ref: 000993ED

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual_memset
String ID:
API String ID: 3224171628-0
Opcode ID: 53ab1f5dd8523a5398e7e88d1e2e42d4b80b634125b9fe6505477fd7d2a8fea0
Instruction ID: 072617a59a20e25068f78a0b99f0070a6e890bd6b0e459c1918efa32d7760944
Opcode Fuzzy Hash: 53ab1f5dd8523a5398e7e88d1e2e42d4b80b634125b9fe6505477fd7d2a8fea0
Instruction Fuzzy Hash: 2B21D171904209EBEB20AB649C85FED77BCAB58741F40406AFA45D60D1DB709AC49BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00064CB1 Relevance: 12.1, APIs: 8, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00064CB1(struct HMENU__* _a4, struct HMENU__* _a8, signed int _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				signed int _v20;
				int _t34;
				int _t36;
				struct HMENU__* _t40;

				_v16 = GetMenuItemCount(_a8);
				_t34 = GetMenuItemCount(_a4) - 1;
				_v12 = _t34;
				if(_t34 >= 0) {
					while(1) {
						_t40 = GetSubMenu(_a4, _t34);
						_t36 = 0;
						if(_t40 == 0) {
							goto L15;
						}
						if(_a12 == 0) {
							_v8 = 0;
							if(_v16 <= 0) {
								goto L15;
							}
							while(GetSubMenu(_a8, _v8) != _t40) {
								_v8 = _v8 + 1;
								_t36 = _v8;
								if(_t36 < _v16) {
									continue;
								}
								goto L15;
							}
							_t36 = RemoveMenu(_a4, _v12, 0x400);
							goto L15;
						}
						_t36 = GetMenuItemCount(_t40);
						_v8 = _v8 & 0x00000000;
						_v20 = 0;
						if(0 <= 0) {
							goto L15;
						}
						while(GetSubMenu(_t40, _v8) != _a12) {
							_v8 = _v8 + 1;
							_t36 = _v8;
							if(_t36 < _v20) {
								continue;
							}
							goto L15;
						}
						_t36 = RemoveMenu(_t40, _v8, 0x400);
						_a12 = _a12 & 0x00000000;
						L15:
						_t30 =  &_v12;
						 *_t30 = _v12 - 1;
						if( *_t30 >= 0) {
							_t34 = _v12;
							continue;
						}
						return _t36;
					}
				}
				return _t34;
			}

0x00064cc8
0x00064ccd
0x00064cce
0x00064cd1
0x00064ce4
0x00064cea
0x00064cec
0x00064cf0
0x00000000
0x00000000
0x00064cf5
0x00064d32
0x00064d38
0x00000000
0x00000000
0x00064d3a
0x00064d46
0x00064d49
0x00064d4f
0x00000000
0x00000000
0x00000000
0x00064d51
0x00064d5e
0x00000000
0x00064d5e
0x00064cf8
0x00064cfa
0x00064cfe
0x00064d03
0x00000000
0x00000000
0x00064d05
0x00064d10
0x00064d13
0x00064d19
0x00000000
0x00000000
0x00000000
0x00064d1b
0x00064d26
0x00064d2c
0x00064d64
0x00064d64
0x00064d64
0x00064d67
0x00064ce1
0x00000000
0x00064ce1
0x00000000
0x00064d6e
0x00064ce4
0x00064d71

APIs

GetMenuItemCount.USER32(?), ref: 00064CC3
GetMenuItemCount.USER32(?), ref: 00064CCB
GetSubMenu.USER32 ref: 00064CE8
GetMenuItemCount.USER32(00000000), ref: 00064CF8
GetSubMenu.USER32 ref: 00064D09
RemoveMenu.USER32(00000000,00000000,00000400), ref: 00064D26
GetSubMenu.USER32 ref: 00064D40
RemoveMenu.USER32(?,?,00000400), ref: 00064D5E

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: 99572635149ce57ac13daa2ea45fe0fd88a5c6240a2523ed496764de587d4991
Instruction ID: 484e706a48d7493348293830cad44a6e1f190eff0e0c099f70ceacd7f04ec61c
Opcode Fuzzy Hash: 99572635149ce57ac13daa2ea45fe0fd88a5c6240a2523ed496764de587d4991
Instruction Fuzzy Hash: 8C212771D00209FBCF21DFA4CD44A9DBBB6FB44314F2184A2E911A2251D7719A91EF54

Uniqueness

Uniqueness Score: -1.00%

Function 0006C016 Relevance: 12.1, APIs: 8, Instructions: 66
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0006C016(void* __ecx, short* _a4) {
				void* _v8;
				void* _t17;
				void* _t23;
				void* _t37;

				_push(__ecx);
				_t37 = __ecx;
				_t17 =  *(__ecx + 0x78);
				if(_t17 != 0) {
					_t17 = lstrcmpW(GlobalLock(_t17) + ( *(_t18 + 2) & 0x0000ffff) * 2, _a4);
					if(_t17 == 0) {
						_t17 = OpenPrinterW(_a4,  &_v8, 0);
						if(_t17 != 0) {
							_t21 =  *(_t37 + 0x74);
							if( *(_t37 + 0x74) != 0) {
								E00071DDC(_t21);
							}
							_t23 = GlobalAlloc(0x42, DocumentPropertiesW(0, _v8, _a4, 0, 0, 0));
							 *(_t37 + 0x74) = _t23;
							if(DocumentPropertiesW(0, _v8, _a4, GlobalLock(_t23), 0, 2) != 1) {
								E00071DDC( *(_t37 + 0x74));
								 *(_t37 + 0x74) = 0;
							}
							_t17 = ClosePrinter(_v8);
						}
					}
				}
				return _t17;
			}

0x0006c01b
0x0006c01d
0x0006c01f
0x0006c027
0x0006c042
0x0006c04a
0x0006c054
0x0006c05b
0x0006c05d
0x0006c062
0x0006c065
0x0006c065
0x0006c07c
0x0006c083
0x0006c09b
0x0006c0a0
0x0006c0a5
0x0006c0a5
0x0006c0ab
0x0006c0ab
0x0006c05b
0x0006c0b0
0x0006c0b4

APIs

GlobalLock.KERNEL32 ref: 0006C035
lstrcmpW.KERNEL32(00000000,?,?,?,?,?,?,000618BD,?), ref: 0006C042
OpenPrinterW.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,000618BD,?), ref: 0006C054
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,000618BD,?), ref: 0006C074
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0006C07C
GlobalLock.KERNEL32 ref: 0006C086
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,000618BD,?), ref: 0006C093
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,000618BD,?), ref: 0006C0AB

Part of subcall function 00071DDC: GlobalFlags.KERNEL32(?), ref: 00071DEB
Part of subcall function 00071DDC: GlobalUnlock.KERNEL32(?,?,?,?,0006C69A,?,00000414,0005802B), ref: 00071DFC
Part of subcall function 00071DDC: GlobalFree.KERNEL32(?), ref: 00071E06

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: fb5cdf9a7a8dfbb6239f0a80beca0c3ada8ab4d8ca9c731855d437f80dcf425d
Instruction ID: ac35a15d3eb02f21ef4f6245e22367792ca4c8a36474acfee72ab871cc9cfe3e
Opcode Fuzzy Hash: fb5cdf9a7a8dfbb6239f0a80beca0c3ada8ab4d8ca9c731855d437f80dcf425d
Instruction Fuzzy Hash: 94118C71500604BEEB22ABA6CC49DBB7AFEEB85B40B00051AFA49D2061CB35DD51EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0006EB16 Relevance: 12.1, APIs: 8, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0006EB16(void* __ecx) {
				int _t18;
				void* _t21;
				intOrPtr _t24;
				long _t33;
				void* _t35;

				_t35 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = 1;
				 *((intOrPtr*)(_t35 + 0x10c)) = GetSystemMetrics(0x31);
				_t18 = GetSystemMetrics(0x32);
				_t3 = _t35 + 0x164; // 0x1c3afc
				_t33 = _t3;
				 *(_t35 + 0x110) = _t18;
				SetRectEmpty(_t33);
				if(EnumDisplayMonitors(0, 0, E0006EA91, _t33) == 0) {
					_t5 = _t35 + 0x164; // 0x1c3afc
					SystemParametersInfoW(0x30, 0, _t5, 0);
				}
				_t6 = _t35 + 0x190; // 0x1c3b28
				_t21 = _t6;
				 *_t21 = 0;
				 *(_t35 + 0x194) = 0;
				if( *((intOrPtr*)(_t35 + 0x180)) == 0) {
					SystemParametersInfoW(0x1002, 0, _t21, 0);
					if( *(_t35 + 0x190) != 0) {
						_t10 = _t35 + 0x194; // 0x1c3b2c
						SystemParametersInfoW(0x1012, 0, _t10, 0);
					}
				}
				_t11 = _t35 + 0x1a4; // 0x1c3b3c
				 *((intOrPtr*)(_t35 + 0x1c8)) = 0;
				 *((intOrPtr*)(_t35 + 0x1a8)) = 1;
				SystemParametersInfoW(0x100a, 0, _t11, 0);
				_t14 = _t35 + 0x1a4; // 0x0
				_t24 =  *_t14;
				 *((intOrPtr*)(_t35 + 4)) = 0;
				 *((intOrPtr*)(_t35 + 0x1a0)) = _t24;
				return _t24;
			}

0x0006eb21
0x0006eb25
0x0006eb30
0x0006eb36
0x0006eb38
0x0006eb38
0x0006eb3f
0x0006eb45
0x0006eb63
0x0006eb66
0x0006eb70
0x0006eb70
0x0006eb72
0x0006eb72
0x0006eb78
0x0006eb7a
0x0006eb86
0x0006eb90
0x0006eb98
0x0006eb9b
0x0006eba8
0x0006eba8
0x0006eb98
0x0006ebab
0x0006ebb8
0x0006ebbe
0x0006ebc8
0x0006ebca
0x0006ebca
0x0006ebd0
0x0006ebd4
0x0006ebdc

APIs

GetSystemMetrics.USER32 ref: 0006EB2C
GetSystemMetrics.USER32 ref: 0006EB36
SetRectEmpty.USER32 ref: 0006EB45
EnumDisplayMonitors.USER32(00000000,00000000,0006EA91,001C3AFC), ref: 0006EB55
SystemParametersInfoW.USER32 ref: 0006EB70
SystemParametersInfoW.USER32 ref: 0006EB90
SystemParametersInfoW.USER32 ref: 0006EBA8
SystemParametersInfoW.USER32 ref: 0006EBC8

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: 5d958426e98eaa64ed46b0d92f4e5775d7ce75cdbdcfe9a725b7e280db463f01
Instruction ID: 4ec732bdf9015f60eea6a6fc18f797e869e7515bc32537a8b527b73a53c3fd82
Opcode Fuzzy Hash: 5d958426e98eaa64ed46b0d92f4e5775d7ce75cdbdcfe9a725b7e280db463f01
Instruction Fuzzy Hash: 40110AB5501B40AFE3319B66CC49EE3BAFCFFC9B00F00091EE59A86140D7B06481CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00064EBE Relevance: 12.1, APIs: 8, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00064EBE(void* __ecx, void* _a4, void* _a8) {
				long _v8;
				void* __ebp;
				long _t10;
				void* _t12;
				void* _t14;
				void* _t21;

				_t10 = GlobalSize(_a8);
				_t21 = _a4;
				_v8 = _t10;
				if(_t21 != 0) {
					if(_v8 > GlobalSize(_t21)) {
						goto L2;
					} else {
						goto L4;
					}
				} else {
					_t21 = GlobalAlloc(0x2002, _t10);
					if(_t21 != 0) {
						L4:
						_a4 = GlobalLock(_a8);
						_t14 = GlobalLock(_t21);
						_push(_v8);
						E00053E80(_t14, GlobalSize(_t21), _a4);
						GlobalUnlock(_t21);
						GlobalUnlock(_a8);
						_t12 = _t21;
					} else {
						L2:
						_t12 = 0;
					}
				}
				return _t12;
			}

0x00064ecf
0x00064ed1
0x00064ed4
0x00064ed9
0x00064ef7
0x00000000
0x00000000
0x00000000
0x00000000
0x00064edb
0x00064ee7
0x00064eeb
0x00064ef9
0x00064f06
0x00064f09
0x00064f0b
0x00064f18
0x00064f27
0x00064f2c
0x00064f2e
0x00064eed
0x00064eed
0x00064eed
0x00064eed
0x00064eeb
0x00064f34

APIs

GlobalSize.KERNEL32(?), ref: 00064ECF
GlobalAlloc.KERNEL32(00002002,00000000), ref: 00064EE1
GlobalSize.KERNEL32(?), ref: 00064EF2
GlobalLock.KERNEL32 ref: 00064F03
GlobalLock.KERNEL32 ref: 00064F09
GlobalSize.KERNEL32(?), ref: 00064F14
GlobalUnlock.KERNEL32(?), ref: 00064F27
GlobalUnlock.KERNEL32(?), ref: 00064F2C

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc
String ID:
API String ID: 2344174106-0
Opcode ID: eb5ee15a9af26ffcf82aff0a43f01f280b9096da8750bb675a07a319dfcfa32e
Instruction ID: 6a6d675fdfadde31d29dc329cdcc8bfcd3ba60868760d2dbd29cdf0e2f79131c
Opcode Fuzzy Hash: eb5ee15a9af26ffcf82aff0a43f01f280b9096da8750bb675a07a319dfcfa32e
Instruction Fuzzy Hash: CE018F71900219BFDB116F66DC84CAFBFADFF443A0B108026FC0897261DA71DE50DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00072D73 Relevance: 12.0, APIs: 8, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00072D73(void* __ecx) {
				struct HDC__* _t15;
				void* _t17;

				_t17 = __ecx;
				 *((intOrPtr*)(_t17 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t17 + 0xc)) = GetSystemMetrics(0xc);
				 *0x1c3e40 = GetSystemMetrics(2) + 1;
				 *0x1c3e44 = GetSystemMetrics(3) + 1;
				_t15 = GetDC(0);
				 *((intOrPtr*)(_t17 + 0x18)) = GetDeviceCaps(_t15, 0x58);
				 *((intOrPtr*)(_t17 + 0x1c)) = GetDeviceCaps(_t15, 0x5a);
				return ReleaseDC(0, _t15);
			}

0x00072d80
0x00072d86
0x00072d8d
0x00072d95
0x00072d9f
0x00072db0
0x00072dba
0x00072dc2
0x00072dce

APIs

GetSystemMetrics.USER32 ref: 00072D82
GetSystemMetrics.USER32 ref: 00072D89
GetSystemMetrics.USER32 ref: 00072D90
GetSystemMetrics.USER32 ref: 00072D9A
GetDC.USER32(00000000), ref: 00072DA4
GetDeviceCaps.GDI32(00000000,00000058), ref: 00072DB5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00072DBD
ReleaseDC.USER32(00000000,00000000), ref: 00072DC5

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 7382bd9041fa0c45ca20785beab94db693a6c5957c7329b20e91d3ba2165cbfe
Instruction ID: 370968d26eb943c1af689f83d5e0872dd18f75387ea16c47f48c9d33e1d5e3e0
Opcode Fuzzy Hash: 7382bd9041fa0c45ca20785beab94db693a6c5957c7329b20e91d3ba2165cbfe
Instruction Fuzzy Hash: ECF067B1E40714ABE7205BB29C4DF167F68FB44B61F004426F6088BAC0CBB598808FC0

Uniqueness

Uniqueness Score: -1.00%

Function 000DDBBE Relevance: 10.8, APIs: 7, Instructions: 325
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E000DDBBE(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t152;
				void* _t161;
				void* _t163;
				signed int _t167;
				intOrPtr _t182;
				intOrPtr* _t192;
				void* _t202;
				WCHAR* _t209;
				int _t210;
				void* _t215;
				int _t219;
				intOrPtr _t223;
				intOrPtr _t229;
				signed int _t230;
				void* _t231;
				void* _t235;
				intOrPtr _t240;
				signed int _t244;
				void* _t284;
				intOrPtr _t286;
				intOrPtr _t287;
				signed int _t288;
				WCHAR* _t291;
				void* _t294;
				void* _t295;

				_t284 = __edx;
				_push(0x19c);
				E00151A82(0x16e27e, __ebx, __edi, __esi);
				_t229 =  *((intOrPtr*)(_t294 + 8));
				 *(_t294 - 0x170) =  *(_t294 + 0x10);
				_t290 = 0;
				 *(_t294 - 0x184) =  *(_t294 + 0x14);
				_t286 = __ecx;
				 *((intOrPtr*)(_t294 - 0x180)) = __ecx;
				 *((intOrPtr*)(_t294 - 0x194)) = _t229;
				 *(_t294 - 0x16c) = 0;
				if((0 | _t229 != 0x00000000) == 0) {
					E000655E0(__ecx);
				}
				 *(_t294 - 0x190) = _t290;
				_t152 = GetMenuItemCount( *(_t229 + 4));
				 *(_t294 - 0x1a4) = _t152;
				 *(_t294 - 0x178) = _t290;
				if(_t152 <= _t290) {
					L50:
					return E00151B05(_t229, _t286, _t290);
				} else {
					goto L3;
				}
				do {
					L3:
					_t291 = GetMenuItemID( *(_t229 + 4),  *(_t294 - 0x178));
					E00051110(_t294 - 0x174, E00065761());
					 *(_t294 - 4) =  *(_t294 - 4) & 0x00000000;
					E00070F12(_t229, _t229,  *(_t294 - 0x178), _t294 - 0x174, 0x400);
					_t235 = 0;
					if( *((intOrPtr*)(_t286 + 0x14c)) == 0) {
						E0007C08E(_t229, _t294 - 0x174, 0x26);
						_t235 = 0;
					}
					if(_t291 == _t235) {
						goto L43;
					}
					if(_t291 == 0xffffffff) {
						_t167 = E00070E3E(_t229, _t235, _t284, _t286, _t291, __eflags, GetSubMenu( *(_t229 + 4),  *(_t294 - 0x178)));
						_t244 =  *0x1c5d78; // 0x0
						_t292 = 0;
						_t230 = _t167;
						__eflags = _t244;
						if(__eflags != 0) {
							_push(_t294 - 0x174);
							_t292 = E000EDB72(_t230, _t284, _t286, 0, __eflags);
						}
						 *((intOrPtr*)(_t294 - 0x18c)) = E000541F0( *((intOrPtr*)(_t294 - 0x174)) + 0xfffffff0) + 0x10;
						 *(_t294 - 4) = 1;
						E0007C08E(_t230, _t294 - 0x18c, 0x26);
						__eflags =  *(_t294 - 0x170);
						if( *(_t294 - 0x170) != 0) {
							E00056590(_t286,  *(_t294 - 0x170));
						}
						__eflags =  *(_t286 + 0x144);
						_t287 =  *((intOrPtr*)(_t294 - 0x18c));
						if(__eflags == 0) {
							E000DDBBE(_t230,  *((intOrPtr*)(_t294 - 0x180)), _t284, _t287, _t292, __eflags, _t230,  *(_t294 + 0xc), 0, 0);
						} else {
							__eflags =  *(_t294 + 0xc);
							if( *(_t294 + 0xc) != 0) {
								__eflags = _t230;
								if(__eflags != 0) {
									_t182 =  *((intOrPtr*)(_t230 + 4));
								} else {
									_t182 = 0;
								}
								_push(0);
								_push( *((intOrPtr*)(_t294 - 0x174)));
								_push(0xffffffff);
								_push(_t182);
								_push(0xffffffff);
								E000C3EAA(_t230, _t294 - 0x168, _t287, _t292, __eflags);
								 *(_t294 - 4) = 2;
								E000C2F22(_t294 - 0x168, _t292);
								_push(0xffffffff);
								_push(_t294 - 0x168);
								_push(_t287);
								E000DD81F(_t230,  *((intOrPtr*)(_t294 - 0x180)), _t284, _t287, _t292, __eflags);
								 *(_t294 - 4) = 1;
								E000C2BFD(_t230, _t294 - 0x168, _t284, _t287, _t292, __eflags);
							}
							E00051110(_t294 - 0x188, E00065761());
							__eflags =  *(_t294 - 0x184);
							 *(_t294 - 4) = 3;
							if( *(_t294 - 0x184) != 0) {
								E00056590(_t287,  *(_t294 - 0x184));
							}
							E0005BFE0(_t294 - 0x188,  *((intOrPtr*)(_t294 - 0x174)),  *((intOrPtr*)( *((intOrPtr*)(_t294 - 0x174)) - 0xc)));
							E000DDBBE(_t230,  *((intOrPtr*)(_t294 - 0x180)), _t284, _t287,  *((intOrPtr*)(_t294 - 0x188)), __eflags, _t230,  *(_t294 + 0xc), _t287,  *((intOrPtr*)(_t294 - 0x188)));
							E00051190( *((intOrPtr*)(_t294 - 0x188)) - 0x10, _t284);
						}
						E00051190(_t287 - 0x10, _t284);
						_t229 =  *((intOrPtr*)(_t294 - 0x194));
						_t286 =  *((intOrPtr*)(_t294 - 0x180));
					} else {
						if( *(_t294 + 0xc) != _t235) {
							_t25 = _t291 - 0xe130; // -57648
							if(_t25 <= 0xf) {
								 *(_t294 - 0x190) = 1;
							}
						}
						if( *(_t294 - 0x170) == _t235) {
							L14:
							_push(_t235);
							_push(_t235);
							_push( *((intOrPtr*)(_t294 - 0x174)));
							_push(0xffffffff);
							_push(_t291);
							E000BE6E2(_t229, _t294 - 0x80, _t284, _t286, _t291, __eflags);
							__eflags =  *(_t294 - 0x184);
							 *(_t294 - 4) = 4;
							if( *(_t294 - 0x184) == 0) {
								L20:
								__eflags =  *(_t294 - 0x170);
								if( *(_t294 - 0x170) != 0) {
									_t192 = E00056620(_t229,  *(_t294 - 0x170));
									_t69 = _t294 - 0x16c;
									 *_t69 =  *(_t294 - 0x16c) | 0x00000002;
									__eflags =  *_t69;
									 *(_t294 - 4) = 0xa;
								} else {
									 *((intOrPtr*)(_t294 - 0x198)) = E000541F0( *((intOrPtr*)(_t286 + 0x13c)) - 0x10) + 0x10;
									 *(_t294 - 0x16c) =  *(_t294 - 0x16c) | 0x00000001;
									_t192 = _t294 - 0x198;
									 *(_t294 - 4) = 9;
								}
								_push(0xffffffff);
								_push(_t294 - 0x80);
								_push( *_t192);
								E000DD81F(_t229, _t286, _t284, _t286, _t291, __eflags);
								__eflags =  *(_t294 - 0x16c) & 0x00000002;
								if(( *(_t294 - 0x16c) & 0x00000002) != 0) {
									 *(_t294 - 0x16c) =  *(_t294 - 0x16c) & 0xfffffffd;
									__eflags =  *((intOrPtr*)(_t294 - 0x1a8)) + 0xfffffff0;
									E00051190( *((intOrPtr*)(_t294 - 0x1a8)) + 0xfffffff0, _t284);
								}
								__eflags =  *(_t294 - 0x16c) & 0x00000001;
								 *(_t294 - 4) = 4;
								if(( *(_t294 - 0x16c) & 0x00000001) != 0) {
									 *(_t294 - 0x16c) =  *(_t294 - 0x16c) & 0xfffffffe;
									__eflags =  *((intOrPtr*)(_t294 - 0x198)) + 0xfffffff0;
									E00051190( *((intOrPtr*)(_t294 - 0x198)) + 0xfffffff0, _t284);
								}
								 *(_t294 - 4) = 0;
								E000BD18C(_t294 - 0x80, _t284);
								goto L43;
							}
							_t202 = E00056620(_t229,  *(_t294 - 0x184));
							 *(_t294 - 4) = 5;
							E0005B6D0(_t229, _t294 - 0x17c, _t202, _t294 - 0x54);
							_t295 = _t295 + 0xc;
							 *(_t294 - 4) = 7;
							E00051190( *((intOrPtr*)(_t294 - 0x1a0)) + 0xfffffff0, _t284);
							_t209 = E000512F0(_t294 - 0x17c,  *((intOrPtr*)( *((intOrPtr*)(_t294 - 0x17c)) - 0xc)) + 1);
							_t231 = lstrlenW;
							_t291 = _t209;
							_t288 = 0;
							_t210 = lstrlenW(_t291);
							__eflags = _t210 - 1;
							if(_t210 - 1 <= 0) {
								L19:
								E000561B0(_t231, _t294 - 0x17c, _t288, 0xffffffff);
								E0007C08E(_t231, _t294 - 0x17c, 0x20);
								_t215 = E0007BADF(_t294 - 0x17c, _t294 - 0x19c, 0x17bc18);
								 *(_t294 - 4) = 8;
								E00054260(_t294 - 0x50, _t215);
								E00051190( *((intOrPtr*)(_t294 - 0x19c)) + 0xfffffff0, _t284);
								__eflags =  *((intOrPtr*)(_t294 - 0x17c)) + 0xfffffff0;
								 *(_t294 - 4) = 4;
								E00051190( *((intOrPtr*)(_t294 - 0x17c)) + 0xfffffff0, _t284);
								_t229 =  *((intOrPtr*)(_t294 - 0x194));
								_t286 =  *((intOrPtr*)(_t294 - 0x180));
								goto L20;
							} else {
								goto L16;
							}
							do {
								L16:
								__eflags = _t291[_t288] - 0x20;
								if(_t291[_t288] == 0x20) {
									_t47 = _t288 * 2; // 0x2
									CharUpperBuffW(_t291 + _t47 + 2, 1);
								}
								_t288 = _t288 + 1;
								_t219 = lstrlenW(_t291);
								__eflags = _t288 - _t219 - 1;
							} while (_t288 < _t219 - 1);
							goto L19;
						}
						_t223 =  *0x1c4948; // 0x0
						if(_t223 == _t235) {
							goto L14;
						}
						_t308 =  *((intOrPtr*)(_t223 + 0x20)) - _t291;
						if( *((intOrPtr*)(_t223 + 0x20)) != _t291) {
							goto L14;
						}
						_push( *(_t294 - 0x170));
						E000DDB43(_t229, _t286, _t284, _t286, _t291, _t308);
					}
					L43:
					 *(_t294 - 4) =  *(_t294 - 4) | 0xffffffff;
					E00051190( *((intOrPtr*)(_t294 - 0x174)) + 0xfffffff0, _t284);
					 *(_t294 - 0x178) =  *(_t294 - 0x178) + 1;
				} while ( *(_t294 - 0x178) <  *(_t294 - 0x1a4));
				_t290 = 0;
				if( *(_t294 - 0x190) != 0 &&  *(_t294 - 0x170) != 0) {
					_t161 = E0006EA25(0x17e958,  *((intOrPtr*)(_t286 + 0x140)));
					if(_t161 != 0) {
						_t240 =  *((intOrPtr*)(_t161 + 0x11c));
						if(_t240 != 0) {
							_t314 =  *((intOrPtr*)(_t161 + 0x12c));
							if( *((intOrPtr*)(_t161 + 0x12c)) != 0) {
								_push(0);
								_push(0);
								_push( *((intOrPtr*)(_t161 + 0x114)));
								_push(0xffffffff);
								_push(_t240);
								_t163 = E000BE6E2(_t229, _t294 - 0x80, _t284, _t286, 0, _t314);
								_push(0xffffffff);
								_push(_t163);
								_push( *(_t294 - 0x170));
								 *(_t294 - 4) = 0xb;
								E000DD81F(_t229, _t286, _t284, _t286, 0, _t314);
								 *(_t294 - 4) =  *(_t294 - 4) | 0xffffffff;
								E000BD18C(_t294 - 0x80, _t284);
							}
						}
					}
				}
				goto L50;
			}

0x000ddbbe
0x000ddbbe
0x000ddbc8
0x000ddbd0
0x000ddbd3
0x000ddbdc
0x000ddbde
0x000ddbeb
0x000ddbed
0x000ddbf3
0x000ddbf9
0x000ddc01
0x000ddc03
0x000ddc03
0x000ddc0b
0x000ddc11
0x000ddc17
0x000ddc1d
0x000ddc25
0x000de0a8
0x000de0ad
0x00000000
0x00000000
0x00000000
0x000ddc2b
0x000ddc2b
0x000ddc3a
0x000ddc48
0x000ddc4d
0x000ddc65
0x000ddc6a
0x000ddc72
0x000ddc7c
0x000ddc81
0x000ddc81
0x000ddc85
0x00000000
0x00000000
0x000ddc8e
0x000ddeac
0x000ddeb1
0x000ddeb7
0x000ddeb9
0x000ddebb
0x000ddebd
0x000ddec5
0x000ddecb
0x000ddecb
0x000ddee0
0x000ddeee
0x000ddef2
0x000ddef7
0x000ddefe
0x000ddf0c
0x000ddf0c
0x000ddf11
0x000ddf18
0x000ddf1e
0x000ddff4
0x000ddf24
0x000ddf24
0x000ddf28
0x000ddf2a
0x000ddf2c
0x000ddf32
0x000ddf2e
0x000ddf2e
0x000ddf2e
0x000ddf35
0x000ddf37
0x000ddf43
0x000ddf45
0x000ddf46
0x000ddf48
0x000ddf54
0x000ddf58
0x000ddf63
0x000ddf6b
0x000ddf6c
0x000ddf6d
0x000ddf78
0x000ddf7c
0x000ddf7c
0x000ddf8d
0x000ddf92
0x000ddf99
0x000ddf9d
0x000ddfab
0x000ddfab
0x000ddfc0
0x000ddfd7
0x000ddfdf
0x000ddfdf
0x000ddffc
0x000de001
0x000de007
0x000ddc94
0x000ddc97
0x000ddc99
0x000ddca2
0x000ddca4
0x000ddca4
0x000ddca2
0x000ddcb4
0x000ddcd6
0x000ddcd6
0x000ddcd7
0x000ddcd8
0x000ddce1
0x000ddce3
0x000ddce4
0x000ddce9
0x000ddcf0
0x000ddcf4
0x000ddde4
0x000ddde4
0x000dddeb
0x000dde25
0x000dde2a
0x000dde2a
0x000dde2a
0x000dde31
0x000ddded
0x000dde00
0x000dde06
0x000dde0d
0x000dde13
0x000dde13
0x000dde3a
0x000dde3f
0x000dde40
0x000dde43
0x000dde48
0x000dde4f
0x000dde57
0x000dde5e
0x000dde61
0x000dde61
0x000dde66
0x000dde6d
0x000dde74
0x000dde7c
0x000dde83
0x000dde86
0x000dde86
0x000dde8e
0x000dde92
0x00000000
0x000dde92
0x000ddd06
0x000ddd17
0x000ddd1b
0x000ddd20
0x000ddd2c
0x000ddd30
0x000ddd46
0x000ddd4b
0x000ddd51
0x000ddd54
0x000ddd56
0x000ddd59
0x000ddd5b
0x000ddd7a
0x000ddd82
0x000ddd8f
0x000ddda6
0x000dddaf
0x000dddb3
0x000dddc1
0x000dddcc
0x000dddcf
0x000dddd3
0x000dddd8
0x000dddde
0x00000000
0x00000000
0x00000000
0x00000000
0x000ddd5d
0x000ddd5d
0x000ddd5d
0x000ddd62
0x000ddd66
0x000ddd6b
0x000ddd6b
0x000ddd72
0x000ddd73
0x000ddd76
0x000ddd76
0x00000000
0x000ddd5d
0x000ddcb6
0x000ddcbd
0x00000000
0x00000000
0x000ddcbf
0x000ddcc2
0x00000000
0x00000000
0x000ddcc4
0x000ddccc
0x000ddccc
0x000de00d
0x000de013
0x000de01a
0x000de01f
0x000de02b
0x000de037
0x000de03f
0x000de054
0x000de05d
0x000de05f
0x000de067
0x000de069
0x000de06f
0x000de077
0x000de078
0x000de079
0x000de07a
0x000de07c
0x000de080
0x000de085
0x000de087
0x000de088
0x000de090
0x000de097
0x000de09c
0x000de0a3
0x000de0a3
0x000de06f
0x000de067
0x000de05d
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 000DDBC8
GetMenuItemCount.USER32(0000000D), ref: 000DDC11
GetMenuItemID.USER32(0000000D,?), ref: 000DDC34

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Part of subcall function 000BE6E2: __EH_prolog3.LIBCMT ref: 000BE6E9

lstrlenW.KERNEL32(00000000,?), ref: 000DDD56
CharUpperBuffW.USER32(00000002,00000001), ref: 000DDD6B
lstrlenW.KERNEL32(00000000), ref: 000DDD73
GetSubMenu.USER32 ref: 000DDEA5

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Menu$Itemlstrlen$BuffCharCountException@8H_prolog3H_prolog3_ThrowUpper
String ID:
API String ID: 2841834857-0
Opcode ID: ea9e08250cb6d3a784ea5df8186e111a982b3e1ae8c88c3b6420b39c4709fddc
Instruction ID: fe455eefa766848242ce4c6706a843a156a738899f42bd5ae0446bb9a521ef8b
Opcode Fuzzy Hash: ea9e08250cb6d3a784ea5df8186e111a982b3e1ae8c88c3b6420b39c4709fddc
Instruction Fuzzy Hash: BAD18A31904228EBDF25EB64CC55BEEB7B4AF05320F1042DAE519672D2DB705E88CF61

Uniqueness

Uniqueness Score: -1.00%

Function 000EA4B1 Relevance: 10.7, APIs: 7, Instructions: 242
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E000EA4B1(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed long long __fp0) {
				void* _t97;
				struct HDC__* _t100;
				signed int _t102;
				signed int _t105;
				signed int _t106;
				void* _t110;
				struct HDC__* _t114;
				unsigned int _t116;
				signed int _t118;
				signed int _t121;
				void* _t127;
				void* _t128;
				unsigned int _t129;
				signed int _t131;
				signed char _t138;
				signed char _t147;
				signed char _t152;
				signed char _t158;
				int _t166;
				unsigned int _t181;
				signed int _t192;
				signed int _t193;
				int _t197;
				intOrPtr _t201;
				void* _t203;
				signed long long* _t204;
				signed long long _t210;

				_t210 = __fp0;
				_t193 = __edx;
				_push(0x54);
				E00151A19(0x16ee4b, __ebx, __edi, __esi);
				_t197 =  *((intOrPtr*)(_t203 + 0x14)) -  *(_t203 + 0xc);
				_t201 = __ecx;
				 *((intOrPtr*)(_t203 - 0x40)) = __ecx;
				 *(_t203 - 0x50) = _t197;
				if(_t197 <= 0) {
					L38:
					_t97 = 1;
				} else {
					_t166 =  *((intOrPtr*)(_t203 + 0x10)) -  *(_t203 + 8);
					 *(_t203 - 0x1c) = _t166;
					if(_t166 <= 0) {
						goto L38;
					} else {
						if( *0x1c3b44 > 8) {
							E00065EC1(_t203 - 0x34);
							_t100 =  *(__ecx + 4);
							 *(_t203 - 4) =  *(_t203 - 4) & 0x00000000;
							__eflags = _t100;
							if(_t100 != 0) {
								_t100 =  *(_t100 + 4);
							}
							_t102 = E000664F6(_t166, _t203 - 0x34, _t193, _t197, CreateCompatibleDC(_t100));
							__eflags = _t102;
							if(_t102 != 0) {
								 *(_t203 - 0x14) =  *(_t203 - 0x14) & 0x00000000;
								 *((intOrPtr*)(_t203 - 0x18)) = 0x179fa0;
								 *(_t203 - 4) = 1;
								_t105 = E000667CA(_t166, _t203 - 0x18, _t193, _t197, CreateCompatibleBitmap( *( *(_t201 + 4) + 4), _t166, _t197));
								__eflags = _t105;
								if(_t105 != 0) {
									_t106 = E00066881( *(_t203 - 0x30),  *(_t203 - 0x14));
									__eflags = _t106;
									_t173 = 0 | __eflags != 0x00000000;
									 *(_t203 - 0x4c) = _t106;
									if(__eflags == 0) {
										E000655E0(_t173);
									}
									 *(_t203 - 0x3c) = _t166;
									 *(_t203 - 0x38) = _t197;
									_t110 = E000E9034(_t203 - 0x3c, _t203 - 0x10);
									 *(_t203 - 0x38) = _t110;
									__eflags = _t110;
									if(_t110 == 0) {
										goto L9;
									} else {
										__eflags =  *(_t203 - 0x10);
										if( *(_t203 - 0x10) == 0) {
											goto L9;
										} else {
											SelectObject( *(_t203 - 0x30), _t110);
											_t114 =  *(_t201 + 4);
											__eflags = _t114;
											if(_t114 != 0) {
												_t114 =  *(_t114 + 4);
											}
											BitBlt( *(_t203 - 0x30), 0, 0, _t166, _t197, _t114,  *(_t203 + 8),  *(_t203 + 0xc), 0xcc0020);
											_t116 =  *(_t203 + 0x1c);
											__eflags = _t116 - 0xffffffff;
											if(_t116 != 0xffffffff) {
												_t193 = (_t116 & 0x000000ff) << 8;
												_t192 = (_t116 >> 0x00000008 & 0x000000ff | _t193) << 0x00000008 | _t116 >> 0x00000010 & 0x000000ff;
												__eflags = _t192;
												 *(_t203 + 0x1c) = _t192;
											}
											__eflags =  *(_t203 + 0x20) - 0xffffffff;
											if( *(_t203 + 0x20) == 0xffffffff) {
												_t158 =  *0x1c39b4; // 0xffffff
												 *(_t203 + 0x20) = _t158;
											}
											_t118 = _t197 *  *(_t203 - 0x1c);
											__eflags = _t118;
											if(_t118 > 0) {
												 *(_t203 - 0x24) = _t118;
												do {
													_t127 =  *( *(_t203 - 0x10));
													__eflags = _t127 -  *(_t203 + 0x1c);
													if(_t127 !=  *(_t203 + 0x1c)) {
														_t128 = E000E9611(_t127, _t203 - 0x60, _t203 - 0x48, _t203 - 0x58);
														asm("fldz");
														_t204 = _t204 - 0x18;
														_t204[2] = _t210;
														_t204[1] =  *(_t203 - 0x58);
														_t210 =  *(_t203 - 0x60);
														 *_t204 = _t210;
														_t129 = E000E93E5(_t128);
														__eflags =  *((intOrPtr*)(_t203 + 0x18)) - 0xffffffff;
														_t181 = _t129;
														if( *((intOrPtr*)(_t203 + 0x18)) != 0xffffffff) {
															asm("fild dword [ebp+0x18]");
															_t204 = _t204 - 0x18;
															_t210 = _t210 *  *0x184450;
															asm("fst qword [esp+0x10]");
															asm("fst qword [esp+0x8]");
															 *_t204 = _t210;
															_push(_t181);
															_t131 = E000E91C4(_t181) | 0xff000000;
															__eflags = _t131;
														} else {
															asm("cdq");
															_t138 = (( *(_t203 + 0x20) >> 0x00000010 & 0x000000ff) - (_t181 & 0x000000ff) - _t193 >> 1) + (_t181 & 0x000000ff);
															 *(_t203 - 0x44) = 0xff;
															__eflags = _t138 - 0xff;
															if(_t138 <= 0xff) {
																 *(_t203 - 0x44) = _t138;
															}
															asm("cdq");
															_t147 = (( *(_t203 + 0x20) >> 0x00000008 & 0x000000ff) - (_t181 >> 0x00000008 & 0x000000ff) - _t193 >> 1) + (_t181 >> 0x00000008 & 0x000000ff);
															 *(_t203 - 0x20) = 0xff;
															__eflags = _t147 - 0xff;
															if(_t147 <= 0xff) {
																 *(_t203 - 0x20) = _t147;
															}
															asm("cdq");
															_t152 = (( *(_t203 + 0x20) & 0x000000ff) - (_t181 >> 0x00000010 & 0x000000ff) - _t193 >> 1) + (_t181 >> 0x00000010 & 0x000000ff);
															__eflags = _t152 - 0xff;
															if(_t152 > 0xff) {
																_t152 = 0xff;
															}
															_t197 =  *(_t203 - 0x50);
															_t131 = ((_t152 & 0x000000ff | 0xffffff00) << 0x00000008 |  *(_t203 - 0x20) & 0x000000ff) << 0x00000008 |  *(_t203 - 0x44) & 0x000000ff;
														}
														 *( *(_t203 - 0x10)) = _t131;
													}
													 *(_t203 - 0x10) =  *(_t203 - 0x10) + 4;
													_t75 = _t203 - 0x24;
													 *_t75 =  *(_t203 - 0x24) - 1;
													__eflags =  *_t75;
												} while ( *_t75 != 0);
												_t201 =  *((intOrPtr*)(_t203 - 0x40));
											}
											BitBlt( *( *(_t201 + 4) + 4),  *(_t203 + 8),  *(_t203 + 0xc),  *(_t203 - 0x1c), _t197,  *(_t203 - 0x30), 0, 0, 0xcc0020);
											_t121 =  *(_t203 - 0x4c);
											__eflags = _t121;
											if(_t121 != 0) {
												_t121 =  *(_t121 + 4);
											}
											E00066881( *(_t203 - 0x30), _t121);
											DeleteObject( *(_t203 - 0x38));
											 *(_t203 - 4) = 0;
											 *((intOrPtr*)(_t203 - 0x18)) = 0x179fa0;
											E00051420(_t203 - 0x18, _t193);
											_t91 = _t203 - 4;
											 *_t91 =  *(_t203 - 4) | 0xffffffff;
											__eflags =  *_t91;
											E00066577(_t203 - 0x34);
											goto L38;
										}
									}
								} else {
									L9:
									 *(_t203 - 4) = 0;
									 *((intOrPtr*)(_t203 - 0x18)) = 0x179fa0;
									E00051420(_t203 - 0x18, _t193);
									goto L7;
								}
							} else {
								L7:
								 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
								E00066577(_t203 - 0x34);
								_t97 = 0;
							}
						} else {
							E000B755D( *(__ecx + 4), _t203 + 8);
							goto L38;
						}
					}
				}
				return E00151AF1(_t97);
			}

0x000ea4b1
0x000ea4b1
0x000ea4b1
0x000ea4b8
0x000ea4c0
0x000ea4c3
0x000ea4c5
0x000ea4c8
0x000ea4cd
0x000ea783
0x000ea785
0x000ea4d3
0x000ea4d6
0x000ea4d9
0x000ea4de
0x00000000
0x000ea4e4
0x000ea4eb
0x000ea501
0x000ea506
0x000ea509
0x000ea50d
0x000ea50f
0x000ea511
0x000ea511
0x000ea51f
0x000ea524
0x000ea526
0x000ea53b
0x000ea53f
0x000ea54e
0x000ea55c
0x000ea561
0x000ea563
0x000ea580
0x000ea587
0x000ea589
0x000ea58c
0x000ea593
0x000ea595
0x000ea595
0x000ea5a2
0x000ea5a5
0x000ea5a8
0x000ea5ad
0x000ea5b0
0x000ea5b2
0x00000000
0x000ea5b4
0x000ea5b4
0x000ea5b8
0x00000000
0x000ea5ba
0x000ea5be
0x000ea5c4
0x000ea5c7
0x000ea5c9
0x000ea5cb
0x000ea5cb
0x000ea5e9
0x000ea5eb
0x000ea5ee
0x000ea5f1
0x000ea5fe
0x000ea60c
0x000ea60c
0x000ea60e
0x000ea60e
0x000ea611
0x000ea615
0x000ea617
0x000ea61c
0x000ea61c
0x000ea621
0x000ea625
0x000ea627
0x000ea62d
0x000ea635
0x000ea638
0x000ea63a
0x000ea63d
0x000ea650
0x000ea655
0x000ea657
0x000ea65a
0x000ea661
0x000ea665
0x000ea668
0x000ea66b
0x000ea670
0x000ea674
0x000ea676
0x000ea6f3
0x000ea6f6
0x000ea6f9
0x000ea6ff
0x000ea703
0x000ea707
0x000ea70a
0x000ea710
0x000ea710
0x000ea678
0x000ea686
0x000ea68b
0x000ea68d
0x000ea690
0x000ea692
0x000ea694
0x000ea694
0x000ea6aa
0x000ea6af
0x000ea6b1
0x000ea6b4
0x000ea6b6
0x000ea6b8
0x000ea6b8
0x000ea6c7
0x000ea6cc
0x000ea6ce
0x000ea6d0
0x000ea6d2
0x000ea6d2
0x000ea6d8
0x000ea6ef
0x000ea6ef
0x000ea718
0x000ea718
0x000ea71a
0x000ea71e
0x000ea71e
0x000ea71e
0x000ea71e
0x000ea727
0x000ea727
0x000ea746
0x000ea748
0x000ea74b
0x000ea74d
0x000ea74f
0x000ea74f
0x000ea756
0x000ea75e
0x000ea767
0x000ea76b
0x000ea772
0x000ea777
0x000ea777
0x000ea777
0x000ea77e
0x00000000
0x000ea77e
0x000ea5b8
0x000ea565
0x000ea565
0x000ea568
0x000ea56c
0x000ea573
0x00000000
0x000ea573
0x000ea528
0x000ea528
0x000ea528
0x000ea52f
0x000ea534
0x000ea534
0x000ea4ed
0x000ea4f4
0x00000000
0x000ea4f4
0x000ea4eb
0x000ea4de
0x000ea78b

APIs

__EH_prolog3.LIBCMT ref: 000EA4B8
CreateCompatibleDC.GDI32(?), ref: 000EA515

Part of subcall function 000B755D: FillRect.USER32 ref: 000B7571

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CompatibleCreateFillH_prolog3Rect
String ID:
API String ID: 2215992850-0
Opcode ID: 85dd04abfa8969b8477a547601f6ff804dafe01e0389b7011eb6574740e503b1
Instruction ID: 548d1959086898c2d062714044290a53c01337911f8884d6276b7197268bb7a4
Opcode Fuzzy Hash: 85dd04abfa8969b8477a547601f6ff804dafe01e0389b7011eb6574740e503b1
Instruction Fuzzy Hash: AD919971A0025A9FCB14DFA9CC85AEEBBF5FF49300F444119F465E6291DB34E905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00085805 Relevance: 10.7, APIs: 7, Instructions: 225
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00085805(int __ecx, void* __edx, void* __eflags, int _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr _v28;
				long _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t49;
				intOrPtr _t55;
				intOrPtr* _t58;
				void* _t65;
				int _t80;
				int _t85;
				void* _t87;
				int _t91;
				int _t92;
				int _t93;
				int _t101;
				int _t129;
				int* _t131;
				signed int* _t134;
				int _t135;
				signed int _t136;

				_t126 = __edx;
				_t102 = __ecx;
				_t49 =  *0x1c0454; // 0x885926af
				_v8 = _t49 ^ _t136;
				_t101 = __ecx;
				_v28 = _a8;
				_t127 = E0006EA25(0x1bcffc, E0005F82E(_t101, _t102, _t126, GetParent( *(__ecx + 0x20))));
				if(_t127 == 0) {
					L2:
					_t105 = _t101;
					_t55 = E00061441(_t101);
					L3:
					SendMessageW( *(_t55 + 0x20), 0x362, 0xe001, 0);
					if(_t127 == 0) {
						L9:
						_t129 = _a4;
						_t144 = _t129;
						if(_t129 == 0) {
							L25:
							if(_v28 != 0) {
								_t105 = _t101;
								 *0x1bd088 = E00074E38(_t101, _v28);
							} else {
								 *0x1bd088 =  *0x1bd088 | 0xffffffff;
							}
							if( *((intOrPtr*)(_t101 + 0xd00)) != 0) {
								_t65 = E0006EA25(0x1bcffc, E0005F82E(_t101, _t105, _t126, GetParent( *(_t101 + 0x20))));
								if(_t65 != 0) {
									_t131 =  *(_t65 + 0x148);
									if(_t131 != 0 && _t131[0x1b] != 0) {
										_t127 =  *_t131;
										_t131[8] = _a4;
										 *((intOrPtr*)( *_t131 + 0xbc))(E0009999D(E00099851(), _a4, 0));
										_v24.left = 0;
										_v24.top = 0;
										_v24.right = 0;
										_v24.bottom = 0;
										E000C2ED1(_t131, 0,  &_v24);
										InvalidateRect( *(_t131[0x1b] + 0x20),  &_v24, 1);
										UpdateWindow( *(_t131[0x1b] + 0x20));
									}
								}
							}
							_t58 = E0006F25D(_t101, _t126, _t101);
							E000855FD(_t101, _t101, _t126, 0, 0);
							return E00150836( *((intOrPtr*)( *_t58 + 0x60))(), _t101, _v8 ^ _t136, _t126, _t127, _t58);
						}
						E000855FD(_t101, _t101, _t126, _t144, 1);
						E000DF533(_t101, _t127, _t129, _t144);
						_t105 = 1;
						if( *((intOrPtr*)(_t101 + 0xd08)) == 0) {
							__eflags =  *(_t101 + 0xcf8);
							if( *(_t101 + 0xcf8) != 0) {
								_t80 =  *0x1c5db0; // 0x0
								__eflags = _t80;
								if(_t80 != 0) {
									 *((intOrPtr*)(_t80 + 0x58)) = _t129;
								}
								goto L25;
							}
							_t127 = E0006EA25(0x1bcffc, E0005F82E(_t101, _t105, _t126, GetParent( *(_t101 + 0x20))));
							_pop(_t105);
							__eflags = _t127;
							if(_t127 == 0) {
								L17:
								E00075EAB(_t126, _t129);
								__eflags = _t127;
								if(_t127 == 0) {
									goto L25;
								}
								_t105 = _t127;
								_t85 = E00080FE9(_t127, _t129);
								__eflags = _t85;
								if(_t85 != 0) {
									goto L25;
								}
								_t105 =  *0x1c4948; // 0x0
								__eflags = _t105;
								if(_t105 == 0) {
									L21:
									__eflags = 0x1ef - _t129 + 0xffff1000;
									asm("sbb esi, esi");
									_t87 = E00061441(_t101);
									_t105 = (__eflags != 0) + 0x111;
									PostMessageW( *(_t87 + 0x20), (__eflags != 0) + 0x111, _a4, 0);
									_t25 = _t127 + 0x10bc; // 0x10bc
									_t134 = _t25;
									_t127 =  *_t134;
									__eflags = _t127;
									if(_t127 != 0) {
										E000E797D(_t101, _t127, 0);
										 *_t134 =  *_t134 & 0x00000000;
										_t105 = _t127;
										E000E7BA2(_t127, _a4);
									}
									goto L25;
								}
								_t91 = E000872F7(_t105, _t129);
								__eflags = _t91;
								if(_t91 != 0) {
									goto L25;
								}
								goto L21;
							}
							_t92 = E0006EA25(0x1be428,  *((intOrPtr*)(_t127 + 0x148)));
							_pop(_t105);
							__eflags = _t92;
							if(_t92 == 0) {
								goto L17;
							}
							_t126 =  *_t92;
							_t105 = _t92;
							_t93 =  *((intOrPtr*)( *_t92 + 0xf8))(_t101, _v28);
							__eflags = _t93;
							if(_t93 != 0) {
								goto L25;
							}
							goto L17;
						}
						if(_t127 != 0) {
							_t105 = _t127;
							 *((intOrPtr*)( *_t127 + 0x1f8))(_t129);
						}
						goto L25;
					} else {
						_v32 = 0;
						_t135 = _t127;
						while(1) {
							_t96 =  *((intOrPtr*)(_t135 + 0x148));
							if( *((intOrPtr*)(_t135 + 0x148)) == 0) {
								break;
							}
							_v32 = E0006EA25(0x1bced8,  *((intOrPtr*)(_t96 + 0x6c)));
							_t135 = E0007ED49(_t101, _t135, _t126);
							if(_t135 != 0) {
								continue;
							}
							break;
						}
						_t105 = _v32;
						if(_t105 != 0) {
							 *((intOrPtr*)( *_t105 + 0x360))();
						}
						goto L9;
					}
				}
				_t55 =  *((intOrPtr*)(_t127 + 0x124));
				if(_t55 != 0) {
					goto L3;
				}
				goto L2;
			}

0x00085805
0x00085805
0x0008580d
0x00085814
0x0008581d
0x00085822
0x0008583c
0x00085844
0x00085850
0x00085850
0x00085852
0x00085857
0x00085865
0x0008586d
0x000858ac
0x000858ac
0x000858af
0x000858b1
0x000859d3
0x000859d7
0x000859e5
0x000859ec
0x000859d9
0x000859d9
0x000859d9
0x000859f8
0x00085a13
0x00085a1c
0x00085a1e
0x00085a26
0x00085a31
0x00085a36
0x00085a48
0x00085a50
0x00085a53
0x00085a56
0x00085a59
0x00085a62
0x00085a73
0x00085a7f
0x00085a7f
0x00085a26
0x00085a1c
0x00085a86
0x00085a92
0x00085aac
0x00085aac
0x000858bb
0x000858c2
0x000858ce
0x000858cf
0x000858e9
0x000858f0
0x000859c7
0x000859cc
0x000859ce
0x000859d0
0x000859d0
0x00000000
0x000859ce
0x00085910
0x00085913
0x00085914
0x00085916
0x00085944
0x00085945
0x0008594a
0x0008594c
0x00000000
0x00000000
0x00085953
0x00085955
0x0008595a
0x0008595c
0x00000000
0x00000000
0x0008595e
0x00085964
0x00085966
0x00085972
0x0008597d
0x00085981
0x00085983
0x00085993
0x0008599d
0x000859a3
0x000859a3
0x000859a9
0x000859ab
0x000859ad
0x000859b3
0x000859bb
0x000859be
0x000859c0
0x000859c0
0x00000000
0x000859ad
0x00085969
0x0008596e
0x00085970
0x00000000
0x00000000
0x00000000
0x00085970
0x00085923
0x00085929
0x0008592a
0x0008592c
0x00000000
0x00000000
0x00085931
0x00085934
0x00085936
0x0008593c
0x0008593e
0x00000000
0x00000000
0x00000000
0x0008593e
0x000858d3
0x000858dc
0x000858de
0x000858de
0x00000000
0x0008586f
0x0008586f
0x00085872
0x00085874
0x00085874
0x0008587c
0x00000000
0x00000000
0x0008588f
0x00085897
0x0008589b
0x00000000
0x00000000
0x00000000
0x0008589b
0x0008589d
0x000858a2
0x000858a6
0x000858a6
0x00000000
0x000858a2
0x0008586d
0x00085846
0x0008584e
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 00085825
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 00085865
GetParent.USER32(?), ref: 000858F9
PostMessageW.USER32 ref: 0008599D
GetParent.USER32(?), ref: 00085A01
InvalidateRect.USER32(?,?,00000001), ref: 00085A73
UpdateWindow.USER32 ref: 00085A7F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Parent$Message$InvalidatePostRectSendUpdateWindow
String ID:
API String ID: 896913059-0
Opcode ID: 6e0b3ebe535c1b0ef44195830b0a1191e5ee214fd95e763928bfad4600905c22
Instruction ID: 7c8c10f498c029558189c54b82b0cf9e33bc84e7c0b8d24d1a4adde2bfc81d45
Opcode Fuzzy Hash: 6e0b3ebe535c1b0ef44195830b0a1191e5ee214fd95e763928bfad4600905c22
Instruction Fuzzy Hash: 9E71B231A006119FDB15AF64CC45BAE77F6FF48712F14016EF889AB292DF70AC808B91

Uniqueness

Uniqueness Score: -1.00%

Function 0009032A Relevance: 10.7, APIs: 7, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0009032A(int __ebx, int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HMENU__* _t84;
				int _t86;
				int _t89;
				int _t92;
				void* _t93;
				int _t96;
				int _t131;
				intOrPtr _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t139;
				void* _t158;
				void* _t162;

				_t137 = __eflags;
				_t129 = __edx;
				_t111 = __ebx;
				_push(0x1f4);
				E00151A82(0x16ade7, __ebx, __edi, __esi);
				_t133 =  *((intOrPtr*)(_t136 + 8));
				_t131 = __ecx;
				_push(__ecx);
				_push(_t133);
				_t113 = __ecx + 0x33c;
				 *(_t136 - 0x1e8) = __ecx;
				 *((intOrPtr*)(_t136 - 0x1ec)) = _t133;
				if(E000CB88C(__ebx, __ecx + 0x33c, __edx, __ecx, _t133, _t137, _t162) == 0) {
					L35:
					return E00151B05(_t111, _t131, _t133);
				}
				_t111 = 0;
				_t139 =  *0x1c3f04 - _t111; // 0x0
				if(_t139 != 0 ||  *((intOrPtr*)(_t131 + 0x118)) == 0) {
					L30:
					if(_t133 == _t111 ||  *((intOrPtr*)(_t133 + 0xebc)) == _t111) {
						_t131 =  *(_t136 - 0x1e8);
						goto L34;
					} else {
						goto L35;
					}
				} else {
					if(_t133 == 0) {
						L34:
						 *((intOrPtr*)( *_t131 + 0x1dc))(_t133);
						goto L35;
					}
					_t84 =  *(_t133 + 0xea8);
					 *(_t136 - 0x1f0) = _t84;
					if(_t84 == 0) {
						goto L30;
					} else {
						_t131 = GetMenuItemCount;
						_t134 = 0;
						 *(_t136 - 0x1f4) = GetMenuItemCount(_t84);
						 *(_t136 - 0x1e4) = 0;
						while(1) {
							_t86 =  *(_t136 - 0x1e4);
							if(_t86 >=  *(_t136 - 0x1f4)) {
								break;
							}
							GetMenuItemID( *(_t136 - 0x1f0), _t86);
							_t113 = 0xf;
							asm("sbb esi, esi");
							_t134 = _t134 + 1;
							 *(_t136 - 0x1e4) = 1 +  *(_t136 - 0x1e4);
							if(_t134 == _t111) {
								continue;
							}
							break;
						}
						_t147 = _t134 - _t111;
						if(_t134 == _t111) {
							L29:
							_t133 =  *((intOrPtr*)(_t136 - 0x1ec));
							goto L30;
						}
						_t135 = E00070E3E(_t111, _t113, _t129, _t131, _t134, _t147,  *((intOrPtr*)( *(_t136 - 0x1e8) + 0x118)));
						if(_t135 == _t111) {
							goto L29;
						}
						_t89 = GetMenuItemCount( *(_t135 + 4));
						 *(_t136 - 0x1fc) = _t89;
						 *(_t136 - 0x1f0) = 1;
						 *(_t136 - 0x1f4) = _t111;
						 *(_t136 - 0x1e4) = _t111;
						if(_t89 <= _t111) {
							L23:
							_t91 =  *((intOrPtr*)( *(_t136 - 0x1e8) + 0x11c));
							if( *((intOrPtr*)( *(_t136 - 0x1e8) + 0x11c)) != _t111 && ( *(_t136 - 0x1f4) != _t111 ||  *((intOrPtr*)( *(_t136 - 0x1e8) + 0x12c)) != _t111)) {
								_t158 =  *0x1bcec8 - _t111; // 0x0
								if(_t158 != 0) {
									E0007A93A(_t91);
								}
								_t92 =  *(_t136 - 0x1e8);
								_push(_t111);
								_push( *((intOrPtr*)(_t92 + 0x114)));
								_push(0xffffffff);
								_push(_t111);
								_push( *((intOrPtr*)(_t92 + 0x11c)));
								_t93 = E000C3EAA(_t111, _t136 - 0x1e0, _t131, _t135, _t158);
								_push(0xffffffff);
								_push(_t93);
								 *(_t136 - 4) = 2;
								E0007EDD2();
								 *(_t136 - 4) =  *(_t136 - 4) | 0xffffffff;
								E000C2BFD(_t111, _t136 - 0x1e0, _t129, _t131, _t135,  *(_t136 - 4));
							}
							goto L29;
						}
						_t131 = 0x400;
						do {
							_t96 = GetMenuItemID( *(_t135 + 4),  *(_t136 - 0x1e4));
							 *(_t136 - 0x200) = _t96;
							if(_t96 >= 0xff00 && _t96 != 0xffffffff) {
								if( *((intOrPtr*)( *(_t136 - 0x1e8) + 0x11c)) == _t111 || _t96 != 0xff09) {
									__eflags =  *(_t136 - 0x1f0) - _t111;
									if( *(_t136 - 0x1f0) != _t111) {
										_push(0xffffffff);
										E0007EDEA();
										 *(_t136 - 0x1f0) = _t111;
										SendMessageW( *( *(_t136 - 0x1e8) + 0x110), 0x234, _t111, _t111);
									}
									E00051110(_t136 - 0x1f8, E00065761());
									 *(_t136 - 4) = _t111;
									E00070F12(_t111, _t135,  *(_t136 - 0x1e4), _t136 - 0x1f8, _t131);
									_push(_t111);
									_push( *((intOrPtr*)(_t136 - 0x1f8)));
									_push(0xffffffff);
									_push(_t111);
									_push( *(_t136 - 0x200));
									E000C3EAA(_t111, _t136 - 0xf8, _t131, _t135, __eflags);
									 *(_t136 - 4) = 1;
									__eflags = GetMenuState( *(_t135 + 4),  *(_t136 - 0x1e4), _t131) & 0x00000008;
									if(__eflags != 0) {
										_t45 = _t136 - 0xd4;
										 *_t45 =  *(_t136 - 0xd4) | 0x00010000;
										__eflags =  *_t45;
									}
									_push(0xffffffff);
									_push(_t136 - 0xf8);
									E0007EDD2();
									 *(_t136 - 4) = _t111;
									E000C2BFD(_t111, _t136 - 0xf8, _t129, _t131, _t135, __eflags);
									 *(_t136 - 4) =  *(_t136 - 4) | 0xffffffff;
									__eflags =  *((intOrPtr*)(_t136 - 0x1f8)) + 0xfffffff0;
									E00051190( *((intOrPtr*)(_t136 - 0x1f8)) + 0xfffffff0, _t129);
								} else {
									 *(_t136 - 0x1f4) = 1;
								}
							}
							 *(_t136 - 0x1e4) = 1 +  *(_t136 - 0x1e4);
						} while ( *(_t136 - 0x1e4) <  *(_t136 - 0x1fc));
						goto L23;
					}
				}
			}

0x0009032a
0x0009032a
0x0009032a
0x0009032a
0x00090334
0x00090339
0x0009033c
0x0009033e
0x0009033f
0x00090340
0x00090346
0x0009034c
0x00090359
0x00090604
0x00090609
0x00090609
0x0009035f
0x00090361
0x00090367
0x000905e2
0x000905e4
0x000905f3
0x00000000
0x000905ee
0x00000000
0x000905f0
0x00090379
0x0009037b
0x000905f9
0x000905fe
0x00000000
0x000905fe
0x00090381
0x00090387
0x0009038f
0x00000000
0x00090395
0x00090395
0x0009039c
0x000903a0
0x000903a6
0x000903ac
0x000903ac
0x000903b8
0x00000000
0x00000000
0x000903c1
0x000903ce
0x000903d1
0x000903d3
0x000903d4
0x000903dc
0x00000000
0x00000000
0x00000000
0x000903dc
0x000903de
0x000903e0
0x000905dc
0x000905dc
0x00000000
0x000905dc
0x000903f7
0x000903fb
0x00000000
0x00000000
0x00090404
0x00090406
0x0009040c
0x00090416
0x0009041c
0x00090424
0x00090562
0x00090568
0x00090570
0x00090588
0x0009058e
0x00090591
0x00090591
0x00090596
0x000905a2
0x000905a3
0x000905a4
0x000905a6
0x000905a7
0x000905b3
0x000905be
0x000905c0
0x000905c1
0x000905c8
0x000905cd
0x000905d7
0x000905d7
0x00000000
0x00090570
0x0009042a
0x0009042f
0x00090438
0x0009043e
0x00090449
0x00090464
0x0009047c
0x00090482
0x0009048a
0x0009048c
0x000904a4
0x000904aa
0x000904aa
0x000904bc
0x000904d1
0x000904d4
0x000904d9
0x000904da
0x000904e6
0x000904e8
0x000904e9
0x000904ef
0x000904fb
0x00090508
0x0009050a
0x0009050c
0x0009050c
0x0009050c
0x0009050c
0x0009051c
0x00090524
0x00090525
0x00090530
0x00090533
0x0009053e
0x00090542
0x00090545
0x0009046d
0x0009046d
0x0009046d
0x00090464
0x0009054a
0x00090556
0x00000000
0x0009042f
0x0009038f

APIs

__EH_prolog3_GS.LIBCMT ref: 00090334

Part of subcall function 000CB88C: __EH_prolog3.LIBCMT ref: 000CB893

GetMenuItemCount.USER32(?), ref: 0009039E
GetMenuItemID.USER32(?,?), ref: 000903C1
GetMenuItemCount.USER32(?), ref: 00090404
GetMenuItemID.USER32(?,?), ref: 00090438
SendMessageW.USER32(?,00000234,00000000,00000000), ref: 000904AA
GetMenuState.USER32(?,?,00000400), ref: 00090502

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Menu$Item$Count$H_prolog3H_prolog3_MessageSendState
String ID:
API String ID: 999183886-0
Opcode ID: 003bdc081554427bee0edce858158e9f5aefab4fbf5b88844944829d711694c0
Instruction ID: d9506e29adf8eb15adaffd02f3b3acc7dc78c019691375f7a9082927bde090ed
Opcode Fuzzy Hash: 003bdc081554427bee0edce858158e9f5aefab4fbf5b88844944829d711694c0
Instruction Fuzzy Hash: CD71387190026A9FCF649F64CD84BEEB7B5AB05314F1542EAE929A3292DB305FC1DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0012FB7E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0012FB7E(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t50;
				intOrPtr* _t51;
				signed short* _t52;
				signed short* _t53;
				signed short* _t58;
				signed short* _t59;
				signed short* _t63;
				signed short* _t65;
				signed short* _t67;
				signed short* _t72;
				signed short* _t73;
				signed short* _t74;
				signed short* _t81;
				signed short* _t89;
				signed short* _t102;
				intOrPtr* _t104;
				signed short* _t105;
				void* _t106;

				_t85 = __ecx;
				_push(0x38);
				E00151A4C(0x1718d9, __ebx, __edi, __esi);
				_t104 = __ecx;
				E0012FAF6(__ecx);
				if( *_t104 != 0) {
					__eflags =  *(_t106 + 8);
					if( *(_t106 + 8) != 0) {
						L4:
						_t50 = E00064D74(_t85,  *(_t106 + 0xc),  *(_t106 + 8), _t106 - 0x44);
						_t100 = _t106 - 0x24;
						_t102 = _t50;
						_t51 =  *_t104;
						 *((intOrPtr*)(_t106 - 0x34)) = 0x27;
						_t52 =  *((intOrPtr*)( *_t51 + 0xc))(_t51, _t102, _t106 - 0x24);
						__eflags = _t52;
						if(_t52 < 0) {
							goto L1;
						}
						__eflags =  *(_t106 - 0x1c);
						if( *(_t106 - 0x1c) == 0) {
							L9:
							E00051110(_t106 + 0xc, E00065761());
							_t58 =  *(_t106 - 0x24) - 1;
							__eflags = _t58;
							 *((intOrPtr*)(_t106 - 4)) = 0;
							 *(_t106 + 8) = 0;
							 *((char*)(_t106 - 4)) = 1;
							if(__eflags == 0) {
								L27:
								_t59 = E0005C37C(__eflags, 0x38);
								 *(_t106 - 0x14) = _t59;
								 *((char*)(_t106 - 4)) = 3;
								__eflags = _t59;
								if(__eflags == 0) {
									_t89 = 0;
									__eflags = 0;
								} else {
									_t89 = E0012FD54(_t59, __eflags, 2, 0x1000);
								}
								 *((char*)(_t106 - 4)) = 1;
								 *(_t106 + 8) = _t89;
								E0012FDB9(_t89,  *((intOrPtr*)(_t106 - 0x20)), 1);
								L14:
								__eflags =  &(( *(_t106 + 0xc))[0xfffffffffffffff8]);
								E00051190( &(( *(_t106 + 0xc))[0xfffffffffffffff8]), _t100);
								_t53 =  *(_t106 + 8);
								L15:
								return E00151AF1(_t53);
							}
							_t63 = _t58 - 1;
							__eflags = _t63;
							if(_t63 == 0) {
								E00056590(_t102,  *((intOrPtr*)(_t106 - 0x20)));
								_t65 = E0005C37C(__eflags, 0x14);
								 *(_t106 - 0x14) = _t65;
								 *((char*)(_t106 - 4)) = 2;
								__eflags = _t65;
								if(__eflags == 0) {
									_t105 = 0;
									__eflags = 0;
								} else {
									_t105 = E0006A523(_t65, __eflags);
								}
								 *((char*)(_t106 - 4)) = 1;
								 *(_t106 + 8) = _t105;
								_t67 =  *((intOrPtr*)( *_t105 + 0x24))( *(_t106 + 0xc), 0x12, 0);
								__eflags = _t67;
								if(_t67 != 0) {
									__imp__CoTaskMemFree( *((intOrPtr*)(_t106 - 0x20)));
								} else {
									 *((intOrPtr*)( *_t105 + 4))(1);
									 *(_t106 + 8) = 0;
								}
								goto L14;
							}
							_t72 = _t63;
							__eflags = _t72;
							if(__eflags == 0) {
								_t73 = E0005C37C(__eflags, 0x1c);
								 *(_t106 - 0x14) = _t73;
								 *((char*)(_t106 - 4)) = 4;
								__eflags = _t73;
								if(__eflags == 0) {
									_t74 = 0;
									__eflags = 0;
								} else {
									_push( *((intOrPtr*)(_t106 - 0x20)));
									_t74 = E0013B627(0, _t73, _t102, _t104, __eflags);
								}
								 *(_t106 + 8) = _t74;
								goto L14;
							}
							__eflags = _t72 - 0x1c;
							if(__eflags == 0) {
								goto L27;
							}
							__imp__ReleaseStgMedium(_t106 - 0x24);
							goto L14;
						}
						 *((intOrPtr*)(_t106 - 0x30)) = 0;
						 *((intOrPtr*)(_t106 - 0x28)) = 0;
						__eflags = _t102;
						if(__eflags == 0) {
							L16:
							__imp__ReleaseStgMedium(_t106 - 0x24);
							goto L1;
						}
						_t81 = E00065255(0, _t102, _t104, __eflags,  *_t102 & 0x0000ffff, _t106 - 0x30, _t106 - 0x24);
						__eflags = _t81;
						if(_t81 == 0) {
							goto L16;
						}
						__imp__ReleaseStgMedium(_t106 - 0x24);
						_t104 = _t106 - 0x30;
						_t102 = _t106 - 0x24;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						goto L9;
					}
					__eflags =  *(_t106 + 0xc);
					if( *(_t106 + 0xc) == 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t53 = 0;
				goto L15;
			}

0x0012fb7e
0x0012fb7e
0x0012fb85
0x0012fb8a
0x0012fb8c
0x0012fb95
0x0012fb9e
0x0012fba2
0x0012fba9
0x0012fbb3
0x0012fbb8
0x0012fbbb
0x0012fbbd
0x0012fbc1
0x0012fbcb
0x0012fbce
0x0012fbd0
0x00000000
0x00000000
0x0012fbd2
0x0012fbd5
0x0012fc09
0x0012fc12
0x0012fc1a
0x0012fc1a
0x0012fc1b
0x0012fc1e
0x0012fc21
0x0012fc25
0x0012fcf2
0x0012fcf4
0x0012fcfa
0x0012fcfd
0x0012fd01
0x0012fd03
0x0012fd17
0x0012fd17
0x0012fd05
0x0012fd13
0x0012fd13
0x0012fd1e
0x0012fd22
0x0012fd25
0x0012fc45
0x0012fc48
0x0012fc4b
0x0012fc50
0x0012fc53
0x0012fc58
0x0012fc58
0x0012fc2b
0x0012fc2b
0x0012fc2c
0x0012fc96
0x0012fc9d
0x0012fca3
0x0012fca6
0x0012fcaa
0x0012fcac
0x0012fcb9
0x0012fcb9
0x0012fcae
0x0012fcb5
0x0012fcb5
0x0012fcc5
0x0012fcc9
0x0012fccc
0x0012fccf
0x0012fcd1
0x0012fce7
0x0012fcd3
0x0012fcd9
0x0012fcdc
0x0012fcdc
0x00000000
0x0012fcd1
0x0012fc2f
0x0012fc2f
0x0012fc30
0x0012fc6c
0x0012fc72
0x0012fc75
0x0012fc79
0x0012fc7b
0x0012fc89
0x0012fc89
0x0012fc7d
0x0012fc7d
0x0012fc82
0x0012fc82
0x0012fc8b
0x00000000
0x0012fc8b
0x0012fc32
0x0012fc35
0x00000000
0x00000000
0x0012fc3f
0x00000000
0x0012fc3f
0x0012fbd7
0x0012fbda
0x0012fbdd
0x0012fbdf
0x0012fc5b
0x0012fc5f
0x00000000
0x0012fc5f
0x0012fbed
0x0012fbf2
0x0012fbf4
0x00000000
0x00000000
0x0012fbfa
0x0012fc00
0x0012fc03
0x0012fc06
0x0012fc07
0x0012fc08
0x00000000
0x0012fc08
0x0012fba4
0x0012fba7
0x00000000
0x00000000
0x00000000
0x0012fba7
0x0012fb97
0x0012fb97
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 0012FB85

Part of subcall function 0012FAF6: OleGetClipboard.OLE32(?), ref: 0012FB0E

ReleaseStgMedium.OLE32(?), ref: 0012FBFA
ReleaseStgMedium.OLE32(?), ref: 0012FC3F
CoTaskMemFree.OLE32(?), ref: 0012FCE7
ReleaseStgMedium.OLE32(?), ref: 0012FC5F

Part of subcall function 0005C37C: _malloc.LIBCMT ref: 0005C39A

Strings

', xrefs: 0012FBC1

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask_malloc
String ID: '
API String ID: 3930503942-1997036262
Opcode ID: 5ebe1f2ddae77c4b3104223e75bb151837bd6aadcdac49208ef8c729acc93336
Instruction ID: 6a5b0f5f31ef809abb6e2a6c3b42cebbd6c7dd3a4188c726faced26ba04230bf
Opcode Fuzzy Hash: 5ebe1f2ddae77c4b3104223e75bb151837bd6aadcdac49208ef8c729acc93336
Instruction Fuzzy Hash: CF516E7190021DEECF15DFA4E994AEDBBF4AF08300F20447DF905AB291D7719AA6CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0007712B Relevance: 10.6, APIs: 7, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0007712B(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t43;
				intOrPtr _t45;
				void* _t46;
				intOrPtr _t50;
				signed int _t54;
				intOrPtr _t60;
				intOrPtr* _t74;
				intOrPtr _t88;
				signed int _t92;

				_t85 = __edx;
				_t43 =  *0x1c0454; // 0x885926af
				_v8 = _t43 ^ _t92;
				_t45 = _a4;
				_t74 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xb04)) != 0) {
					L13:
					_t46 = 0;
					__eflags = 0;
					L14:
					return E00150836(_t46, _t74, _v8 ^ _t92, _t85, _t86, _t90);
				}
				_t94 =  *((intOrPtr*)(__ecx + 0xb44));
				if( *((intOrPtr*)(__ecx + 0xb44)) != 0) {
					goto L13;
				}
				_push(_t45);
				_t90 = E000BD631(__ecx, __ecx, __edx, _t86, _t90, _t94);
				if(_t90 == 0) {
					goto L13;
				}
				_t50 =  *((intOrPtr*)(_t90->left + 0x10))(_t74);
				_t86 = _t50;
				 *((intOrPtr*)(_t90->left + 4))(1);
				if(_t50 == 0) {
					goto L13;
				}
				_t54 = _a8 & 0x00000008;
				_v28 = _t54;
				 *(_t74 + 0xb2c) = _t54;
				if( *((intOrPtr*)(_t74 + 0xc98)) == 0) {
					_t83 =  *(_t74 + 0xb80);
					 *(_t74 + 0xb80) =  *(_t74 + 0xb80) | 0xffffffff;
					if( *(_t74 + 0xb80) != 0xffffffff) {
						E00076CF9(_t74, __edx, _t83);
						UpdateWindow( *(_t74 + 0x20));
					}
				}
				_t85 =  *_t74;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t88 =  *((intOrPtr*)( *_t74 + 0x3dc))(_a12, _a16, _t74 + 0xc58);
				_t90 = _t74 + 0xc58;
				_v32 = _t88;
				if(EqualRect( &_v24, _t74 + 0xc58) == 0) {
					 *((intOrPtr*)(_t74 + 0xb8c)) = _t88;
					InflateRect( &_v24, 2, 2);
					InvalidateRect( *(_t74 + 0x20),  &_v24, 1);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					InflateRect( &_v24, 2, 2);
					InvalidateRect( *(_t74 + 0x20), _t74 + 0xc58, 1);
					UpdateWindow( *(_t74 + 0x20));
				}
				_t86 =  *((intOrPtr*)(_t74 + 0xb7c));
				_t60 =  *((intOrPtr*)( *_t74 + 0x390))(_a12, _a16);
				 *((intOrPtr*)(_t74 + 0xb7c)) = _t60;
				if( *((intOrPtr*)(_t74 + 0xb7c)) != _t60) {
					_t85 =  *_t74;
					 *((intOrPtr*)( *_t74 + 0x3b0))(_t60);
				}
				_t46 = 0;
				if(_v32 != 0xffffffff) {
					_t46 = (0 | _v28 == 0x00000000) + 1;
				}
				goto L14;
			}

0x0007712b
0x00077133
0x0007713a
0x0007713d
0x00077141
0x0007714c
0x0007728e
0x0007728e
0x0007728e
0x00077290
0x0007729e
0x0007729e
0x00077152
0x00077159
0x00000000
0x00000000
0x0007715f
0x00077165
0x00077169
0x00000000
0x00000000
0x00077174
0x00077177
0x0007717f
0x00077184
0x00000000
0x00000000
0x0007718d
0x00077197
0x0007719a
0x000771a0
0x000771a2
0x000771a8
0x000771b2
0x000771b7
0x000771bf
0x000771bf
0x000771b2
0x000771c5
0x000771d2
0x000771d3
0x000771d8
0x000771de
0x000771e5
0x000771e7
0x000771f2
0x000771fd
0x00077207
0x0007720d
0x0007721c
0x00077225
0x00077226
0x00077229
0x00077230
0x00077231
0x00077243
0x0007724c
0x0007724c
0x0007725a
0x00077262
0x00077268
0x00077270
0x00077272
0x00077277
0x00077277
0x0007727d
0x00077283
0x0007728b
0x0007728b
0x00000000

APIs

Part of subcall function 000BD631: __EH_prolog3_catch.LIBCMT ref: 000BD638

UpdateWindow.USER32 ref: 000771BF
EqualRect.USER32 ref: 000771F5
InflateRect.USER32 ref: 0007720D
InvalidateRect.USER32(?,?,00000001), ref: 0007721C
InflateRect.USER32 ref: 00077231
InvalidateRect.USER32(?,?,00000001), ref: 00077243
UpdateWindow.USER32 ref: 0007724C

Part of subcall function 00076CF9: InvalidateRect.USER32(?,?,00000001), ref: 00076D6E
Part of subcall function 00076CF9: InflateRect.USER32 ref: 00076DB4
Part of subcall function 00076CF9: RedrawWindow.USER32(?,?,00000000,00000401), ref: 00076DC7

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
String ID:
API String ID: 1041772997-0
Opcode ID: b8769c1a308c0f9b63a4b5023f09d64c7cd0e841ed76f03f10105e4cac01741b
Instruction ID: 7c941204039af398c5b218f431690827eebc5458f305172c156da380e16936f7
Opcode Fuzzy Hash: b8769c1a308c0f9b63a4b5023f09d64c7cd0e841ed76f03f10105e4cac01741b
Instruction Fuzzy Hash: 3E41AB71A002059FCB11DF68C888BAA77B9BF48350F144279FD1DEF296CB349985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0009A276 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0009A276(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t47;
				long _t48;
				void* _t108;
				void* _t115;
				void* _t116;

				_t108 = __edx;
				_t81 = __ebx;
				_push(0x80);
				E00151A4C(0x16b56d, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t116 - 0x1c)) = __ecx;
				_t47 = E00075658( *((intOrPtr*)(_t116 + 0xc)));
				_t118 = _t47;
				if(_t47 == 0) {
					L6:
					_t48 = 0;
					__eflags = 0;
				} else {
					 *(_t116 - 0x20) = 0;
					 *((intOrPtr*)(_t116 - 0x24)) = __ecx + 4;
					if(E0009A01A(__ecx + 4, _t118, _t116 + 8, _t116 - 0x20) != 0) {
						CloseHandle( *(_t116 - 0x20));
					}
					E00051110(_t116 - 0x18, E00065761());
					 *((intOrPtr*)(_t116 - 4)) = 0;
					GetTempPathW(0x104, E000512F0(_t116 - 0x18, 0x104));
					E000561B0(_t81, _t116 - 0x18, 0, 0xffffffff);
					E00051110(_t116 - 0x14, E00065761());
					 *((char*)(_t116 - 4)) = 1;
					GetTempFileNameW( *(_t116 - 0x18), "AFX", 0, E000512F0(_t116 - 0x14, 0x104));
					E000561B0(1, _t116 - 0x14, 0, 0xffffffff);
					_t115 = CreateFileW( *(_t116 - 0x14), 0xc0000000, 0, 0, 2, 0x4000100, 0);
					 *(_t116 - 0x20) = _t115;
					_t120 = _t115 - 0xffffffff;
					if(_t115 == 0xffffffff) {
						E00051190( &(( *(_t116 - 0x14))[0xfffffffffffffff8]), _t108);
						__eflags =  &(( *(_t116 - 0x18))[0xfffffffffffffff8]);
						E00051190( &(( *(_t116 - 0x18))[0xfffffffffffffff8]), _t108);
						goto L6;
					} else {
						 *((char*)(_t116 - 4)) = 2;
						E0006A54C(_t116 - 0x44, _t120, _t115);
						 *((char*)(_t116 - 4)) = 3;
						E0006D953(1, _t116 - 0x8c, _t108, 0, _t115, _t120);
						_t109 = _t116 - 0x8c;
						 *((intOrPtr*)( *((intOrPtr*)(_t116 - 0x1c)) + 0x20)) = 1;
						 *((char*)(_t116 - 4)) = 4;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0xc)))) + 8))(_t116 - 0x8c, _t116 - 0x44, 0, 0x1000, 0);
						E0006D288(_t116 - 0x8c);
						 *((intOrPtr*)( *((intOrPtr*)(_t116 - 0x1c)) + 0x20)) = 0;
						 *((char*)(_t116 - 4)) = 3;
						E0006D911(1, _t116 - 0x8c, _t116 - 0x8c, 0, _t115, _t120);
						 *((char*)(_t116 - 4)) = 2;
						E0006A691(1, _t116 - 0x44, _t116 - 0x8c, 0, _t115, _t120);
						 *((intOrPtr*)(_t116 - 4)) = 1;
						 *(E0009A171( *((intOrPtr*)(_t116 - 0x24)), _t109, _t120, _t116 + 8)) = _t115;
						E00051190( &(( *(_t116 - 0x14))[0xfffffffffffffff8]), _t109);
						E00051190( &(( *(_t116 - 0x18))[0xfffffffffffffff8]), _t109);
						_t48 = 1;
					}
				}
				return E00151AF1(_t48);
			}

0x0009a276
0x0009a276
0x0009a276
0x0009a280
0x0009a287
0x0009a28d
0x0009a292
0x0009a294
0x0009a418
0x0009a418
0x0009a418
0x0009a29a
0x0009a2a7
0x0009a2aa
0x0009a2b4
0x0009a2b9
0x0009a2b9
0x0009a2c8
0x0009a2d6
0x0009a2e0
0x0009a2eb
0x0009a2f9
0x0009a305
0x0009a317
0x0009a322
0x0009a33f
0x0009a341
0x0009a344
0x0009a347
0x0009a408
0x0009a410
0x0009a413
0x00000000
0x0009a34d
0x0009a351
0x0009a355
0x0009a36b
0x0009a36f
0x0009a37a
0x0009a380
0x0009a386
0x0009a38a
0x0009a393
0x0009a3a1
0x0009a3a4
0x0009a3a8
0x0009a3b0
0x0009a3b4
0x0009a3c0
0x0009a3ce
0x0009a3d0
0x0009a3db
0x0009a3e0
0x0009a3e0
0x0009a347
0x0009a41f

APIs

__EH_prolog3_catch.LIBCMT ref: 0009A280
CloseHandle.KERNEL32(000EC8D0), ref: 0009A2B9
GetTempPathW.KERNEL32(00000104,00000000), ref: 0009A2E0
GetTempFileNameW.KERNEL32(000000FF,AFX,00000000,00000000,00000104,00000000,000000FF,?,00000000), ref: 0009A317
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000), ref: 0009A339

Strings

AFX, xrefs: 0009A30F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: FileTemp$CloseCreateH_prolog3_catchHandleNamePath
String ID: AFX
API String ID: 1737446630-1300893600
Opcode ID: 45b2275486e40548f490d8a2610fcc4142b36153137b70b2b7a3e9e932f5330b
Instruction ID: 3d5b67d1b16f08008b78379607a6df69f99b89bd6439880a4645d52d167da934
Opcode Fuzzy Hash: 45b2275486e40548f490d8a2610fcc4142b36153137b70b2b7a3e9e932f5330b
Instruction Fuzzy Hash: 3E418E70900109AFCB01EBA4CD56EEFBBB8AF55310F104299B925B72E2DB305A49CB65

Uniqueness

Uniqueness Score: -1.00%

Function 000C13F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E000C13F9(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t58;
				signed int _t59;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				void* _t72;
				intOrPtr* _t76;
				void* _t91;
				intOrPtr _t96;
				signed int _t97;
				void* _t99;

				_t91 = __edx;
				_push(0x24);
				E00151A82(0x16d21d, __ebx, __edi, __esi);
				_t96 =  *((intOrPtr*)(_t99 + 0xc));
				_t93 =  *(_t99 + 0x14);
				 *(_t99 - 0x28) =  *(_t99 + 0x18);
				_t76 = __ecx;
				 *((intOrPtr*)(_t99 - 0x30)) =  *((intOrPtr*)(_t99 + 0x24));
				E00051110(_t99 - 0x24, E00065761());
				 *(_t99 - 4) =  *(_t99 - 4) & 0x00000000;
				_t101 = _t96;
				if(_t96 != 0) {
					E00056590(_t93, _t96);
				} else {
					_push(L"Afx:ControlBar");
					_push(_t99 - 0x2c);
					_t72 = E0006F828(__ecx, 0x1c3998, _t93, _t96, _t101);
					 *(_t99 - 4) = 1;
					E00054260(_t99 - 0x24, _t72);
					 *(_t99 - 4) = 0;
					E00051190( *((intOrPtr*)(_t99 - 0x2c)) + 0xfffffff0, _t91);
				}
				 *((intOrPtr*)(_t76 + 0x170)) =  *((intOrPtr*)(_t99 + 0x1c));
				_t97 = 0;
				if(E000C7735(_t76, _t91,  *((intOrPtr*)(_t99 + 8)),  *((intOrPtr*)(_t99 - 0x24)), 0,  *(_t99 + 0x10) | 0x06000000, _t93,  *(_t99 - 0x28),  *((intOrPtr*)(_t99 + 0x1c)),  *((intOrPtr*)(_t99 + 0x20)),  *((intOrPtr*)(_t99 - 0x30))) != 0) {
					CopyRect(_t99 - 0x20, _t93);
					E0006636C( *(_t99 - 0x28), _t99 - 0x20);
					_t58 = IsRectEmpty(_t76 + 0x248);
					__eflags = _t58;
					if(_t58 != 0) {
						_t97 = _t99 - 0x20;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t93 = _t76 + 0x208;
					_t59 = IsRectEmpty(_t76 + 0x208);
					__eflags = _t59;
					if(_t59 != 0) {
						_t97 = _t99 - 0x20;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t61 = IsRectEmpty(_t99 - 0x20);
					__eflags = _t61;
					if(_t61 == 0) {
						_t93 = _t76 + 0x1d8;
						_t97 = _t99 - 0x20;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t62 =  *(_t99 - 0x28);
					__eflags = _t62;
					if(_t62 == 0) {
						_t63 = 0;
						__eflags = 0;
					} else {
						_t63 =  *((intOrPtr*)(_t62 + 0x20));
					}
					 *((intOrPtr*)(_t76 + 0x54)) = _t63;
					E000C0102(_t76, _t91);
					_t66 =  *((intOrPtr*)( *_t76 + 0x1c8))();
					__eflags =  *(_t76 + 0x94) & _t66;
					if(( *(_t76 + 0x94) & _t66) != 0) {
						E0011FD3C(_t76, _t76 + 0x17c, _t91, _t93, _t97, _t76);
					}
					_t97 = 1;
					goto L4;
				} else {
					L4:
					E00051190( *((intOrPtr*)(_t99 - 0x24)) + 0xfffffff0, _t91);
					return E00151B05(_t76, _t93, _t97);
				}
			}

0x000c13f9
0x000c13f9
0x000c1400
0x000c1408
0x000c140b
0x000c140e
0x000c1414
0x000c1416
0x000c1422
0x000c1427
0x000c142b
0x000c142d
0x000c1464
0x000c142f
0x000c142f
0x000c1437
0x000c143d
0x000c1446
0x000c144a
0x000c1455
0x000c1459
0x000c1459
0x000c1472
0x000c1486
0x000c1498
0x000c14b4
0x000c14c1
0x000c14cd
0x000c14d3
0x000c14d5
0x000c14d7
0x000c14da
0x000c14db
0x000c14dc
0x000c14dd
0x000c14dd
0x000c14de
0x000c14e5
0x000c14eb
0x000c14ed
0x000c14ef
0x000c14f2
0x000c14f3
0x000c14f4
0x000c14f5
0x000c14f5
0x000c14fa
0x000c1500
0x000c1502
0x000c1504
0x000c150a
0x000c150d
0x000c150e
0x000c150f
0x000c1510
0x000c1510
0x000c1511
0x000c1514
0x000c1516
0x000c151d
0x000c151d
0x000c1518
0x000c1518
0x000c1518
0x000c1521
0x000c1524
0x000c152d
0x000c1533
0x000c1539
0x000c1542
0x000c1542
0x000c1549
0x00000000
0x000c149a
0x000c149a
0x000c14a0
0x000c14ac
0x000c14ac

APIs

__EH_prolog3_GS.LIBCMT ref: 000C1400

Part of subcall function 0006F828: __EH_prolog3.LIBCMT ref: 0006F82F
Part of subcall function 0006F828: LoadCursorW.USER32 ref: 0006F85B
Part of subcall function 0006F828: GetClassInfoW.USER32 ref: 0006F89F

CopyRect.USER32(?,?), ref: 000C14B4

Part of subcall function 0006636C: ClientToScreen.USER32(?,00081336), ref: 0006637D
Part of subcall function 0006636C: ClientToScreen.USER32(?,0008133E), ref: 0006638A

IsRectEmpty.USER32 ref: 000C14CD
IsRectEmpty.USER32 ref: 000C14E5
IsRectEmpty.USER32 ref: 000C14FA

Strings

Afx:ControlBar, xrefs: 000C142F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Empty$ClientScreen$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
String ID: Afx:ControlBar
API String ID: 2202805320-4244778371
Opcode ID: eadd12f8d9099663ae430242e476a32acf344770d0dda4a3b00c93b2b9255b2b
Instruction ID: fb74631f85c2bc82f9352ec684145c30706aa83bc44b16c4e2bb4c81cd7cc50e
Opcode Fuzzy Hash: eadd12f8d9099663ae430242e476a32acf344770d0dda4a3b00c93b2b9255b2b
Instruction Fuzzy Hash: E2412631A04619ABCF15DFA4CC84FEE77BAAF4A311F040168FD05BB252DB75AA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000AE723 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E000AE723(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t94;
				signed int _t95;
				struct tagRECT* _t99;
				intOrPtr _t118;
				void* _t119;
				void* _t120;

				_t120 = __eflags;
				_t114 = __edx;
				_push(4);
				E00151A19(0x16c258, __ebx, __edi, __esi);
				_t118 = __ecx;
				 *((intOrPtr*)(_t119 - 0x10)) = __ecx;
				E0005E98A(__ecx, __edx, _t120);
				 *((intOrPtr*)(_t119 - 4)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x181bdc;
				E000DF601(__ebx, __ecx + 0x74, __edx, 0, __ecx, _t120);
				 *((char*)(_t119 - 4)) = 1;
				E0012C2AC(_t118 + 0x104, __edx, _t120);
				 *((char*)(_t119 - 4)) = 2;
				E0012BA11(_t118 + 0x1b0, _t120);
				 *((char*)(_t119 - 4)) = 3;
				E0005E98A(_t118 + 0x244, _t114, _t120);
				 *((intOrPtr*)(_t118 + 0x244)) = 0x1788c4;
				 *((char*)(_t119 - 4)) = 4;
				E00051110(_t118 + 0x2d0, E00065761());
				 *((char*)(_t119 - 4)) = 5;
				E00051110(_t118 + 0x2d4, E00065761());
				 *((intOrPtr*)(_t118 + 0x2e4)) = 0;
				 *((intOrPtr*)(_t118 + 0x2e0)) = 0x17bba0;
				_t99 = _t118 + 0x2e8;
				_t99->left = 0;
				_t99->top = 0;
				_t99->right = 0;
				_t99->bottom = 0;
				 *(_t118 + 0x328) = 0;
				 *((intOrPtr*)(_t118 + 0x32c)) = 0;
				 *((intOrPtr*)(_t118 + 0x330)) = 0;
				 *((intOrPtr*)(_t118 + 0x334)) = 0;
				 *(_t118 + 0x338) = 0;
				 *((intOrPtr*)(_t118 + 0x33c)) = 0;
				 *((intOrPtr*)(_t118 + 0x340)) = 0;
				 *((intOrPtr*)(_t118 + 0x344)) = 0;
				E000A9EAE(_t118 + 0x360, 0xa);
				E000A9EAE(_t118 + 0x37c, 0xa);
				 *((intOrPtr*)(_t118 + 0x3c0)) = 0;
				 *((intOrPtr*)(_t118 + 0x3bc)) = 0x177dac;
				 *(_t118 + 0x2f8) =  *(_t118 + 0x2f8) | 0xffffffff;
				 *((char*)(_t119 - 4)) = 0xa;
				 *((intOrPtr*)(_t118 + 0x2dc)) = 0;
				 *((intOrPtr*)(_t118 + 0x304)) = 0;
				 *((intOrPtr*)(_t118 + 0x308)) = 0;
				 *((intOrPtr*)(_t118 + 0x2b8)) = 1;
				 *((intOrPtr*)(_t118 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t118 + 0x2fc)) = 3;
				 *((intOrPtr*)(_t118 + 0x2c4)) = 0;
				 *((intOrPtr*)(_t118 + 0x2c8)) = 0;
				SetRectEmpty(_t99);
				 *((intOrPtr*)(_t118 + 0x318)) = 0;
				SetRectEmpty(_t118 + 0x328);
				SetRectEmpty(_t118 + 0x338);
				 *((intOrPtr*)(_t118 + 0x314)) = 0;
				 *((intOrPtr*)(_t118 + 0x310)) = 0;
				 *((intOrPtr*)(_t118 + 0x31c)) = 0;
				 *((intOrPtr*)(_t118 + 0x320)) = 0;
				 *((intOrPtr*)(_t118 + 0x324)) = 0;
				 *((intOrPtr*)(_t118 + 0x398)) = 0;
				 *((intOrPtr*)(_t118 + 0x350)) = 0;
				 *((intOrPtr*)(_t118 + 0x300)) = 0;
				 *((intOrPtr*)(_t118 + 0x2c0)) = 1;
				 *((intOrPtr*)(_t118 + 0x348)) = 0;
				 *((intOrPtr*)(_t118 + 0x34c)) = 0;
				E00056590(0, L"True");
				E00056590(0, L"False");
				_t94 = 0x2c;
				 *(_t118 + 0x2d8) = _t94;
				_t95 = _t94 | 0xffffffff;
				 *(_t118 + 0x3a0) = _t95;
				 *(_t118 + 0x3a4) = _t95;
				 *(_t118 + 0x3a8) = _t95;
				 *(_t118 + 0x3ac) = _t95;
				 *(_t118 + 0x3b0) = _t95;
				 *(_t118 + 0x3b4) = _t95;
				 *(_t118 + 0x3b8) = _t95;
				 *((intOrPtr*)(_t118 + 0x354)) = 0;
				 *((intOrPtr*)(_t118 + 0x358)) = 1;
				 *((intOrPtr*)(_t118 + 0x35c)) = 1;
				 *((intOrPtr*)(_t118 + 0x2cc)) = 0;
				 *((intOrPtr*)(_t118 + 0x3c4)) = 0;
				 *((char*)(_t118 + 0x24)) = 1;
				return E00151AF1(_t118);
			}

0x000ae723
0x000ae723
0x000ae723
0x000ae72a
0x000ae72f
0x000ae731
0x000ae734
0x000ae73e
0x000ae741
0x000ae747
0x000ae752
0x000ae756
0x000ae761
0x000ae765
0x000ae770
0x000ae774
0x000ae779
0x000ae783
0x000ae793
0x000ae798
0x000ae7a8
0x000ae7ad
0x000ae7b3
0x000ae7bd
0x000ae7c3
0x000ae7c5
0x000ae7c8
0x000ae7cb
0x000ae7ce
0x000ae7d4
0x000ae7da
0x000ae7e0
0x000ae7ee
0x000ae7f4
0x000ae7fa
0x000ae800
0x000ae806
0x000ae813
0x000ae818
0x000ae81e
0x000ae828
0x000ae836
0x000ae83a
0x000ae840
0x000ae846
0x000ae84c
0x000ae856
0x000ae85c
0x000ae866
0x000ae86c
0x000ae872
0x000ae87b
0x000ae881
0x000ae88a
0x000ae88c
0x000ae8a0
0x000ae8a6
0x000ae8ac
0x000ae8b2
0x000ae8b8
0x000ae8be
0x000ae8c4
0x000ae8ca
0x000ae8d0
0x000ae8d6
0x000ae8dc
0x000ae8ec
0x000ae8f3
0x000ae8f4
0x000ae8fb
0x000ae8fe
0x000ae904
0x000ae90a
0x000ae910
0x000ae916
0x000ae91c
0x000ae922
0x000ae928
0x000ae92e
0x000ae934
0x000ae93a
0x000ae940
0x000ae946
0x000ae950

APIs

__EH_prolog3.LIBCMT ref: 000AE72A

Part of subcall function 000DF601: __EH_prolog3.LIBCMT ref: 000DF608

Part of subcall function 0012BA11: SetRectEmpty.USER32 ref: 0012BA41

SetRectEmpty.USER32 ref: 000AE872
SetRectEmpty.USER32 ref: 000AE881
SetRectEmpty.USER32 ref: 000AE88A

Strings

False, xrefs: 000AE8E1
True, xrefs: 000AE895

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: False$True
API String ID: 3752103406-1895882422
Opcode ID: 506f61caf8be17cf46ab10b6ab841fb6b8799f03073f400a778221ea1843b5f5
Instruction ID: f8e50c6fb2c09998828638fea21af3b22b026d9acc3e84c152589fd2b94ccb94
Opcode Fuzzy Hash: 506f61caf8be17cf46ab10b6ab841fb6b8799f03073f400a778221ea1843b5f5
Instruction Fuzzy Hash: 7A51ADB0805B409FC366EF7AC5957DAFAE8BF64300F50494EE4AE97262DBB02644CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0008C939 Relevance: 10.6, APIs: 7, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0008C939(void* __ebx, void* __edx, void* __eflags, long _a4, signed int _a8, long _a12, long _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				void* __ecx;
				void* __ebp;
				long _t32;
				signed int _t34;
				void* _t41;
				struct tagBITMAPINFOHEADER _t50;
				signed int _t51;
				void* _t53;
				long _t55;
				void* _t61;
				void* _t63;
				BITMAPINFO* _t66;
				signed int _t67;
				signed int _t69;
				signed int _t70;

				_t61 = __edx;
				_push(_t53);
				_v8 = _v8 & 0x00000000;
				_t63 = _t53;
				_t66 = E0008C8A6(__ebx,  &_v8, __eflags, 0x428);
				if(_t66 != 0) {
					_push(__ebx);
					_t50 = 0x28;
					E00151B30(_t66, 0, _t50);
					_t55 = _a16;
					_t66->bmiHeader.biWidth = _a4;
					_t66->bmiHeader.biPlanes = 1;
					_t32 = _a12;
					_t66->bmiHeader = _t50;
					_t51 = _a8;
					_t66->bmiHeader.biHeight = _t51;
					_t66->bmiHeader.biBitCount = _t32;
					_t66->bmiHeader.biCompression = _t55;
					__eflags = _t32 - 8;
					if(_t32 > 8) {
						__eflags = _t55 - 3;
						if(_t55 == 3) {
							_t16 =  &(_t66->bmiColors); // 0x28
							_push(E00150B32(_t16, 0xc, _a20, 0xc));
							E00053DF0();
						}
					} else {
						_t14 =  &(_t66->bmiColors); // 0x28
						E00151B30(_t14, 0, 0x400);
					}
					_t17 = _t63 + 8; // 0x8
					_t34 = CreateDIBSection(0, _t66, 0, _t17, 0, 0);
					__eflags = _t34;
					if(_t34 != 0) {
						 *(_t63 + 4) = _t34;
						__eflags = _t51;
						E0008AB63(_t63, _t61, (0 | _t51 > 0x00000000) + 1);
						__eflags = _a24 & 0x00000001;
						if((_a24 & 0x00000001) != 0) {
							 *((char*)(_t63 + 0x1d)) = 1;
						}
						_t67 = _v8;
						while(1) {
							__eflags = _t67;
							if(_t67 == 0) {
								break;
							}
							_t67 =  *_t67;
							E00150CB2(_t67);
						}
						_t41 = 1;
						__eflags = 1;
						goto L20;
					} else {
						_t69 = _v8;
						while(1) {
							__eflags = _t69;
							if(_t69 == 0) {
								break;
							}
							_t69 =  *_t69;
							E00150CB2(_t69);
						}
						_t41 = 0;
						L20:
						L21:
						return _t41;
					}
				}
				_t70 = _v8;
				while(_t70 != 0) {
					_t70 =  *_t70;
					E00150CB2(_t70);
				}
				_t41 = 0;
				goto L21;
			}

0x0008c939
0x0008c93e
0x0008c93f
0x0008c945
0x0008c954
0x0008c958
0x0008c973
0x0008c976
0x0008c97b
0x0008c983
0x0008c986
0x0008c98c
0x0008c990
0x0008c993
0x0008c995
0x0008c99b
0x0008c99e
0x0008c9a2
0x0008c9a5
0x0008c9a8
0x0008c9bf
0x0008c9c2
0x0008c9c9
0x0008c9d4
0x0008c9d5
0x0008c9da
0x0008c9aa
0x0008c9af
0x0008c9b5
0x0008c9ba
0x0008c9e1
0x0008c9e8
0x0008c9ee
0x0008c9f0
0x0008ca08
0x0008ca0d
0x0008ca16
0x0008ca1b
0x0008ca1f
0x0008ca21
0x0008ca21
0x0008ca25
0x0008ca33
0x0008ca33
0x0008ca35
0x00000000
0x00000000
0x0008ca2b
0x0008ca2d
0x0008ca32
0x0008ca39
0x0008ca39
0x00000000
0x0008c9f2
0x0008c9f2
0x0008ca00
0x0008ca00
0x0008ca02
0x00000000
0x00000000
0x0008c9f8
0x0008c9fa
0x0008c9ff
0x0008ca04
0x0008ca3a
0x0008ca3b
0x0008ca3e
0x0008ca3e
0x0008c9f0
0x0008c95a
0x0008c968
0x0008c960
0x0008c962
0x0008c967
0x0008c96c
0x00000000

APIs

Part of subcall function 0008C8A6: _malloc.LIBCMT ref: 0008C8B9

_free.LIBCMT ref: 0008C962
_memset.LIBCMT ref: 0008C97B
_memset.LIBCMT ref: 0008C9B5
_memcpy_s.LIBCMT ref: 0008C9CF
CreateDIBSection.GDI32(00000000,00000000,00000000,00000008,00000000,00000000), ref: 0008C9E8
_free.LIBCMT ref: 0008C9FA
_free.LIBCMT ref: 0008CA2D

Part of subcall function 00150CB2: HeapFree.KERNEL32(00000000,00000000), ref: 00150CC8
Part of subcall function 00150CB2: GetLastError.KERNEL32(00000000,?,00157EF9,00000000,?,0015A71D,?,00000001,?,?,0015EDB7,00000018,001B7030,0000000C,0015EE47,?), ref: 00150CDA

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _free$_memset$CreateErrorFreeHeapLastSection_malloc_memcpy_s
String ID:
API String ID: 2204576675-0
Opcode ID: b4dbce9fa66706485543561da8ed28252b537ddc22300f313067fc40d57b933e
Instruction ID: 96e926e42f141a25b0688339bdf223bf1e8d2452edf2dc575507896018ada2d8
Opcode Fuzzy Hash: b4dbce9fa66706485543561da8ed28252b537ddc22300f313067fc40d57b933e
Instruction Fuzzy Hash: F131CD72910615EBEB25EF64C845FAB73B8BF15364F108559EC86E7241EB70EE0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0005F936 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0005F936(intOrPtr* __ecx, void* __edx) {
				signed int _v8;
				struct HWND__* _v44;
				struct HWND__* _v48;
				intOrPtr _v52;
				void* _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t34;
				long _t48;
				struct HWND__* _t53;
				long _t66;
				intOrPtr* _t68;
				signed int _t69;
				void* _t76;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				signed int _t81;

				_t76 = __edx;
				_t34 =  *0x1c0454; // 0x885926af
				_v8 = _t34 ^ _t81;
				_t80 = __ecx;
				_t77 = E000695BD();
				if(_t77 != 0) {
					if( *((intOrPtr*)(_t77 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t77 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t77 + 0x24)) == _t80) {
						 *((intOrPtr*)(_t77 + 0x24)) = 0;
					}
				}
				_t68 =  *((intOrPtr*)(_t80 + 0x64));
				if(_t68 != 0) {
					 *((intOrPtr*)( *_t68 + 0x50))();
					 *((intOrPtr*)(_t80 + 0x64)) = 0;
				}
				_t69 =  *(_t80 + 0x68);
				if(_t69 != 0) {
					 *((intOrPtr*)( *_t69 + 4))(1);
				}
				 *(_t80 + 0x68) =  *(_t80 + 0x68) & 0x00000000;
				_t92 =  *(_t80 + 0x58) & 1;
				if(( *(_t80 + 0x58) & 1) != 0) {
					_t79 =  *((intOrPtr*)(E0006B65B(1, _t69, _t77, _t80, _t92) + 0x3c));
					if(_t79 != 0) {
						_t94 =  *(_t79 + 0x20);
						if( *(_t79 + 0x20) != 0) {
							E00151B30( &_v56, 0, 0x30);
							_t53 =  *(_t80 + 0x20);
							_v48 = _t53;
							_v44 = _t53;
							_v56 = 0x2c;
							_v52 = 1;
							SendMessageW( *(_t79 + 0x20), 0x433, 0,  &_v56);
						}
					}
				}
				_t78 = GetWindowLongW;
				_t66 = GetWindowLongW( *(_t80 + 0x20), 0xfffffffc);
				E0005F788(_t66, _t80, GetWindowLongW, _t94);
				if(GetWindowLongW( *(_t80 + 0x20), 0xfffffffc) == _t66) {
					_t48 =  *( *((intOrPtr*)( *_t80 + 0xfc))());
					if(_t48 != 0) {
						SetWindowLongW( *(_t80 + 0x20), 0xfffffffc, _t48);
					}
				}
				E0005F8B9(_t66, _t80, _t76);
				return E00150836( *((intOrPtr*)( *_t80 + 0x120))(), _t66, _v8 ^ _t81, _t76, _t78, _t80);
			}

0x0005f936
0x0005f93e
0x0005f945
0x0005f94b
0x0005f952
0x0005f958
0x0005f95d
0x0005f982
0x0005f982
0x0005f988
0x0005f98a
0x0005f98a
0x0005f988
0x0005f98d
0x0005f992
0x0005f996
0x0005f999
0x0005f999
0x0005f99c
0x0005f9a4
0x0005f9a9
0x0005f9a9
0x0005f9ac
0x0005f9b0
0x0005f9b3
0x0005f9ba
0x0005f9bf
0x0005f9c1
0x0005f9c5
0x0005f9cf
0x0005f9d4
0x0005f9da
0x0005f9dd
0x0005f9ee
0x0005f9f5
0x0005f9f8
0x0005f9f8
0x0005f9c5
0x0005f9bf
0x0005fa01
0x0005fa0e
0x0005fa10
0x0005fa1f
0x0005fa2b
0x0005fa2f
0x0005fa37
0x0005fa37
0x0005fa2f
0x0005fa3f
0x0005fa5c

APIs

_memset.LIBCMT ref: 0005F9CF
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 0005F9F8
GetWindowLongW.USER32(?,000000FC), ref: 0005FA0A
GetWindowLongW.USER32(?,000000FC), ref: 0005FA1B
SetWindowLongW.USER32 ref: 0005FA37

Strings

,, xrefs: 0005F9EE

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 583f9955d625717afd91995240c97eb164627df32e9d6109c5a35dda2ec9a6bd
Instruction ID: e79808e911db9c412d0afb313124d8355f3648851ebb26c3d3fa7c2a6822914a
Opcode Fuzzy Hash: 583f9955d625717afd91995240c97eb164627df32e9d6109c5a35dda2ec9a6bd
Instruction Fuzzy Hash: 64419E71600706ABDB21AF74C884B6AB7E9BF48311F14063DE98697692DB34E948CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0014CC34 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0014CC34(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, signed int* _a8, signed int _a12) {
				struct HINSTANCE__* _v8;
				void* __ebx;
				void* __ebp;
				signed int _t25;
				signed short _t29;
				long _t33;
				void* _t34;
				struct HRSRC__* _t39;
				void* _t40;
				void* _t48;
				void* _t49;
				void* _t58;
				void* _t62;
				void* _t65;
				void* _t66;
				void* _t67;
				signed int _t70;
				void* _t74;

				_t67 = __esi;
				_t65 = __edi;
				_t62 = __edx;
				_push(__ecx);
				_push(_t48);
				_push(0x14cc15);
				_t49 = E000716E4(_t48, 0x1c70ac, __edi, __esi, __eflags);
				if(_t49 == 0) {
					E000655E0(0x1c70ac);
				}
				_t78 =  *(_t49 + 8);
				if( *(_t49 + 8) != 0) {
					L14:
					E00056590(_t65,  *(_t49 + 4));
					_t25 =  *(_t49 + 8) & 0x0000ffff;
					 *_a8 = _t25;
					return 0 | _t25 != 0x0000ffff;
				} else {
					_push(_t67);
					_t56 =  *( *(E0006B628(_t49, _t65, _t67, _t78) + 0x78));
					_t29 = E0005F4D4( *( *(E0006B628(_t49, _t65, _t67, _t78) + 0x78)));
					_v8 = _t29;
					if(_t29 == 0) {
						L11:
						_t33 = E000657F3(_t49, _t56, _t65, _a4, _t84,  *((intOrPtr*)( *_a4 - 0xc)) + 1, 2);
						_pop(_t58);
						_t34 = GlobalAlloc(0x40, _t33);
						 *(_t49 + 4) = _t34;
						if(_t34 == 0) {
							_t34 = E000655A8(_t58);
						}
						E00069019(_t34,  *((intOrPtr*)( *_t68 - 0xc)) + 1,  *_t68);
						 *(_t49 + 8) =  *_a8;
						goto L14;
					}
					__imp__GetUserDefaultUILanguage(_t65);
					_t70 = _a12;
					_t66 = 0x3ee;
					_t80 = (_t29 & 0x000003ff) - 0x11;
					if((_t29 & 0x000003ff) != 0x11) {
						L7:
						asm("sbb esi, esi");
						_t39 = FindResourceW(_v8, ( ~_t70 & 0x0000000e) + _t66, 5);
						if(_t39 == 0) {
							L10:
							_pop(_t65);
							goto L11;
						}
						L8:
						_t40 = LoadResource(_v8, _t39);
						_t84 = _t40;
						if(_t40 != 0) {
							E00073D1A(_t66, _t84, _t40, _a4, _a8);
							_t74 = _t74 + 0xc;
						}
						goto L10;
					}
					_t56 = L"MS UI Gothic";
					if(E0014CB84(_t49, L"MS UI Gothic", _t62, _t80) == 0) {
						goto L7;
					}
					asm("sbb eax, eax");
					_t39 = FindResourceExW(_v8, 5, ( ~_t70 & 0x0000000e) + _t66, 0xfc11);
					if(_t39 != 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x0014cc34
0x0014cc34
0x0014cc34
0x0014cc39
0x0014cc3a
0x0014cc3b
0x0014cc4a
0x0014cc4e
0x0014cc50
0x0014cc50
0x0014cc55
0x0014cc5a
0x0014cd3f
0x0014cd45
0x0014cd4a
0x0014cd51
0x0014cd65
0x0014cc60
0x0014cc60
0x0014cc69
0x0014cc6b
0x0014cc70
0x0014cc75
0x0014ccfb
0x0014cd07
0x0014cd0d
0x0014cd11
0x0014cd17
0x0014cd1c
0x0014cd1e
0x0014cd1e
0x0014cd2c
0x0014cd3a
0x00000000
0x0014cd3e
0x0014cc7c
0x0014cc82
0x0014cc8d
0x0014cc90
0x0014cc94
0x0014ccc4
0x0014ccc6
0x0014ccd3
0x0014ccdb
0x0014ccfa
0x0014ccfa
0x00000000
0x0014ccfa
0x0014ccdd
0x0014cce1
0x0014cce7
0x0014cce9
0x0014ccf2
0x0014ccf7
0x0014ccf7
0x00000000
0x0014cce9
0x0014cc96
0x0014cca2
0x00000000
0x00000000
0x0014cca8
0x0014ccba
0x0014ccc2
0x00000000
0x00000000
0x00000000
0x0014ccc2

APIs

Part of subcall function 000716E4: __EH_prolog3_catch.LIBCMT ref: 000716EB

GetUserDefaultUILanguage.KERNEL32(00000000,00000005,0014CC15,00000000,?,?,00136F81,00000000,?,0013731C,00000000,0000001C,001370AF,00000000,0013731C), ref: 0014CC7C
FindResourceExW.KERNEL32(00000000,00000005,?,0000FC11,?,?,00136F81,00000000,?,0013731C,00000000,0000001C,001370AF,00000000,0013731C), ref: 0014CCBA
FindResourceW.KERNEL32(00000000,?,00000005,?,?,00136F81,00000000,?,0013731C,00000000,0000001C,001370AF,00000000,0013731C), ref: 0014CCD3
LoadResource.KERNEL32(00000000,00000000,?,?,00136F81,00000000,?,0013731C,00000000,0000001C,001370AF,00000000,0013731C), ref: 0014CCE1
GlobalAlloc.KERNEL32(00000040,00000000,00000005,0014CC15,00000000,?,?,00136F81,00000000,?,0013731C,00000000,0000001C,001370AF,00000000,0013731C), ref: 0014CD11

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Strings

MS UI Gothic, xrefs: 0014CC96

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Resource$Find$AllocDefaultException@8GlobalH_prolog3_catchLanguageLoadThrowUser
String ID: MS UI Gothic
API String ID: 1445142397-1905310704
Opcode ID: be9c82d1f4f4326c8bbc6f8b5a2e5735e33eab57d4215b1547f7c11ed6a6ca01
Instruction ID: 9884cf44879dada388920849ed6a31f418a4368cc84a5d49d3bd742d0a2dee78
Opcode Fuzzy Hash: be9c82d1f4f4326c8bbc6f8b5a2e5735e33eab57d4215b1547f7c11ed6a6ca01
Instruction Fuzzy Hash: 2E31B675A00205AFEB14AF65DC96DBA7769EF50310F048065FD0ADB2E1EF30DD80D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 000E1F9B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E000E1F9B(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t42;
				signed int _t52;
				void* _t93;
				void* _t101;

				_t96 = __esi;
				_t94 = __edi;
				_t93 = __edx;
				_t71 = __ecx;
				_push(8);
				E00151A19(0x16d0de, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t101 - 0x14)) = 0;
				if((0 |  *((intOrPtr*)(_t101 + 0xc)) != 0x00000000) == 0) {
					L1:
					E000655E0(_t71);
				}
				E00051110(_t101 - 0x10, E00065761());
				_t42 =  *((intOrPtr*)(_t101 + 0x10));
				 *((intOrPtr*)(_t101 - 4)) = 0;
				if(_t42 == 0 ||  *_t42 == 0) {
					__eflags =  *( *((intOrPtr*)(E0006B628(0,  *((intOrPtr*)(E0006B628(0, _t94, _t96, __eflags) + 4)), _t96, __eflags) + 4)) + 0x58);
					_t71 = 0 | __eflags != 0x00000000;
					__eflags = __eflags != 0;
					if(__eflags == 0) {
						goto L1;
					} else {
						__eflags =  *( *((intOrPtr*)(E0006B628(0, _t94, _t96, __eflags) + 4)) + 0x6c);
						_t71 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							goto L1;
						} else {
							E00054140(_t101 - 0x10, L"SOFTWARE\\", E0015161A(L"SOFTWARE\\"));
							E00056620(0,  *((intOrPtr*)(_t94 + 0x58)));
							_t78 =  *((intOrPtr*)(_t101 - 0x14));
							_t52 =  *( *((intOrPtr*)(_t101 - 0x14)) - 0xc);
							 *((char*)(_t101 - 4)) = 1;
							__eflags = _t52;
							if(_t52 != 0) {
								E0005BFE0(_t101 - 0x10, _t78, _t52);
								E0005BFE0(_t101 - 0x10, 0x1a18bc, E0015161A(0x1a18bc));
							}
							E0005BF50(_t94,  *((intOrPtr*)(_t94 + 0x6c)));
							E0005BFE0(_t101 - 0x10, 0x1a18bc, E0015161A(0x1a18bc));
							E0005BF50(_t94,  *((intOrPtr*)(_t101 + 0xc)));
							E0005BFE0(_t101 - 0x10, 0x1a18bc, E0015161A(0x1a18bc));
							__eflags =  *((intOrPtr*)(_t101 - 0x14)) + 0xfffffff0;
							 *((char*)(_t101 - 4)) = 0;
							E00051190( *((intOrPtr*)(_t101 - 0x14)) + 0xfffffff0, _t93);
						}
					}
				} else {
					E00056590(_t94, _t42);
				}
				 *((intOrPtr*)( *((intOrPtr*)(_t101 + 8)))) = E000541F0( *((intOrPtr*)(_t101 - 0x10)) + 0xfffffff0) + 0x10;
				E00051190( *((intOrPtr*)(_t101 - 0x10)) + 0xfffffff0, _t93);
				return E00151AF1( *((intOrPtr*)(_t101 + 8)));
			}

0x000e1f9b
0x000e1f9b
0x000e1f9b
0x000e1f9b
0x000e1f9b
0x000e1fa2
0x000e1fae
0x000e1fb6
0x000e1fb8
0x000e1fb8
0x000e1fb8
0x000e1fc6
0x000e1fcb
0x000e1fce
0x000e1fd3
0x000e1ffa
0x000e1ffd
0x000e2000
0x000e2002
0x00000000
0x000e2004
0x000e200e
0x000e2011
0x000e2016
0x00000000
0x000e2018
0x000e2029
0x000e2034
0x000e2039
0x000e203c
0x000e203f
0x000e2048
0x000e204a
0x000e2051
0x000e2062
0x000e2062
0x000e206d
0x000e207e
0x000e2089
0x000e209a
0x000e20a2
0x000e20a5
0x000e20a8
0x000e20a8
0x000e2016
0x000e1fda
0x000e1fde
0x000e1fde
0x000e20c2
0x000e20c4
0x000e20d0

APIs

__EH_prolog3.LIBCMT ref: 000E1FA2

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

_wcslen.LIBCMT ref: 000E201E
_wcslen.LIBCMT ref: 000E2057
_wcslen.LIBCMT ref: 000E2073
_wcslen.LIBCMT ref: 000E208F

Strings

SOFTWARE\, xrefs: 000E2018, 000E201D, 000E2025

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _wcslen$Exception@8H_prolog3Throw
String ID: SOFTWARE\
API String ID: 1362065666-3302998844
Opcode ID: 44582a72f8a37fa477d2e35c022fd8c4914257f6a9f571439e9a399fad0ff9b2
Instruction ID: 5d8927dc9090d002a13e07442287743144a522c1a42859022528df90e7e6a232
Opcode Fuzzy Hash: 44582a72f8a37fa477d2e35c022fd8c4914257f6a9f571439e9a399fad0ff9b2
Instruction Fuzzy Hash: 52315D71901156AFCB05BBA0CC929FFB368AF10315B144439F811BB1E3DB34AE48CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0007E3AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0007E3AD(intOrPtr* __ecx, void* __edx, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v20;
				char _v56;
				struct tagPOINT _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t27;
				intOrPtr _t29;
				void* _t30;
				intOrPtr _t32;
				intOrPtr _t43;
				int _t59;
				void* _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;
				signed int _t65;

				_t62 = __edx;
				_t27 =  *0x1c0454; // 0x885926af
				_v8 = _t27 ^ _t65;
				_t63 = _a8;
				_t64 = __ecx;
				if(( *0x1c4880 & 0x00000001) == 0) {
					 *0x1c4880 =  *0x1c4880 | 0x00000001;
					E00051110(0x1c487c, E00065761());
					E001511CA( *0x1c4880, 0x176137);
				}
				_t29 =  *((intOrPtr*)(_t64 + 0xc94));
				if(_t29 == 0 ||  *((intOrPtr*)(_t29 + 0x20)) == 0) {
					L12:
					_t30 = 0;
					__eflags = 0;
				} else {
					if(_t29 != 0) {
						_t32 =  *((intOrPtr*)(_t29 + 0x20));
					} else {
						_t32 = 0;
					}
					if( *_t63 != _t32) {
						goto L12;
					} else {
						_v64.x = 0;
						_v64.y = 0;
						GetCursorPos( &_v64);
						ScreenToClient( *(_t64 + 0x20),  &_v64);
						E00151B30( &_v56, 0, 0x30);
						_push( &_v56);
						_push(_v64.y);
						_push(_v64.x);
						_v56 = 0x2c;
						if( *((intOrPtr*)( *_t64 + 0x74))() < 0 || _v20 == 0 || _v20 == 0xffffffff) {
							goto L12;
						} else {
							E00056590(_t63, _v20);
							E00150CB2(_v20);
							_t43 =  *0x1c487c; // 0x0
							 *((intOrPtr*)(_t63 + 0xc)) = _t43;
							_t59 =  *0x1c3ab0; // 0x0
							SendMessageW( *( *((intOrPtr*)(_t64 + 0xc94)) + 0x20), 0x30, _t59, 0);
							_t30 = 1;
						}
					}
				}
				return E00150836(_t30, 0x1c487c, _v8 ^ _t65, _t62, _t63, _t64);
			}

0x0007e3ad
0x0007e3b5
0x0007e3bc
0x0007e3c9
0x0007e3cc
0x0007e3d3
0x0007e3d5
0x0007e3e4
0x0007e3ee
0x0007e3f3
0x0007e3f4
0x0007e3fe
0x0007e4af
0x0007e4af
0x0007e4af
0x0007e40d
0x0007e40f
0x0007e415
0x0007e411
0x0007e411
0x0007e411
0x0007e41a
0x00000000
0x0007e420
0x0007e424
0x0007e427
0x0007e42a
0x0007e437
0x0007e445
0x0007e452
0x0007e453
0x0007e458
0x0007e45b
0x0007e467
0x00000000
0x0007e475
0x0007e47a
0x0007e482
0x0007e487
0x0007e48d
0x0007e490
0x0007e4a4
0x0007e4ac
0x0007e4ac
0x0007e467
0x0007e41a
0x0007e4bf

APIs

GetCursorPos.USER32(?), ref: 0007E42A
ScreenToClient.USER32(?,?), ref: 0007E437
_memset.LIBCMT ref: 0007E445
_free.LIBCMT ref: 0007E482
SendMessageW.USER32(?,00000030,00000000,00000000), ref: 0007E4A4

Strings

,, xrefs: 0007E45B

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ClientCursorMessageScreenSend_free_memset
String ID: ,
API String ID: 628317799-3772416878
Opcode ID: 082e1123ff87fa53fb3b14f4d321b5e4e098d899b6240a11762c9ff8cc9df3fd
Instruction ID: f357eddb5f34501659009f0ee2bca52f1ebd6f20b9b67bbc8e25929388d932c8
Opcode Fuzzy Hash: 082e1123ff87fa53fb3b14f4d321b5e4e098d899b6240a11762c9ff8cc9df3fd
Instruction Fuzzy Hash: D2318E30A01244EFDB18DBA4EC85F9EBBF5AF0C321F10856EF519D62A1DB349954CB54

Uniqueness

Uniqueness Score: -1.00%

Function 000A2233 Relevance: 10.6, APIs: 7, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E000A2233(intOrPtr _a4) {
				intOrPtr* _v8;
				void* __ecx;
				void* __ebp;
				int _t22;
				intOrPtr* _t23;
				intOrPtr* _t27;
				intOrPtr* _t28;
				intOrPtr* _t36;
				intOrPtr _t37;
				intOrPtr* _t40;
				intOrPtr* _t43;
				intOrPtr _t44;

				_push(_t36);
				_t40 = _t36;
				_t37 = _a4;
				_v8 = _t40;
				if(_t37 == 0) {
					L4:
					 *((intOrPtr*)(_t40 + 8)) = _t37;
					if(_t37 == 0) {
						_t22 = LockWindowUpdate(0);
					} else {
						_t22 = LockWindowUpdate( *( *((intOrPtr*)(_t40 + 0xe4)) + 0x20));
					}
					_t43 =  *((intOrPtr*)(_t40 + 0xcc));
					if(_t43 == 0) {
						L14:
						_t40 =  *((intOrPtr*)(_t40 + 0x24));
					} else {
						while(1) {
							_t27 = _t43;
							if(_t43 == 0) {
								break;
							}
							_t43 =  *_t43;
							_t28 = E0006EA25(0x1bd608,  *((intOrPtr*)(_t27 + 8)));
							_pop(_t37);
							_t40 = _t28;
							ValidateRect( *(_t40 + 0x20), 0);
							UpdateWindow( *(_t40 + 0x20));
							if(_a4 == 0) {
								_t22 = LockWindowUpdate(0);
							} else {
								_t22 = LockWindowUpdate( *(_t40 + 0x20));
							}
							if(_t43 != 0) {
								continue;
							} else {
								_t40 = _v8;
								goto L14;
							}
							goto L21;
						}
						L15:
						E000655E0(_t37);
						L16:
						_t23 = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t44 =  *((intOrPtr*)(_t23 + 8));
						_t40 =  *_t40;
						ValidateRect( *(_t44 + 0x20), 0);
						UpdateWindow( *(_t44 + 0x20));
						if(_a4 == 0) {
							_t22 = LockWindowUpdate(0);
						} else {
							_t22 = LockWindowUpdate( *(_t44 + 0x20));
						}
					}
					L21:
					if(_t40 != 0) {
						goto L16;
					}
				} else {
					_t22 =  *(_t40 + 0x1b8);
					if(_t22 == 0 ||  *((intOrPtr*)(_t22 + 8)) == 0 ||  *((intOrPtr*)(_t22 + 4)) == 0) {
						goto L4;
					}
				}
				return _t22;
			}

0x000a2238
0x000a223b
0x000a223d
0x000a2242
0x000a2247
0x000a2261
0x000a2261
0x000a2266
0x000a2274
0x000a2268
0x000a2274
0x000a2274
0x000a227b
0x000a2289
0x000a22ce
0x000a22ce
0x000a228b
0x000a228b
0x000a228b
0x000a228f
0x00000000
0x00000000
0x000a2294
0x000a229b
0x000a22a1
0x000a22a2
0x000a22a9
0x000a22ae
0x000a22b8
0x000a22c1
0x000a22ba
0x000a22c1
0x000a22c1
0x000a22c9
0x00000000
0x000a22cb
0x000a22cb
0x00000000
0x000a22cb
0x00000000
0x000a22c9
0x000a22d3
0x000a22d3
0x000a22d8
0x000a22d8
0x000a22dc
0x00000000
0x00000000
0x000a22de
0x000a22e1
0x000a22e8
0x000a22ed
0x000a22f7
0x000a2300
0x000a22f9
0x000a2300
0x000a2300
0x000a2300
0x000a2306
0x000a2308
0x00000000
0x00000000
0x000a2249
0x000a2249
0x000a2251
0x00000000
0x00000000
0x000a2251
0x000a230e

APIs

LockWindowUpdate.USER32(00000000), ref: 000A2274
ValidateRect.USER32(?,00000000), ref: 000A22A9
UpdateWindow.USER32 ref: 000A22AE
LockWindowUpdate.USER32(00000000), ref: 000A22C1
ValidateRect.USER32(?,00000000), ref: 000A22E8
UpdateWindow.USER32 ref: 000A22ED
LockWindowUpdate.USER32(00000000), ref: 000A2300

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: UpdateWindow$Lock$RectValidate
String ID:
API String ID: 797752328-0
Opcode ID: 6dbb035809a9f886a70fc2041e13d7a9f1cafd947eeef16f9859f9d5c44778c0
Instruction ID: 6b51b4c0c61a424b880b49e4d107f1d6375d5eb067565ef9d86d23ca05ff3d6f
Opcode Fuzzy Hash: 6dbb035809a9f886a70fc2041e13d7a9f1cafd947eeef16f9859f9d5c44778c0
Instruction Fuzzy Hash: A8218B32608601FFDB659F98D884B69B7F2FF49750F294139F909A76A0D770AC90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000DF215 Relevance: 10.6, APIs: 7, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E000DF215(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t36;
				intOrPtr _t39;
				void* _t40;
				int _t44;
				RECT* _t48;
				struct tagRECT* _t58;
				intOrPtr* _t61;
				signed int _t62;
				void* _t63;
				void* _t64;

				_t64 = __eflags;
				_push(0x54);
				E00151A82(0x16e487, __ebx, __edi, __esi);
				_t48 =  *(_t63 + 0xc);
				_t61 =  *((intOrPtr*)(_t63 + 0x10));
				 *((intOrPtr*)(_t63 - 0x60)) = __ecx;
				E000DF163(_t48, _t63 - 0x50, __edi, _t61, _t64);
				 *(_t63 - 4) = 0;
				if(_t61 == 0) {
					_t61 = _t63 - 0x50;
				}
				 *((intOrPtr*)(_t61 + 0x34)) = 0;
				if(_t48 == 0) {
					 *(_t63 - 0x58) = 0;
					 *(_t63 - 0x54) = 0;
					GetCursorPos(_t63 - 0x58);
					_t58 = _t61 + 0x24;
					SetRect(_t58,  *(_t63 - 0x58),  *(_t63 - 0x54),  *(_t63 - 0x58),  *(_t63 - 0x54));
				} else {
					_t58 = _t61 + 0x24;
					CopyRect(_t58, _t48);
				}
				if(E0008A96E(_t58) == 0) {
					_t36 = IsRectEmpty(_t58);
					__eflags = _t36;
					if(_t36 != 0) {
						_t44 =  *0x1c5a44; // 0x2
						InflateRect(_t58, _t44, _t44);
					}
				} else {
					 *((intOrPtr*)(_t61 + 0x34)) = 1;
				}
				_t59 =  *_t61;
				_push(E0005C4D8());
				if( *((intOrPtr*)( *_t61 + 0x58))() != 0) {
					_t39 = E00072135( *((intOrPtr*)(_t63 - 0x60)), 0x1a0a40);
					_t59 = _t39;
					_t40 = E00072135(_t61, 0x1a0a00);
					 *(_t63 - 0x5c) =  *(_t63 - 0x5c) & 0x00000000;
					__imp__DoDragDrop(_t39, _t40,  *((intOrPtr*)(_t63 + 8)), _t63 - 0x5c);
					_t62 =  *(_t63 - 0x5c);
				} else {
					_t62 = 0;
				}
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				E00063B12(_t63 - 0x50);
				return E00151B05(_t48, _t59, _t62);
			}

0x000df215
0x000df215
0x000df21c
0x000df221
0x000df224
0x000df227
0x000df22d
0x000df234
0x000df239
0x000df23b
0x000df23b
0x000df23e
0x000df243
0x000df252
0x000df255
0x000df25c
0x000df265
0x000df272
0x000df245
0x000df246
0x000df24a
0x000df24a
0x000df281
0x000df28d
0x000df293
0x000df295
0x000df297
0x000df29f
0x000df29f
0x000df283
0x000df283
0x000df283
0x000df2a5
0x000df2ac
0x000df2b4
0x000df2d6
0x000df2e2
0x000df2e4
0x000df2e9
0x000df2f6
0x000df2fc
0x000df2b6
0x000df2b6
0x000df2b6
0x000df2b8
0x000df2bf
0x000df2cb

APIs

__EH_prolog3_GS.LIBCMT ref: 000DF21C

Part of subcall function 000DF163: __EH_prolog3.LIBCMT ref: 000DF16A
Part of subcall function 000DF163: GetProfileIntW.KERNEL32 ref: 000DF1C2
Part of subcall function 000DF163: GetProfileIntW.KERNEL32 ref: 000DF1D4

CopyRect.USER32(?,?), ref: 000DF24A
GetCursorPos.USER32(?), ref: 000DF25C
SetRect.USER32 ref: 000DF272
IsRectEmpty.USER32 ref: 000DF28D
InflateRect.USER32 ref: 000DF29F
DoDragDrop.OLE32(00000000,00000000,?,00000000), ref: 000DF2F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
String ID:
API String ID: 1837043813-0
Opcode ID: e3b9def6bba5387d9cbbb14f9f798255d38a90426c02e26c96a4c35e3ac9882c
Instruction ID: aa3d0ba64c4c7472589983fc6c9f68342d2d6a8f7d9be2b64394ac7b27f8c408
Opcode Fuzzy Hash: e3b9def6bba5387d9cbbb14f9f798255d38a90426c02e26c96a4c35e3ac9882c
Instruction Fuzzy Hash: 50217175900305EFDB01EFE0CC489FEBBB5BF48701F108429E906AB695DB34A985DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0006DD25 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0006DD60
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0006DD8B
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0006DDB6
RegCloseKey.ADVAPI32(?), ref: 0006DDCA
RegCloseKey.ADVAPI32(?), ref: 0006DDD4

Part of subcall function 0006DC4A: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0006DC5C
Part of subcall function 0006DC4A: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0006DC6C

Strings

software, xrefs: 0006DD42

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CloseCreate$AddressHandleModuleOpenProc
String ID: software
API String ID: 550756860-2010147023
Opcode ID: 3e85c137793ae27ddcadd5ae7492677d53abbd1a5b1e5757d211a7b292569330
Instruction ID: 57f98b2b737cb37ff6665050aec261e6ff2eddf7359b9c4d308f713486744e67
Opcode Fuzzy Hash: 3e85c137793ae27ddcadd5ae7492677d53abbd1a5b1e5757d211a7b292569330
Instruction Fuzzy Hash: BD21F975E00058FA8B22AB99CC84CEFBFBEEFC6754B24405BF505A6151D7715A80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00072CC8 Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00072CC8(intOrPtr* __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
				void* __edi;
				void* _t18;
				intOrPtr* _t19;
				struct HBRUSH__* _t27;
				intOrPtr* _t28;
				intOrPtr* _t33;
				intOrPtr* _t39;
				intOrPtr* _t45;
				intOrPtr* _t46;

				_t39 = __ecx;
				_t1 = _t39 + 0x28; // 0x28
				_t15 = _t1;
				if( *_t1 != 0) {
					E00072B54(_t15);
					 *(_t39 + 4) =  *(_t39 + 4) & 0x00000000;
					_t33 = _t39;
					if(E00072BE1(_t33, __edx, _t39, __fp0, _a4) == 0) {
						goto L1;
					} else {
						_t45 =  *((intOrPtr*)(_t39 + 0xc));
						while(_t45 != 0) {
							_t19 = _t45;
							if(_t45 == 0) {
								E000655E0(_t33);
								asm("int3");
								_push(_t45);
								_push(_t39);
								_t46 = _t33;
								 *((intOrPtr*)(_t46 + 0x28)) = GetSysColor(0xf);
								 *((intOrPtr*)(_t46 + 0x2c)) = GetSysColor(0x10);
								 *((intOrPtr*)(_t46 + 0x30)) = GetSysColor(0x14);
								 *((intOrPtr*)(_t46 + 0x34)) = GetSysColor(0x12);
								 *((intOrPtr*)(_t46 + 0x38)) = GetSysColor(6);
								 *((intOrPtr*)(_t46 + 0x24)) = GetSysColorBrush(0xf);
								_t27 = GetSysColorBrush(6);
								 *(_t46 + 0x20) = _t27;
								return _t27;
							} else {
								_t45 =  *_t45;
								_t28 = E0006EA25(0x17bdd8,  *((intOrPtr*)(_t19 + 8)));
								_t33 = _t28;
								 *((intOrPtr*)( *_t28 + 0xc))(_t39);
								continue;
							}
							goto L10;
						}
						_t18 = 1;
						goto L8;
					}
				} else {
					L1:
					_t18 = 0;
					L8:
					return _t18;
				}
				L10:
			}

0x00072cce
0x00072cd0
0x00072cd0
0x00072cd6
0x00072cdd
0x00072ce2
0x00072cea
0x00072cf3
0x00000000
0x00072cf5
0x00072cf6
0x00072d1a
0x00072cfb
0x00072cff
0x00072d27
0x00072d2c
0x00072d2f
0x00072d30
0x00072d39
0x00072d3f
0x00072d46
0x00072d4d
0x00072d54
0x00072d61
0x00072d68
0x00072d6b
0x00072d6e
0x00072d72
0x00072d01
0x00072d04
0x00072d0b
0x00072d15
0x00072d17
0x00000000
0x00072d17
0x00000000
0x00072cff
0x00072d20
0x00000000
0x00072d21
0x00072cd8
0x00072cd8
0x00072cd8
0x00072d22
0x00072d24
0x00072d24
0x00000000

APIs

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

GetSysColor.USER32 ref: 00072D3B
GetSysColor.USER32 ref: 00072D42
GetSysColor.USER32 ref: 00072D49
GetSysColor.USER32 ref: 00072D50
GetSysColor.USER32 ref: 00072D57
GetSysColorBrush.USER32 ref: 00072D64
GetSysColorBrush.USER32 ref: 00072D6B

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Color$Brush$Exception@8Throw
String ID:
API String ID: 1628126211-0
Opcode ID: 08d60693bfad5f67270b7f7fa2b34f5088e4f731db873019313d93409a57fbc6
Instruction ID: 386a458c8f3fdcde71630b5519c661cc2df1b92178307fa815591918c7280397
Opcode Fuzzy Hash: 08d60693bfad5f67270b7f7fa2b34f5088e4f731db873019313d93409a57fbc6
Instruction Fuzzy Hash: 4011A532E00704ABD7306F76DC09B5AB7E5FFD4720F11852AE5498BA90DBB5EC41CA94

Uniqueness

Uniqueness Score: -1.00%

Function 000814D3 Relevance: 10.6, APIs: 7, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E000814D3(void* __ecx, long _a4) {
				struct tagPOINT _v12;
				void* __ebx;
				void* _t26;
				void* _t28;
				RECT* _t45;
				void* _t54;

				_push(__ecx);
				_push(__ecx);
				_t54 = __ecx;
				_t26 = __ecx + 0xff0;
				if(_t26 != 0 &&  *((intOrPtr*)(_t26 + 0x20)) != 0) {
					SendMessageW( *(__ecx + 0x1010), 0x407, 0, _a4);
				}
				if( *((intOrPtr*)(_a4 + 4)) != 0x200) {
					L9:
					_t28 = E000D5461(_t54, _a4);
				} else {
					_t45 = _t54 + 0xef8;
					if(IsRectEmpty(_t45) == 0 || IsRectEmpty(_t54 + 0xf08) == 0) {
						_v12.x = _v12.x & 0x00000000;
						_v12.y = _v12.y & 0x00000000;
						GetCursorPos( &_v12);
						ScreenToClient( *(_t54 + 0x20),  &_v12);
						_push(_v12.y);
						if(PtInRect(_t45, _v12.x) != 0) {
							L8:
							E000804D0(_t45, _t54,  *((intOrPtr*)(_a4 + 8)), _v12.x, _v12.y);
							_t28 = 1;
						} else {
							_push(_v12.y);
							if(PtInRect(_t54 + 0xf08, _v12) == 0) {
								goto L9;
							} else {
								goto L8;
							}
						}
					} else {
						goto L9;
					}
				}
				return _t28;
			}

0x000814d8
0x000814d9
0x000814dc
0x000814de
0x000814e7
0x000814ff
0x000814ff
0x0008150f
0x0008158e
0x00081593
0x00081511
0x00081517
0x00081522
0x00081531
0x00081535
0x0008153d
0x0008154a
0x00081550
0x00081561
0x00081576
0x00081584
0x0008158b
0x00081563
0x00081563
0x00081574
0x00000000
0x00000000
0x00000000
0x00000000
0x00081574
0x00000000
0x00000000
0x00000000
0x00081522
0x0008159c

APIs

SendMessageW.USER32(00000000,00000407,00000000,?), ref: 000814FF
IsRectEmpty.USER32 ref: 0008151E
IsRectEmpty.USER32 ref: 0008152B
GetCursorPos.USER32(00000000), ref: 0008153D
ScreenToClient.USER32(?,00000000), ref: 0008154A
PtInRect.USER32(?,00000000,00000000), ref: 0008155D
PtInRect.USER32(?,00000000,00000000), ref: 00081570

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Empty$ClientCursorMessageScreenSend
String ID:
API String ID: 703117857-0
Opcode ID: 85ea680eb905734e593a6e66031068f855387f04695ce82e2b631caed884b464
Instruction ID: f038ec710e911f0b31cbb0983ead8ac0a86f1416756d7d96e0b69382647eff10
Opcode Fuzzy Hash: 85ea680eb905734e593a6e66031068f855387f04695ce82e2b631caed884b464
Instruction Fuzzy Hash: AB216D7250060AFFDF20ABA0CC44EEE7BBDFF48385F044465E58692161D731EA82DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0005D772 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0005D794
GetWindowRect.USER32(?,?), ref: 0005D7B8
ScreenToClient.USER32(?,?), ref: 0005D7CB
ScreenToClient.USER32(?,?), ref: 0005D7D4
EqualRect.USER32 ref: 0005D7DB
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 0005D805
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0005D80F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 2c74bc3720fa27832681833e23e13c11e264aeef1a968172302cfde580aae142
Instruction ID: 2e8a440fd4278f568c25b5ce0746763e8c4b6736a0f4c7c2460a0ade842e04be
Opcode Fuzzy Hash: 2c74bc3720fa27832681833e23e13c11e264aeef1a968172302cfde580aae142
Instruction Fuzzy Hash: C621ED75900209EFDB11DFA8DD88DBFBBF9EF48301B14856AE915E3250EB30A945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00071FB0 Relevance: 10.6, APIs: 7, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00071FB0(void* __edi, struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				struct tagPOINT _v36;
				void* __esi;
				signed int _t26;
				struct tagPOINT _t28;
				signed int _t29;
				signed int _t39;
				void* _t43;
				intOrPtr _t44;
				signed int _t45;
				void* _t48;
				struct HWND__* _t51;
				signed int _t52;

				_t49 = __edi;
				_t26 =  *0x1c0454; // 0x885926af
				_v8 = _t26 ^ _t52;
				_t44 = _a12;
				_t28 = _a8;
				_t51 = _a4;
				_push(_t44);
				_v36.x = _t28;
				_v36.y = _t44;
				_t29 = RealChildWindowFromPoint(_t51, _t28);
				_t45 = _t29;
				_v28 = _t45;
				if(_t45 == 0) {
					_push(__edi);
					ClientToScreen(_t51,  &_v36);
					_push(5);
					while(1) {
						_t51 = GetWindow(_t51, ??);
						if(_t51 == 0) {
							break;
						}
						if(GetDlgCtrlID(_t51) != 0xffff && (GetWindowLongW(_t51, 0xfffffff0) & 0x10000000) != 0) {
							_v24.left = _v24.left & 0x00000000;
							_v24.top = _v24.top & 0x00000000;
							_v24.right = _v24.right & 0x00000000;
							_v24.bottom = _v24.bottom & 0x00000000;
							GetWindowRect(_t51,  &_v24);
							_push(_v36.y);
							if(PtInRect( &_v24, _v36) != 0) {
								_v28 = _t51;
							}
						}
						_push(2);
					}
					_t39 = _v28;
					_pop(_t49);
					L10:
					return E00150836(_t39, _t43, _v8 ^ _t52, _t48, _t49, _t51);
				}
				asm("sbb eax, eax");
				_t39 =  ~(_t29 - _t51) & _t45;
				goto L10;
			}

0x00071fb0
0x00071fb8
0x00071fbf
0x00071fc2
0x00071fc5
0x00071fc9
0x00071fcc
0x00071fcf
0x00071fd2
0x00071fd5
0x00071fdb
0x00071fdd
0x00071fe2
0x00071fee
0x00071ff4
0x00072000
0x00072056
0x00072059
0x0007205d
0x00000000
0x00000000
0x00072010
0x00072022
0x00072026
0x0007202a
0x0007202e
0x00072037
0x0007203d
0x0007204f
0x00072051
0x00072051
0x0007204f
0x00072054
0x00072054
0x0007205f
0x00072062
0x00072063
0x0007206f
0x0007206f
0x00071fe8
0x00071fea
0x00000000

APIs

RealChildWindowFromPoint.USER32 ref: 00071FD5
ClientToScreen.USER32(?,?), ref: 00071FF4
GetWindow.USER32(?,00000005), ref: 00072057

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$ChildClientFromPointRealScreen
String ID:
API String ID: 2518355518-0
Opcode ID: 0e16456410b1216a6fb5bd554f65fc7b457e9d27e1efeb636a0cf4b3964e9b9d
Instruction ID: bc8e265733c6a5fa9e56e4ac0b88896e0835cf252a3c2d3aec6774b8f6adbef5
Opcode Fuzzy Hash: 0e16456410b1216a6fb5bd554f65fc7b457e9d27e1efeb636a0cf4b3964e9b9d
Instruction Fuzzy Hash: C2217F72D0061AABDB15CFA9DC48FFEB7F8EF08311F108129E515E2190C7389A85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0014CB84 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0014CB84(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				struct tagLOGFONTW _v100;
				void* _v104;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t27;
				void* _t31;
				void* _t32;
				struct HDC__* _t33;
				signed int _t35;

				_t31 = __edx;
				_t28 = __ecx;
				_t27 = __ebx;
				_t11 =  *0x1c0454; // 0x885926af
				_v8 = _t11 ^ _t35;
				_t32 = __ecx;
				_v104 = 0;
				E00151B30( &_v100, 0, 0x5c);
				if(E0015161A(_t32) >= 0x20) {
					E000655E0(_t28);
				}
				_push(E00150E8C( &(_v100.lfFaceName), 0x20, _t32));
				E00053DF0();
				_v100.lfCharSet = 1;
				_v104 = 0;
				_t33 = GetDC(0);
				if(_t33 != 0) {
					EnumFontFamiliesExW(_t33,  &_v100, 0x14cb42,  &_v104, 0);
					ReleaseDC(0, _t33);
				}
				return E00150836(_v104, _t27, _v8 ^ _t35, _t31, _t33, 0);
			}

0x0014cb84
0x0014cb84
0x0014cb84
0x0014cb8c
0x0014cb93
0x0014cba1
0x0014cba3
0x0014cba6
0x0014cbb7
0x0014cbb9
0x0014cbb9
0x0014cbca
0x0014cbcb
0x0014cbd4
0x0014cbd8
0x0014cbe1
0x0014cbe5
0x0014cbf6
0x0014cbfe
0x0014cbfe
0x0014cc14

APIs

_memset.LIBCMT ref: 0014CBA6
_wcslen.LIBCMT ref: 0014CBAC
GetDC.USER32(00000000), ref: 0014CBDB
EnumFontFamiliesExW.GDI32(00000000,?,0014CB42,?,00000000), ref: 0014CBF6
ReleaseDC.USER32(00000000,00000000), ref: 0014CBFE

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Strings

MS UI Gothic, xrefs: 0014CBAB, 0014CBBE

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: EnumException@8FamiliesFontReleaseThrow_memset_wcslen
String ID: MS UI Gothic
API String ID: 60564628-1905310704
Opcode ID: b56015b9c4ca5bd0960490cab4941bbb23d3c8cff9c228021fd41a9e9a9787e5
Instruction ID: 2344cce01d943df79647565e4fabf667471f79015296b886da7aeeb9ec6d5f06
Opcode Fuzzy Hash: b56015b9c4ca5bd0960490cab4941bbb23d3c8cff9c228021fd41a9e9a9787e5
Instruction Fuzzy Hash: 33010871901318ABDB11EBA89D4ADEF7BBDEF49700F000015F805E7252DB309A45C6A5

Uniqueness

Uniqueness Score: -1.00%

Function 0005EBEC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0005EBEC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t20;
				intOrPtr* _t23;
				struct HINSTANCE__* _t27;
				intOrPtr* _t30;
				void* _t32;
				void* _t35;

				_t29 = __ecx;
				_push(0);
				E00151A19(0x168765, __ebx, __edi, __esi);
				_t32 = __ecx;
				 *(__ecx + 0x38) =  *(__ecx + 0x38) & 0x00000000;
				_t37 =  *0x1c3630 & 0x00000001;
				if(( *0x1c3630 & 0x00000001) == 0) {
					 *0x1c3630 =  *0x1c3630 | 0x00000001;
					 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
					_push(L"user32.dll");
					_t27 = E0005E893(__ecx, __esi, _t37);
					 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
					_pop(_t29);
					 *0x1c362c = _t27;
				}
				_t20 =  *0x1c362c; // 0x0
				if(_t20 == 0) {
					_t20 = E000655E0(_t29);
				}
				if(( *0x1c3630 & 0x00000002) == 0) {
					 *0x1c3630 =  *0x1c3630 | 0x00000002;
					 *0x1c3628 = GetProcAddress(_t20, "RegisterTouchWindow");
				}
				if(( *0x1c3630 & 0x00000004) == 0) {
					 *0x1c3630 =  *0x1c3630 | 0x00000004;
					 *0x1c3624 = GetProcAddress( *0x1c362c, "UnregisterTouchWindow");
				}
				_t30 =  *0x1c3628; // 0x0
				if(_t30 == 0) {
					L13:
					_t21 = 0;
					__eflags = 0;
					goto L14;
				} else {
					_t23 =  *0x1c3624; // 0x0
					if(_t23 == 0) {
						goto L13;
					}
					if( *((intOrPtr*)(_t35 + 8)) != 0) {
						 *((intOrPtr*)(_t32 + 0x38)) =  *_t30( *((intOrPtr*)(_t32 + 0x20)),  *((intOrPtr*)(_t35 + 0xc)));
					} else {
						_t21 =  *_t23( *((intOrPtr*)(_t32 + 0x20)));
					}
					L14:
					return E00151AF1(_t21);
				}
			}

0x0005ebec
0x0005ebec
0x0005ebf3
0x0005ebf8
0x0005ebfa
0x0005ebfe
0x0005ec05
0x0005ec07
0x0005ec0e
0x0005ec12
0x0005ec17
0x0005ec1c
0x0005ec20
0x0005ec21
0x0005ec21
0x0005ec26
0x0005ec2d
0x0005ec2f
0x0005ec2f
0x0005ec41
0x0005ec43
0x0005ec52
0x0005ec52
0x0005ec5e
0x0005ec60
0x0005ec74
0x0005ec74
0x0005ec79
0x0005ec81
0x0005eca7
0x0005eca7
0x0005eca7
0x00000000
0x0005ec83
0x0005ec83
0x0005ec8a
0x00000000
0x00000000
0x0005ec90
0x0005eca2
0x0005ec92
0x0005ec95
0x0005ec95
0x0005eca9
0x0005ecae
0x0005ecae

APIs

__EH_prolog3.LIBCMT ref: 0005EBF3
GetProcAddress.KERNEL32(00000000,RegisterTouchWindow,?,?,?,?,?,?,00000000,00060C91,00000000,00000000), ref: 0005EC50
GetProcAddress.KERNEL32(UnregisterTouchWindow,?,?,?,?,?,?,00000000,00060C91,00000000,00000000), ref: 0005EC72

Part of subcall function 0005E893: ActivateActCtx.KERNEL32(?,00064351), ref: 0005E8B3

Strings

UnregisterTouchWindow, xrefs: 0005EC67
RegisterTouchWindow, xrefs: 0005EC4A
user32.dll, xrefs: 0005EC12

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressProc$ActivateH_prolog3
String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
API String ID: 1001276555-2470269259
Opcode ID: 34ca3a6715db4753da65eda40468f0e734da3e7c797fc69b668ffb4b3d92fd3a
Instruction ID: 23876032f6e135f929055cd3a7f1e87f5997d9adb7d4cc1c752e9052953b1950
Opcode Fuzzy Hash: 34ca3a6715db4753da65eda40468f0e734da3e7c797fc69b668ffb4b3d92fd3a
Instruction Fuzzy Hash: 3E11B2706107A4BBD7999F30ED45F563FE4BB08729F10C119ECA5D6AA1DB71DB888B00

Uniqueness

Uniqueness Score: -1.00%

Function 0006BE9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E0006BE9A(intOrPtr* __ecx) {
				signed int _v8;
				intOrPtr* _v12;
				void* __ebp;
				intOrPtr* _t16;
				intOrPtr* _t21;
				struct HINSTANCE__* _t28;
				intOrPtr* _t29;
				void* _t35;

				_t23 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_v12 = __ecx;
				_t28 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t28 == 0) {
					E000655E0(_t23);
				}
				_t21 = GetProcAddress(_t28, "ApplicationRecoveryInProgress");
				_t29 = GetProcAddress(_t28, "ApplicationRecoveryFinished");
				if(_t21 != 0 && _t29 != 0) {
					_v8 = _v8 & 0x00000000;
					 *_t21( &_v8);
					if(_v8 == 0) {
						_t35 = 1;
						_t16 =  *((intOrPtr*)( *_v12 + 0xfc))();
						if(_t16 != 0) {
							_t35 =  *((intOrPtr*)( *_t16 + 0x38))();
						}
						 *_t29(_t35);
					}
				}
				return 0;
			}

0x0006be9a
0x0006be9f
0x0006bea0
0x0006bea9
0x0006beb2
0x0006beb6
0x0006beb8
0x0006beb8
0x0006bed1
0x0006bed5
0x0006bed9
0x0006bedf
0x0006bee7
0x0006beed
0x0006bef6
0x0006bef7
0x0006beff
0x0006bf08
0x0006bf08
0x0006bf0b
0x0006bf0b
0x0006beed
0x0006bf13

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 0006BEAC
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 0006BEC9
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 0006BED3

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Strings

ApplicationRecoveryFinished, xrefs: 0006BECB
ApplicationRecoveryInProgress, xrefs: 0006BEC3
KERNEL32.DLL, xrefs: 0006BEA4

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressProc$Exception@8HandleModuleThrow
String ID: ApplicationRecoveryFinished$ApplicationRecoveryInProgress$KERNEL32.DLL
API String ID: 2144170044-4287352451
Opcode ID: ea94093c5e8538ae8bc27773cc1326cc9b6cfcbf44030d8df932eea7ebda2690
Instruction ID: c3fc84b3b4ce8abf4f35ca0fcb0ded3499fa77149f3609a91994fb994670a8bf
Opcode Fuzzy Hash: ea94093c5e8538ae8bc27773cc1326cc9b6cfcbf44030d8df932eea7ebda2690
Instruction Fuzzy Hash: D601D8766402196FC720A7B18C59B6F7AF9DF84360F154079E906D3261DF70CD40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0006BE2E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0006BE2E(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __ebp;
				void* _t12;
				intOrPtr* _t14;
				void* _t15;
				struct HINSTANCE__* _t16;
				intOrPtr* _t18;

				_t16 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t16 == 0) {
					E000655E0(_t15);
				}
				_t14 = GetProcAddress(_t16, "RegisterApplicationRestart");
				_t18 = GetProcAddress(_t16, "RegisterApplicationRecoveryCallback");
				if(_t14 == 0 || _t18 == 0) {
					L7:
					return 0;
				}
				_t12 =  *_t14(_a4, _a8);
				if(_t12 == 0) {
					if(_a12 == _t12) {
						goto L7;
					}
					_t12 =  *_t18(_a12, _a16, _a20, _a24);
					if(_t12 == 0) {
						goto L7;
					}
				}
				return _t12;
			}

0x0006be41
0x0006be45
0x0006be47
0x0006be47
0x0006be60
0x0006be64
0x0006be68
0x0006be91
0x00000000
0x0006be91
0x0006be74
0x0006be78
0x0006be7d
0x00000000
0x00000000
0x0006be8b
0x0006be8f
0x00000000
0x00000000
0x0006be8f
0x0006be97

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 0006BE3B
GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 0006BE58
GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 0006BE62

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Strings

RegisterApplicationRestart, xrefs: 0006BE52
KERNEL32.DLL, xrefs: 0006BE36
RegisterApplicationRecoveryCallback, xrefs: 0006BE5A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressProc$Exception@8HandleModuleThrow
String ID: KERNEL32.DLL$RegisterApplicationRecoveryCallback$RegisterApplicationRestart
API String ID: 2144170044-723216104
Opcode ID: 347826baa0bc06406ccf8c887e26370f212776ce1af48529001df476b1c17918
Instruction ID: d4f60c57a00534a1078967bd6913c3e1227a8af1cc74130daa3a3942ba8b0c6b
Opcode Fuzzy Hash: 347826baa0bc06406ccf8c887e26370f212776ce1af48529001df476b1c17918
Instruction Fuzzy Hash: 49F0683250431A778F612EE59C45D9F3EEAEF847A4B044022FE09D2151DB72CC659B91

Uniqueness

Uniqueness Score: -1.00%

Function 000B917C Relevance: 9.5, APIs: 6, Instructions: 472
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E000B917C(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed char _t299;
				signed int _t300;
				signed int _t303;
				signed int _t304;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				signed int _t312;
				signed char _t315;
				intOrPtr _t329;
				signed int _t350;
				signed int _t353;
				signed char _t354;
				void* _t355;
				intOrPtr* _t360;
				signed int* _t362;
				signed long long* _t363;
				signed char* _t367;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed long long* _t374;
				void* _t378;
				signed int _t381;
				signed int _t386;
				signed int _t402;
				signed int _t413;
				signed int _t415;
				signed int* _t418;
				signed int _t419;
				signed int _t423;
				intOrPtr* _t425;
				signed long long* _t428;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				void* _t440;
				void* _t445;
				void* _t446;
				signed long long _t450;
				signed long long _t451;
				signed long long _t458;
				signed long long _t460;

				_t431 = __edx;
				_push(0x104);
				_t299 = E00151A19(0x16cc42, __ebx, __edi, __esi);
				_t440 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x88)) != 0) {
					__eflags =  *((intOrPtr*)(__ecx + 8)) - 0x18;
					if( *((intOrPtr*)(__ecx + 8)) < 0x18) {
						goto L1;
					}
					_t450 = st0;
					asm("fldz");
					asm("fucompp");
					asm("fnstsw ax");
					__eflags = _t299 & 0x00000044;
					if((_t299 & 0x00000044) != 0) {
						_t451 = st0;
						asm("fld1");
						asm("fucompp");
						asm("fnstsw ax");
						__eflags = _t299 & 0x00000044;
						if((_t299 & 0x00000044) != 0) {
							 *(_t445 - 0x20) =  *(__ecx + 0x54);
							asm("fild dword [ebp-0x20]");
							asm("fxch st0, st1");
							_t303 = E00155A90( *(__ecx + 0x54),  *0x17bdf8 + st0);
							_t371 =  *(_t440 + 0x50);
							 *(_t445 - 0x24) = _t371;
							asm("fild dword [ebp-0x24]");
							 *(_t445 - 0x14) = _t303;
							asm("fmulp st2, st0");
							asm("faddp st1, st0");
							_t304 = E00155A90(_t303,  *0x17bdf8 + st0);
							_t381 =  *(_t440 + 0x54);
							 *(_t445 - 0x6c) = _t304;
							__eflags = _t304 - _t371;
							if(_t304 != _t371) {
								L11:
								__eflags = _t371;
								if(_t371 <= 0) {
									L7:
									_t300 = 1;
									__eflags = 1;
									L8:
									return E00151AF1(_t300);
								}
								__eflags =  *(_t445 - 0x20);
								if( *(_t445 - 0x20) <= 0) {
									goto L7;
								}
								__eflags =  *(_t445 - 0x6c);
								if( *(_t445 - 0x6c) <= 0) {
									goto L7;
								}
								__eflags =  *(_t445 - 0x14);
								if( *(_t445 - 0x14) <= 0) {
									goto L7;
								}
								_t372 =  *(_t440 + 4);
								 *(_t445 - 0x10) = _t372;
								__eflags = _t372;
								if(_t372 == 0) {
									goto L7;
								}
								_t307 = GetObjectW( *(_t440 + 0x88), 0x18, _t445 - 0xdc);
								__eflags = _t307;
								if(_t307 == 0) {
									goto L1;
								}
								_t308 = E00155F20(_t431,  *(_t445 - 0xd4));
								_t456 =  *(_t440 + 0xb0) *  *(_t445 + 8);
								__eflags =  *(_t445 - 0xd4);
								 *(_t440 + 0xb0) =  *(_t440 + 0xb0) *  *(_t445 + 8);
								 *(_t445 - 0x70) = 0;
								 *(_t445 - 0x5c) = 0;
								 *(_t445 - 0x58) = 0;
								 *(_t445 - 0x24) = 0 |  *(_t445 - 0xd4) < 0x00000000;
								 *(_t445 - 0x74) =  *(_t440 + 0x50);
								__eflags = _t372 - 1;
								if(__eflags == 0) {
									_t430 =  *(_t440 + 0x54);
									__eflags = _t308 - _t430;
									if(__eflags > 0) {
										asm("cdq");
										_t38 = _t308 % _t430;
										__eflags = _t38;
										_t369 = _t308 / _t430;
										_t431 = _t38;
										 *(_t445 - 0x74) = 0;
										 *(_t445 - 0x70) = _t430;
										 *(_t445 - 0x10) = _t369;
										_t372 = _t369;
									}
								}
								_t309 = E000E9A19(_t372, _t431, _t440, 0, __eflags,  *(_t440 + 0x88),  *(_t440 + 0xa4));
								 *(_t445 - 0x60) = _t309;
								__eflags = _t309;
								if(_t309 == 0) {
									goto L1;
								} else {
									_t310 =  *(_t445 - 0x6c);
									_t386 =  *(_t445 - 0x14);
									 *(_t445 - 0x38) = _t310;
									 *(_t445 - 0x34) = _t386;
									__eflags =  *(_t445 - 0x74);
									if( *(_t445 - 0x74) <= 0) {
										_t312 = _t386 * _t372;
										__eflags = _t312;
										 *(_t445 - 0x34) = _t312;
										 *(_t445 - 0x58) = _t386;
									} else {
										 *(_t445 - 0x38) = _t372 * _t310;
										 *(_t445 - 0x5c) = _t310;
									}
									__eflags =  *(_t445 - 0x24);
									if( *(_t445 - 0x24) != 0) {
										 *(_t445 - 0x34) =  ~( *(_t445 - 0x34));
									}
									 *(_t445 - 0x20) = E000E9034(_t445 - 0x38, 0);
									_t315 = E00155F20(_t431,  *(_t445 - 0x34));
									 *(_t445 - 0x34) = _t315;
									__eflags =  *(_t445 - 0x20);
									if( *(_t445 - 0x20) != 0) {
										asm("fld1");
										asm("fcomp qword [ebp+0x8]");
										 *(_t445 + 0xc) = 5;
										asm("fnstsw ax");
										__eflags = _t315 & 0x00000041;
										if((_t315 & 0x00000041) != 0) {
											 *(_t445 + 0xc) = 6;
										}
										 *((intOrPtr*)(_t445 - 0xc4)) = 0;
										 *((intOrPtr*)(_t445 - 0xb8)) = 0;
										 *((intOrPtr*)(_t445 - 0xb4)) = 0;
										 *((intOrPtr*)(_t445 - 0xb0)) = 0;
										 *((intOrPtr*)(_t445 - 0xac)) = 0;
										 *((intOrPtr*)(_t445 - 0xa8)) = 0;
										 *(_t445 - 0xa4) = 0;
										 *((intOrPtr*)(_t445 - 0x9c)) = 0;
										 *((intOrPtr*)(_t445 - 0xc0)) = 0;
										 *((intOrPtr*)(_t445 - 0xbc)) = 0;
										 *((intOrPtr*)(_t445 - 4)) = 0;
										 *((intOrPtr*)(_t445 - 0x1c)) = 0;
										 *((intOrPtr*)(_t445 - 0x18)) = 0;
										E000B8C37(_t445 - 0xc4, _t431,  *(_t445 - 0x60), _t445 - 0x1c);
										 *((intOrPtr*)(_t445 - 0x108)) = 0;
										 *((intOrPtr*)(_t445 - 0xfc)) = 0;
										 *((intOrPtr*)(_t445 - 0xf8)) = 0;
										 *((intOrPtr*)(_t445 - 0xf4)) = 0;
										 *((intOrPtr*)(_t445 - 0xf0)) = 0;
										 *((intOrPtr*)(_t445 - 0xec)) = 0;
										 *(_t445 - 0xe8) = 0;
										 *((intOrPtr*)(_t445 - 0xe0)) = 0;
										 *(_t445 - 0x104) = 0;
										 *((intOrPtr*)(_t445 - 0x100)) = 0;
										 *((intOrPtr*)(_t445 - 0x1c)) = 0;
										 *((intOrPtr*)(_t445 - 0x18)) = 0;
										E000B8C37(_t445 - 0x108, _t431,  *(_t445 - 0x20), _t445 - 0x1c);
										_t373 =  *(_t445 - 0xa0) & 0x000000ff;
										 *((intOrPtr*)(_t445 - 0xd0)) = 0x1843d4;
										 *((intOrPtr*)(_t445 - 0xcc)) = 0;
										 *(_t445 - 0xc8) = 0;
										 *((char*)(_t445 - 4)) = 2;
										E000B7175(_t445 - 0xd0, _t456,  *(_t440 + 0x50),  *(_t445 - 0x6c), 0,  *(_t440 + 0x50),  *(_t445 + 0xc));
										 *((intOrPtr*)(_t445 - 0x88)) = 0x1843d4;
										 *((intOrPtr*)(_t445 - 0x84)) = 0;
										 *(_t445 - 0x80) = 0;
										 *((char*)(_t445 - 4)) = 3;
										E000B7175(_t445 - 0x88, _t456,  *(_t440 + 0x54),  *(_t445 - 0x14), 0,  *(_t440 + 0x54),  *(_t445 + 0xc));
										_t432 = 8;
										 *(_t445 - 0x2c) = E0005C37C(__eflags,  ~(0 | __eflags > 0x00000000) | _t373 * _t432);
										_t434 = 8;
										_t435 = _t373 * _t434 >> 0x20;
										_t329 = E0005C37C(__eflags,  ~(0 | __eflags > 0x00000000) | _t373 * _t434);
										_t402 =  *(_t445 - 0x10);
										 *((intOrPtr*)(_t445 - 0x28)) = _t329;
										 *((intOrPtr*)(_t445 - 0x1c)) = 0;
										 *((intOrPtr*)(_t445 - 0x18)) = 0;
										__eflags = _t402;
										if(_t402 <= 0) {
											L71:
											_push( *(_t445 - 0x2c));
											E0005C3AB();
											_push( *((intOrPtr*)(_t445 - 0x28)));
											E0005C3AB();
											DeleteObject( *(_t445 - 0x60));
											__eflags = E0007463C(_t440 + 0x58, 0, 0);
											if(__eflags != 0) {
												 *(_t440 + 0x58) =  *(_t440 + 0x50);
												 *(_t440 + 0x5c) =  *(_t440 + 0x54);
											}
											 *(_t440 + 0x50) =  *(_t445 - 0x6c);
											 *(_t440 + 0x54) =  *(_t445 - 0x14);
											 *(_t440 + 0xa4) =  *(_t440 + 0xa4) | 0xffffffff;
											 *(_t440 + 0xa8) =  *(_t440 + 0xa4);
											 *(_t440 + 0x88) =  *(_t445 - 0x20);
											 *((intOrPtr*)(_t440 + 8)) = 0x20;
											E000B790E(_t373, _t440, _t435, _t440, 0, __eflags, _t456, 0);
											E000B790E(_t373, _t440, _t435, _t440, 0, __eflags, _t456, 1);
											__eflags =  *(_t440 + 0x88);
											 *((char*)(_t445 - 4)) = 2;
											 *((intOrPtr*)(_t445 - 0x88)) = 0x1843d4;
											E000B6B05(_t445 - 0x88);
											 *((char*)(_t445 - 4)) = 1;
											 *((intOrPtr*)(_t445 - 0xd0)) = 0x1843d4;
											E000B6B05(_t445 - 0xd0);
											_t300 = 0 |  *(_t440 + 0x88) != 0x00000000;
											goto L8;
										} else {
											_t435 =  *(_t445 - 0x104);
											 *(_t445 - 0x78) = _t373 << 3;
											_t350 =  *(_t445 - 0xe8) *  *(_t445 - 0x58);
											_t373 = _t373 *  *(_t445 - 0x5c);
											__eflags = _t373;
											 *((intOrPtr*)(_t445 - 0x48)) = 0;
											 *(_t445 - 0x8c) = _t350;
											 *(_t445 - 0x58) = _t373;
											 *(_t445 - 0x4c) =  *(_t445 - 0x104);
											 *(_t445 - 0x24) = _t402;
											do {
												 *(_t445 - 0x10) = 0;
												__eflags =  *(_t445 - 0x14);
												if( *(_t445 - 0x14) <= 0) {
													goto L70;
												}
												_t413 =  *(_t445 - 0x4c) +  *((intOrPtr*)(_t445 - 0x48));
												__eflags = _t413;
												 *(_t445 - 0x3c) = _t413;
												do {
													 *(_t445 - 0x54) =  *(_t445 - 0x3c);
													_t415 =  *(_t445 - 0x6c);
													__eflags = _t415;
													if(_t415 <= 0) {
														goto L69;
													}
													 *(_t445 - 0x30) =  *(_t445 - 0xc8);
													 *(_t445 - 0x7c) = _t415;
													do {
														_t374 =  *(_t445 - 0x2c);
														E00151B30(_t374, 0,  *(_t445 - 0x78));
														_t353 =  *(_t445 - 0x10);
														_t435 =  *(_t445 - 0x80);
														_t418 = _t435 + _t353 * 8;
														_t446 = _t446 + 0xc;
														 *((intOrPtr*)(_t445 - 0x64)) = 0;
														 *(_t445 - 0x94) = _t418;
														__eflags =  *_t418;
														if( *_t418 <= 0) {
															L48:
															_t419 =  *(_t445 - 0xa0) & 0x000000ff;
															__eflags = _t419 - 4;
															if(_t419 == 4) {
																asm("fcomp qword [ebx]");
																asm("fnstsw ax");
																__eflags = _t353 & 0x00000041;
																if((_t353 & 0x00000041) != 0) {
																	_t458 = _t374[3];
																} else {
																	_t458 =  *_t374;
																}
																 *_t374 = _t458;
																asm("fcomp qword [ebx+0x8]");
																asm("fnstsw ax");
																__eflags = _t353 & 0x00000041;
																if((_t353 & 0x00000041) != 0) {
																	_t460 = _t374[3];
																} else {
																	_t460 = _t374[1];
																}
																_t374[1] = _t460;
																asm("fcomp qword [ebx+0x10]");
																asm("fnstsw ax");
																__eflags = _t353 & 0x00000041;
																if((_t353 & 0x00000041) != 0) {
																	_t456 = _t374[3];
																} else {
																	_t456 = _t374[2];
																}
																_t374[2] = _t456;
															}
															 *(_t445 + 0xc) = 0;
															__eflags = _t419;
															if(_t419 > 0) {
																asm("fldz");
																do {
																	_t354 =  *(_t445 + 0xc);
																	_t456 = _t374[_t354];
																	asm("fcom st0, st1");
																	asm("fnstsw ax");
																	__eflags = _t354 & 0x00000005;
																	if((_t354 & 0x00000005) != 0) {
																		asm("fcom st0, st2");
																		asm("fnstsw ax");
																		__eflags = _t354 & 0x00000041;
																		if((_t354 & 0x00000041) == 0) {
																			st0 = _t456;
																			_t456 = st1;
																		}
																	} else {
																		st0 = _t456;
																		_t456 = st0;
																	}
																	_t355 = E00155AC6();
																	 *(_t445 - 0x54) =  *(_t445 - 0x54) + 1;
																	 *(_t445 + 0xc) =  *(_t445 + 0xc) + 1;
																	 *( *(_t445 - 0x54)) = _t355;
																	__eflags =  *(_t445 + 0xc) - ( *(_t445 - 0xa0) & 0x000000ff);
																} while ( *(_t445 + 0xc) < ( *(_t445 - 0xa0) & 0x000000ff));
																st1 = _t456;
																st0 = _t456;
															}
															goto L67;
														}
														 *((intOrPtr*)(_t445 - 0x98)) = _t435 + 4 + _t353 * 8;
														 *((intOrPtr*)(_t445 - 0x50)) = 0;
														do {
															_t360 =  *((intOrPtr*)( *((intOrPtr*)(_t445 - 0x98)))) +  *((intOrPtr*)(_t445 - 0x50));
															_t456 =  *(_t360 + 4);
															 *(_t445 - 0x110) =  *(_t360 + 4);
															_t378 = ( *_t360 +  *((intOrPtr*)(_t445 - 0x18))) *  *(_t445 - 0xa4) +  *((intOrPtr*)(_t445 - 0xc0));
															E00151B30( *((intOrPtr*)(_t445 - 0x28)), 0,  *(_t445 - 0x78));
															_t362 =  *(_t445 - 0x30);
															_t446 = _t446 + 0xc;
															 *((intOrPtr*)(_t445 - 0x40)) = 0;
															__eflags =  *_t362;
															if( *_t362 <= 0) {
																L43:
																_t435 =  *(_t445 - 0xa0) & 0x000000ff;
																__eflags = _t435;
																if(_t435 <= 0) {
																	goto L46;
																}
																_t363 =  *(_t445 - 0x2c);
																_t423 =  *((intOrPtr*)(_t445 - 0x28)) - _t363;
																__eflags = _t423;
																do {
																	_t456 =  *(_t363 + _t423) *  *(_t445 - 0x110) +  *_t363;
																	 *_t363 =  *(_t363 + _t423) *  *(_t445 - 0x110) +  *_t363;
																	_t363 =  &(_t363[1]);
																	_t435 = _t435 - 1;
																	__eflags = _t435;
																} while (_t435 != 0);
																goto L46;
															}
															 *((intOrPtr*)(_t445 - 0x44)) = 0;
															do {
																_t425 = _t362[1] +  *((intOrPtr*)(_t445 - 0x44));
																_t436 =  *(_t445 - 0xa0) & 0x000000ff;
																_t456 =  *(_t425 + 4);
																 *(_t445 + 0xc) = 0;
																_t367 = ( *_t425 +  *((intOrPtr*)(_t445 - 0x1c))) * _t436 + _t378;
																__eflags = _t436;
																if(_t436 <= 0) {
																	goto L42;
																} else {
																	goto L41;
																}
																do {
																	L41:
																	_t428 =  *((intOrPtr*)(_t445 - 0x28)) +  *(_t445 + 0xc) * 8;
																	 *(_t445 - 0x90) =  *_t367 & 0x000000ff;
																	_t367 =  &(_t367[1]);
																	 *(_t445 + 0xc) =  *(_t445 + 0xc) + 1;
																	asm("fild dword [ebp-0x90]");
																	_t456 = _t456 * st1 +  *_t428;
																	 *_t428 = _t456;
																	__eflags =  *(_t445 + 0xc) - ( *(_t445 - 0xa0) & 0x000000ff);
																} while ( *(_t445 + 0xc) < ( *(_t445 - 0xa0) & 0x000000ff));
																L42:
																 *((intOrPtr*)(_t445 - 0x40)) =  *((intOrPtr*)(_t445 - 0x40)) + 1;
																st0 = _t456;
																_t362 =  *(_t445 - 0x30);
																 *((intOrPtr*)(_t445 - 0x44)) =  *((intOrPtr*)(_t445 - 0x44)) + 0xc;
																__eflags =  *((intOrPtr*)(_t445 - 0x40)) -  *_t362;
															} while ( *((intOrPtr*)(_t445 - 0x40)) <  *_t362);
															goto L43;
															L46:
															 *((intOrPtr*)(_t445 - 0x64)) =  *((intOrPtr*)(_t445 - 0x64)) + 1;
															_t353 =  *(_t445 - 0x94);
															 *((intOrPtr*)(_t445 - 0x50)) =  *((intOrPtr*)(_t445 - 0x50)) + 0xc;
															__eflags =  *((intOrPtr*)(_t445 - 0x64)) -  *_t353;
														} while ( *((intOrPtr*)(_t445 - 0x64)) <  *_t353);
														_t374 =  *(_t445 - 0x2c);
														goto L48;
														L67:
														 *(_t445 - 0x30) =  &(( *(_t445 - 0x30))[2]);
														_t247 = _t445 - 0x7c;
														 *_t247 =  *(_t445 - 0x7c) - 1;
														__eflags =  *_t247;
													} while ( *_t247 != 0);
													_t350 =  *(_t445 - 0x8c);
													_t373 =  *(_t445 - 0x58);
													L69:
													 *(_t445 - 0x10) =  *(_t445 - 0x10) + 1;
													 *(_t445 - 0x3c) =  *(_t445 - 0x3c) +  *(_t445 - 0xe8);
													__eflags =  *(_t445 - 0x10) -  *(_t445 - 0x14);
												} while ( *(_t445 - 0x10) <  *(_t445 - 0x14));
												L70:
												 *((intOrPtr*)(_t445 - 0x1c)) =  *((intOrPtr*)(_t445 - 0x1c)) +  *(_t445 - 0x74);
												 *((intOrPtr*)(_t445 - 0x18)) =  *((intOrPtr*)(_t445 - 0x18)) +  *(_t445 - 0x70);
												 *((intOrPtr*)(_t445 - 0x48)) =  *((intOrPtr*)(_t445 - 0x48)) + _t373;
												 *(_t445 - 0x4c) =  *(_t445 - 0x4c) + _t350;
												_t268 = _t445 - 0x24;
												 *_t268 =  *(_t445 - 0x24) - 1;
												__eflags =  *_t268;
											} while ( *_t268 != 0);
											goto L71;
										}
									} else {
										DeleteObject( *(_t445 - 0x60));
										goto L1;
									}
								}
							}
							__eflags =  *(_t445 - 0x14) - _t381;
							if( *(_t445 - 0x14) == _t381) {
								goto L7;
							}
							goto L11;
						}
						st0 = _t451;
						goto L7;
					} else {
						st0 = _t450;
						goto L1;
					}
				}
				L1:
				_t300 = 0;
				goto L8;
			}

0x000b917c
0x000b917c
0x000b9186
0x000b918b
0x000b9195
0x000b919b
0x000b919f
0x00000000
0x00000000
0x000b91a4
0x000b91a6
0x000b91a8
0x000b91aa
0x000b91ac
0x000b91af
0x000b91b5
0x000b91b7
0x000b91b9
0x000b91bb
0x000b91bd
0x000b91c0
0x000b91d2
0x000b91d5
0x000b91e2
0x000b91e4
0x000b91e9
0x000b91ec
0x000b91ef
0x000b91f2
0x000b91f5
0x000b91f7
0x000b91f9
0x000b91fe
0x000b9201
0x000b9204
0x000b9206
0x000b920d
0x000b920d
0x000b920f
0x000b91c4
0x000b91c6
0x000b91c6
0x000b91c7
0x000b91cc
0x000b91cc
0x000b9211
0x000b9214
0x00000000
0x00000000
0x000b9216
0x000b9219
0x00000000
0x00000000
0x000b921b
0x000b921e
0x00000000
0x00000000
0x000b9220
0x000b9223
0x000b9226
0x000b9228
0x00000000
0x00000000
0x000b9239
0x000b923f
0x000b9241
0x00000000
0x00000000
0x000b924d
0x000b9258
0x000b925e
0x000b9264
0x000b926a
0x000b9270
0x000b9273
0x000b9276
0x000b927c
0x000b927f
0x000b9282
0x000b9284
0x000b9287
0x000b9289
0x000b928b
0x000b928c
0x000b928c
0x000b928c
0x000b928c
0x000b928e
0x000b9291
0x000b9294
0x000b9297
0x000b9297
0x000b9289
0x000b92a5
0x000b92aa
0x000b92ad
0x000b92af
0x00000000
0x000b92b5
0x000b92b5
0x000b92b8
0x000b92bb
0x000b92be
0x000b92c1
0x000b92c4
0x000b92d3
0x000b92d3
0x000b92d6
0x000b92d9
0x000b92c6
0x000b92c9
0x000b92cc
0x000b92cc
0x000b92dc
0x000b92df
0x000b92e1
0x000b92e1
0x000b92f1
0x000b92f4
0x000b92fa
0x000b92fd
0x000b9300
0x000b9310
0x000b9312
0x000b9315
0x000b931c
0x000b931e
0x000b9321
0x000b9323
0x000b9323
0x000b932a
0x000b9330
0x000b9336
0x000b933c
0x000b9342
0x000b9348
0x000b934e
0x000b9354
0x000b935a
0x000b9360
0x000b9373
0x000b9376
0x000b9379
0x000b937c
0x000b9381
0x000b9387
0x000b938d
0x000b9393
0x000b9399
0x000b939f
0x000b93a5
0x000b93ab
0x000b93b1
0x000b93b7
0x000b93ca
0x000b93cd
0x000b93d0
0x000b93d5
0x000b93dc
0x000b93e6
0x000b93ec
0x000b9404
0x000b9408
0x000b940d
0x000b9417
0x000b941d
0x000b9432
0x000b9436
0x000b943f
0x000b9451
0x000b945a
0x000b945b
0x000b9465
0x000b946c
0x000b946f
0x000b9472
0x000b9475
0x000b9478
0x000b947a
0x000b96e7
0x000b96e7
0x000b96ea
0x000b96ef
0x000b96f2
0x000b96fc
0x000b970e
0x000b9710
0x000b9715
0x000b971b
0x000b971b
0x000b9721
0x000b9727
0x000b9730
0x000b9737
0x000b9743
0x000b9749
0x000b9750
0x000b9759
0x000b9760
0x000b9774
0x000b9778
0x000b9780
0x000b978b
0x000b978f
0x000b9795
0x000b979a
0x00000000
0x000b9480
0x000b9480
0x000b948b
0x000b9494
0x000b9498
0x000b9498
0x000b949c
0x000b949f
0x000b94a5
0x000b94a8
0x000b94ab
0x000b94ae
0x000b94ae
0x000b94b1
0x000b94b4
0x00000000
0x00000000
0x000b94bd
0x000b94bd
0x000b94c0
0x000b94c3
0x000b94c6
0x000b94c9
0x000b94cc
0x000b94ce
0x00000000
0x00000000
0x000b94da
0x000b94dd
0x000b94e0
0x000b94e3
0x000b94e8
0x000b94ed
0x000b94f0
0x000b94f3
0x000b94f6
0x000b94f9
0x000b94fc
0x000b9502
0x000b9504
0x000b95fc
0x000b95fc
0x000b9603
0x000b9606
0x000b960b
0x000b960d
0x000b960f
0x000b9612
0x000b9618
0x000b9614
0x000b9614
0x000b9614
0x000b961b
0x000b9620
0x000b9623
0x000b9625
0x000b9628
0x000b962f
0x000b962a
0x000b962a
0x000b962a
0x000b9632
0x000b9638
0x000b963b
0x000b963d
0x000b9640
0x000b9647
0x000b9642
0x000b9642
0x000b9642
0x000b964a
0x000b964a
0x000b964d
0x000b9650
0x000b9652
0x000b965a
0x000b965c
0x000b965c
0x000b965f
0x000b9662
0x000b9664
0x000b9666
0x000b9669
0x000b9671
0x000b9673
0x000b9675
0x000b9678
0x000b967a
0x000b967c
0x000b967c
0x000b966b
0x000b966b
0x000b966d
0x000b966d
0x000b967e
0x000b9686
0x000b9689
0x000b968c
0x000b9695
0x000b9695
0x000b969a
0x000b969c
0x000b969c
0x00000000
0x000b9652
0x000b950e
0x000b9514
0x000b9517
0x000b951f
0x000b9527
0x000b952d
0x000b953e
0x000b9544
0x000b9549
0x000b954c
0x000b954f
0x000b9552
0x000b9554
0x000b95bb
0x000b95bb
0x000b95c2
0x000b95c4
0x00000000
0x00000000
0x000b95c6
0x000b95cc
0x000b95cc
0x000b95ce
0x000b95d7
0x000b95d9
0x000b95db
0x000b95de
0x000b95de
0x000b95de
0x00000000
0x000b95ce
0x000b9556
0x000b9559
0x000b955c
0x000b955f
0x000b9568
0x000b956e
0x000b9574
0x000b9576
0x000b9578
0x00000000
0x00000000
0x00000000
0x00000000
0x000b957a
0x000b957a
0x000b9580
0x000b9586
0x000b958c
0x000b958d
0x000b9590
0x000b9598
0x000b959a
0x000b95a3
0x000b95a3
0x000b95a8
0x000b95a8
0x000b95ab
0x000b95ad
0x000b95b3
0x000b95b7
0x000b95b7
0x00000000
0x000b95e1
0x000b95e1
0x000b95e4
0x000b95ed
0x000b95f1
0x000b95f1
0x000b95f9
0x00000000
0x000b969e
0x000b969e
0x000b96a2
0x000b96a2
0x000b96a2
0x000b96a2
0x000b96ab
0x000b96b1
0x000b96b4
0x000b96ba
0x000b96bd
0x000b96c3
0x000b96c3
0x000b96cc
0x000b96cf
0x000b96d5
0x000b96d8
0x000b96db
0x000b96de
0x000b96de
0x000b96de
0x000b96de
0x00000000
0x000b94ae
0x000b9302
0x000b9305
0x00000000
0x000b9305
0x000b9300
0x000b92af
0x000b9208
0x000b920b
0x00000000
0x00000000
0x00000000
0x000b920b
0x000b91c2
0x00000000
0x000b91b1
0x000b91b1
0x00000000
0x000b91b1
0x000b91af
0x000b9197
0x000b9197
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 000B9186
GetObjectW.GDI32(?,00000018,?), ref: 000B9239
DeleteObject.GDI32(?), ref: 000B9305
_memset.LIBCMT ref: 000B94E8
_memset.LIBCMT ref: 000B9544
DeleteObject.GDI32(?), ref: 000B96FC

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Object$Delete_memset$H_prolog3
String ID:
API String ID: 1235337548-0
Opcode ID: aa1f903cae8900299755fa1c6deab507798645e68e1f14212148aa6529924578
Instruction ID: 34034e82f1a6cbbf57590e30b9acba411b5c6a50e5501d0cabc908341912077d
Opcode Fuzzy Hash: aa1f903cae8900299755fa1c6deab507798645e68e1f14212148aa6529924578
Instruction Fuzzy Hash: C22239B0D00629DFCF65DFA8C985AEDBBB4FF09700F10809AE559AB251DB305A95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00078EA7 Relevance: 9.3, APIs: 6, Instructions: 299
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00078EA7(intOrPtr* __ecx, intOrPtr __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				intOrPtr _v44;
				void* _v48;
				int _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t110;
				int _t112;
				intOrPtr _t123;
				void* _t130;
				void* _t139;
				RECT* _t148;
				long _t149;
				int _t153;
				intOrPtr _t154;
				RECT* _t161;
				int _t165;
				int _t173;
				intOrPtr _t177;
				intOrPtr* _t178;
				intOrPtr* _t184;
				intOrPtr* _t189;
				intOrPtr _t196;
				RECT* _t205;
				void* _t220;
				intOrPtr _t221;
				intOrPtr* _t223;
				void* _t224;
				RECT* _t226;
				signed int _t228;
				void* _t245;

				_t217 = __edx;
				_t110 =  *0x1c0454; // 0x885926af
				_v8 = _t110 ^ _t228;
				_t178 = __ecx;
				_t112 = E0006F25D(__ecx, __edx, __ecx);
				_t226 = 0;
				_v52 = _t112;
				if(_t112 == 0 ||  *((intOrPtr*)(_t112 + 0x20)) == 0) {
					L54:
					return E00150836(_t112, _t178, _v8 ^ _t228, _t217, _t220, _t226);
				} else {
					_t221 =  *_t178;
					_v24.bottom = 0 |  *((intOrPtr*)(_t178 + 0xac)) == 0x00000000;
					_t184 = _t178;
					 *((intOrPtr*)(_t221 + 0x25c))( &_v48, _v24.bottom,  *((intOrPtr*)(_t221 + 0x160))(_t220));
					if(_v48 == 0x7fff || _v44 == 0x7fff) {
						_v24.left = _t226;
						_v24.top = _t226;
						_v24.right = _t226;
						_v24.bottom = _t226;
						GetClientRect( *(E0005F82E(_t178, _t184, _t217, GetParent( *(_t178 + 0x20))) + 0x20),  &_v24);
						_t184 =  *((intOrPtr*)(_t178 + 0xb94));
						if(_v48 != 0x7fff) {
							_t123 = _v24.bottom - _v24.top;
							_v44 = _t123;
							__eflags = _t184 - _t226;
							if(_t184 != _t226) {
								__eflags = _t123 - _t184;
								if(_t123 >= _t184) {
									_v44 = _t184;
								}
							}
						} else {
							_t177 = _v24.right - _v24.left;
							_v48 = _t177;
							if(_t184 != _t226 && _t177 >= _t184) {
								_v48 = _t184;
							}
						}
					}
					_v40.left = _t226;
					_v40.top = _t226;
					_v40.right = _t226;
					_v40.bottom = _t226;
					GetWindowRect( *(_t178 + 0x20),  &_v40);
					if(E0006EA25(0x1860b8, E0005F82E(_t178, _t184, _t217, GetParent( *(_t178 + 0x20)))) == _t226) {
						_t130 = _v40.bottom - _v40.top;
						__eflags =  *0x1c3f04 - _t226; // 0x0
						if(__eflags == 0) {
							__eflags = _t130 - _v44;
							if(_t130 == _v44) {
								L24:
								__eflags = _v40.right - _v40.left - _v48;
								if(__eflags == 0) {
									L33:
									if( *((intOrPtr*)( *_t178 + 0x16c))() != 0 ||  *((intOrPtr*)( *_t178 + 0x178))() == 0 ||  *((intOrPtr*)(_t178 + 0xac)) == _t226) {
										L48:
										_t189 = _t178;
										_t223 =  *((intOrPtr*)( *_t178 + 0x224))(_t226);
										__eflags = _t223 - _t226;
										if(_t223 == _t226) {
											L51:
											_t112 = E0006EA07(_t178, 0x1bde64);
											__eflags = _t112;
											if(_t112 != 0) {
												goto L53;
											}
											goto L52;
										}
										_t139 = E0005F82E(_t178, _t189, _t217, GetParent( *(_t178 + 0x20)));
										__eflags = _t139 - _t223;
										if(_t139 != _t223) {
											goto L51;
										}
										 *((intOrPtr*)( *_t223 + 0x1b0))();
										_t112 = RedrawWindow( *(_t223 + 0x20), _t226, _t226, 0x105);
										goto L53;
									} else {
										_t241 =  *((intOrPtr*)(_t178 + 0xb0)) - _t226;
										if( *((intOrPtr*)(_t178 + 0xb0)) == _t226) {
											goto L48;
										}
										_v24.left = _t226;
										_v24.top = _t226;
										_v24.right = _t226;
										_v24.bottom = _t226;
										_t224 =  *((intOrPtr*)( *_t178 + 0x160))();
										E000CBFE2( *((intOrPtr*)(_t178 + 0xb0)), _t241,  &_v24);
										_t148 = _v24.top;
										_t196 = _v44;
										_t217 = _v48;
										if(_v24.bottom - _t148 == _t196 || _t224 == _t226) {
											_t149 = _v24.left;
											__eflags = _v24.right - _t149 - _t217;
											if(_v24.right - _t149 == _t217) {
												goto L46;
											}
											__eflags = _t224 - _t226;
											if(_t224 != _t226) {
												goto L46;
											}
											_t153 = _t149 + _t217;
											__eflags = _t153;
											_v24.right = _t153;
											goto L43;
										} else {
											_v24.bottom = _t148 + _t196;
											L43:
											_t154 = _v44;
											if(_t224 == _t226) {
												_t154 = _t217;
											}
											E000CF891( *((intOrPtr*)(_t178 + 0xac)),  *((intOrPtr*)(_t178 + 0xb0)), _t154, 1);
											L46:
											_t245 =  *0x1c3f04 - _t226; // 0x0
											if(_t245 != 0) {
												E000C01CC(_t178, _t217, _v48, _v44);
												 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0xb0)))) + 0x28))(_t178);
											}
											L52:
											_t112 =  *((intOrPtr*)( *_v52 + 0x174))(1);
											L53:
											_pop(_t220);
											goto L54;
										}
									}
								}
								__eflags = _v48 - 0x7fff;
								if(__eflags == 0) {
									goto L33;
								}
								__eflags =  *((intOrPtr*)( *_t178 + 0x160))();
								if(__eflags != 0) {
									goto L33;
								}
								L27:
								_v24.right = _t226;
								_v24.bottom = _t226;
								 *((intOrPtr*)( *_t178 + 0x26c))( &(_v24.right));
								_t205 = _v48;
								__eflags = _v24.right - _t205;
								if(_v24.right > _t205) {
									_t205 = _v24.right;
								}
								_t161 = _v24.bottom;
								__eflags = _t161 - _v44;
								if(_t161 <= _v44) {
									_t161 = _v44;
								}
								_t217 =  *_t178;
								 *((intOrPtr*)( *_t178 + 0x234))(_t226, _t226, _t226, _t205, _t161, 0x16, _t226);
								L32:
								E000C0102(_t178, _t217);
								goto L33;
							}
							__eflags = _v44 - 0x7fff;
							if(_v44 == 0x7fff) {
								goto L24;
							}
							_t165 =  *((intOrPtr*)( *_t178 + 0x160))();
							__eflags = _t165;
							if(_t165 != 0) {
								goto L27;
							}
							goto L24;
						}
						__eflags = _t130 - _v44;
						if(_t130 == _v44) {
							L17:
							__eflags = _v40.right - _v40.left - _v48;
							if(__eflags == 0) {
								goto L33;
							}
							__eflags = _v48 - 0x7fff;
							if(__eflags == 0) {
								goto L33;
							}
							__eflags =  *((intOrPtr*)( *_t178 + 0x160))();
							if(__eflags != 0) {
								goto L33;
							}
							L20:
							 *((intOrPtr*)( *_t178 + 0x234))(_t226, _t226, _t226, _v48, _v44, 0x16, _t226);
							goto L32;
						}
						__eflags = _v44 - 0x7fff;
						if(_v44 == 0x7fff) {
							goto L17;
						}
						_t173 =  *((intOrPtr*)( *_t178 + 0x160))();
						__eflags = _t173;
						if(_t173 != 0) {
							goto L20;
						}
						goto L17;
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *_t178 + 0x234))(0, 0xffffffff, 0xffffffff, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x16, 0);
					_t226 = 0;
					goto L33;
				}
			}

0x00078ea7
0x00078eaf
0x00078eb6
0x00078eba
0x00078ebe
0x00078ec3
0x00078ec6
0x00078ecb
0x000791f2
0x000791ff
0x00078eda
0x00078ee3
0x00078eea
0x00078efb
0x00078efd
0x00078f0b
0x00078f15
0x00078f18
0x00078f1b
0x00078f1e
0x00078f34
0x00078f3a
0x00078f43
0x00078f5e
0x00078f61
0x00078f64
0x00078f66
0x00078f68
0x00078f6a
0x00078f6c
0x00078f6c
0x00078f6a
0x00078f45
0x00078f48
0x00078f4b
0x00078f50
0x00078f56
0x00078f56
0x00078f50
0x00078f43
0x00078f76
0x00078f79
0x00078f7c
0x00078f7f
0x00078f82
0x00078fa6
0x00078fe1
0x00078fe4
0x00078fea
0x00079046
0x00079049
0x0007905e
0x00079064
0x00079067
0x000790bf
0x000790cb
0x00079194
0x00079197
0x0007919f
0x000791a1
0x000791a3
0x000791d4
0x000791db
0x000791e0
0x000791e2
0x00000000
0x00000000
0x00000000
0x000791e2
0x000791af
0x000791b4
0x000791b6
0x00000000
0x00000000
0x000791bc
0x000791cc
0x00000000
0x000790ef
0x000790ef
0x000790f5
0x00000000
0x00000000
0x000790ff
0x00079102
0x00079105
0x00079108
0x00079117
0x0007911d
0x00079125
0x00079128
0x0007912f
0x00079132
0x00079142
0x00079147
0x00079149
0x00000000
0x00000000
0x0007914b
0x0007914d
0x00000000
0x00000000
0x0007914f
0x0007914f
0x00079151
0x00000000
0x00079138
0x0007913a
0x00079154
0x00079154
0x00079159
0x0007915b
0x0007915b
0x0007916c
0x00079171
0x00079171
0x00079177
0x00079181
0x0007918f
0x0007918f
0x000791e4
0x000791eb
0x000791f1
0x000791f1
0x00000000
0x000791f1
0x00079132
0x000790cb
0x00079069
0x0007906c
0x00000000
0x00000000
0x00079078
0x0007907a
0x00000000
0x00000000
0x0007907c
0x00079084
0x00079087
0x0007908a
0x00079090
0x00079093
0x00079096
0x00079098
0x00079098
0x0007909b
0x0007909e
0x000790a1
0x000790a3
0x000790a3
0x000790a6
0x000790b2
0x000790b8
0x000790ba
0x00000000
0x000790ba
0x0007904b
0x0007904e
0x00000000
0x00000000
0x00079054
0x0007905a
0x0007905c
0x00000000
0x00000000
0x00000000
0x0007905c
0x00078fec
0x00078fef
0x00079004
0x0007900a
0x0007900d
0x00000000
0x00000000
0x00079013
0x00079016
0x00000000
0x00000000
0x00079026
0x00079028
0x00000000
0x00000000
0x0007902e
0x0007903e
0x00000000
0x0007903e
0x00078ff1
0x00078ff4
0x00000000
0x00000000
0x00078ffa
0x00079000
0x00079002
0x00000000
0x00000000
0x00000000
0x00079002
0x00078fb1
0x00078fb2
0x00078fb5
0x00078fb6
0x00078fd1
0x00078fd7
0x00000000
0x00078fd7

APIs

GetParent.USER32(?), ref: 00078F21
GetClientRect.USER32 ref: 00078F34
GetWindowRect.USER32(?,?), ref: 00078F82
GetParent.USER32(?), ref: 00078F8B
GetParent.USER32(?), ref: 000791A8
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 000791CC

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID:
API String ID: 443302174-0
Opcode ID: 633827715ec7f2e2a5e84b4a5bfcb6855fdfe59316b8973b7a8a357733b14f9d
Instruction ID: 86441e813746d386765b057534b7cd889efc915413730fe04db1fd08bc0f36c3
Opcode Fuzzy Hash: 633827715ec7f2e2a5e84b4a5bfcb6855fdfe59316b8973b7a8a357733b14f9d
Instruction Fuzzy Hash: DBB11A71E002199FCF15DFA8C8889EEBBB6FF48710F148179E40AAB255DB359940CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000823BA Relevance: 9.2, APIs: 6, Instructions: 246
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E000823BA(intOrPtr* __ecx, intOrPtr __edx, void* __fp0) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t53;
				intOrPtr _t58;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;
				intOrPtr _t72;
				intOrPtr* _t74;
				void* _t83;
				void* _t97;
				void* _t105;
				intOrPtr* _t107;
				intOrPtr* _t122;
				int _t146;
				intOrPtr* _t153;
				signed int _t154;
				intOrPtr _t167;
				intOrPtr _t173;
				void* _t178;
				intOrPtr _t179;
				intOrPtr _t181;

				_t151 = __edx;
				_t53 =  *0x1c0454; // 0x885926af
				_v8 = _t53 ^ _t154;
				_t153 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10b0)) != 0) {
					E000E22D9( *0x1c5c64);
					_t146 = E00061441(__ecx);
					_v32.y = _t146;
					if(_t146 != 0 && E0006EA07(_t146, 0x1bd608) != 0) {
						_t110 = E0006EA25(0x1bd608, _v32.y);
						_t105 = E0009A789(_t104, 0x19);
						_t158 = _t105;
						if(_t105 != 0) {
							 *((intOrPtr*)(_t105 + 4)) = 0;
							E0009EE0A(_t110, _t110, __edx, 0, _t153, _t158, __fp0);
						}
					}
				}
				_t107 =  *((intOrPtr*)( *_t153 + 0x1c0))();
				_t57 =  *((intOrPtr*)(_t107 + 0xc98));
				if( *((intOrPtr*)(_t107 + 0xc98)) != 0 &&  *((intOrPtr*)(_t107 + 0xb2c)) == 0) {
					_v32.y =  *_t107;
					 *((intOrPtr*)(_v32.y + 0x34c))(E00074E38(_t107, _t57));
					 *((intOrPtr*)(_t107 + 0xc98)) = 0;
				}
				_t58 =  *((intOrPtr*)(_t153 + 0x10bc));
				if(_t58 == 0) {
					L19:
					if( *((intOrPtr*)(_t153 + 0x148)) == 0) {
						E000E22C8(0);
					} else {
						 *((intOrPtr*)( *_t153 + 0x1d8))();
						 *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x148)) + 0x8c)) = 0;
						 *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x148)) + 0x9c)) = 0;
						_t83 = E0007ED49(_t107, _t153, _t151);
						if(_t83 != 0 &&  *((intOrPtr*)(_t153 + 0x120)) != 0) {
							_t173 =  *0x1c3f04; // 0x0
							if(_t173 == 0) {
								SendMessageW( *(_t83 + 0x20), 0x10, 0, 0);
								 *((intOrPtr*)(_t153 + 0x148)) = 0;
							}
						}
					}
					_t113 =  *((intOrPtr*)(_t153 + 0x144));
					_t174 =  *((intOrPtr*)(_t153 + 0x144));
					if( *((intOrPtr*)(_t153 + 0x144)) != 0) {
						E000ECB07(_t113, _t153);
					}
					E0007EF64(_t153, _t174, 0);
					_t61 =  *0x1c564c; // 0x0
					if(_t61 == 0) {
						_t61 = E00060DD3(_t153);
					}
					_t108 = _t61;
					_t62 = E0006EA25(0x17e958, _t108);
					if(_t62 == 0) {
						_t63 = E0006EA25(0x17ef7c, _t108);
						__eflags = _t63;
						if(__eflags == 0) {
							_t64 = E0006EA25(0x17e5ac, _t108);
							__eflags = _t64;
							if(__eflags != 0) {
								L35:
								_t151 =  *_t64;
								 *((intOrPtr*)( *_t64 + 0x1ec))(_t153);
								goto L36;
							}
							_t64 = E0006EA25(0x17e1f8, _t108);
							__eflags = _t64;
							if(__eflags == 0) {
								goto L36;
							}
							goto L35;
						}
						_t151 =  *_t63;
						 *((intOrPtr*)( *_t63 + 0x1d0))(_t153);
						goto L36;
					} else {
						_t151 =  *_t62;
						 *((intOrPtr*)( *_t62 + 0x1e4))(_t153);
						L36:
						if( *((intOrPtr*)(_t153 + 0xeb0)) != 0) {
							_t178 =  *0x1c48bc - _t153; // 0x0
							if(_t178 == 0) {
								 *0x1c48bc = 0;
							}
						}
						_t179 =  *0x1c3f04; // 0x0
						if(_t179 == 0 && _t108 != 0) {
							_t181 =  *0x1c48bc; // 0x0
							if(_t181 == 0) {
								_t126 = _t153;
								if(E0007ED9A(_t153) != 0) {
									_t72 = E0005F82E(_t108, _t126, _t151, GetFocus());
									_t108 = _t72;
									if(E0007ED9A(_t153) != _t72) {
										_t74 = E0007ED9A(_t153);
										_t151 =  *_t74;
										 *((intOrPtr*)( *_t74 + 0x360))();
									}
								}
							}
						}
						_t122 =  *((intOrPtr*)(_t153 + 0xfd4));
						if(_t122 != 0) {
							_t185 =  *((intOrPtr*)(_t122 + 0x20));
							if( *((intOrPtr*)(_t122 + 0x20)) != 0) {
								 *((intOrPtr*)( *_t122 + 0x60))();
							}
						}
						return E00150836(E000D78E7(_t108, _t153, _t151, 0, _t185), _t108, _v8 ^ _t154, _t151, 0, _t153);
					}
				}
				 *((intOrPtr*)(_t58 + 0x40)) = 0;
				_t107 = E0007ED49(_t107, _t153, _t151);
				if(_t107 == 0) {
					goto L19;
				}
				if( *((intOrPtr*)( *_t107 + 0x200))() != 0) {
					_t97 = E0006EA25(0x1895c0, _t107);
					if(_t97 != 0 &&  *((intOrPtr*)(_t97 + 0x1f00)) == 0) {
						 *((intOrPtr*)(_t153 + 0x120)) = 0;
					}
				}
				if( *((intOrPtr*)(_t153 + 0x120)) == 0) {
					goto L19;
				}
				_t167 =  *0x1c3f04; // 0x0
				if(_t167 != 0) {
					goto L19;
				}
				_v32.x = 0;
				_v32.y = 0;
				GetCursorPos( &_v32);
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetWindowRect( *(_t107 + 0x20),  &_v24);
				if( *((intOrPtr*)( *_t107 + 0x1d0))() != 0) {
					L18:
					SendMessageW( *(_t107 + 0x20), 0x10, 0, 0);
					 *((intOrPtr*)(_t153 + 0x10bc)) = 0;
					goto L19;
				}
				_push(_v32.y);
				if(PtInRect( &_v24, _v32) != 0) {
					goto L19;
				}
				goto L18;
			}

0x000823ba
0x000823c2
0x000823c9
0x000823cf
0x000823d9
0x000823e1
0x000823ed
0x000823ef
0x000823f4
0x00082410
0x00082416
0x0008241b
0x0008241d
0x00082421
0x00082424
0x00082424
0x0008241d
0x000823f4
0x00082433
0x00082435
0x0008243d
0x00082449
0x0008245a
0x00082460
0x00082460
0x00082466
0x0008246e
0x00082523
0x00082529
0x0008257e
0x0008252b
0x0008252f
0x0008253b
0x00082549
0x0008254f
0x00082556
0x00082560
0x00082566
0x0008256f
0x00082575
0x00082575
0x00082566
0x00082556
0x00082583
0x00082589
0x0008258b
0x0008258e
0x0008258e
0x00082596
0x0008259b
0x000825a2
0x000825a6
0x000825a6
0x000825ab
0x000825b3
0x000825bc
0x000825d1
0x000825d8
0x000825da
0x000825ef
0x000825f6
0x000825f8
0x0008260b
0x0008260b
0x00082610
0x00000000
0x00082610
0x00082600
0x00082607
0x00082609
0x00000000
0x00000000
0x00000000
0x00082609
0x000825dc
0x000825e1
0x00000000
0x000825be
0x000825be
0x000825c3
0x00082616
0x0008261c
0x0008261e
0x00082624
0x00082626
0x00082626
0x00082624
0x0008262c
0x00082632
0x00082638
0x0008263e
0x00082640
0x00082649
0x00082652
0x00082659
0x00082662
0x00082666
0x0008266b
0x0008266f
0x0008266f
0x00082662
0x00082649
0x0008263e
0x00082675
0x0008267d
0x0008267f
0x00082682
0x00082686
0x00082686
0x00082682
0x0008269e
0x0008269e
0x000825bc
0x00082476
0x0008247e
0x00082482
0x00000000
0x00000000
0x00082494
0x0008249c
0x000824a5
0x000824af
0x000824af
0x000824a5
0x000824bb
0x00000000
0x00000000
0x000824bd
0x000824c3
0x00000000
0x00000000
0x000824c9
0x000824cc
0x000824cf
0x000824dc
0x000824df
0x000824e2
0x000824e5
0x000824e8
0x000824fa
0x00082510
0x00082517
0x0008251d
0x00000000
0x0008251d
0x000824fc
0x0008250e
0x00000000
0x00000000
0x00000000

APIs

GetCursorPos.USER32(?), ref: 000824CF
GetWindowRect.USER32(?,?), ref: 000824E8
PtInRect.USER32(?,?,?), ref: 00082506
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00082517
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0008256F

Part of subcall function 00061441: GetParent.USER32(?), ref: 0006144B

GetFocus.USER32 ref: 0008264B

Part of subcall function 0009EE0A: __EH_prolog3_GS.LIBCMT ref: 0009EE14
Part of subcall function 0009EE0A: GetWindowRect.USER32(?,?), ref: 0009EEAD
Part of subcall function 0009EE0A: SetRect.USER32 ref: 0009EECF
Part of subcall function 0009EE0A: CreateCompatibleDC.GDI32(?), ref: 0009EEDB
Part of subcall function 0009EE0A: CreateCompatibleBitmap.GDI32(?,00000019,001BD608), ref: 0009EF05
Part of subcall function 0009EE0A: GetWindowRect.USER32(?,?), ref: 0009EF67
Part of subcall function 0009EE0A: GetClientRect.USER32 ref: 0009EF70

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
String ID:
API String ID: 2914356772-0
Opcode ID: 84da321aee4356643359ce53c3fc6bd05a8ecc2d3e54ab7226ae6ad1212e2c34
Instruction ID: 27d9683c0662e1cc7eeaf887b17fe31685803d9205b4cc146ef73ab531f379d2
Opcode Fuzzy Hash: 84da321aee4356643359ce53c3fc6bd05a8ecc2d3e54ab7226ae6ad1212e2c34
Instruction Fuzzy Hash: CD81A430A00700DFCB26AFA4D8959BEB7F6FF88700F24456EE48697252EB759D81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 000772A1 Relevance: 9.2, APIs: 6, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E000772A1(intOrPtr* __ecx, void* __edx, signed int _a4, intOrPtr _a8, char _a12, intOrPtr _a16) {
				signed int _v8;
				void* __ebx;
				signed int _t45;
				signed int _t46;
				signed int _t53;
				void* _t55;
				signed int _t60;
				signed int _t64;
				signed int _t73;
				signed int _t83;
				void* _t86;
				void* _t87;
				signed int _t88;
				void* _t91;
				signed int _t108;
				signed int _t113;
				intOrPtr* _t117;
				signed int _t119;

				_t111 = __edx;
				_push(__ecx);
				_t117 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xb44)) == 0) {
					_t45 =  *(__ecx + 0xb8c);
					_v8 = _t45;
					__eflags = _t45;
					if(_t45 < 0) {
						goto L1;
					}
					_t113 =  *(__ecx + 0xc98);
					 *(__ecx + 0xc98) =  *(__ecx + 0xc98) & 0x00000000;
					 *((intOrPtr*)( *__ecx + 0x3d0))();
					_push(_a16);
					_push(_a12);
					__eflags =  *((intOrPtr*)( *__ecx + 0x390))();
					if(__eflags < 0) {
						L6:
						_t46 =  *((intOrPtr*)( *_t117 + 0x3f8))(_a4, _t87);
						_t88 = _t46;
						_a4 = _t88;
						__eflags = _t88;
						if(_t88 == 0) {
							L30:
							L31:
							L32:
							return _t46;
						}
						_t53 =  *((intOrPtr*)( *_t88 + 0x78))(_t117);
						__eflags = _t53;
						if(_t53 != 0) {
							 *(_t88 + 0x1c) =  *(_t88 + 0x1c) & 0x00000000;
							__eflags = _t113;
							if(_t113 == 0) {
								L18:
								_t55 =  *((intOrPtr*)( *_t117 + 0x340))(_t88, _v8);
								__eflags = _t55 - 0xffffffff;
								if(_t55 != 0xffffffff) {
									 *((intOrPtr*)( *_t117 + 0x208))();
									_t98 = E0005F82E(_t88, _t117, _t111, GetParent( *(_t117 + 0x20)));
									_t60 = E0006EA07(_t59, 0x1860b8);
									__eflags = _t60;
									if(_t60 != 0) {
										_t73 = E0006EA25(0x1bced8, E0005F82E(_t88, _t98, _t111, GetParent( *(E0005F82E(_t88, _t98, _t111, GetParent( *(_t117 + 0x20))) + 0x20))));
										_pop(_t98);
										__eflags = _t73;
										if(_t73 != 0) {
											_t111 =  *_t73;
											_t98 = _t73;
											 *((intOrPtr*)( *_t73 + 0x20c))();
										}
									}
									__eflags =  *0x1c3f08;
									if( *0x1c3f08 != 0) {
										_t98 = _t88;
										 *((intOrPtr*)( *_t88 + 0x80))();
									}
									 *(_t117 + 0xb80) =  *(_t117 + 0xb80) | 0xffffffff;
									RedrawWindow( *(_t117 + 0x20), 0, 0, 0x505);
									_t64 = E0006EA25(0x1bcffc, E0005F82E(RedrawWindow, _t98, _t111, GetParent( *(_t117 + 0x20))));
									__eflags = _t64;
									if(_t64 != 0) {
										RedrawWindow( *(_t64 + 0x20), 0, 0, 0x505);
									}
									L29:
									_t46 = 1;
									__eflags = 1;
									goto L30;
								}
								_t119 = 0;
								L21:
								 *((intOrPtr*)( *_t88 + 4))(1);
								_t46 = _t119;
								goto L30;
							}
							__eflags = _a8 - 1;
							if(_a8 == 1) {
								goto L18;
							}
							_t91 = E00074E38(_t117, _t113);
							__eflags = _v8 - _t91;
							if(_v8 == _t91) {
								L20:
								 *((intOrPtr*)( *_t117 + 0x410))(_t113, _t117 + 0xc80,  &_a12);
								_t88 = _a4;
								_t119 = 1;
								__eflags = 1;
								goto L21;
							}
							_t20 = _t91 + 1; // 0x1
							__eflags = _v8 - _t20;
							if(_v8 == _t20) {
								goto L20;
							}
							 *((intOrPtr*)( *_t117 + 0x34c))(_t91);
							_t108 = _v8;
							__eflags = _t108 - _t91;
							if(_t108 > _t91) {
								_t108 = _t108 - 1;
								__eflags = _t108;
							}
							_t83 =  *(_t117 + 0xbd4);
							__eflags = _t108 - _t83;
							if(_t108 < _t83) {
								_t83 = _t108;
							}
							_t88 = _a4;
							_v8 = _t83;
							goto L18;
						}
						 *((intOrPtr*)( *_t88 + 4))(1);
						goto L29;
					}
					_t86 = E00074F8E(__ecx, __eflags, _t50);
					__eflags = _t113 - _t86;
					if(_t113 != _t86) {
						goto L6;
					} else {
						_t46 = 0;
						goto L31;
					}
				}
				L1:
				_t46 = 0;
				goto L32;
			}

0x000772a1
0x000772a6
0x000772a8
0x000772b1
0x000772ba
0x000772c0
0x000772c3
0x000772c5
0x00000000
0x00000000
0x000772ca
0x000772d0
0x000772d7
0x000772dd
0x000772e2
0x000772ed
0x000772ef
0x00077304
0x0007730c
0x00077312
0x00077314
0x00077317
0x00077319
0x0007747d
0x0007747e
0x0007747f
0x00077481
0x00077481
0x00077324
0x00077327
0x00077329
0x00077339
0x0007733d
0x0007733f
0x00077383
0x0007738b
0x00077391
0x00077394
0x000773ca
0x000773e6
0x000773e8
0x000773ed
0x000773ef
0x0007740d
0x00077413
0x00077414
0x00077416
0x00077418
0x0007741a
0x0007741c
0x0007741c
0x00077416
0x00077422
0x00077429
0x0007742d
0x0007742f
0x0007742f
0x0007743b
0x0007744e
0x00077461
0x00077468
0x0007746a
0x00077478
0x00077478
0x0007747a
0x0007747c
0x0007747c
0x00000000
0x0007747c
0x00077396
0x000773b6
0x000773bc
0x000773bf
0x00000000
0x000773bf
0x00077341
0x00077345
0x00000000
0x00000000
0x0007734f
0x00077351
0x00077354
0x0007739a
0x000773aa
0x000773b0
0x000773b5
0x000773b5
0x00000000
0x000773b5
0x00077356
0x00077359
0x0007735c
0x00000000
0x00000000
0x00077363
0x00077369
0x0007736c
0x0007736e
0x00077370
0x00077370
0x00077370
0x00077371
0x00077377
0x00077379
0x0007737b
0x0007737b
0x0007737d
0x00077380
0x00000000
0x00077380
0x00077331
0x00000000
0x00077331
0x000772f4
0x000772f9
0x000772fb
0x00000000
0x000772fd
0x000772fd
0x00000000
0x000772fd
0x000772fb
0x000772b3
0x000772b3
0x00000000

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8e7c3340018a3c2b5cbe804b3b0b52d677281f8566bbd5c4c75acf4e615f4d
Instruction ID: 8999984604355b95016723bdc1e844b3f362a96763598fda93438228fa1193f4
Opcode Fuzzy Hash: fa8e7c3340018a3c2b5cbe804b3b0b52d677281f8566bbd5c4c75acf4e615f4d
Instruction Fuzzy Hash: 1751AF317046009FDB259F64C888BAE77E9FF48350F108568F94E9B2A2DB78EE40DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0007A964 Relevance: 9.2, APIs: 6, Instructions: 155
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0007A964(intOrPtr* __ecx, intOrPtr* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr _v56;
				long _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v120;
				void* _v124;
				signed int _v128;
				long _v132;
				void* _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t67;
				signed int _t71;
				signed int _t74;
				long _t83;
				intOrPtr _t86;
				intOrPtr _t99;
				void* _t108;
				void* _t109;
				intOrPtr* _t113;
				signed int _t118;
				intOrPtr* _t125;
				void* _t126;
				long _t127;
				intOrPtr* _t130;
				void* _t131;
				signed int _t133;
				signed int _t135;

				_t125 = __edx;
				_t133 = _t135;
				_t67 =  *0x1c0454; // 0x885926af
				_t68 = _t67 ^ _t133;
				_v8 = _t67 ^ _t133;
				_t130 = __ecx;
				if(__ecx != 0 &&  *((intOrPtr*)(__ecx + 0x20)) != 0) {
					_push(_t108);
					_push(_t126);
					_t71 =  *((intOrPtr*)( *__ecx + 0x190))();
					_t113 =  *((intOrPtr*)(__ecx + 0xbcc));
					asm("sbb eax, eax");
					_t74 =  ~( ~(_t71 & 0x0000a000));
					while(_t113 != 0) {
						_t127 = 0;
						_t125 = _t113;
						if(_t113 == 0) {
							E000655E0(_t113);
							L23:
							E00078EA7(_t130, _t125);
						} else {
							_t125 =  *((intOrPtr*)(_t125 + 8));
							_t113 =  *_t113;
							if(_t125 == 0) {
								break;
							} else {
								if(( *(_t125 + 0x24) & 0x00000001) == 0 &&  *((intOrPtr*)(_t130 + 0xb14)) != 0 && _t74 != 0) {
									_t127 = 1;
								}
								 *((intOrPtr*)(_t125 + 0x18)) = _t127;
								continue;
							}
						}
						L24:
						 *((intOrPtr*)( *_t130 + 0x3e0))();
						_t68 = RedrawWindow( *(_t130 + 0x20), 0, 0, 0x505);
						_pop(_t126);
						_pop(_t108);
						goto L25;
					}
					_t118 = E0006EA25(0x1876d0, E0005F82E(_t108, _t113, _t125, GetParent( *(_t130 + 0x20))));
					_v128 = _t118;
					if(_t118 == 0) {
						goto L23;
					} else {
						_t109 = E000DC9F8(_t118);
						_t83 = SendMessageW( *(_t109 + 0x20), 0x40c, 0, 0);
						_v128 = _v128 & 0x00000000;
						_v132 = _t83;
						_v124 =  *((intOrPtr*)(_v128 + 0x2ac));
						_v120 = 0x230;
						if(_t83 != 0) {
							while(1) {
								SendMessageW( *(_t109 + 0x20), 0x41c, _v128,  &_v124);
								if(_v92 ==  *(_t130 + 0x20)) {
									goto L16;
								}
								_v128 = _v128 + 1;
								if(_v128 < _v132) {
									continue;
								}
								goto L16;
							}
						}
						L16:
						_v120 = _v120 ^ 0x00000010;
						if(_v128 < _v132) {
							_t86 =  *((intOrPtr*)( *_t130 + 0x418))();
							 *((intOrPtr*)(_t130 + 0xb74)) = _t86;
							 *((intOrPtr*)( *_t130 + 0x2a4))( &_v136, 0);
							_v24.left = 0;
							_v24.top = 0;
							_v24.right = 0;
							_v24.bottom = 0;
							SetRectEmpty( &_v24);
							E000BEF4B(_t130,  &_v24, 1);
							_v132 = _v132 + _v24.top - _v24.bottom;
							_v136 = _v136 + _v24.left - _v24.right;
							if(_v136 <= 0) {
								_v136 = 0;
							}
							if(_v132 <= 0) {
								_v132 = 0;
							}
							_t99 =  *0x1bce54; // 0x17
							_v88 = _t99;
							_v84 = _v132;
							_v56 = _v136;
							SendMessageW( *(_t109 + 0x20), 0x40b, _v128,  &_v124);
						}
					}
					goto L24;
				}
				L25:
				_pop(_t131);
				return E00150836(_t68, _t108, _v8 ^ _t133, _t125, _t126, _t131);
			}

0x0007a964
0x0007a967
0x0007a96f
0x0007a974
0x0007a976
0x0007a97a
0x0007a97e
0x0007a990
0x0007a991
0x0007a992
0x0007a998
0x0007a9a5
0x0007a9a7
0x0007a9d6
0x0007a9ab
0x0007a9ad
0x0007a9b1
0x0007ab0f
0x0007ab14
0x0007ab16
0x0007a9b7
0x0007a9b7
0x0007a9ba
0x0007a9be
0x00000000
0x0007a9c0
0x0007a9c4
0x0007a9d2
0x0007a9d2
0x0007a9d3
0x00000000
0x0007a9d3
0x0007a9be
0x0007ab1b
0x0007ab1f
0x0007ab31
0x0007ab37
0x0007ab38
0x00000000
0x0007ab38
0x0007a9f6
0x0007a9f8
0x0007a9fd
0x00000000
0x0007aa03
0x0007aa12
0x0007aa1c
0x0007aa27
0x0007aa2b
0x0007aa2e
0x0007aa31
0x0007aa3a
0x0007aa3c
0x0007aa4b
0x0007aa53
0x00000000
0x00000000
0x0007aa55
0x0007aa5e
0x00000000
0x00000000
0x00000000
0x0007aa5e
0x0007aa3c
0x0007aa60
0x0007aa63
0x0007aa6a
0x0007aa74
0x0007aa82
0x0007aa8d
0x0007aa95
0x0007aa98
0x0007aa9b
0x0007aa9e
0x0007aaa5
0x0007aab3
0x0007aabe
0x0007aac7
0x0007aad5
0x0007aad7
0x0007aad7
0x0007aae0
0x0007aae2
0x0007aae2
0x0007aae5
0x0007aaea
0x0007aaf0
0x0007aaf9
0x0007ab0b
0x0007ab0b
0x0007aa6a
0x00000000
0x0007a9fd
0x0007ab39
0x0007ab3e
0x0007ab45

APIs

GetParent.USER32(00000000), ref: 0007A9DD
SendMessageW.USER32(00000000,0000040C,00000000,00000000), ref: 0007AA1C
SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 0007AA4B
SetRectEmpty.USER32 ref: 0007AAA5
SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 0007AB0B
RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 0007AB31

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID:
API String ID: 3879113052-0
Opcode ID: 16dd9e66b3ac86f76800c5ed4a246ed36c42c62a900a67fab91bc997d2b4399b
Instruction ID: 3090a5ad0eb89ebc1765c79808e2094939e37303027a742f4b05ffab4feccdce
Opcode Fuzzy Hash: 16dd9e66b3ac86f76800c5ed4a246ed36c42c62a900a67fab91bc997d2b4399b
Instruction Fuzzy Hash: B8514D31E006099FDB20DFA8C894BAEBBF5FF48300F20416AE549E7291EB749980CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0007F1ED Relevance: 9.1, APIs: 6, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0007F1ED(void* __ecx, void* __edx, void* __edi) {
				signed int _v8;
				struct tagRECT _v24;
				void* __ebx;
				void* __esi;
				signed int _t30;
				int _t35;
				int _t39;
				int _t58;
				void* _t59;
				void* _t64;
				void* _t65;
				void* _t67;
				signed int _t68;

				_t65 = __edi;
				_t64 = __edx;
				_t30 =  *0x1c0454; // 0x885926af
				_v8 = _t30 ^ _t68;
				_t67 = __ecx;
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetWindowRect( *( *((intOrPtr*)(__ecx + 0x120)) + 0x20),  &_v24);
				_t35 =  *(_t67 + 0x124);
				_t58 = _t35;
				if( *((intOrPtr*)(_t67 + 0x290)) != 0) {
					_t58 =  ~_t58;
				}
				OffsetRect( &_v24, _t58, _t35);
				SendMessageW( *(_t67 + 0x20), 0xb, 0, 0);
				_t39 = IsWindowVisible( *(_t67 + 0x20));
				_t59 = _t67;
				if(_t39 != 0) {
					E00063614(_t59, 0, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x14);
				} else {
					E00063582(_t59, 4);
					E00063614( *((intOrPtr*)(_t67 + 0x120)), 0x1c3428, E00063614(_t67, 0x1c3428, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x10) | 0xffffffff, E00063614(_t67, 0x1c3428, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x10) | 0xffffffff, E00063614(_t67, 0x1c3428, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x10) | 0xffffffff, _t54, 0x53);
					_t65 = _t65;
				}
				SendMessageW( *(_t67 + 0x20), 0xb, 1, 0);
				return E00150836(RedrawWindow( *(_t67 + 0x20), 0, 0, 0x105), 0, _v8 ^ _t68, _t64, _t65, _t67);
			}

0x0007f1ed
0x0007f1ed
0x0007f1f5
0x0007f1fc
0x0007f206
0x0007f20f
0x0007f212
0x0007f215
0x0007f218
0x0007f21e
0x0007f224
0x0007f22a
0x0007f232
0x0007f234
0x0007f234
0x0007f23c
0x0007f249
0x0007f252
0x0007f258
0x0007f25c
0x0007f2b8
0x0007f25e
0x0007f261
0x0007f299
0x0007f29e
0x0007f29e
0x0007f2c5
0x0007f2e8

APIs

GetWindowRect.USER32(?,?), ref: 0007F21E
OffsetRect.USER32 ref: 0007F23C
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 0007F249
IsWindowVisible.USER32(?), ref: 0007F252
SendMessageW.USER32(00000014,0000000B,00000001,00000000), ref: 0007F2C5
RedrawWindow.USER32(00000105,00000000,00000000,00000105), ref: 0007F2D5

Part of subcall function 00063614: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,0005F2B6), ref: 0006363C

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$MessageRectSend$OffsetRedrawVisible
String ID:
API String ID: 2707749077-0
Opcode ID: 2d8a2685ec279005c6ad8049aebf63020e8650b1e2b0173875be3815b727caa6
Instruction ID: 7c018d72a27c7331a18bb76c7e59f5c135fa77ae66a70df61fca89b75f00dc97
Opcode Fuzzy Hash: 2d8a2685ec279005c6ad8049aebf63020e8650b1e2b0173875be3815b727caa6
Instruction Fuzzy Hash: DC310DB2A00609BFDB11DFA8CD85EBFBBB9FB48304F004518B55AA7291D770AD40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 000568F0 Relevance: 9.1, APIs: 6, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E000568F0(void* __ebx, signed int __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char _v8;
				char _v16;
				void* __esi;
				void* __ebp;
				signed int _t36;
				signed int** _t43;
				signed int** _t45;
				intOrPtr* _t47;
				void* _t51;
				void* _t54;
				void* _t61;
				signed int _t82;
				signed int _t84;
				intOrPtr _t89;
				signed int _t91;

				_t87 = __edi;
				_t61 = __ebx;
				_push(0xffffffff);
				_push(0x17465d);
				_push( *[fs:0x0]);
				_t36 =  *0x1c0454; // 0x885926af
				_push(_t36 ^ _t91);
				 *[fs:0x0] =  &_v16;
				_t89 = _a4;
				_v8 = 9;
				E0005C8A2(_t89 + 0x3ec, __edx, __edi, _t89, __eflags);
				_v8 = 8;
				E0005C8A2(_t89 + 0x378, __edx, __edi, _t89, __eflags);
				_v8 = 7;
				E0005C8A2(_t89 + 0x304, __edx, __edi, _t89, __eflags);
				_v8 = 6;
				_t43 =  *((intOrPtr*)(_t89 + 0x2e4)) - 0x10;
				asm("lock xadd [ecx], edx");
				_t82 = (__edx | 0xffffffff) - 1;
				if(_t82 <= 0) {
					_t82 =  *( *_t43);
					 *((intOrPtr*)( *((intOrPtr*)(_t82 + 4))))(_t43);
				}
				_v8 = 5;
				_t45 =  *((intOrPtr*)(_t89 + 0x2e0)) - 0x10;
				asm("lock xadd [ecx], edx");
				_t84 = (_t82 | 0xffffffff) - 1;
				if(_t84 <= 0) {
					_t84 =  *( *_t45);
					 *((intOrPtr*)( *((intOrPtr*)(_t84 + 4))))(_t45);
				}
				_v8 = 4;
				_t47 =  *((intOrPtr*)(_t89 + 0x2dc)) - 0x10;
				asm("lock xadd [ecx], edx");
				_t86 = (_t84 | 0xffffffff) - 1;
				_t95 = (_t84 | 0xffffffff) - 1;
				if((_t84 | 0xffffffff) - 1 <= 0) {
					_t86 =  *((intOrPtr*)( *_t47));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t47)) + 4))))(_t47);
				}
				_v8 = 3;
				E00067B1B(_t89 + 0x268, _t86, _t87, _t89, _t95);
				_v8 = 2;
				E0005C8A2(_t89 + 0x1f4, _t86, _t87, _t89, _t95);
				_v8 = 1;
				E000679F8(_t89 + 0x180, _t86, _t87, _t89, _t95);
				_v8 = 0;
				_t51 = E00054720(_t61, _t89 + 0xb8, _t86, _t95, _t89 + 0xb8);
				_v8 = 0xb;
				E00066FFE(_t51, _t89 + 0xac);
				_v8 = 0xa;
				 *((intOrPtr*)(_t89 + 0xa0)) = 0x177dac;
				E00051420(_t89 + 0xa0, _t86);
				_v8 = 0xffffffff;
				_t54 = E00063E97(_t89, _t86, _t87, _t89, _t95);
				 *[fs:0x0] = _v16;
				return _t54;
			}

0x000568f0
0x000568f0
0x000568f3
0x000568f5
0x00056900
0x00056902
0x00056909
0x0005690d
0x00056913
0x0005691c
0x00056923
0x0005692e
0x00056932
0x0005693d
0x00056941
0x00056946
0x00056950
0x00056959
0x0005695d
0x00056960
0x00056964
0x0005696a
0x0005696a
0x0005696c
0x00056976
0x0005697f
0x00056983
0x00056986
0x0005698a
0x00056990
0x00056990
0x00056992
0x0005699c
0x000569a5
0x000569a9
0x000569aa
0x000569ac
0x000569b0
0x000569b6
0x000569b6
0x000569be
0x000569c2
0x000569cd
0x000569d1
0x000569dc
0x000569e0
0x000569ec
0x000569f0
0x000569fb
0x00056a02
0x00056a0d
0x00056a11
0x00056a17
0x00056a1e
0x00056a25
0x00056a2d
0x00056a39

APIs

~_Task_impl.LIBCPMT ref: 00056923

Part of subcall function 0005C8A2: __EH_prolog3.LIBCMT ref: 0005C8A9

~_Task_impl.LIBCPMT ref: 00056932
~_Task_impl.LIBCPMT ref: 00056941
~_Task_impl.LIBCPMT ref: 000569C2
~_Task_impl.LIBCPMT ref: 000569D1
~_Task_impl.LIBCPMT ref: 000569E0

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Task_impl$H_prolog3
String ID:
API String ID: 1204490572-0
Opcode ID: 1cf5daf8c21a00b2e65431a641ff0244dc70b8e2f4eccfdcd1a2fd7f8d2311a7
Instruction ID: 21eeb958d00ff8759c797361f633287209d027be94046c57f0d0e2b648491ee2
Opcode Fuzzy Hash: 1cf5daf8c21a00b2e65431a641ff0244dc70b8e2f4eccfdcd1a2fd7f8d2311a7
Instruction Fuzzy Hash: 5B41BC30105B84DFE315DBACC944BDABBE4AF5A324F14868CD4AA472D2DB316A09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000804D0 Relevance: 9.1, APIs: 6, Instructions: 79
timeCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E000804D0(void* __ebx, intOrPtr* __ecx, struct tagPOINT _a8, intOrPtr _a12) {
				void* __edi;
				int _t27;
				int _t28;
				int _t34;
				RECT* _t40;
				intOrPtr* _t48;

				_t48 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xfd8)) == 0) {
					_t27 = E0005F788(__ebx, __ecx, 0, __eflags);
					__eflags =  *(_t48 + 0xef0);
					if( *(_t48 + 0xef0) != 0) {
						__eflags =  *(_t48 + 0xf18);
						if( *(_t48 + 0xf18) == 0) {
							_push(__ebx);
							_push(_a12);
							_t40 = _t48 + 0xef8;
							_t28 = PtInRect(_t40, _a8.x);
							__eflags = _t28;
							if(_t28 == 0) {
								L8:
								_push(_a12);
								_t40 = _t48 + 0xf08;
								_t27 = PtInRect(_t40, _a8.x);
								__eflags = _t27;
								if(_t27 == 0) {
									L12:
									_t23 = _t48 + 0xf18;
									 *_t23 =  *(_t48 + 0xf18) & 0x00000000;
									__eflags =  *_t23;
								} else {
									_t27 =  *((intOrPtr*)( *_t48 + 0x1e0))();
									__eflags = _t27;
									if(_t27 == 0) {
										goto L12;
									} else {
										__eflags = 1;
										 *(_t48 + 0xf18) = 1;
										_push(1);
										goto L11;
									}
								}
							} else {
								_t34 =  *((intOrPtr*)( *_t48 + 0x1dc))();
								__eflags = _t34;
								if(_t34 == 0) {
									goto L8;
								} else {
									 *(_t48 + 0xf18) =  *(_t48 + 0xf18) | 0xffffffff;
									_push(1);
									L11:
									_t27 = InvalidateRect( *(_t48 + 0x20), _t40, ??);
								}
							}
							__eflags =  *(_t48 + 0xf18);
							if( *(_t48 + 0xf18) != 0) {
								return SetTimer( *(_t48 + 0x20), 2, 0x50, 0);
							}
						}
					}
				} else {
					_push(_a12);
					_t27 = PtInRect(__ecx + 0xfe0, _a8.x);
					if(_t27 == 0) {
						ReleaseCapture();
						 *((intOrPtr*)(_t48 + 0xfd8)) = 0;
						return  *((intOrPtr*)( *_t48 + 0x1f0))(_a8, _a12);
					}
				}
				return _t27;
			}

0x000804d7
0x000804e1
0x0008051f
0x00080524
0x0008052a
0x00080530
0x00080536
0x00080542
0x00080543
0x00080546
0x00080550
0x00080552
0x00080554
0x0008056f
0x0008056f
0x00080572
0x0008057c
0x0008057e
0x00080580
0x000805a6
0x000805a6
0x000805a6
0x000805a6
0x00080582
0x00080586
0x0008058c
0x0008058e
0x00000000
0x00080590
0x00080592
0x00080593
0x00080599
0x00000000
0x00080599
0x0008058e
0x00080556
0x0008055a
0x00080560
0x00080562
0x00000000
0x00080564
0x00080564
0x0008056b
0x0008059a
0x0008059e
0x0008059e
0x00080562
0x000805ad
0x000805b5
0x00000000
0x000805c0
0x000805b5
0x00080536
0x000804e3
0x000804e3
0x000804f0
0x000804f8
0x000804fe
0x0008050e
0x00000000
0x00080514
0x000804f8
0x000805c9

APIs

PtInRect.USER32(?,?,?), ref: 000804F0
ReleaseCapture.USER32 ref: 000804FE
PtInRect.USER32(?,?,?), ref: 00080550
InvalidateRect.USER32(?,?,00000001), ref: 0008059E
SetTimer.USER32(?,00000002,00000050,00000000), ref: 000805C0

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$CaptureInvalidateReleaseTimer
String ID:
API String ID: 2903485716-0
Opcode ID: 9c12b17c7140a69d2b1667a625f5598fae1bd93bf3017f6658108fc5f90c0dc3
Instruction ID: 6c2a340597c7de0ab8047cbab14a604030c94625d420c9a2f1ec5f2c790dbc6b
Opcode Fuzzy Hash: 9c12b17c7140a69d2b1667a625f5598fae1bd93bf3017f6658108fc5f90c0dc3
Instruction Fuzzy Hash: 24216F31104B06EBDBB1AF20CC48BBB77E5FF44391F144829F5AA825A0DB319985DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 000B9B9C Relevance: 9.1, APIs: 6, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E000B9B9C(intOrPtr __ecx, void* __edx, void* __edi, intOrPtr _a4, long _a8) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __ebp;
				signed int* _t15;
				void* _t16;
				intOrPtr _t17;
				signed int _t19;
				void* _t22;
				intOrPtr _t23;
				intOrPtr _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t38;

				_t34 = __edi;
				_t33 = __edx;
				_push(__ecx);
				_push(__ecx);
				_v12 = __ecx;
				_t36 = GlobalAlloc(2, _a8);
				if(_t36 != 0) {
					_v8 = _v8 & 0x00000000;
					E00155F30(GlobalLock(_t36), _a4, _a8);
					_t15 =  &_v8;
					__imp__CreateStreamOnHGlobal(_t36, 1, _t15);
					__eflags = _t15;
					if(_t15 != 0) {
						goto L1;
					}
					__eflags =  *0x1c5688 - _t15;
					if( *0x1c5688 != _t15) {
						EnterCriticalSection(0x1c56a4);
					}
					_t17 =  *0x1c5650; // 0x0
					__eflags = _t17;
					if(__eflags == 0) {
						_t23 = E0005C37C(__eflags, 0x34);
						_pop(_t32);
						__eflags = _t23;
						if(_t23 == 0) {
							_t17 = 0;
							__eflags = 0;
						} else {
							_t32 = _t23;
							_t17 = E0008AAA9(_t23);
						}
						 *0x1c5650 = _t17;
						__eflags = _t17;
						if(_t17 == 0) {
							_t17 = E000655E0(_t32);
						}
					}
					E000B9B33(_t17, _t33, _v8);
					_t19 = _v8;
					 *((intOrPtr*)( *_t19 + 8))(_t19);
					_t30 =  *0x1c5650; // 0x0
					_t22 = E000667CA(0x1c56a4, _v12, _t33, _t34, E0008AAE9(_t30));
					__eflags =  *0x1c5688;
					_t38 = _t22;
					if( *0x1c5688 != 0) {
						LeaveCriticalSection(0x1c56a4);
					}
					_t16 = _t38;
					L14:
					return _t16;
				}
				L1:
				_t16 = 0;
				goto L14;
			}

0x000b9b9c
0x000b9b9c
0x000b9ba1
0x000b9ba2
0x000b9ba7
0x000b9bb2
0x000b9bb6
0x000b9bbf
0x000b9bd1
0x000b9bd9
0x000b9be0
0x000b9be6
0x000b9be8
0x00000000
0x00000000
0x000b9bf0
0x000b9bf6
0x000b9bf9
0x000b9bf9
0x000b9bff
0x000b9c04
0x000b9c06
0x000b9c0a
0x000b9c0f
0x000b9c10
0x000b9c12
0x000b9c1d
0x000b9c1d
0x000b9c14
0x000b9c14
0x000b9c16
0x000b9c16
0x000b9c1f
0x000b9c24
0x000b9c26
0x000b9c28
0x000b9c28
0x000b9c26
0x000b9c32
0x000b9c37
0x000b9c3d
0x000b9c40
0x000b9c4f
0x000b9c54
0x000b9c5b
0x000b9c5d
0x000b9c60
0x000b9c60
0x000b9c66
0x000b9c69
0x000b9c6b
0x000b9c6b
0x000b9bb8
0x000b9bb8
0x00000000

APIs

GlobalAlloc.KERNEL32(00000002,?,?,?,?,?,000B9CE5,00000000,00000000,?,?,000BBB20,?,?,?,00000084), ref: 000B9BAC
GlobalLock.KERNEL32 ref: 000B9BC4
_memmove.LIBCMT ref: 000B9BD1
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 000B9BE0
EnterCriticalSection.KERNEL32(001C56A4,00000000), ref: 000B9BF9
LeaveCriticalSection.KERNEL32(001C56A4,00000000), ref: 000B9C60

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream_memmove
String ID:
API String ID: 861836607-0
Opcode ID: 9b873e3520ce30262170ad9d1e18389a4a1f8136fb0f58053449e7a5d755abeb
Instruction ID: b94315360e7166339a3f92a8766badffc6aad97bb57096218c66750da86a612f
Opcode Fuzzy Hash: 9b873e3520ce30262170ad9d1e18389a4a1f8136fb0f58053449e7a5d755abeb
Instruction Fuzzy Hash: 1A21C371A00615ABDB10ABB0DD49EEE7BEDEF04355F500055FA06D7692EB30EE80DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00064996 Relevance: 9.1, APIs: 6, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00064996(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t8;
				void* _t14;
				struct HWND__** _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongW(_t18, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t17 = _t18;
						_t8 = _t18;
						if(_t18 == 0) {
							L10:
							if(_a4 == 0 && _t18 != 0) {
								_t18 = GetLastActivePopup(_t18);
							}
							_t16 = _a8;
							if(_t16 != 0) {
								if(_t17 == 0 || IsWindowEnabled(_t17) == 0 || _t17 == _t18) {
									 *_t16 =  *_t16 & 0x00000000;
								} else {
									 *_t16 = _t17;
									EnableWindow(_t17, 0);
								}
							}
							return _t18;
						} else {
							goto L9;
						}
						do {
							L9:
							_t17 = _t8;
							_t8 = GetParent(_t8);
						} while (_t8 != 0);
						goto L10;
					}
					_t18 = GetParent(_t18);
					L7:
					if(_t18 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t14 = E0006494F();
				if(_t14 != 0) {
					L4:
					_t18 =  *(_t14 + 0x20);
					goto L7;
				}
				_t14 = E0005C4D8();
				if(_t14 != 0) {
					goto L4;
				}
				_t18 = 0;
				goto L8;
			}

0x000649a3
0x000649a9
0x000649c6
0x000649d4
0x000649df
0x000649df
0x000649e1
0x000649e5
0x000649f0
0x000649f4
0x00064a01
0x00064a01
0x00064a03
0x00064a08
0x00064a0c
0x00064a2a
0x00064a1d
0x00064a20
0x00064a22
0x00064a22
0x00064a0c
0x00064a33
0x00000000
0x00000000
0x00000000
0x000649e7
0x000649e7
0x000649e8
0x000649ea
0x000649ec
0x00000000
0x000649e7
0x000649d9
0x000649db
0x000649dd
0x00000000
0x00000000
0x00000000
0x000649dd
0x000649ab
0x000649b2
0x000649c1
0x000649c1
0x00000000
0x000649c1
0x000649b4
0x000649bb
0x00000000
0x00000000
0x000649bd
0x00000000

APIs

GetWindowLongW.USER32(?,000000F0), ref: 000649C9
GetParent.USER32(?), ref: 000649D7
GetParent.USER32(?), ref: 000649EA
GetLastActivePopup.USER32(?), ref: 000649FB
IsWindowEnabled.USER32(?), ref: 00064A0F
EnableWindow.USER32(?,00000000), ref: 00064A22

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: ed31041089bc9b4454f816f78a8bd200916338972e67799e0eb18a051783172d
Instruction ID: 52ecbeb544b3ab25c553d9c93f05732e09f59f8a23d342977b44b562167ed2dd
Opcode Fuzzy Hash: ed31041089bc9b4454f816f78a8bd200916338972e67799e0eb18a051783172d
Instruction Fuzzy Hash: 14113632985621ABDBB25A998C84B6F76EFAF14B65F090211EC04E7248D760CD8082F6

Uniqueness

Uniqueness Score: -1.00%

Function 0006DF32 Relevance: 9.1, APIs: 6, Instructions: 62
registryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0006DF32(void* __ecx, WCHAR* _a4, short* _a8, char* _a12) {
				long _t23;
				void* _t31;

				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					return WritePrivateProfileStringW(_a4, _a8, _a12,  *(__ecx + 0x6c));
				}
				_push(0);
				if(_a8 != 0) {
					_push(_a4);
					_t31 = E0006DDE0(__ecx);
					if(_a12 != 0) {
						if(_t31 == 0) {
							L3:
							return 0;
						}
						_t23 = RegSetValueExW(_t31, _a8, 0, 1, _a12, lstrlenW(_a12) + _t21 + 2);
						L10:
						RegCloseKey(_t31);
						return 0 | _t23 == 0x00000000;
					}
					if(_t31 == 0) {
						goto L3;
					}
					_t23 = RegDeleteValueW(_t31, _a8);
					goto L10;
				}
				_t31 = E0006DD25(__ecx);
				if(_t31 != 0) {
					_t23 = RegDeleteKeyW(_t31, _a4);
					goto L10;
				}
				goto L3;
			}

0x0006df3f
0x00000000
0x0006dfc1
0x0006df41
0x0006df45
0x0006df62
0x0006df6a
0x0006df6f
0x0006df83
0x0006df52
0x00000000
0x0006df52
0x0006df9d
0x0006dfa3
0x0006dfa6
0x00000000
0x0006dfb0
0x0006df73
0x00000000
0x00000000
0x0006df79
0x00000000
0x0006df79
0x0006df4c
0x0006df50
0x0006df5a
0x00000000
0x0006df5a
0x00000000

APIs

RegDeleteKeyW.ADVAPI32(00000000,?), ref: 0006DF5A
RegDeleteValueW.ADVAPI32 ref: 0006DF79
RegCloseKey.ADVAPI32(00000000), ref: 0006DFA6

Part of subcall function 0006DD25: RegCloseKey.ADVAPI32(?), ref: 0006DDCA
Part of subcall function 0006DD25: RegCloseKey.ADVAPI32(?), ref: 0006DDD4

WritePrivateProfileStringW.KERNEL32 ref: 0006DFC1

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Close$Delete$PrivateProfileStringValueWrite
String ID:
API String ID: 1330817964-0
Opcode ID: d69061b2853daf8b25ba7865a6f97928a3a202d92cf01d42686e9220d9b85a8a
Instruction ID: e60c050f4a1db079046d5f9071cc46233e96232000bdc68e82f60639afebb11e
Opcode Fuzzy Hash: d69061b2853daf8b25ba7865a6f97928a3a202d92cf01d42686e9220d9b85a8a
Instruction Fuzzy Hash: 49112432908159FFCF212FA0DC48CAE7BBAFF05355B05443AF61A95050D7368991DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00071F18 Relevance: 9.1, APIs: 6, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00071F18(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				signed int _v8;
				struct tagRECT _v24;
				void* __edi;
				void* __esi;
				signed int _t19;
				void* _t31;
				void* _t34;
				void* _t35;
				struct HWND__* _t36;
				signed int _t37;

				_t19 =  *0x1c0454; // 0x885926af
				_v8 = _t19 ^ _t37;
				_t36 = _a4;
				ClientToScreen(_t36,  &_a8);
				_t35 = GetWindow;
				_push(5);
				while(1) {
					_t36 = GetWindow(_t36, ??);
					if(_t36 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t36) == 0xffff || (GetWindowLongW(_t36, 0xfffffff0) & 0x10000000) == 0) {
						L4:
						_push(2);
						continue;
					} else {
						_v24.left = _v24.left & 0x00000000;
						_v24.top = _v24.top & 0x00000000;
						_v24.right = _v24.right & 0x00000000;
						_v24.bottom = _v24.bottom & 0x00000000;
						GetWindowRect(_t36,  &_v24);
						_push(_a12);
						if(PtInRect( &_v24, _a8) != 0) {
							_t23 = _t36;
						} else {
							goto L4;
						}
					}
					break;
				}
				return E00150836(_t23, _t31, _v8 ^ _t37, _t34, _t35, _t36);
			}

0x00071f20
0x00071f27
0x00071f2b
0x00071f34
0x00071f3a
0x00071f40
0x00071f93
0x00071f96
0x00071f9a
0x00000000
0x00000000
0x00071f50
0x00071f91
0x00071f91
0x00000000
0x00071f62
0x00071f62
0x00071f66
0x00071f6a
0x00071f6e
0x00071f77
0x00071f7d
0x00071f8f
0x00071fac
0x00000000
0x00000000
0x00000000
0x00071f8f
0x00000000
0x00071f50
0x00071fa9

APIs

ClientToScreen.USER32(?,?), ref: 00071F34
GetDlgCtrlID.USER32 ref: 00071F45
GetWindowLongW.USER32(00000000,000000F0), ref: 00071F55
GetWindowRect.USER32(00000000,00000000), ref: 00071F77
PtInRect.USER32(00000000,00000000,00000000), ref: 00071F87
GetWindow.USER32(?,00000005), ref: 00071F94

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 0b7454ccbb71071b057479af7a8119a273510ae0cad0211aa76eb8dc1e5ea899
Instruction ID: b21c0faca645e6c4615d5787cf3c66d6496f97dc6190cfae90322577c81ca820
Opcode Fuzzy Hash: 0b7454ccbb71071b057479af7a8119a273510ae0cad0211aa76eb8dc1e5ea899
Instruction Fuzzy Hash: FB119E32904619AFDB12EF58DC08FEE77B8EF05322F118125F809E61D0C738AA85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0005B240 Relevance: 9.1, APIs: 6, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E0005B240(void* __ebx, void* __edx, void* __edi) {
				signed int _v8;
				intOrPtr _v24;
				signed int _v72;
				intOrPtr _v292;
				intOrPtr _v296;
				char _v300;
				struct _OSVERSIONINFOEXW _v364;
				void* __esi;
				signed int _t9;
				void* _t13;
				void* _t14;
				void* _t15;
				longlong _t16;
				int _t18;
				void* _t24;
				void* _t26;
				intOrPtr* _t27;
				void* _t28;
				signed int _t29;

				_t24 = __edx;
				_t31 = (_t29 & 0xfffffff8) - 0x12c;
				_t9 =  *0x1c0454; // 0x885926af
				_v8 = _t9 ^ (_t29 & 0xfffffff8) - 0x0000012c;
				E00151B30( &_v300, 0, 0x11c);
				_t27 = __imp__VerSetConditionMask;
				_v300 = 0x11c;
				_v296 = 6;
				_v292 = 0;
				_v24 = 0;
				_t13 =  *_t27(0, 0, 2, 3, _t26);
				_t14 =  *_t27(_t13, _t24, 1, 3);
				_t15 =  *_t27(_t14, _t24, 0x20, 3);
				_t16 =  *_t27(_t15, _t24, 0x10, 3);
				_t18 = VerifyVersionInfoW( &_v364, 0x33, _t16);
				_t28 = _t24;
				return E00150836(_t18, __ebx, _v72 ^ _t31 + 0x0000000c, _t24, __edi, _t28);
			}

0x0005b240
0x0005b246
0x0005b24c
0x0005b253
0x0005b267
0x0005b26c
0x0005b27d
0x0005b285
0x0005b28d
0x0005b295
0x0005b29c
0x0005b2a4
0x0005b2ac
0x0005b2b4
0x0005b2bf
0x0005b2cc
0x0005b2d7

APIs

_memset.LIBCMT ref: 0005B267
VerSetConditionMask.KERNEL32 ref: 0005B29C
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 0005B2A4
VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 0005B2AC
VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0005B2B4
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 0005B2BF

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: f6d9edb03dc6362851623122ab289d5dd3d4e71487bc79715094564c9dc95250
Instruction ID: a099a6466c008df040ea6f7b2889b54d50826f86ac7b45a2080cbba7318405e7
Opcode Fuzzy Hash: f6d9edb03dc6362851623122ab289d5dd3d4e71487bc79715094564c9dc95250
Instruction Fuzzy Hash: 8601D8B0A443047AF6309B30DC0FFAB7FACDB84B10F00490DB6485B1C1D6B49614CAD6

Uniqueness

Uniqueness Score: -1.00%

Function 00072072 Relevance: 9.1, APIs: 6, Instructions: 52
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00072072(struct HWND__* _a4) {
				struct HWND__* _t3;
				struct HWND__* _t6;
				struct HWND__* _t8;
				struct HWND__* _t10;

				_t3 = GetFocus();
				_t10 = _t3;
				if(_t10 != 0) {
					_t8 = _a4;
					if(_t10 == _t8) {
						L10:
						return _t3;
					}
					if(E00071E65(_t10, 3) != 0) {
						L5:
						if(_t8 == 0 || (GetWindowLongW(_t8, 0xfffffff0) & 0x40000000) == 0) {
							L8:
							_t3 = SendMessageW(_t10, 0x14f, 0, 0);
							goto L9;
						} else {
							_t6 = GetParent(_t8);
							_t3 = GetDesktopWindow();
							if(_t6 == _t3) {
								L9:
								goto L10;
							}
							goto L8;
						}
					}
					_t3 = GetParent(_t10);
					_t10 = _t3;
					if(_t10 == _t8) {
						goto L9;
					}
					_t3 = E00071E65(_t10, 2);
					if(_t3 == 0) {
						goto L9;
					}
					goto L5;
				}
				return _t3;
			}

0x00072078
0x0007207e
0x00072082
0x00072085
0x0007208a
0x000720e8
0x00000000
0x000720e8
0x0007209d
0x000720b4
0x000720b6
0x000720d7
0x000720e1
0x00000000
0x000720c8
0x000720c9
0x000720cd
0x000720d5
0x000720e7
0x00000000
0x000720e7
0x00000000
0x000720d5
0x000720b6
0x000720a0
0x000720a2
0x000720a6
0x00000000
0x00000000
0x000720ab
0x000720b2
0x00000000
0x00000000
0x00000000
0x000720b2
0x000720eb

APIs

GetFocus.USER32 ref: 00072078
GetParent.USER32(00000000), ref: 000720A0

Part of subcall function 00071E65: GetWindowLongW.USER32(?,000000F0), ref: 00071E86
Part of subcall function 00071E65: GetClassNameW.USER32(?,?,0000000A), ref: 00071E9B
Part of subcall function 00071E65: CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF,?,0005E4A6,?,?), ref: 00071EB5

GetWindowLongW.USER32(?,000000F0), ref: 000720BB
GetParent.USER32(?), ref: 000720C9
GetDesktopWindow.USER32 ref: 000720CD
SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 000720E1

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
String ID:
API String ID: 1233893325-0
Opcode ID: bcaba61276958637886b638f523dbbba034bf605b47818a82a6dbc590e72cd0d
Instruction ID: e832f39ff3054fce6a6636b94c93a60d08201cf9efbf2db8dc30e8570a19c117
Opcode Fuzzy Hash: bcaba61276958637886b638f523dbbba034bf605b47818a82a6dbc590e72cd0d
Instruction Fuzzy Hash: 11018632E0421127E77126695CCDF7A66ED8B80B50F158525FA0CA25D2DE689CC1C5B8

Uniqueness

Uniqueness Score: -1.00%

Function 0015AA60 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E0015AA60(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1b6db8);
				E00151BC0(__ebx, __edi, __esi);
				_t31 = E00157F08(__ebx, __edx, _t35);
				_t15 =  *0x1c0b90; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0015EE2C(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x1c0a98; // 0x1fa2b98
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x1c0670;
								if(__eflags != 0) {
									E00150CB2(_t33);
								}
							}
						}
						_t21 =  *0x1c0a98; // 0x1fa2b98
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x1c0a98; // 0x1fa2b98
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0015AAFB();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);
					E001540CA(_t29, _t38);
				}
				return E00151C05(_t33);
			}

0x0015aa60
0x0015aa60
0x0015aa60
0x0015aa60
0x0015aa62
0x0015aa67
0x0015aa71
0x0015aa73
0x0015aa7b
0x0015aa9c
0x0015aaa2
0x0015aaa6
0x0015aaa9
0x0015aaac
0x0015aab2
0x0015aab4
0x0015aab6
0x0015aabf
0x0015aac1
0x0015aac3
0x0015aac9
0x0015aacc
0x0015aad1
0x0015aac9
0x0015aac1
0x0015aad2
0x0015aad7
0x0015aada
0x0015aae0
0x0015aae4
0x0015aae4
0x0015aaea
0x0015aaf1
0x0015aa83
0x0015aa83
0x0015aa83
0x0015aa86
0x0015aa88
0x0015aa8a
0x0015aa8c
0x0015aa91
0x0015aa99

APIs

__getptd.LIBCMT ref: 0015AA6C

Part of subcall function 00157F08: __getptd_noexit.LIBCMT ref: 00157F0B
Part of subcall function 00157F08: __amsg_exit.LIBCMT ref: 00157F18

__amsg_exit.LIBCMT ref: 0015AA8C
__lock.LIBCMT ref: 0015AA9C
InterlockedDecrement.KERNEL32(?), ref: 0015AAB9
_free.LIBCMT ref: 0015AACC
InterlockedIncrement.KERNEL32(01FA2B98), ref: 0015AAE4

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 9d9dec9188fd0727a7df29cf94c80367f01d09d8f2a03815e54f255f5f5a09da
Instruction ID: 6658a84ba244a067c933108808e51da2935a5610c7530dbd59c8a97534f89a44
Opcode Fuzzy Hash: 9d9dec9188fd0727a7df29cf94c80367f01d09d8f2a03815e54f255f5f5a09da
Instruction Fuzzy Hash: B601C435A40722DFC726AF649905B5D77A0BF14712F448205FC346FA90D7349D99CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00082A5C Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 294
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00082A5C(intOrPtr* __ecx, signed int __edx, signed short _a4) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t93;
				signed int _t96;
				signed int _t111;
				signed int _t113;
				void* _t116;
				signed int _t117;
				signed int _t122;
				void* _t125;
				signed int _t126;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				void* _t137;
				signed int _t140;
				signed int _t148;
				signed short _t151;
				signed int _t157;
				signed int _t160;
				void* _t164;
				signed int _t166;
				signed int _t186;
				intOrPtr* _t193;
				signed int _t194;
				signed int _t195;

				_t190 = __edx;
				_t93 =  *0x1c0454; // 0x885926af
				_v8 = _t93 ^ _t195;
				_t193 = __ecx;
				_t96 =  *((intOrPtr*)( *__ecx + 0x1c0))();
				_v28 = _v28 & 0x00000000;
				_t194 = _t96;
				_t148 = E00063445(__ecx) & 0x00400000;
				_t98 = 0x25;
				if(_t148 == 0) {
					L10:
					_t151 = _a4;
					__eflags = _t151 - _t98;
					if(__eflags > 0) {
						L3:
						_t151 = _a4;
						_t98 = _t151 - 0x26;
						if(_t98 == 0) {
							L17:
							_t151 = _a4;
							_v28 = 1;
							L18:
							__eflags =  *0x1c3f04;
							if( *0x1c3f04 == 0) {
								_t98 =  *((intOrPtr*)( *_t194 + 0x3fc))(_t151);
							}
							__eflags = _v28;
							if(_v28 == 0) {
								L71:
								return E00150836(_t98, _t148, _v8 ^ _t195, _t190, _t193, _t194);
							}
							L21:
							__eflags =  *(_t193 + 0xef0);
							if( *(_t193 + 0xef0) == 0) {
								L69:
								__eflags =  *(_t194 + 0xd08);
								if( *(_t194 + 0xd08) != 0) {
									_t98 =  *((intOrPtr*)( *_t193 + 0x1fc))( *(_t194 + 0xb7c));
								}
								goto L71;
							}
							_t98 =  *(_t194 + 0xb7c);
							__eflags =  *(_t194 + 0xb7c);
							if(__eflags < 0) {
								goto L69;
							}
							_t148 = E00074F8E(_t194, __eflags, _t98);
							__eflags = _t148;
							if(_t148 != 0) {
								L25:
								_v24.left = 0;
								_v24.top = 0;
								_v24.right = 0;
								_v24.bottom = 0;
								GetClientRect( *(_t194 + 0x20),  &_v24);
								_v28 =  *((intOrPtr*)(_t194 + 0xcd4));
								__eflags =  *((intOrPtr*)(_t148 + 0x58)) - _v24.top;
								if( *((intOrPtr*)(_t148 + 0x58)) >= _v24.top) {
									_t98 =  *(_t148 + 0x60);
									__eflags =  *(_t148 + 0x60) - _v24.bottom;
									if( *(_t148 + 0x60) <= _v24.bottom) {
										goto L69;
									}
									_t157 =  *((intOrPtr*)( *_t194 + 0x354))();
									_t111 =  *(_t148 + 0x60) - _v24.bottom;
									asm("cdq");
									_t65 = _t111 % _t157;
									__eflags = _t65;
									_t98 = _t111 / _t157;
									_t190 = _t65;
									_t148 = _t111 / _t157 + 1;
									L55:
									__eflags = _t148;
									if(_t148 == 0) {
										goto L69;
									}
									_t113 =  *((intOrPtr*)( *_t194 + 0x354))();
									asm("cdq");
									_t116 =  *(_t193 + 0x13c) / _t113 - 2;
									_t75 =  &_v28;
									 *_t75 = _v28 + _t148;
									__eflags =  *_t75;
									if( *_t75 >= 0) {
										_t160 = _v28;
										_t148 = 0;
										__eflags = 0;
									} else {
										_t148 = 0;
										_t160 = 0;
									}
									_t190 =  *((intOrPtr*)(_t194 + 0xbd4)) - _t116;
									_t117 =  *((intOrPtr*)(_t194 + 0xbd4)) - _t116 - 1;
									__eflags = _t160 - _t117;
									if(_t160 >= _t117) {
										_v28 = _t117;
									} else {
										__eflags = _v28 - _t148;
										if(_v28 < _t148) {
											_v28 = _t148;
										}
									}
									E0007E9D8(_t194, _v28);
									_t98 = E0008102D(_t193, _t190, _t148);
									__eflags =  *(_t193 + 0xef4) - _t148;
									if( *(_t193 + 0xef4) == _t148) {
										L67:
										__eflags = _t98 - _t148;
										if(_t98 != _t148) {
											_t98 = E0008102D(_t193, _t190, 0);
										}
									} else {
										_t164 = _t193 + 0xf28;
										__eflags = _t164 - _t148;
										if(_t164 == _t148) {
											goto L67;
										}
										__eflags =  *((intOrPtr*)(_t164 + 0x20)) - _t148;
										if( *((intOrPtr*)(_t164 + 0x20)) == _t148) {
											goto L67;
										}
										_t98 = SetScrollPos( *(_t193 + 0xf48), 2, _v28, 1);
									}
									goto L69;
								}
								_t166 =  *((intOrPtr*)( *_t194 + 0x354))();
								_t122 =  *((intOrPtr*)(_t148 + 0x58)) - _v24.top;
								asm("cdq");
								_t98 = _t122 / _t166;
								_t190 = _t122 % _t166;
								_t148 = _t122 / _t166 - 1;
								goto L55;
							}
							_t98 =  *((intOrPtr*)( *_t194 + 0x354))();
							__eflags = _t98;
							if(_t98 == 0) {
								goto L69;
							}
							goto L25;
						}
						_t125 = _t98 - 1;
						if(_t125 == 0) {
							_t126 = E000748C1(0);
							 *0x1c48b8 =  *0x1c48b8 & 0x00000000;
							_v28 = _t126;
							_t194 = E0007EDB5(_t193);
							__eflags = _t194;
							if(_t194 == 0) {
								L47:
								_t194 = E0007ED9A(_t193);
								__eflags = _t194;
								if(_t194 == 0) {
									L50:
									_t129 = E0007ED49(_t148, _t193, _t190);
									__eflags = _t129;
									if(_t129 != 0) {
										__eflags = _t148;
										_t54 = _t148 == 0;
										__eflags = _t54;
										SendMessageW( *(_t129 + 0x20), 0x100, (0 | _t54) + (0 | _t54) + 0x25, 0);
									}
									L52:
									_t98 = _v28;
									 *0x1c48b8 = _v28;
									goto L71;
								}
								_t131 = E0006EA07(_t194, 0x1bd08c);
								__eflags = _t131;
								if(_t131 != 0) {
									goto L50;
								}
								 *((intOrPtr*)( *_t194 + 0x39c))();
								goto L52;
							}
							_t134 =  *(_t194 + 0x20);
							__eflags = _t134 - 0xffffffff;
							if(_t134 == 0xffffffff) {
								L43:
								_t136 =  *((intOrPtr*)( *_t194 + 0xc8))(0);
								__eflags = _t136;
								if(_t136 == 0) {
									goto L47;
								}
								__eflags =  *(_t194 + 0x8c);
								if( *(_t194 + 0x8c) != 0) {
									_t137 = E0007EDB5(_t193);
									__eflags = _t137 - _t194;
									if(_t137 == _t194) {
										E00082A5C( *(_t194 + 0x8c), _t190, 0x24, 0, 0);
									}
								}
								goto L52;
							}
							__eflags = _t134;
							if(_t134 == 0) {
								goto L43;
							}
							_t140 =  *((intOrPtr*)( *_t194 + 0xdc))();
							__eflags = _t140;
							if(_t140 == 0) {
								goto L47;
							}
							goto L43;
						}
						if(_t125 == 1) {
							_t98 = GetAsyncKeyState(0x11);
							__eflags = 0x00008000 & _t98;
							if((0x00008000 & _t98) == 0) {
								goto L17;
							}
							__eflags =  *(_t194 + 0xcf0);
							if(__eflags != 0) {
								goto L17;
							}
							_t98 = E0008291E(_t193, _t190, __eflags);
							goto L71;
						}
						L6:
						_t98 =  *((intOrPtr*)( *_t194 + 0x3fc))(_t151);
						_t201 = _t98;
						if(_t98 == 0) {
							_t98 = E0005F788(_t148, _t193, _t193, _t201);
						}
						goto L71;
					}
					if(__eflags == 0) {
						_t98 = E0007ED9A(_t193);
						__eflags = _t98;
						if(_t98 == 0) {
							_t186 =  *(_t193 + 0x148);
							__eflags = _t186;
							if(_t186 == 0) {
								goto L71;
							}
							_t98 =  *((intOrPtr*)( *_t186 + 0x70))();
							__eflags = _t98;
							if(_t98 == 0) {
								goto L71;
							}
							_push(0);
							L35:
							_t98 = E00080297(_t193, _t190);
							goto L71;
						}
						_t190 =  *_t98;
						_t98 =  *((intOrPtr*)( *_t98 + 0x398))();
						goto L71;
					}
					__eflags = _t151 - 0xd;
					if(_t151 == 0xd) {
						goto L18;
					}
					__eflags = _t151 - 0x1b;
					if(_t151 == 0x1b) {
						 *((intOrPtr*)(_t193 + 0x10b4)) = 1;
						_push(1);
						goto L35;
					}
					__eflags = _t151 - 0x20;
					if(__eflags <= 0) {
						goto L6;
					}
					__eflags = _t151 - 0x22;
					if(_t151 <= 0x22) {
						__eflags =  *(_t193 + 0xef4);
						if(__eflags == 0) {
							goto L6;
						}
						_t98 =  *((intOrPtr*)( *_t194 + 0x3fc))(_t151);
						goto L21;
					}
					__eflags = _t151 - 0x24;
					if(__eflags > 0) {
						goto L6;
					}
					goto L17;
				}
				if(_a4 != _t98) {
					__eflags = _a4 - 0x27;
					if(_a4 == 0x27) {
						_a4 = _t98;
					}
					goto L10;
				} else {
					_a4 = 0x27;
					goto L3;
				}
			}

0x00082a5c
0x00082a64
0x00082a6b
0x00082a71
0x00082a75
0x00082a7b
0x00082a81
0x00082a8a
0x00082a92
0x00082a93
0x00082ae1
0x00082ae1
0x00082ae4
0x00082ae6
0x00082aa1
0x00082aa1
0x00082aa6
0x00082aa9
0x00082b0f
0x00082b0f
0x00082b12
0x00082b19
0x00082b19
0x00082b20
0x00082b27
0x00082b27
0x00082b2d
0x00082b31
0x00082dfa
0x00082e08
0x00082e08
0x00082b37
0x00082b37
0x00082b3e
0x00082de1
0x00082de1
0x00082de8
0x00082df4
0x00082df4
0x00000000
0x00082de8
0x00082b44
0x00082b4a
0x00082b4c
0x00000000
0x00000000
0x00082b5a
0x00082b5c
0x00082b5e
0x00082b72
0x00082b74
0x00082b77
0x00082b7a
0x00082b7d
0x00082b87
0x00082b93
0x00082b99
0x00082b9c
0x00082d26
0x00082d29
0x00082d2c
0x00000000
0x00000000
0x00082d3c
0x00082d41
0x00082d44
0x00082d45
0x00082d45
0x00082d45
0x00082d45
0x00082d47
0x00082d4a
0x00082d4a
0x00082d4c
0x00000000
0x00000000
0x00082d56
0x00082d64
0x00082d67
0x00082d6a
0x00082d6a
0x00082d6a
0x00082d6d
0x00082d75
0x00082d78
0x00082d78
0x00082d6f
0x00082d6f
0x00082d71
0x00082d71
0x00082d80
0x00082d82
0x00082d85
0x00082d87
0x00082d93
0x00082d89
0x00082d89
0x00082d8c
0x00082d8e
0x00082d8e
0x00082d8c
0x00082d9b
0x00082da3
0x00082da8
0x00082dae
0x00082dd4
0x00082dd4
0x00082dd6
0x00082ddc
0x00082ddc
0x00082db0
0x00082db0
0x00082db6
0x00082db8
0x00000000
0x00000000
0x00082dba
0x00082dbd
0x00000000
0x00000000
0x00082dcc
0x00082dcc
0x00000000
0x00082dae
0x00082bac
0x00082bb1
0x00082bb4
0x00082bb5
0x00082bb5
0x00082bb7
0x00000000
0x00082bb7
0x00082b64
0x00082b6a
0x00082b6c
0x00000000
0x00000000
0x00000000
0x00082b6c
0x00082aab
0x00082aac
0x00082c5c
0x00082c61
0x00082c6a
0x00082c72
0x00082c74
0x00082c76
0x00082cc9
0x00082cd0
0x00082cd2
0x00082cd4
0x00082cf2
0x00082cf4
0x00082cf9
0x00082cfb
0x00082cff
0x00082d01
0x00082d01
0x00082d13
0x00082d13
0x00082d19
0x00082d19
0x00082d1c
0x00000000
0x00082d1c
0x00082cdd
0x00082ce2
0x00082ce4
0x00000000
0x00000000
0x00082cea
0x00000000
0x00082cea
0x00082c78
0x00082c7b
0x00082c7e
0x00082c92
0x00082c98
0x00082c9e
0x00082ca0
0x00000000
0x00000000
0x00082ca2
0x00082ca9
0x00082cad
0x00082cb2
0x00082cb4
0x00082cc2
0x00082cc2
0x00082cb4
0x00000000
0x00082ca9
0x00082c80
0x00082c82
0x00000000
0x00000000
0x00082c88
0x00082c8e
0x00082c90
0x00000000
0x00000000
0x00000000
0x00082c90
0x00082ab3
0x00082c2d
0x00082c38
0x00082c3b
0x00000000
0x00000000
0x00082c41
0x00082c48
0x00000000
0x00000000
0x00082c50
0x00000000
0x00082c50
0x00082ab9
0x00082abe
0x00082ac4
0x00082ac6
0x00082ace
0x00082ace
0x00000000
0x00082ac6
0x00082ae8
0x00082bea
0x00082bef
0x00082bf1
0x00082c02
0x00082c08
0x00082c0a
0x00000000
0x00000000
0x00082c12
0x00082c15
0x00082c17
0x00000000
0x00000000
0x00082c1d
0x00082c1f
0x00082c21
0x00000000
0x00082c21
0x00082bf3
0x00082bf7
0x00000000
0x00082bf7
0x00082aee
0x00082af1
0x00000000
0x00000000
0x00082af3
0x00082af6
0x00082bdf
0x00082be5
0x00000000
0x00082be5
0x00082afc
0x00082aff
0x00000000
0x00000000
0x00082b01
0x00082b04
0x00082bbf
0x00082bc6
0x00000000
0x00000000
0x00082bd1
0x00000000
0x00082bd1
0x00082b0a
0x00082b0d
0x00000000
0x00000000
0x00000000
0x00082b0d
0x00082a98
0x00082ad8
0x00082adc
0x00082ade
0x00082ade
0x00000000
0x00082a9a
0x00082a9a
0x00000000
0x00082a9a

APIs

Part of subcall function 00063445: GetWindowLongW.USER32(?,000000EC), ref: 00063450

GetClientRect.USER32 ref: 00082B87
GetAsyncKeyState.USER32 ref: 00082C2D

Strings

', xrefs: 00082AD8

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AsyncClientLongRectStateWindow
String ID: '
API String ID: 304971295-1997036262
Opcode ID: 046ce0070c5dce2037a1d5d326f9b96a682d1e48616471aebf4b803a20855576
Instruction ID: 240aa42fac548d28a0f849533e9becc936b5f2f262058ad8f0da0c5201c5ca2b
Opcode Fuzzy Hash: 046ce0070c5dce2037a1d5d326f9b96a682d1e48616471aebf4b803a20855576
Instruction Fuzzy Hash: 6CB15D30700606DFDB69AF68C899BBDBBE1BF48304F14416DE9869B291DF749D81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00062F94 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 243
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00062F94(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t127;
				void* _t133;
				intOrPtr _t135;
				signed int _t145;
				signed int _t146;
				signed int _t178;
				signed int _t180;
				signed int _t182;
				signed int _t184;
				signed int _t186;
				signed int _t190;
				void* _t193;
				intOrPtr _t194;
				signed int _t204;

				_t193 = __ecx;
				_t127 = E0006B628(__ebx, __edi, __esi, __eflags);
				_v8 = _t127;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t127 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t204 = 0;
				E00151B30( &_v56, 0, 0x28);
				_v52 = DefWindowProcW;
				_t133 = E0006B628(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t133 + 8));
				_t135 =  *0x1c3e80; // 0x10003
				_t190 = 8;
				_v32 = _t135;
				_v16 = _t190;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = L"AfxWnd100su";
					_t186 = E00062C2E(_t190, _t193, 0, 0, __eflags);
					__eflags = _t186;
					if(_t186 != 0) {
						_t204 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = L"AfxOleControl100su";
					_t184 = E00062C2E(_t190, _t193, 0, _t204, __eflags);
					__eflags = _t184;
					if(_t184 != 0) {
						_t204 = _t204 | 0x00000020;
						__eflags = _t204;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = L"AfxControlBar100su";
					_v28 = 0x10;
					_t182 = E00062C2E(_t190, _t193, 0, _t204, __eflags);
					__eflags = _t182;
					if(_t182 != 0) {
						_t204 = _t204 | 0x00000002;
						__eflags = _t204;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t190;
					_v28 = 0;
					_t180 = E00062F50(_t193, __eflags,  &_v56, L"AfxMDIFrame100su", 0x7a01);
					__eflags = _t180;
					if(_t180 != 0) {
						_t204 = _t204 | 0x00000004;
						__eflags = _t204;
					}
				}
				__eflags = _a4 & _t190;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t178 = E00062F50(_t193, __eflags,  &_v56, L"AfxFrameOrView100su", 0x7a02);
					__eflags = _t178;
					if(_t178 != 0) {
						_t204 = _t204 | _t190;
						__eflags = _t204;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t204 = _t204 | E000602F8(_t190, _t193, _t204, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t204 = _t204 | E000602F8(_t190, _t193, _t204, __eflags,  &_v16, 0x40);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t204 = _t204 | E000602F8(_t190, _t193, _t204, __eflags,  &_v16, 0x80);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t190;
					_t204 = _t204 | E000602F8(_t190, _t193, _t204, __eflags,  &_v16, 0x100);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t204 = _t204 | E000602F8(_t190, _t193, _t204, __eflags,  &_v16, 0x200);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t204 = _t204 | E000602F8(0x400, _t193, _t204, __eflags,  &_v16, 0x400);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t204 = _t204 | E000602F8(0x400, _t193, _t204, __eflags,  &_v16, 0x800);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t204 = _t204 | E000602F8(0x400, _t193, _t204, __eflags,  &_v16, 0x1000);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t204 = _t204 | E000602F8(0x400, _t193, _t204, __eflags,  &_v16, 0x2000);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t204 = _t204 | E000602F8(0x400, _t193, _t204, __eflags,  &_v16, 0x4000);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t204 = _t204 | E000602F8(0x400, _t193, _t204, __eflags,  &_v16, 0x8000);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t204 = _t204 | E000602F8(0x400, _t193, _t204, __eflags,  &_v16, 0x10000);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t204 = _t204 | E000602F8(0x400, _t193, _t204, __eflags,  &_v16, 0x20000);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t204 = _t204 | E000602F8(0x400, _t193, _t204, __eflags,  &_v16, 0x40000);
					__eflags = _t204;
				}
				__eflags = _a4 & 0x00080000;
				if(__eflags != 0) {
					_v12 = 0x1000;
					_t204 = _t204 | E000602F8(0x400, _t193, _t204, __eflags,  &_v16, 0x80000);
					__eflags = _t204;
				}
				_t194 = _v8;
				 *(_t194 + 0x18) =  *(_t194 + 0x18) | _t204;
				_t145 =  *(_t194 + 0x18);
				__eflags = (_t145 & 0x00003fc0) - 0x3fc0;
				if((_t145 & 0x00003fc0) == 0x3fc0) {
					_t145 = _t145 | 0x00000010;
					 *(_t194 + 0x18) = _t145;
					__eflags = _t204;
				}
				asm("sbb eax, eax");
				_t146 = _t145 + 1;
				__eflags = _t146;
				return _t146;
			}

0x00062f94
0x00062f9c
0x00062fa1
0x00062fa9
0x00062fa9
0x00062fac
0x00000000
0x00062fb0
0x00062fb6
0x00062fb7
0x00062fb8
0x00062fc2
0x00062fc4
0x00062fd1
0x00062fd4
0x00062fd9
0x00062fe2
0x00062fe5
0x00062fea
0x00062feb
0x00062fee
0x00062ff1
0x00062ff6
0x00062ff7
0x00062ffe
0x00063005
0x0006300a
0x0006300c
0x0006300e
0x0006300e
0x0006300e
0x0006300c
0x0006300f
0x00063013
0x00063015
0x0006301f
0x00063020
0x00063027
0x0006302c
0x0006302e
0x00063030
0x00063030
0x00063030
0x0006302e
0x00063033
0x00063037
0x0006303c
0x0006303d
0x00063040
0x00063047
0x0006304e
0x00063053
0x00063055
0x00063057
0x00063057
0x00063057
0x00063055
0x0006305a
0x0006305e
0x0006306e
0x00063071
0x00063074
0x00063079
0x0006307b
0x0006307d
0x0006307d
0x0006307d
0x0006307b
0x00063080
0x00063083
0x00063093
0x0006309a
0x000630a1
0x000630a6
0x000630a8
0x000630aa
0x000630aa
0x000630aa
0x000630a8
0x000630ac
0x000630b0
0x000630bb
0x000630c7
0x000630c9
0x000630c9
0x000630c9
0x000630c9
0x000630d0
0x000630d4
0x000630dc
0x000630e8
0x000630e8
0x000630e8
0x000630ea
0x000630ee
0x000630f9
0x00063105
0x00063105
0x00063105
0x0006310c
0x0006310f
0x00063116
0x0006311e
0x0006311e
0x0006311e
0x00063125
0x00063128
0x0006312f
0x0006313b
0x0006313b
0x0006313b
0x00063142
0x00063145
0x0006314c
0x00063158
0x00063158
0x00063158
0x0006315f
0x00063162
0x00063169
0x00063175
0x00063175
0x00063175
0x0006317c
0x0006317f
0x00063186
0x00063192
0x00063192
0x00063192
0x00063199
0x0006319c
0x000631a3
0x000631af
0x000631af
0x000631af
0x000631b6
0x000631b9
0x000631c0
0x000631c8
0x000631c8
0x000631c8
0x000631cf
0x000631d2
0x000631d9
0x000631e1
0x000631e1
0x000631e1
0x000631e8
0x000631eb
0x000631f2
0x000631fe
0x000631fe
0x000631fe
0x00063205
0x00063208
0x0006320f
0x0006321b
0x0006321b
0x0006321b
0x00063222
0x00063225
0x0006322c
0x00063234
0x00063234
0x00063234
0x0006323b
0x0006323e
0x00063245
0x00063251
0x00063251
0x00063251
0x00063253
0x00063256
0x00063259
0x00063265
0x00063267
0x00063269
0x0006326c
0x0006326f
0x0006326f
0x0006327b
0x0006327e
0x0006327e
0x00000000

APIs

_memset.LIBCMT ref: 00062FC4

Strings

AfxFrameOrView100su, xrefs: 0006308A
@, xrefs: 00063169
AfxMDIFrame100su, xrefs: 00063065
@, xrefs: 000630D0

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView100su$AfxMDIFrame100su
API String ID: 2102423945-2639805938
Opcode ID: 279576b216b5717335b8f1b06952b810b2a28139a4bd11a8f878544bb11c5332
Instruction ID: 481dbe62a3ef9cc12dfe5f6fd4a40d0881b40c2474c12dde6bf935e3c952d8f6
Opcode Fuzzy Hash: 279576b216b5717335b8f1b06952b810b2a28139a4bd11a8f878544bb11c5332
Instruction Fuzzy Hash: C3912272D4020AAADB91DFE4C585BDEBFF9AF04384F148165F918E6181E7B49B44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00073B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00073B16(void** __ecx, WCHAR* _a4, short _a8) {
				signed int _v8;
				signed int* _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				void* __ebp;
				signed int _t56;
				signed int _t57;
				intOrPtr _t58;
				short* _t59;
				signed int _t61;
				signed int* _t73;
				short* _t75;
				void* _t82;
				void* _t86;
				signed int* _t89;
				signed int _t90;
				void* _t91;
				void** _t92;
				intOrPtr _t94;
				signed int _t97;
				void* _t99;

				_t92 = __ecx;
				if(__ecx[1] != 0) {
					_t73 = GlobalLock( *__ecx);
					__eflags = _t73[0] - 0xffff;
					_v12 = _t73;
					_v8 = 0 | _t73[0] == 0x0000ffff;
					_v20 = E00073960(_t73);
					__eflags = _v8;
					_t54 = 0 | _v8 != 0x00000000;
					__eflags = _v8;
					_t94 = (_v8 != 0) + _t54 + 1 + (_v8 != 0) + _t54 + 1;
					_v24 = _t94;
					if(_v8 == 0) {
						 *_t73 =  *_t73 | 0x00000040;
						__eflags =  *_t73;
					} else {
						_t73[3] = _t73[3] | 0x00000040;
					}
					_t56 = lstrlenW(_a4);
					__eflags = _t56 - 0x20;
					if(_t56 >= 0x20) {
						L15:
						_t57 = 0;
						goto L18;
					} else {
						_t20 = _t56 * 2; // 0x77474eba
						_t58 = _t94 + _t20 + 2;
						_v16 = _t58;
						__eflags = _t58 - _t94;
						if(_t58 < _t94) {
							goto L15;
						}
						_t59 = E00073993(_t73);
						_t82 = 0;
						_t75 = _t59;
						__eflags = _v20;
						if(_v20 != 0) {
							_t26 = E0015161A(_t75 + _t94) * 2; // 0x77474eba
							_t82 = _t94 + _t26 + 2;
						}
						_t30 = _v16 + 3; // 0x3
						_t89 = _v12;
						_t33 = _t75 + 3; // 0x77474ebd
						_t61 = _t82 + _t33 & 0xfffffffc;
						_t97 = _t75 + _t30 & 0xfffffffc;
						__eflags = _v8;
						_v20 = _t61;
						if(_v8 == 0) {
							_t90 =  *(_t89 + 8) & 0x0000ffff;
						} else {
							_t90 =  *(_t89 + 0x10) & 0x0000ffff;
						}
						__eflags = _v16 - _t82;
						if(__eflags == 0) {
							L17:
							_t83 = _v24;
							 *_t75 = _a8;
							_t64 = _v16 - _v24;
							_push(_v16 - _v24);
							E00053CA0(__eflags, _t75 + _t83, _t64, _a4);
							_t92[1] = _t92[1] + _t97 - _v20;
							GlobalUnlock( *_t92);
							_t92[2] = _t92[2] & 0x00000000;
							_t57 = 1;
							__eflags = 1;
							L18:
							return _t57;
						} else {
							__eflags = _t90;
							if(__eflags == 0) {
								goto L17;
							}
							_t91 = _t92[1];
							_t86 = _t91 - _t61 + _v12;
							__eflags = _t86 - _t91;
							if(__eflags <= 0) {
								_push(_t86);
								E00053CA0(__eflags, _t97, _t86, _t61);
								_t99 = _t99 + 0x10;
								goto L17;
							}
							goto L15;
						}
					}
				}
				return 0;
			}

0x00073b1f
0x00073b25
0x00073b38
0x00073b41
0x00073b49
0x00073b4c
0x00073b54
0x00073b59
0x00073b5d
0x00073b60
0x00073b68
0x00073b6b
0x00073b6e
0x00073b76
0x00073b76
0x00073b70
0x00073b70
0x00073b70
0x00073b7c
0x00073b82
0x00073b85
0x00073bef
0x00073bef
0x00000000
0x00073b87
0x00073b87
0x00073b87
0x00073b8b
0x00073b8e
0x00073b90
0x00000000
0x00000000
0x00073b93
0x00073b99
0x00073b9b
0x00073b9d
0x00073ba0
0x00073bac
0x00073bac
0x00073bac
0x00073bb3
0x00073bb7
0x00073bba
0x00073bbe
0x00073bc1
0x00073bc4
0x00073bc8
0x00073bcb
0x00073bd3
0x00073bcd
0x00073bcd
0x00073bcd
0x00073bd7
0x00073bda
0x00073bff
0x00073c03
0x00073c06
0x00073c0c
0x00073c0e
0x00073c16
0x00073c23
0x00073c26
0x00073c2c
0x00073c32
0x00073c32
0x00073c33
0x00000000
0x00073bdc
0x00073bdc
0x00073bdf
0x00000000
0x00000000
0x00073be1
0x00073be8
0x00073beb
0x00073bed
0x00073bf3
0x00073bf7
0x00073bfc
0x00000000
0x00073bfc
0x00000000
0x00073bed
0x00073bda
0x00073b85
0x00000000

APIs

GlobalLock.KERNEL32 ref: 00073B32
lstrlenW.KERNEL32(?), ref: 00073B7C
_wcslen.LIBCMT ref: 00073BA6

Strings

System, xrefs: 00073B2E

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: GlobalLock_wcslenlstrlen
String ID: System
API String ID: 2647411976-3470857405
Opcode ID: d9fb73af3b949dc678ccb31408fd0f36dcfa6ac09bd209468b4942af43edc10a
Instruction ID: e38879515dfc10dbeb90f5fe29a364f73dd55f36700215eea335b084cb540588
Opcode Fuzzy Hash: d9fb73af3b949dc678ccb31408fd0f36dcfa6ac09bd209468b4942af43edc10a
Instruction Fuzzy Hash: 9241E371D0021AEFEB14DF64C8459BEB7B8FF04304F10C56AE91AA7281D778AB84DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00055EA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107
windowCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00055EA0(intOrPtr* __ebx, void* __esi, signed int* _a4, void* _a8) {
				DWORD* _v8;
				char _v16;
				short _v20;
				DWORD* _v24;
				struct HINSTANCE__* _v28;
				long _v36;
				void* __edi;
				void* __ebp;
				signed int _t33;
				intOrPtr* _t37;
				signed int _t40;
				void* _t46;
				signed int _t49;
				void* _t92;
				intOrPtr* _t98;
				signed int _t106;
				void* _t114;
				void* _t116;
				signed int _t117;
				signed int* _t122;
				void* _t127;
				void* _t128;
				intOrPtr* _t129;

				_t98 = __ebx;
				_push(0xffffffff);
				_push(0x174049);
				_push( *[fs:0x0]);
				_t128 = _t127 - 0xc;
				_push(__esi);
				_push(_t116);
				_t33 =  *0x1c0454; // 0x885926af
				_push(_t33 ^ _t125);
				 *[fs:0x0] =  &_v16;
				_t122 = _a4;
				_v8 = 0;
				_v24 = 0;
				_v28 = GetModuleHandleW(L"WININET.DLL");
				_t37 = E00065761();
				_t129 = _t37;
				_t100 = 0 | _t129 == 0x00000000;
				if(_t129 == 0) {
					_push(0x80004005);
					_t37 = E00051330(__ebx, _t100, _t116, _t122);
				}
				_t40 =  *((intOrPtr*)( *((intOrPtr*)( *_t37 + 0xc))))() + 0x10;
				 *_t122 = _t40;
				_v8 = 0;
				_v24 = 1;
				if(( *((intOrPtr*)(_t40 - 8)) - 0x00001000 | 0x00000001 -  *((intOrPtr*)(_t40 - 4))) < 0) {
					E00051290(_t122, 0x1000);
				}
				_t114 = _a8;
				_t117 =  *_t122;
				_t104 =  &_v20;
				if(FormatMessageW(0x1b00, _v28, _t114, 0x800,  &_v20, 0, 0) != 0) {
					_t114 = _v20;
					_t46 = E00150EEF(_t117, 0x1000, _t114, 0xffffffff);
					_t128 = _t128 + 0x10;
					if(_t46 > 0x50) {
						L9:
						E000655E0(_t104);
					} else {
						_t17 = _t46 + 0x55ff8; // 0x3030300
						switch( *((intOrPtr*)(( *_t17 & 0x000000ff) * 4 +  &M00055FE8))) {
							case 0:
								goto L10;
							case 1:
								E000655A8( &_v20);
								goto L9;
							case 2:
								goto L9;
						}
					}
					L10:
					LocalFree(_v20);
				} else {
					 *_t117 = 0;
				}
				_t49 =  *_t122;
				_t106 =  *(_t49 - 8);
				if(_t49 == 0) {
					L13:
					_t106 =  *_t122;
					if(_t49 >  *((intOrPtr*)(_t106 - 8))) {
						goto L15;
					} else {
						 *(_t106 - 0xc) = _t49;
						 *((short*)( *_t122 + _t49 * 2)) = 0;
						 *[fs:0x0] = _v16;
						return _t122;
					}
				} else {
					_t49 = E00150FBC(_t49, _t106);
					_t128 = _t128 + 8;
					if(_t49 < 0) {
						L15:
						_push(0x80070057);
						E00051330(_t98, _t106, _t117, _t122);
						 *((intOrPtr*)(_t106 - 0x6efffaa1)) =  *((intOrPtr*)(_t106 - 0x6efffaa1)) + _t114;
						_t92 =  &(_t122[0x218a300]) +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t106 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t114 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t114 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *((intOrPtr*)( &(_t122[0x218a300]) +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t106 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t114 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t114 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98 +  *_t98));
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t106);
						 *_t92 = 0;
						_v36 = 4;
						return HttpQueryInfoW(_t114, 0x20000013, _t92,  &_v36, 0);
					} else {
						goto L13;
					}
				}
			}

0x00055ea0
0x00055ea3
0x00055ea5
0x00055eb0
0x00055eb1
0x00055eb4
0x00055eb5
0x00055eb6
0x00055ebd
0x00055ec1
0x00055ec7
0x00055eca
0x00055ed6
0x00055ee3
0x00055ee6
0x00055eed
0x00055eef
0x00055ef4
0x00055ef6
0x00055efb
0x00055efb
0x00055f09
0x00055f0c
0x00055f0e
0x00055f1a
0x00055f2a
0x00055f33
0x00055f33
0x00055f38
0x00055f3e
0x00055f44
0x00055f5c
0x00055f65
0x00055f71
0x00055f76
0x00055f7c
0x00055f91
0x00055f91
0x00055f7e
0x00055f7e
0x00055f85
0x00000000
0x00000000
0x00000000
0x00055f8c
0x00000000
0x00000000
0x00000000
0x00000000
0x00055f85
0x00055f96
0x00055f9a
0x00055f5e
0x00055f60
0x00055f60
0x00055fa0
0x00055fa2
0x00055fa7
0x00055fb7
0x00055fb7
0x00055fbc
0x00000000
0x00055fbe
0x00055fbe
0x00055fc5
0x00055fce
0x00055fdb
0x00055fdb
0x00055fa9
0x00055fab
0x00055fb0
0x00055fb5
0x00055fdc
0x00055fdc
0x00055fe1
0x00055fef
0x00056047
0x00056049
0x0005604a
0x0005604b
0x0005604c
0x0005604d
0x0005604e
0x0005604f
0x00056053
0x00056061
0x00056067
0x00056077
0x00000000
0x00000000
0x00000000
0x00055fb5

APIs

GetModuleHandleW.KERNEL32(WININET.DLL,885926AF), ref: 00055EDD
FormatMessageW.KERNEL32(00001B00,?,?,00000800,?,00000000,00000000), ref: 00055F54
LocalFree.KERNEL32(?), ref: 00055F9A
_wcsnlen.LIBCMT ref: 00055FAB

Strings

WININET.DLL, xrefs: 00055ED1

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: FormatFreeHandleLocalMessageModule_wcsnlen
String ID: WININET.DLL
API String ID: 3920911148-3938801697
Opcode ID: 533921744ce48f70fc0e5d0f43318a0b16e4fba2ab4cc71027962a6ba0d6b29b
Instruction ID: f8b7784636c626d4bb0c18d3aa79b807830b8bca91644b7bf5b3658c73099941
Opcode Fuzzy Hash: 533921744ce48f70fc0e5d0f43318a0b16e4fba2ab4cc71027962a6ba0d6b29b
Instruction Fuzzy Hash: 0931DE70604605EFEB14DF68DC16BAFB7B8EF48712F20456DF815DB291DB34A9448B90

Uniqueness

Uniqueness Score: -1.00%

Function 00063CD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00063CD0(void* __edx) {
				signed int _v8;
				void _v136;
				int _v140;
				int _v144;
				char _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t21;
				unsigned int _t23;
				char* _t35;
				struct HBITMAP__* _t37;
				unsigned int _t40;
				signed short _t42;
				void* _t46;
				int _t47;
				unsigned int _t49;
				void* _t52;
				signed char* _t53;
				signed int _t58;
				void* _t59;
				signed int _t62;
				void* _t63;
				void* _t64;
				signed int _t66;
				signed int _t68;

				_t52 = __edx;
				_t66 = _t68;
				_t21 =  *0x1c0454; // 0x885926af
				_v8 = _t21 ^ _t66;
				_t23 = GetMenuCheckMarkDimensions();
				_t47 = _t23;
				_t40 = _t23 >> 0x10;
				_v144 = _t47;
				_v140 = _t40;
				if(_t47 <= 4 || _t40 <= 5) {
					E000655E0(_t47);
				}
				if(_t47 > 0x20) {
					_t47 = 0x20;
					_v144 = _t47;
				}
				asm("cdq");
				_t62 = _t47 + 0xf >> 4;
				_t58 = (_t47 - 4 - _t52 >> 1) + (_t62 << 4) - _t47;
				if(_t58 > 0xc) {
					_t58 = 0xc;
				}
				if(_t40 > 0x20) {
					_t40 = 0x20;
					_v140 = _t40;
				}
				E00151B30( &_v136, 0xff, 0x80);
				_t35 = _t66 + (_t40 - 6 >> 1) * _t62 * 2 - 0x84;
				_t53 = 0x1796b8;
				_t63 = _t62 + _t62;
				_v148 = 5;
				do {
					_t42 = ( *_t53 & 0x000000ff) << _t58;
					_t53 =  &(_t53[1]);
					_t49 =  !_t42 & 0x0000ffff;
					 *_t35 = _t49 >> 8;
					 *(_t35 + 1) = _t49;
					_t35 = _t35 + _t63;
					_t15 =  &_v148;
					 *_t15 = _v148 - 1;
				} while ( *_t15 != 0);
				_t37 = CreateBitmap(_v144, _v140, 1, 1,  &_v136);
				_pop(_t59);
				_pop(_t64);
				 *0x1c3e90 = _t37;
				_pop(_t46);
				if(_t37 == 0) {
					 *0x1c3e90 = _t37;
				}
				return E00150836(_t37, _t46, _v8 ^ _t66, _t53, _t59, _t64);
			}

0x00063cd0
0x00063cd3
0x00063cdb
0x00063ce2
0x00063ce8
0x00063cee
0x00063cf4
0x00063cf7
0x00063cfd
0x00063d06
0x00063d0d
0x00063d0d
0x00063d15
0x00063d19
0x00063d1a
0x00063d1a
0x00063d23
0x00063d29
0x00063d37
0x00063d3c
0x00063d40
0x00063d40
0x00063d44
0x00063d48
0x00063d49
0x00063d49
0x00063d60
0x00063d70
0x00063d77
0x00063d7c
0x00063d7e
0x00063d88
0x00063d8d
0x00063d90
0x00063d94
0x00063d9c
0x00063d9e
0x00063da1
0x00063da3
0x00063da3
0x00063da3
0x00063dc2
0x00063dc8
0x00063dc9
0x00063dca
0x00063dcf
0x00063dd2
0x00063de0
0x00063de0
0x00063df0

APIs

GetMenuCheckMarkDimensions.USER32 ref: 00063CE8
_memset.LIBCMT ref: 00063D60
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00063DC2
LoadBitmapW.USER32 ref: 00063DDA

Strings

, xrefs: 00063D41

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 4d53fc585550277a176497ebde5a7e3422199299a13bcf0b4a8ae6e96bddbec0
Instruction ID: b34989f7d4f4327af5d126c98ecde3b4edcbcc33c9452e1028b7bb0f6dc9d627
Opcode Fuzzy Hash: 4d53fc585550277a176497ebde5a7e3422199299a13bcf0b4a8ae6e96bddbec0
Instruction Fuzzy Hash: 0F313971A002149FEB248F28DC85BED7BF6FF44704F4540AAE549DB282DB71DE848B90

Uniqueness

Uniqueness Score: -1.00%

Function 00064029 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00064029(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E0005D521(__ecx, __eflags, _t26) == 0) {
					_t10 = E00060DD3(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E0005E4F0(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongW( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E00071ED2(_t21, _t25, _t26, __eflags,  *_t26, L"Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageW( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x88);
					if( *(_t10 + 0x88) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x00064029
0x00064029
0x00064030
0x00064034
0x0006403d
0x00064049
0x0006404e
0x00064050
0x0006405f
0x0006405f
0x00064066
0x000640c4
0x00000000
0x000640c7
0x00064068
0x0006406b
0x0006406e
0x00064075
0x0006407f
0x00064081
0x00000000
0x00000000
0x0006408a
0x0006408f
0x00064091
0x00000000
0x00000000
0x00064098
0x0006409e
0x000640a0
0x000640ad
0x000640b9
0x00000000
0x000640b9
0x000640a3
0x000640a9
0x000640ab
0x00000000
0x00000000
0x00000000
0x000640ab
0x00064070
0x00064073
0x00000000
0x00000000
0x00000000
0x00064073
0x00064052
0x00064059
0x00000000
0x00000000
0x00000000
0x0006405b
0x0006403f
0x00000000

Strings

Edit, xrefs: 00064083

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 699e1736ac5dc23eeaf296e55fc4fd669fa1fac5a8874ec4229ff23247609246
Instruction ID: 3ecc96d69576a56a11e6065ee653f43934bae5c4d6a59bd38eb6dcfabdca4a1e
Opcode Fuzzy Hash: 699e1736ac5dc23eeaf296e55fc4fd669fa1fac5a8874ec4229ff23247609246
Instruction Fuzzy Hash: 05118B30204222FAFA752A25CC49BAAB6EBAF40754F144625FB4AE30E2CF71DC90C650

Uniqueness

Uniqueness Score: -1.00%

Function 000688A4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46
libraryfileloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000688A4(intOrPtr* __ecx, WCHAR* _a4, long _a8, long _a12, struct _SECURITY_ATTRIBUTES* _a16, long _a20, long _a24, intOrPtr _a28) {
				struct HINSTANCE__* _t15;
				intOrPtr* _t21;

				_t21 = __ecx;
				if( *__ecx == 0) {
					if( *((intOrPtr*)(__ecx + 4)) == 0) {
						L6:
						return _t15 | 0xffffffff;
					}
					return CreateFileW(_a4, _a8, _a12, _a16, _a20, _a24, 0);
				}
				_t15 = GetModuleHandleW(L"kernel32.dll");
				if(_t15 == 0) {
					goto L6;
				}
				_t15 = GetProcAddress(_t15, "CreateFileTransactedW");
				if(_t15 == 0) {
					goto L6;
				}
				return _t15->i(_a4, _a8, _a12, _a16, _a20, _a24, _a28,  *_t21, 0, 0);
			}

0x000688ab
0x000688b1
0x000688f2
0x0006890f
0x00000000
0x0006890f
0x00000000
0x00068907
0x000688b8
0x000688c0
0x00000000
0x00000000
0x000688c8
0x000688d0
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,?,0006AC2E,00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,00000000,?), ref: 000688B8
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW,?,0006AC2E,00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,00000000,?,00004000), ref: 000688C8
CreateFileW.KERNEL32(?,00004000,?,00000000,?,?,00000000), ref: 00068907

Strings

CreateFileTransactedW, xrefs: 000688C2
kernel32.dll, xrefs: 000688B3

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: e64ca7d86f831bca6cfc2f918ff205eb4fd7dbf2066c01bb259202307e119f1c
Instruction ID: 3a64e13393b3bd6c3781df60d3aaacef46a7b659ebc271ac13fe221b3998acee
Opcode Fuzzy Hash: e64ca7d86f831bca6cfc2f918ff205eb4fd7dbf2066c01bb259202307e119f1c
Instruction Fuzzy Hash: 0901DA32004109BBCF225F95DC08CAA7F77FF89751B188619FA6955064CB7289B1EB61

Uniqueness

Uniqueness Score: -1.00%

Function 000882F9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000882F9(void** __ecx, short* _a4) {
				intOrPtr* _t6;
				struct HINSTANCE__* _t9;

				_t14 = __ecx;
				_t13 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					if( *0x1c4958 == 0) {
						_t9 = GetModuleHandleW(L"Advapi32.dll");
						if(_t9 != 0) {
							 *0x1c4954 = GetProcAddress(_t9, "RegDeleteKeyExW");
						}
						 *0x1c4958 = 1;
					}
					_t6 =  *0x1c4954; // 0x0
					if(_t6 == 0) {
						return RegDeleteKeyW( *_t14, _a4);
					} else {
						return  *_t6( *_t14, _a4, _t14[1], 0);
					}
				}
				return E0006E3B6(_t13,  *((intOrPtr*)(__ecx)), _a4);
			}

0x000882ff
0x00088301
0x00088306
0x0008831b
0x00088322
0x0008832a
0x00088338
0x00088338
0x0008833d
0x0008833d
0x00088344
0x0008834b
0x00000000
0x0008834d
0x00000000
0x00088357
0x0008834b
0x00000000

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00088322
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00088332

Part of subcall function 0006E3B6: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0006E3CA
Part of subcall function 0006E3B6: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0006E3DA

Strings

RegDeleteKeyExW, xrefs: 0008832C
Advapi32.dll, xrefs: 0008831D

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: a1a65bf5bfb0c8955db4b9e21c620cb72aa692691a3172f28a43875b65200afc
Instruction ID: 8f4b2dbd21dc31d3c0c27ba8b81d572b2ff09adf21ad012c54bb64b6da0df077
Opcode Fuzzy Hash: a1a65bf5bfb0c8955db4b9e21c620cb72aa692691a3172f28a43875b65200afc
Instruction Fuzzy Hash: E6F0F435108340FFDB20AF55DC04F563FB5BB18B80F248418F58A915A1CB72D6D0E750

Uniqueness

Uniqueness Score: -1.00%

Function 000775C3 Relevance: 7.8, APIs: 5, Instructions: 338
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E000775C3(signed int __ecx, intOrPtr _a4, signed int _a8, struct tagRECT* _a12) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				long _v48;
				long _v52;
				char _v56;
				signed int _v60;
				intOrPtr _v64;
				signed int _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t152;
				signed int _t160;
				intOrPtr _t161;
				long _t170;
				long _t171;
				long _t173;
				long _t174;
				intOrPtr _t175;
				signed int _t176;
				long _t177;
				signed int _t181;
				long _t183;
				signed int _t188;
				long _t197;
				struct tagRECT* _t198;
				signed int _t201;
				long _t204;
				long _t205;
				long _t206;
				long _t208;
				long _t209;
				signed int _t212;
				intOrPtr _t222;
				long _t226;
				struct tagRECT* _t228;
				signed int _t233;
				intOrPtr _t238;
				signed int _t246;

				_t152 =  *0x1c0454; // 0x885926af
				_v8 = _t152 ^ _t246;
				_v28 = _v28 | 0xffffffff;
				_t198 = _a12;
				_t228 = SetRectEmpty;
				_t233 = __ecx;
				_v36 = __ecx;
				SetRectEmpty(_t198);
				 *((intOrPtr*)( *_t233 + 0x190))();
				asm("sbb ecx, ecx");
				_v64 = _a4;
				_t160 = _a8;
				_t201 =  ~_t233;
				_t225 = 0;
				_v68 = _t201;
				_v60 = _t160;
				if(_t160 < 0) {
					_v60 = 0;
				}
				_t161 =  *((intOrPtr*)(_t233 + 0xbd4));
				if(_t161 == _t225 || _t161 == 1 &&  *((intOrPtr*)(_t233 + 0xca0)) != _t225) {
					GetClientRect( *(_t233 + 0x20), _t198);
					_t117 =  &_v28;
					 *_t117 = _v28 & 0x00000000;
					__eflags =  *_t117;
					goto L56;
				} else {
					if(_t201 == _t225) {
						_t177 =  *(_t233 + 0xbcc);
						_v32 = _t225;
						__eflags = _t177 - _t225;
						if(_t177 == _t225) {
							goto L70;
						} else {
							goto L44;
						}
						while(1) {
							L44:
							_t208 = _t177;
							__eflags = _t177;
							if(_t177 == 0) {
								goto L17;
							}
							_t208 =  *(_t208 + 8);
							_t177 =  *_t177;
							__eflags = _t208;
							if(_t208 == 0) {
								goto L17;
							}
							_t225 = _v60;
							_t228 =  &_v56;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							__eflags = _t225 - _v52;
							if(_t225 < _v52) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_v28 = _v32;
								_t198->bottom = _t198->top;
								goto L51;
							}
							_t222 = _v44;
							__eflags = _t225 - _t222;
							if(_t225 <= _t222) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t233 = _v36;
								__eflags = _t225 - _v52 - _t222 - _t225;
								_t188 = _v32;
								if(_t225 - _v52 <= _t222 - _t225) {
									_v28 = _t188;
									_t198->bottom = _t198->top;
								} else {
									_v28 = _t188 + 1;
									_t198->top = _t198->bottom;
								}
								goto L56;
							}
							_v32 = _v32 + 1;
							__eflags = _t177;
							if(_t177 != 0) {
								continue;
							}
							_t233 = _v36;
							goto L70;
						}
						goto L17;
					} else {
						_v40 =  *((intOrPtr*)( *_t233 + 0x354))();
						_v32 = 0;
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						SetRectEmpty( &_v24);
						_t197 =  *(_t233 + 0xbcc);
						while(_t197 != 0) {
							_t208 = _t197;
							__eflags = _t197;
							if(_t197 == 0) {
								L17:
								E000655E0(_t208);
								L18:
								_t209 = _t208 - _v24.bottom;
								__eflags = _t209;
								_t233 = _v36;
								_v40 = _t209;
								break;
							}
							_t208 =  *(_t208 + 8);
							_t197 =  *_t197;
							__eflags = _t208;
							if(_t208 == 0) {
								goto L17;
							}
							__eflags =  *(_t208 + 0x40);
							if( *(_t208 + 0x40) != 0) {
								L14:
								_t35 =  &_v32;
								 *_t35 = _v32 + 1;
								__eflags =  *_t35;
								continue;
							}
							__eflags =  *(_t208 + 0x50);
							if( *(_t208 + 0x50) == 0) {
								goto L14;
							}
							__eflags = _v32;
							_t228 =  &_v56;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if(_v32 <= 0) {
								L13:
								_t228 =  &_v24;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t233 = _v36;
								goto L14;
							}
							_t208 = _v52;
							__eflags = _t208 - _v24.bottom;
							if(_t208 > _v24.bottom) {
								goto L18;
							}
							goto L13;
						}
						_t212 =  *((intOrPtr*)( *_t233 + 0x354))() + _v40;
						_t181 = _v60;
						asm("cdq");
						_t225 = _t181 % _t212;
						_v32 = _v32 & 0x00000000;
						_t208 =  *(_t233 + 0xbcc);
						_v40 = _t181 / _t212;
						_t183 = 0;
						while(_t208 != 0) {
							_t226 = _t208;
							__eflags = _t208;
							if(_t208 == 0) {
								goto L17;
							}
							_t225 =  *(_t226 + 8);
							_t208 =  *_t208;
							__eflags = _t225;
							if(_t225 == 0) {
								goto L17;
							}
							__eflags =  *(_t225 + 0x40);
							if( *(_t225 + 0x40) != 0) {
								L32:
								_t183 = _t183 + 1;
								__eflags = _t183;
								continue;
							}
							__eflags =  *(_t225 + 0x50);
							if( *(_t225 + 0x50) == 0) {
								goto L32;
							} else {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								__eflags = _t183;
								if(_t183 > 0) {
									__eflags = _v52 - _v24.bottom;
									if(_v52 >= _v24.bottom) {
										_t58 =  &_v32;
										 *_t58 = _v32 + 1;
										__eflags =  *_t58;
									}
								}
								_t225 = _v40;
								__eflags = _v32 - _v40;
								if(__eflags > 0) {
									_t228 = _t198;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t198->left = _t198->right;
									_t70 = _t183 - 1; // -1
									_v28 = _t70;
									L38:
									__eflags = _v28 - 0xffffffff;
									_t233 = _v36;
									if(_v28 != 0xffffffff) {
										L56:
										_t228 = 0;
										if(_v28 >= 0) {
											_v24.left = 0;
											_v24.top = 0;
											_v24.right = 0;
											_v24.bottom = 0;
											GetClientRect( *(_t233 + 0x20),  &_v24);
											if( *((intOrPtr*)(_t233 + 0xca0)) != 0) {
												_t175 =  *((intOrPtr*)(_t233 + 0xbd4));
												if(_v28 == _t175) {
													_t176 = _t175 - 1;
													_v28 = 0;
													if(_t176 >= 0) {
														_v28 = _t176;
													}
												}
											}
											if(_v68 == _t228) {
												_t170 = _t198->top + 0xfffffffd;
												__eflags = _v24.top - _t170;
												if(_v24.top > _t170) {
													_t170 = _v24.top;
												}
												_t204 = _v24.bottom;
												_t198->top = _t170;
												_t171 = _t170 + 6;
												_t198->bottom = _t171;
												__eflags = _t171 - _t204;
												if(_t171 > _t204) {
													_t198->bottom = _t204;
													_t205 = _t204 + 0xfffffffa;
													__eflags = _t205;
													_t198->top = _t205;
												}
											} else {
												_t173 = _t198->left + 0xfffffffd;
												if(_v24.left > _t173) {
													_t173 = _v24.left;
												}
												_t206 = _v24.right;
												_t198->left = _t173;
												_t174 = _t173 + 6;
												_t198->right = _t174;
												if(_t174 > _t206) {
													_t198->right = _t206;
													_t198->left = _t206 + 0xfffffffa;
												}
											}
										}
										L70:
										if( *((intOrPtr*)(_t233 + 0xca0)) != 0 && _v28 ==  *((intOrPtr*)(_t233 + 0xbd4))) {
											_v28 = _v28 | 0xffffffff;
											SetRectEmpty(_t198);
										}
										return E00150836(_v28, _t198, _v8 ^ _t246, _t225, _t228, _t233);
									}
									L39:
									if(_v32 != _v40) {
										goto L70;
									}
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t198->left = _t198->right;
									_v28 = _t183;
									L51:
									_t233 = _v36;
									goto L56;
								}
								if(__eflags != 0) {
									L31:
									_t228 =  &_v24;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									_t233 = _v36;
									goto L32;
								}
								_t238 = _v64;
								__eflags = _t238 - _v56;
								if(_t238 < _v56) {
									_t228 = _t198;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									L37:
									_t198->right = _t198->left;
									_v28 = _t183;
									goto L38;
								}
								_t225 = _v48;
								__eflags = _t238 - _t225;
								if(_t238 <= _t225) {
									_t225 = _t225 - _v64;
									_t228 = _t198;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsd");
									__eflags = _v64 - _v56 - _t225;
									if(_v64 - _v56 <= _t225) {
										goto L37;
									}
									_t86 = _t183 + 1; // 0x1
									_v28 = _t86;
									_t198->left = _t198->right;
									goto L38;
								}
								goto L31;
							}
						}
						goto L39;
					}
				}
			}

0x000775cb
0x000775d2
0x000775d5
0x000775da
0x000775df
0x000775e5
0x000775e8
0x000775eb
0x000775f1
0x000775fe
0x00077603
0x00077606
0x00077609
0x0007760b
0x0007760d
0x00077610
0x00077615
0x00077617
0x00077617
0x0007761a
0x00077622
0x00077863
0x00077869
0x00077869
0x00077869
0x00000000
0x00077639
0x0007763b
0x000777c4
0x000777ca
0x000777cd
0x000777cf
0x00000000
0x00000000
0x00000000
0x00000000
0x000777d5
0x000777d5
0x000777d5
0x000777d7
0x000777d9
0x00000000
0x00000000
0x000777df
0x000777e2
0x000777e4
0x000777e6
0x00000000
0x00000000
0x000777ec
0x000777f2
0x000777f5
0x000777f6
0x000777f7
0x000777f8
0x000777f9
0x000777fc
0x0007781c
0x0007781d
0x0007781e
0x0007781f
0x00077820
0x00077826
0x00000000
0x00077826
0x000777fe
0x00077801
0x00077803
0x00077833
0x00077834
0x00077835
0x0007783d
0x0007783e
0x00077841
0x00077843
0x00077846
0x00077854
0x0007785a
0x00077848
0x00077849
0x0007784f
0x0007784f
0x00000000
0x00077846
0x00077805
0x00077808
0x0007780a
0x00000000
0x00000000
0x0007780c
0x00000000
0x0007780c
0x00000000
0x00077641
0x0007764b
0x00077650
0x00077653
0x00077656
0x00077659
0x0007765c
0x00077663
0x00077665
0x000776b0
0x0007766d
0x0007766f
0x00077671
0x000776b6
0x000776b6
0x000776bb
0x000776bb
0x000776bb
0x000776be
0x000776c1
0x00000000
0x000776c1
0x00077673
0x00077676
0x00077678
0x0007767a
0x00000000
0x00000000
0x0007767c
0x00077680
0x000776ad
0x000776ad
0x000776ad
0x000776ad
0x00000000
0x000776ad
0x00077682
0x00077686
0x00000000
0x00000000
0x00077688
0x0007768f
0x00077692
0x00077693
0x00077694
0x00077695
0x00077696
0x000776a0
0x000776a3
0x000776a6
0x000776a7
0x000776a8
0x000776a9
0x000776aa
0x00000000
0x000776aa
0x00077698
0x0007769b
0x0007769e
0x00000000
0x00000000
0x00000000
0x0007769e
0x000776d0
0x000776d3
0x000776d6
0x000776d7
0x000776d9
0x000776dd
0x000776e3
0x000776e6
0x00077745
0x000776ea
0x000776ec
0x000776ee
0x00000000
0x00000000
0x000776f0
0x000776f3
0x000776f5
0x000776f7
0x00000000
0x00000000
0x000776f9
0x000776fd
0x00077744
0x00077744
0x00077744
0x00000000
0x00077744
0x000776ff
0x00077703
0x00000000
0x00077705
0x0007770b
0x0007770c
0x0007770d
0x0007770e
0x0007770f
0x00077711
0x00077716
0x00077719
0x0007771b
0x0007771b
0x0007771b
0x0007771b
0x00077719
0x0007771e
0x00077721
0x00077724
0x0007774e
0x00077750
0x00077751
0x00077752
0x00077753
0x00077757
0x00077759
0x0007775c
0x00077772
0x00077772
0x00077776
0x00077779
0x0007786d
0x0007786d
0x00077872
0x0007787f
0x00077882
0x00077885
0x00077888
0x0007788b
0x00077897
0x00077899
0x000778a2
0x000778a4
0x000778a5
0x000778aa
0x000778ac
0x000778ac
0x000778aa
0x000778a2
0x000778b2
0x000778dd
0x000778e0
0x000778e3
0x000778e5
0x000778e5
0x000778e8
0x000778eb
0x000778ee
0x000778f1
0x000778f4
0x000778f6
0x000778f8
0x000778fb
0x000778fb
0x000778fe
0x000778fe
0x000778b4
0x000778b6
0x000778bc
0x000778be
0x000778be
0x000778c1
0x000778c4
0x000778c6
0x000778c9
0x000778ce
0x000778d0
0x000778d6
0x000778d6
0x000778ce
0x000778b2
0x00077901
0x00077908
0x00077915
0x0007791a
0x0007791a
0x00077931
0x00077931
0x0007777f
0x00077785
0x00000000
0x00000000
0x00077790
0x00077791
0x00077792
0x00077793
0x00077797
0x00077799
0x00077829
0x00077829
0x00000000
0x00077829
0x00077726
0x00077737
0x0007773a
0x0007773d
0x0007773e
0x0007773f
0x00077740
0x00077741
0x00000000
0x00077741
0x00077728
0x0007772b
0x0007772e
0x00077764
0x00077766
0x00077767
0x00077768
0x00077769
0x0007776a
0x0007776c
0x0007776f
0x00000000
0x0007776f
0x00077730
0x00077733
0x00077735
0x000777a7
0x000777ad
0x000777af
0x000777b0
0x000777b1
0x000777b2
0x000777b3
0x000777b5
0x00000000
0x00000000
0x000777b7
0x000777ba
0x000777c0
0x00000000
0x000777c0
0x00000000
0x00077735
0x00077703
0x00000000
0x00077749
0x0007763b

APIs

SetRectEmpty.USER32 ref: 000775EB
SetRectEmpty.USER32 ref: 00077663
GetClientRect.USER32 ref: 00077863
GetClientRect.USER32 ref: 0007788B
SetRectEmpty.USER32 ref: 0007791A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Empty$Client
String ID:
API String ID: 1457177775-0
Opcode ID: e60fdd05511082383bb188e7daec1c7589d9aabf79a0466661f5ee0d393dadc1
Instruction ID: 80b5019c46125951863d0c9d10efcecbf2704c43030e2fe8fc0a4d151615bda3
Opcode Fuzzy Hash: e60fdd05511082383bb188e7daec1c7589d9aabf79a0466661f5ee0d393dadc1
Instruction Fuzzy Hash: B4D14730E0460ACFCF59CFA8C5805AEBBF2BF49350F248169E819AB245D779AD41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00081AEF Relevance: 7.7, APIs: 5, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00081AEF(intOrPtr* __ecx, void* __edi) {
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __esi;
				signed int _t90;
				void* _t103;
				int _t109;
				signed int _t116;
				signed int _t125;
				void* _t136;
				void* _t138;
				intOrPtr _t142;
				intOrPtr* _t143;
				char _t149;
				signed int _t156;
				signed int _t159;
				void* _t161;
				intOrPtr* _t164;
				intOrPtr* _t165;
				char _t167;
				signed int _t168;
				void* _t173;

				_t161 = __edi;
				_t90 =  *0x1c0454; // 0x885926af
				_t91 = _t90 ^ _t168;
				_v8 = _t90 ^ _t168;
				_t143 = __ecx;
				_t165 = 0;
				if( *((intOrPtr*)(__ecx + 0xef4)) == 0 ||  *((intOrPtr*)(__ecx + 0xef0)) == 0) {
					L26:
					return E00150836(_t91, _t143, _v8 ^ _t168, _t159, _t161, _t165);
				} else {
					_v72 =  *((intOrPtr*)( *__ecx + 0x1c0))();
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetClientRect( *(__ecx + 0x20),  &_v24);
					_t173 =  *0x1c3f04 - _t165; // 0x0
					if(_t173 == 0) {
						_t142 =  *((intOrPtr*)(_t143 + 0xfc0));
						_v24.right = _v24.right - _t142;
						_v24.bottom = _v24.bottom - _t142;
					}
					InflateRect( &_v24,  ~( *((intOrPtr*)( *_t143 + 0x204))()),  ~( *((intOrPtr*)( *_t143 + 0x204))()));
					_t103 =  *((intOrPtr*)(_t143 + 0xed4)) - _t165;
					if(_t103 == 0) {
						_v24.left = _v24.left +  *((intOrPtr*)(_t143 + 0xecc));
					} else {
						_t136 = _t103 - 1;
						if(_t136 == 0) {
							_v24.right = _v24.right -  *((intOrPtr*)(_t143 + 0xecc));
						} else {
							_t138 = _t136 - 1;
							if(_t138 == 0) {
								_v24.top = _v24.top +  *((intOrPtr*)(_t143 + 0xecc));
							} else {
								if(_t138 == 1) {
									_v24.bottom = _v24.bottom -  *((intOrPtr*)(_t143 + 0xecc));
								}
							}
						}
					}
					_v24.top = _v24.top +  *((intOrPtr*)(_t143 + 0xfec)) -  *((intOrPtr*)(_t143 + 0xfe4));
					if( *((intOrPtr*)(_t143 + 0x1088)) == _t165) {
						_v24.bottom = _v24.bottom +  *((intOrPtr*)(_t143 + 0x10a4)) -  *((intOrPtr*)(_t143 + 0x10ac));
					} else {
						_v24.top = _v24.top +  *((intOrPtr*)(_t143 + 0x10ac)) -  *((intOrPtr*)(_t143 + 0x10a4));
					}
					_push(_t161);
					_t109 = GetSystemMetrics(2);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t167 = 0x1c;
					_t149 = _v24.right - _t109;
					_v40 = _t149;
					_v24.right = _t149;
					E00151B30( &_v68, 0, _t167);
					_v68 = _t167;
					_t165 = _t143 + 0xf28;
					_v64 = 7;
					if(_t165 == 0 ||  *((intOrPtr*)(_t165 + 0x20)) == 0) {
						 *((intOrPtr*)( *_t165 + 0x160))(0x50000001,  &_v40, _t143, 1);
					} else {
						E00063614(_t165, 0, _v40, _v36, _v32 - _v40, _v28 - _v36, 0x14);
						E0005D732(_t165, 2,  &_v68, 0x17);
					}
					_v60 = 0;
					_v56 = 0;
					_v52 = 0;
					_t164 = _v72;
					_v72 =  *((intOrPtr*)( *_t164 + 0x354))();
					_t116 = E00075658(_t164);
					if(_t116 <= 0) {
						L22:
						 *(_t164 + 0xd0c) =  *(_t164 + 0xd0c) & 0x00000000;
						goto L23;
					} else {
						_t156 = _v72;
						if(_t156 <= 0) {
							goto L22;
						}
						_v52 = 1;
						asm("cdq");
						_v56 = (_t116 * _t156 -  *(_t143 + 0xec4)) / _t156 + 1;
						_t125 =  *(_t143 + 0xec4);
						asm("cdq");
						_t159 = _t125 % _t156;
						 *(_t164 + 0xd0c) = _t125 / _t156;
						L23:
						E0005D6F2(_t165, 2,  &_v68, 1);
						_pop(_t161);
						if(_v56 <= 0) {
							_push(3);
							_pop(0);
						}
						EnableScrollBar( *(_t143 + 0xf48), 2, 0);
						_t91 = E000635C4(_t165, 1);
						goto L26;
					}
				}
			}

0x00081aef
0x00081af7
0x00081afc
0x00081afe
0x00081b03
0x00081b05
0x00081b0d
0x00081cfe
0x00081d0b
0x00081b1f
0x00081b27
0x00081b31
0x00081b34
0x00081b37
0x00081b3a
0x00081b3d
0x00081b43
0x00081b49
0x00081b4b
0x00081b51
0x00081b54
0x00081b54
0x00081b69
0x00081b75
0x00081b77
0x00081ba9
0x00081b79
0x00081b79
0x00081b7a
0x00081b9e
0x00081b7c
0x00081b7c
0x00081b7d
0x00081b93
0x00081b7f
0x00081b80
0x00081b88
0x00081b88
0x00081b80
0x00081b7d
0x00081b7a
0x00081bb8
0x00081bc1
0x00081be0
0x00081bc3
0x00081bcf
0x00081bcf
0x00081be3
0x00081be6
0x00081bf5
0x00081bf6
0x00081bf7
0x00081bf8
0x00081bfb
0x00081bfc
0x00081c06
0x00081c09
0x00081c0c
0x00081c11
0x00081c14
0x00081c1d
0x00081c26
0x00081c3d
0x00081c45
0x00081c5e
0x00081c6d
0x00081c6d
0x00081c72
0x00081c75
0x00081c78
0x00081c7b
0x00081c8a
0x00081c8d
0x00081c94
0x00081cc5
0x00081cc5
0x00000000
0x00081c96
0x00081c96
0x00081c9b
0x00000000
0x00000000
0x00081ca6
0x00081cad
0x00081cb1
0x00081cb4
0x00081cba
0x00081cbb
0x00081cbd
0x00081ccc
0x00081cd6
0x00081cdd
0x00081ce1
0x00081ce3
0x00081ce5
0x00081ce5
0x00081cef
0x00081cf9
0x00000000
0x00081cf9
0x00081c94

APIs

GetClientRect.USER32 ref: 00081B3D
InflateRect.USER32 ref: 00081B69
GetSystemMetrics.USER32 ref: 00081BE6
_memset.LIBCMT ref: 00081C0C

Part of subcall function 00063614: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,0005F2B6), ref: 0006363C

Part of subcall function 0005D732: GetScrollInfo.USER32(?,?,?), ref: 0005D766

Part of subcall function 0005D6F2: SetScrollInfo.USER32(?,?,?,?), ref: 0005D723

EnableScrollBar.USER32 ref: 00081CEF

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Scroll$InfoRect$ClientEnableInflateMetricsSystemWindow_memset
String ID:
API String ID: 4263531605-0
Opcode ID: aeb32276ba4212896e912fb76bf6ac9d5ab64370f70b1791e54da266fb83815e
Instruction ID: fb58b7aaf92d4cf00cb62dcb7c905409b7efaac1dc70611d1709de44aa118218
Opcode Fuzzy Hash: aeb32276ba4212896e912fb76bf6ac9d5ab64370f70b1791e54da266fb83815e
Instruction Fuzzy Hash: E9612871A01219EFDB10DFA8C984AEDB7F9FF48700F14006AE849EB285D7B09D42CB64

Uniqueness

Uniqueness Score: -1.00%

Function 000CC876 Relevance: 7.7, APIs: 5, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E000CC876(intOrPtr* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, char _a4, intOrPtr _a8) {
				signed int _v0;
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				int _v44;
				char _v48;
				struct HDWP__* _v52;
				signed int _v72;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				intOrPtr _v108;
				void* __ebp;
				signed int _t69;
				int _t71;
				signed int _t73;
				signed int _t77;
				signed int _t84;
				signed int _t89;
				struct HDWP__* _t101;
				intOrPtr* _t104;
				void* _t105;
				intOrPtr* _t106;
				void* _t107;
				void* _t114;
				long _t116;
				signed int _t117;
				void* _t118;
				void* _t121;
				intOrPtr* _t122;
				void* _t123;
				signed int _t125;
				signed int _t126;
				signed int _t127;

				_t114 = __edx;
				_t108 = __ecx;
				_t104 = __ebx;
				_t69 =  *0x1c0454; // 0x885926af
				_v8 = _t69 ^ _t125;
				_push(__ebx);
				_push(__esi);
				_t121 = __ecx;
				_t71 =  *(__ecx + 0x28);
				_push(__edi);
				_t116 = 0;
				_v48 = __ecx;
				if(_t71 != 0) {
					while(1) {
						__eflags = _t71 - _t116;
						if(__eflags == 0) {
							break;
						}
						_t104 =  *((intOrPtr*)(_t71 + 8));
						_v44 =  *_t71;
						_t108 = _t104;
						_t71 =  *((intOrPtr*)( *_t104 + 0x178))();
						__eflags = _t71;
						if(_t71 != 0) {
							L6:
							__eflags = _t104 - _a8;
							if(_t104 != _a8) {
								_v40.left = _t116;
								_v40.top = _t116;
								_v40.right = _t116;
								_v40.bottom = _t116;
								GetWindowRect( *(_t104 + 0x20),  &_v40);
								__eflags = _a4;
								_t108 = _t104;
								if(_a4 == 0) {
									_t71 = E000C0102(_t108, _t114);
								} else {
									_v24.left = _t116;
									_v24.top = _t116;
									_v24.right = _t116;
									_v24.bottom = _t116;
									E000C022F(_t104, _t108, _t114,  &_v24);
									_t71 = EqualRect( &_v24,  &_v40);
									__eflags = _t71;
									if(_t71 == 0) {
										_t101 = BeginDeferWindowPos( *(_t121 + 0x30));
										_t108 = _v48;
										_v52 = _t101;
										_push( &_v52);
										_t127 = _t127 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_push(_t104);
										asm("movsd");
										E000CC2F6(_t108, _t114);
										_t71 = EndDeferWindowPos(_v52);
										_t121 = _v48;
										_t116 = 0;
									}
								}
							}
						} else {
							__eflags =  *((intOrPtr*)(_t121 + 4)) - _t116;
							if( *((intOrPtr*)(_t121 + 4)) != _t116) {
								goto L6;
							}
						}
						__eflags = _v44 - _t116;
						if(_v44 != _t116) {
							_t71 = _v44;
							continue;
						} else {
							goto L1;
						}
						goto L32;
					}
					E000655E0(_t108);
					asm("int3");
					_push(_t125);
					_t126 = _t127;
					_t73 =  *0x1c0454; // 0x885926af
					_v72 = _t73 ^ _t126;
					_push(_t104);
					_push(_t121);
					_t105 = 0;
					_push(_t116);
					_t122 = _t108;
					_v104 = 0;
					_v100 = 0;
					_v96 = 0;
					_v92 = 0;
					E000CBFE2(_t108, __eflags,  &_v104);
					_t117 =  *(_t122 + 0x28);
					_v108 = 0;
					__eflags = _t117;
					if(_t117 != 0) {
						while(1) {
							_t77 = _t117;
							__eflags = _t117 - _t105;
							if(_t117 == _t105) {
								break;
							}
							_t106 =  *((intOrPtr*)(_t77 + 8));
							_t117 =  *_t117;
							_t108 = _t106;
							_t84 =  *((intOrPtr*)( *_t106 + 0x178))();
							__eflags = _t84;
							if(_t84 != 0) {
								L20:
								__eflags = _v0;
								_v40.bottom = 0;
								_v24.left = 0;
								_v24.top = 0;
								_v24.right = 0;
								_push( &(_v40.bottom));
								if(_v0 == 0) {
									GetWindowRect( *(_t106 + 0x20), ??);
								} else {
									_t108 = _t106;
									E000C022F(_t106, _t106, _t114);
								}
								__eflags =  *(_t122 + 0x40) & 0x0000a000;
								if(( *(_t122 + 0x40) & 0x0000a000) == 0) {
									_t89 = _v24.right - _v24.left;
									__eflags = _t89;
								} else {
									_t89 = _v24.top - _v40.bottom;
								}
								_t63 =  &_v48;
								 *_t63 = _v48 + _t89;
								__eflags =  *_t63;
							} else {
								__eflags =  *((intOrPtr*)(_t122 + 4)) - _t84;
								if( *((intOrPtr*)(_t122 + 4)) != _t84) {
									goto L20;
								}
							}
							__eflags = _t117;
							if(_t117 != 0) {
								_t105 = 0;
								__eflags = 0;
								continue;
							} else {
								goto L14;
							}
							goto L31;
						}
						E000655E0(_t108);
						goto L30;
					} else {
						L14:
						__eflags =  *(_t122 + 0x40) & 0x0000a000;
						_pop(_t117);
						_pop(_t122);
						_pop(_t105);
						if(( *(_t122 + 0x40) & 0x0000a000) == 0) {
							L30:
							_t80 = _v40.right - _v40.left;
							__eflags = _v40.right - _v40.left;
						} else {
							_t80 = _v40.top - _v44;
						}
					}
					L31:
					__eflags = _v24.bottom ^ _t126;
					return E00150836(_t80 - _v48, _t105, _v24.bottom ^ _t126, _t114, _t117, _t122);
				} else {
					L1:
					_pop(_t118);
					_pop(_t123);
					_pop(_t107);
					return E00150836(_t71, _t107, _v8 ^ _t125, _t114, _t118, _t123);
				}
				L32:
			}

0x000cc876
0x000cc876
0x000cc876
0x000cc87e
0x000cc885
0x000cc888
0x000cc889
0x000cc88a
0x000cc88c
0x000cc88f
0x000cc890
0x000cc892
0x000cc897
0x000cc8ad
0x000cc8ad
0x000cc8af
0x00000000
0x00000000
0x000cc8b7
0x000cc8bc
0x000cc8bf
0x000cc8c1
0x000cc8c7
0x000cc8c9
0x000cc8d4
0x000cc8d4
0x000cc8d7
0x000cc8e1
0x000cc8e4
0x000cc8e7
0x000cc8ea
0x000cc8f0
0x000cc8f6
0x000cc8fa
0x000cc8fc
0x000cc95a
0x000cc8fe
0x000cc902
0x000cc905
0x000cc908
0x000cc90b
0x000cc90e
0x000cc91b
0x000cc921
0x000cc923
0x000cc928
0x000cc92e
0x000cc931
0x000cc937
0x000cc938
0x000cc940
0x000cc941
0x000cc942
0x000cc943
0x000cc944
0x000cc945
0x000cc94d
0x000cc953
0x000cc956
0x000cc956
0x000cc923
0x000cc8fc
0x000cc8cb
0x000cc8cb
0x000cc8ce
0x00000000
0x00000000
0x000cc8ce
0x000cc95f
0x000cc962
0x000cc8aa
0x00000000
0x000cc968
0x00000000
0x000cc968
0x00000000
0x000cc962
0x000cc96d
0x000cc972
0x000cc975
0x000cc976
0x000cc97b
0x000cc982
0x000cc985
0x000cc986
0x000cc987
0x000cc989
0x000cc98e
0x000cc990
0x000cc993
0x000cc996
0x000cc999
0x000cc99c
0x000cc9a1
0x000cc9a4
0x000cc9a7
0x000cc9a9
0x000cc9c1
0x000cc9c1
0x000cc9c3
0x000cc9c5
0x00000000
0x00000000
0x000cc9c7
0x000cc9cc
0x000cc9ce
0x000cc9d0
0x000cc9d6
0x000cc9d8
0x000cc9df
0x000cc9e1
0x000cc9e4
0x000cc9e7
0x000cc9ea
0x000cc9ed
0x000cc9f3
0x000cc9f4
0x000cca02
0x000cc9f6
0x000cc9f6
0x000cc9f8
0x000cc9f8
0x000cca08
0x000cca0f
0x000cca1c
0x000cca1c
0x000cca11
0x000cca14
0x000cca14
0x000cca1f
0x000cca1f
0x000cca1f
0x000cc9da
0x000cc9da
0x000cc9dd
0x00000000
0x00000000
0x000cc9dd
0x000cca22
0x000cca24
0x000cc9bf
0x000cc9bf
0x00000000
0x000cca26
0x00000000
0x000cca26
0x00000000
0x000cca24
0x000cca28
0x00000000
0x000cc9ab
0x000cc9ab
0x000cc9ab
0x000cc9b2
0x000cc9b3
0x000cc9b4
0x000cc9b5
0x000cca2d
0x000cca30
0x000cca30
0x000cc9b7
0x000cc9ba
0x000cc9ba
0x000cc9b5
0x000cca33
0x000cca39
0x000cca41
0x000cc899
0x000cc899
0x000cc89c
0x000cc89d
0x000cc8a0
0x000cc8a7
0x000cc8a7
0x00000000

APIs

GetWindowRect.USER32(?,?), ref: 000CC8F0
EqualRect.USER32 ref: 000CC91B
BeginDeferWindowPos.USER32 ref: 000CC928
EndDeferWindowPos.USER32(?), ref: 000CC94D

Part of subcall function 000C0102: GetWindowRect.USER32(?,?), ref: 000C0118
Part of subcall function 000C0102: GetParent.USER32(?), ref: 000C015A
Part of subcall function 000C0102: GetParent.USER32(?), ref: 000C016A

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

GetWindowRect.USER32(?,?), ref: 000CCA02

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Rect$DeferParent$BeginEqualException@8Throw
String ID:
API String ID: 3220162355-0
Opcode ID: 7905b5265da1d05dfe11726c4122978ac04cef4115b701fb74a0f3390adcdbc1
Instruction ID: 4f1bffa12185cef07684783ff8925e43b9661f7ad65ef8754538c7d55ee932ee
Opcode Fuzzy Hash: 7905b5265da1d05dfe11726c4122978ac04cef4115b701fb74a0f3390adcdbc1
Instruction Fuzzy Hash: D3510771E00209DFDB51DFA9C988EEEBBF5FF48314B24416EE50AA7211DB30A944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00154CE0 Relevance: 7.7, APIs: 5, Instructions: 160
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E00154CE0(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t82;
				char _t89;
				signed int _t96;
				signed int _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				signed int _t109;
				char* _t110;
				signed int _t120;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t127;

				_t110 = _a4;
				_t108 = _a8;
				_t123 = _a12;
				_v12 = _t110;
				_v8 = _t108;
				if(_t123 == 0 || _a16 == 0) {
					L5:
					return 0;
				} else {
					_t131 = _t110;
					if(_t110 != 0) {
						_t126 = _a20;
						__eflags = _t126;
						if(_t126 == 0) {
							L9:
							__eflags = _t108 - 0xffffffff;
							if(_t108 != 0xffffffff) {
								_t82 = E00151B30(_t110, 0, _t108);
								_t127 = _t127 + 0xc;
							}
							__eflags = _t126;
							if(__eflags == 0) {
								goto L3;
							} else {
								__eflags = _a16 - (_t82 | 0xffffffff) / _t123;
								if(__eflags > 0) {
									goto L3;
								}
								L13:
								_t124 = _t123 * _a16;
								__eflags =  *(_t126 + 0xc) & 0x0000010c;
								_v20 = _t124;
								_t109 = _t124;
								if(( *(_t126 + 0xc) & 0x0000010c) == 0) {
									_v16 = 0x1000;
								} else {
									_v16 =  *((intOrPtr*)(_t126 + 0x18));
								}
								__eflags = _t124;
								if(_t124 == 0) {
									L40:
									return _a16;
								} else {
									do {
										__eflags =  *(_t126 + 0xc) & 0x0000010c;
										if(( *(_t126 + 0xc) & 0x0000010c) == 0) {
											L24:
											__eflags = _t109 - _v16;
											if(_t109 < _v16) {
												_t89 = E0015F88A(_t109, _t124, _t126);
												__eflags = _t89 - 0xffffffff;
												if(_t89 == 0xffffffff) {
													L45:
													return (_t124 - _t109) / _a12;
												}
												__eflags = _v8;
												if(_v8 == 0) {
													L41:
													__eflags = _a8 - 0xffffffff;
													if(__eflags != 0) {
														E00151B30(_a4, 0, _a8);
													}
													 *((intOrPtr*)(E00151F1F(__eflags))) = 0x22;
													L4:
													E00159345();
													goto L5;
												}
												_v12 = _v12 + 1;
												 *_v12 = _t89;
												_t109 = _t109 - 1;
												_t65 =  &_v8;
												 *_t65 = _v8 - 1;
												__eflags =  *_t65;
												_v16 =  *((intOrPtr*)(_t126 + 0x18));
												goto L39;
											}
											__eflags = _v16;
											if(_v16 == 0) {
												_t96 = 0x7fffffff;
												__eflags = _t109 - 0x7fffffff;
												if(_t109 <= 0x7fffffff) {
													_t96 = _t109;
												}
											} else {
												__eflags = _t109 - 0x7fffffff;
												if(_t109 <= 0x7fffffff) {
													_t50 = _t109 % _v16;
													__eflags = _t50;
													_t120 = _t50;
													_t101 = _t109;
												} else {
													_t120 = 0x7fffffff % _v16;
													_t101 = 0x7fffffff;
												}
												_t96 = _t101 - _t120;
											}
											__eflags = _t96 - _v8;
											if(_t96 > _v8) {
												goto L41;
											} else {
												_push(_t96);
												_push(_v12);
												_push(E0015496F(_t126));
												_t98 = E0015FF63(_t109, _t124, _t126, __eflags);
												_t127 = _t127 + 0xc;
												__eflags = _t98;
												if(_t98 == 0) {
													 *(_t126 + 0xc) =  *(_t126 + 0xc) | 0x00000010;
													goto L45;
												}
												__eflags = _t98 - 0xffffffff;
												if(_t98 == 0xffffffff) {
													L44:
													_t72 = _t126 + 0xc;
													 *_t72 =  *(_t126 + 0xc) | 0x00000020;
													__eflags =  *_t72;
													goto L45;
												}
												_v12 = _v12 + _t98;
												_t109 = _t109 - _t98;
												_v8 = _v8 - _t98;
												goto L39;
											}
										}
										_t104 =  *(_t126 + 4);
										__eflags = _t104;
										if(__eflags == 0) {
											goto L24;
										}
										if(__eflags < 0) {
											goto L44;
										}
										_t125 = _t109;
										__eflags = _t109 - _t104;
										if(_t109 >= _t104) {
											_t125 = _t104;
										}
										__eflags = _t125 - _v8;
										if(_t125 > _v8) {
											goto L41;
										} else {
											E00150B32(_v12, _v8,  *_t126, _t125);
											 *(_t126 + 4) =  *(_t126 + 4) - _t125;
											 *_t126 =  *_t126 + _t125;
											_v12 = _v12 + _t125;
											_t109 = _t109 - _t125;
											_t127 = _t127 + 0x10;
											_v8 = _v8 - _t125;
											_t124 = _v20;
										}
										L39:
										__eflags = _t109;
									} while (_t109 != 0);
									goto L40;
								}
							}
						}
						_t82 = (_t82 | 0xffffffff) / _t123;
						__eflags = _a16 - _t82;
						if(_a16 <= _t82) {
							goto L13;
						}
						goto L9;
					}
					L3:
					 *((intOrPtr*)(E00151F1F(_t131))) = 0x16;
					goto L4;
				}
			}

0x00154ce8
0x00154cec
0x00154cf1
0x00154cf4
0x00154cf7
0x00154cfc
0x00154d18
0x00000000
0x00154d04
0x00154d04
0x00154d06
0x00154d1f
0x00154d22
0x00154d24
0x00154d32
0x00154d32
0x00154d35
0x00154d3b
0x00154d40
0x00154d40
0x00154d43
0x00154d45
0x00000000
0x00154d47
0x00154d4e
0x00154d51
0x00000000
0x00000000
0x00154d53
0x00154d53
0x00154d57
0x00154d5e
0x00154d61
0x00154d63
0x00154d6d
0x00154d65
0x00154d68
0x00154d68
0x00154d74
0x00154d76
0x00154e56
0x00000000
0x00154d7c
0x00154d7c
0x00154d7c
0x00154d83
0x00154dc9
0x00154dc9
0x00154dcc
0x00154e2b
0x00154e31
0x00154e34
0x00154e88
0x00000000
0x00154e8e
0x00154e36
0x00154e3a
0x00154e5e
0x00154e5e
0x00154e62
0x00154e6c
0x00154e71
0x00154e79
0x00154d13
0x00154d13
0x00000000
0x00154d13
0x00154e3f
0x00154e42
0x00154e47
0x00154e48
0x00154e48
0x00154e48
0x00154e4b
0x00000000
0x00154e4b
0x00154dce
0x00154dd2
0x00154df3
0x00154df8
0x00154dfa
0x00154dfc
0x00154dfc
0x00154dd4
0x00154ddb
0x00154ddd
0x00154dea
0x00154dea
0x00154dea
0x00154ded
0x00154ddf
0x00154de1
0x00154de4
0x00154de4
0x00154def
0x00154def
0x00154dfe
0x00154e01
0x00000000
0x00154e03
0x00154e03
0x00154e04
0x00154e0e
0x00154e0f
0x00154e14
0x00154e17
0x00154e19
0x00154e96
0x00000000
0x00154e96
0x00154e1b
0x00154e1e
0x00154e84
0x00154e84
0x00154e84
0x00154e84
0x00000000
0x00154e84
0x00154e20
0x00154e23
0x00154e25
0x00000000
0x00154e25
0x00154e01
0x00154d85
0x00154d88
0x00154d8a
0x00000000
0x00000000
0x00154d8c
0x00000000
0x00000000
0x00154d92
0x00154d94
0x00154d96
0x00154d98
0x00154d98
0x00154d9a
0x00154d9d
0x00000000
0x00154da3
0x00154dac
0x00154db1
0x00154db4
0x00154db6
0x00154db9
0x00154dbb
0x00154dbe
0x00154dc1
0x00154dc1
0x00154e4e
0x00154e4e
0x00154e4e
0x00000000
0x00154d7c
0x00154d76
0x00154d45
0x00154d2b
0x00154d2d
0x00154d30
0x00000000
0x00000000
0x00000000
0x00154d30
0x00154d08
0x00154d0d
0x00000000
0x00154d0d

APIs

_memset.LIBCMT ref: 00154D3B
_memcpy_s.LIBCMT ref: 00154DAC
__read.LIBCMT ref: 00154E0F
__filbuf.LIBCMT ref: 00154E2B

Part of subcall function 00151F1F: __getptd_noexit.LIBCMT ref: 00151F1F

_memset.LIBCMT ref: 00154E6C

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: b039300343d95fcc01f1efe28c0e526eaf622803458c2e986fc16eb7a9ca7757
Instruction ID: f20a09668db31b8c307a140acc2007a7c54049ae6cc4726b1c32c8f8877b50f4
Opcode Fuzzy Hash: b039300343d95fcc01f1efe28c0e526eaf622803458c2e986fc16eb7a9ca7757
Instruction Fuzzy Hash: D251B331A00305EBDF249FA8C84569EB7B1FF6032AF258269EC349F194D7749E98DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000812F4 Relevance: 7.6, APIs: 5, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000812F4(RECT* __ecx, void* __edx, void* __edi, struct tagPOINT* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				RECT* _v60;
				void* __ebx;
				void* __esi;
				signed int _t41;
				intOrPtr _t51;
				intOrPtr _t56;
				void* _t58;
				void* _t65;
				void* _t68;
				struct tagPOINT* _t74;
				void* _t84;
				RECT* _t88;
				RECT* _t90;
				signed int _t91;

				_t85 = __edi;
				_t84 = __edx;
				_t41 =  *0x1c0454; // 0x885926af
				_v8 = _t41 ^ _t91;
				_t74 = _a4;
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				_t88 = __ecx;
				_v60 = __ecx;
				GetClientRect( *(__ecx + 0x20),  &_v24);
				E0006636C(_t88,  &_v24);
				_push(_t74->y);
				if(PtInRect( &_v24, _t74->x) != 0) {
					_push(__edi);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t90 = _v60;
					_t51 =  *((intOrPtr*)(_t90 + 0xed4));
					if(_t51 == 0) {
						_v40.right =  *((intOrPtr*)(_t90 + 0xecc)) + _v24.left;
					} else {
						_t65 = _t51 - 1;
						if(_t65 == 0) {
							_v40.left = _v24.right -  *((intOrPtr*)(_t90 + 0xecc));
						} else {
							_t68 = _t65 - 1;
							if(_t68 == 0) {
								_v40.bottom =  *((intOrPtr*)(_t90 + 0xecc)) + _v24.top;
							} else {
								if(_t68 == 1) {
									_v40.top = _v24.bottom -  *((intOrPtr*)(_t90 + 0xecc));
								}
							}
						}
					}
					_push(_t74->y);
					if(PtInRect( &_v40, _t74->x) == 0) {
						_t56 =  *((intOrPtr*)(_t90 + 0xfc0));
						if(_t74->x <= _v24.right - _t56) {
							if(_t74->y <= _v24.bottom - _t56) {
								if(IsRectEmpty(_t90) != 0) {
									L20:
									_t58 = 0;
									goto L21;
								}
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E0006636C(_v60,  &_v56);
								_push(_t74->y);
								if(PtInRect( &_v56,  *_t74) == 0) {
									goto L20;
								}
								_push(5);
								goto L19;
							}
							_push(2);
							goto L19;
						}
						_t58 = 1;
						goto L21;
					} else {
						_push(3);
						L19:
						_pop(_t58);
						L21:
						_pop(_t85);
						goto L22;
					}
				} else {
					_t58 = 4;
					L22:
					return E00150836(_t58, _t74, _v8 ^ _t91, _t84, _t85, _t90);
				}
			}

0x000812f4
0x000812f4
0x000812fc
0x00081303
0x00081309
0x0008130d
0x00081310
0x00081313
0x00081316
0x0008131c
0x00081322
0x00081325
0x00081331
0x00081336
0x00081347
0x00081351
0x00081358
0x00081359
0x0008135a
0x0008135b
0x0008135c
0x00081365
0x00081368
0x000813a6
0x0008136a
0x0008136a
0x0008136b
0x00081398
0x0008136d
0x0008136d
0x0008136e
0x0008138a
0x00081370
0x00081371
0x0008137c
0x0008137c
0x00081371
0x0008136e
0x0008136b
0x000813a9
0x000813ba
0x000813c0
0x000813cd
0x000813dc
0x000813f1
0x0008141e
0x0008141e
0x00000000
0x0008141e
0x000813f9
0x000813fa
0x000813fb
0x00081400
0x00081401
0x00081406
0x00081417
0x00000000
0x00000000
0x00081419
0x00000000
0x00081419
0x000813de
0x00000000
0x000813de
0x000813d1
0x00000000
0x000813bc
0x000813bc
0x0008141b
0x0008141b
0x00081420
0x00081420
0x00000000
0x00081420
0x00081349
0x0008134b
0x00081421
0x0008142e
0x0008142e

APIs

GetClientRect.USER32 ref: 00081325

Part of subcall function 0006636C: ClientToScreen.USER32(?,00081336), ref: 0006637D
Part of subcall function 0006636C: ClientToScreen.USER32(?,0008133E), ref: 0006638A

PtInRect.USER32(?,?,?), ref: 0008133F
PtInRect.USER32(?,?,?), ref: 000813B2

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: b4c95668b7d395281789ef8e9c1a34ca47980a5da65ef4083e7c005afe89bd5c
Instruction ID: af6a4f880115b97bceea2f81cd8d09a6130dc901aa5d4ce2eb6cce377b1910f0
Opcode Fuzzy Hash: b4c95668b7d395281789ef8e9c1a34ca47980a5da65ef4083e7c005afe89bd5c
Instruction Fuzzy Hash: B0411F7190061AEFCF11EFA4D984AEEBBF9FF48300F104429E446FB641D671AA42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000E5210 Relevance: 7.6, APIs: 5, Instructions: 111
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E000E5210(void* __ecx, void* __edx, void* __eflags, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				void* _t49;
				signed int _t54;
				signed int _t57;
				signed int _t60;
				signed int _t64;
				int _t71;
				void* _t80;
				void* _t81;
				void* _t82;
				int _t84;
				signed int _t85;
				void* _t86;

				_t86 = __eflags;
				_t80 = __edx;
				_t40 =  *0x1c0454; // 0x885926af
				_v8 = _t40 ^ _t85;
				_t81 = __ecx;
				_v28 = E0006342B(__ecx);
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetWindowRect( *(__ecx + 0x20),  &_v24);
				_t71 = GetSystemMetrics(0x21);
				_t84 = GetSystemMetrics(0x20);
				_t82 = E0005F788(_t71, _t81, _t81, _t86);
				if((_v28 & 0x00001000) == 0) {
					L5:
					__eflags = _t82 - 0xa;
					if(_t82 < 0xa) {
						L7:
						__eflags = _t82 - 4;
						if(_t82 != 4) {
							goto L16;
						} else {
							goto L8;
						}
					} else {
						__eflags = _t82 - 0x11;
						if(_t82 <= 0x11) {
							L8:
							__eflags = _v28 & 0x00000800;
							if((_v28 & 0x00000800) == 0) {
								_t71 =  ~_t71;
								InflateRect( &_v24, _t84, _t71);
								__eflags = _v28 & 0x00000200;
								if((_v28 & 0x00000200) == 0) {
									L16:
									_t49 = _t82;
								} else {
									_t54 = _t82 - 4;
									__eflags = _t54;
									if(_t54 == 0) {
										L21:
										__eflags = _a8 - _v24.bottom;
										_t49 = 0xb + (0 | _a8 - _v24.bottom > 0x00000000) * 4;
									} else {
										_t57 = _t54 - 9;
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags = _a8 - _v24.top;
											_t49 = (0 | _a8 - _v24.top < 0x00000000) + (0 | _a8 - _v24.top < 0x00000000) + 0xa;
										} else {
											_t60 = _t57 - 1;
											__eflags = _t60;
											if(_t60 == 0) {
												__eflags = _a8 - _v24.top;
												_t49 = (0 | _a8 - _v24.top < 0x00000000) + 0xb;
											} else {
												_t64 = _t60;
												__eflags = _t64;
												if(_t64 == 0) {
													__eflags = _a8 - _v24.bottom;
													_t49 = ((0 | _a8 - _v24.bottom <= 0x00000000) - 0x00000001 & 0x00000005) + 0xa;
												} else {
													__eflags = _t64 == 1;
													if(_t64 == 1) {
														goto L21;
													} else {
														goto L16;
													}
												}
											}
										}
									}
								}
							} else {
								_t49 = 2;
							}
						} else {
							goto L7;
						}
					}
				} else {
					if(_t82 == 3) {
						_t82 = 2;
					}
					if(GetKeyState(2) >= 0) {
						goto L5;
					} else {
						_t49 = 0;
					}
				}
				return E00150836(_t49, _t71, _v8 ^ _t85, _t80, _t82, _t84);
			}

0x000e5210
0x000e5210
0x000e5218
0x000e521f
0x000e5225
0x000e522c
0x000e5231
0x000e5234
0x000e5237
0x000e523a
0x000e5244
0x000e5256
0x000e525c
0x000e526a
0x000e526c
0x000e5287
0x000e5287
0x000e528a
0x000e5291
0x000e5291
0x000e5294
0x00000000
0x00000000
0x00000000
0x00000000
0x000e528c
0x000e528c
0x000e528f
0x000e5296
0x000e5296
0x000e529d
0x000e52a4
0x000e52ae
0x000e52b4
0x000e52bb
0x000e52d3
0x000e52d3
0x000e52bd
0x000e52bf
0x000e52bf
0x000e52c2
0x000e531b
0x000e5320
0x000e5326
0x000e52c4
0x000e52c4
0x000e52c4
0x000e52c7
0x000e530f
0x000e5315
0x000e52c9
0x000e52c9
0x000e52c9
0x000e52ca
0x000e52ff
0x000e5305
0x000e52cc
0x000e52cd
0x000e52cd
0x000e52ce
0x000e52eb
0x000e52f5
0x000e52d0
0x000e52d0
0x000e52d1
0x00000000
0x00000000
0x00000000
0x00000000
0x000e52d1
0x000e52ce
0x000e52ca
0x000e52c7
0x000e52c2
0x000e529f
0x000e52a1
0x000e52a1
0x00000000
0x00000000
0x00000000
0x000e528f
0x000e526e
0x000e5271
0x000e5275
0x000e5275
0x000e5281
0x00000000
0x000e5283
0x000e5283
0x000e5283
0x000e5281
0x000e52e3

APIs

Part of subcall function 0006342B: GetWindowLongW.USER32(?,000000F0), ref: 00063436

GetWindowRect.USER32(?,0007F14E), ref: 000E5244
GetSystemMetrics.USER32 ref: 000E5252
GetSystemMetrics.USER32 ref: 000E5258
GetKeyState.USER32(00000002), ref: 000E5278
InflateRect.USER32 ref: 000E52AE

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: 54ae66544e40b512af439deb576febd676b6d4c553603f6e005f1f32fb85e756
Instruction ID: f63de6e3313ce6667eeeee0f7f1661c6ba867e588c65f7c5ba5829487e23fc5c
Opcode Fuzzy Hash: 54ae66544e40b512af439deb576febd676b6d4c553603f6e005f1f32fb85e756
Instruction Fuzzy Hash: 1F31D231B005499FDB24DFB9CC89AEEB7F4EB4A399F14481DD102FB181DA709A40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0007A624 Relevance: 7.6, APIs: 5, Instructions: 108
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0007A624(void* __ebx, signed int __ecx, void* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t29;
				intOrPtr _t45;
				void* _t47;
				void* _t49;
				signed int _t52;
				signed int _t53;
				intOrPtr _t56;
				void* _t65;
				signed int _t69;
				intOrPtr* _t71;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr _t80;
				void* _t85;

				_t65 = __edx;
				_t52 = __ecx;
				_t49 = __ebx;
				_push(__ecx);
				_push(__ecx);
				_t76 = __ecx;
				_t78 =  *0x1c3f28; // 0x0
				if(_t78 != 0) {
					L15:
					return 0;
				}
				if( *((intOrPtr*)(__ecx + 0xb38)) == 0) {
					L4:
					_t53 = _t52 | 0xffffffff;
					_push(_t49);
					 *((intOrPtr*)(_t76 + 0xb34)) = 0;
					 *(_t76 + 0xc88) = _t53;
					 *(_t76 + 0xc8c) = _t53;
					_t29 = E0005F82E(_t49, _t53, _t65, GetFocus());
					_v8 = _t29;
					_t69 = 0 | _t29 == _t76;
					_t56 = E0005F82E(GetParent, _t29 == _t76, _t65, GetParent( *(_t76 + 0x20)));
					_v12 = _t56;
					if(_t56 != 0 && E0006EA07(_t56, 0x1860b8) != 0) {
						_t45 = _v12;
						_t85 = _t45 - _v8;
						_t64 = 0 | _t85 == 0x00000000;
						_t69 = _t85 == 0;
						if(_t69 == 0) {
							_t47 = E0005F82E(GetParent, _t64, _t65, GetParent( *(_t45 + 0x20)));
							asm("sbb edi, edi");
							_t69 =  ~(_t47 - _v8) + 1;
						}
					}
					if( *(_t76 + 0xb7c) >= 0) {
						if(_t69 == 0 &&  *((intOrPtr*)( *_t76 + 0x3f0))() == 0) {
							 *(_t76 + 0xb7c) =  *(_t76 + 0xb7c) | 0xffffffff;
							 *((intOrPtr*)( *_t76 + 0x3b0))(0xffffffff);
							_t71 = E00076CF9(_t76, _t65,  *(_t76 + 0xb7c));
							UpdateWindow( *(_t76 + 0x20));
							if(_t71 == 0 ||  *((intOrPtr*)( *_t71 + 0x70))() == 0) {
								SendMessageW( *(E00061441(_t76) + 0x20), 0x362, 0xe001, 0);
							}
						}
					} else {
						 *((intOrPtr*)( *_t76 + 0x414))(0xffffffff);
					}
					goto L15;
				}
				_t80 =  *0x1c3f04; // 0x0
				if(_t80 != 0 || E00075AF1(__ecx, 0) == 0) {
					goto L4;
				} else {
					goto L15;
				}
			}

0x0007a624
0x0007a624
0x0007a624
0x0007a629
0x0007a62a
0x0007a62f
0x0007a631
0x0007a637
0x0007a75a
0x0007a75f
0x0007a75f
0x0007a643
0x0007a65b
0x0007a65b
0x0007a660
0x0007a661
0x0007a667
0x0007a66d
0x0007a67a
0x0007a68f
0x0007a692
0x0007a69c
0x0007a69e
0x0007a6a3
0x0007a6b3
0x0007a6b8
0x0007a6bb
0x0007a6be
0x0007a6c2
0x0007a6ca
0x0007a6d6
0x0007a6d8
0x0007a6d8
0x0007a6c2
0x0007a6e1
0x0007a6f3
0x0007a70b
0x0007a716
0x0007a727
0x0007a729
0x0007a731
0x0007a754
0x0007a754
0x0007a731
0x0007a6e3
0x0007a6e9
0x0007a6e9
0x00000000
0x0007a6e1
0x0007a645
0x0007a64b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetFocus.USER32 ref: 0007A673
GetParent.USER32(?), ref: 0007A694
GetParent.USER32(?), ref: 0007A6C7
UpdateWindow.USER32 ref: 0007A729
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 0007A754

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Parent$FocusMessageSendUpdateWindow
String ID:
API String ID: 2438739141-0
Opcode ID: 5abf9b939d7b9c03dd1b071d9b5f35a7ff1ced2a3e9868b6368f7f7ed260c6a4
Instruction ID: 2e0b2a38641b57648ca016e29752374f40c1c5b760b4983929e45f5ac5b0ed1c
Opcode Fuzzy Hash: 5abf9b939d7b9c03dd1b071d9b5f35a7ff1ced2a3e9868b6368f7f7ed260c6a4
Instruction Fuzzy Hash: 7831A375B006009FCB259B38CC48A6E76F5EFC5760F25862DF46A872D1EF349941CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0005BBF0 Relevance: 7.6, APIs: 5, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0005BBF0(intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				signed int _v8;
				char _v12;
				intOrPtr* _t27;
				intOrPtr* _t29;
				intOrPtr* _t30;
				void* _t32;
				intOrPtr _t33;
				intOrPtr* _t35;
				intOrPtr _t43;
				intOrPtr _t45;
				signed int _t48;
				intOrPtr* _t52;
				signed int _t59;
				intOrPtr* _t68;
				void* _t70;
				void* _t71;
				void* _t72;
				void* _t73;

				_t27 = _a4;
				_t72 = _t71 - 8;
				_t48 = 0;
				 *((intOrPtr*)(_t27 + 4)) = 0;
				 *((intOrPtr*)(_t27 + 8)) = 1;
				_t29 =  *_a8;
				_t68 = __imp__#7;
				_push(_t64);
				if(_t29 == 0) {
					L3:
					_v8 = _t48;
					L4:
					_t30 =  *_a12;
					if(_t30 != _t48) {
						_t43 =  *_t30;
						if(_t43 != _t48) {
							_t48 =  *_t68(_t43);
						}
					}
					_t59 = _v8;
					_t32 = E0005BBA0(_t59, _t48,  &_v12);
					_t73 = _t72 + 4;
					if(_t32 < 0) {
						L11:
						_t33 = E00168380(0x8007000e);
						L12:
						_t52 =  *_a8;
						if(_t52 != 0) {
							_t56 =  *_t52;
							if( *_t52 != 0) {
								E00150B32(_t33, _t64 + 2, _t56, _v8 + _v8 + 2);
								_t73 = _t73 + 0x10;
							}
						}
						_t35 =  *_a12;
						if(_t35 != 0) {
							_t53 =  *_t35;
							if( *_t35 != 0) {
								_t21 = _t48 + 2; // 0x2
								E00150B32( *_a4 + _v8 * 2, _t48 + _t21, _t53, _t48 + _t21);
							}
						}
						L18:
						return _a4;
					}
					_t33 = E0005BBC0(_v12,  &_v12);
					_t73 = _t73 + 4;
					if(_t33 < 0) {
						goto L11;
					}
					_t70 = _t48 + _t59;
					_t64 = _t70 + _t70;
					__imp__#150(0, _t70 + _t70);
					 *_a4 = _t33;
					if(_t33 != 0) {
						goto L12;
					}
					if(_t70 == 0) {
						goto L18;
					}
					goto L11;
				}
				_t45 =  *_t29;
				if(_t45 == 0) {
					goto L3;
				} else {
					_v8 =  *_t68(_t45);
					goto L4;
				}
			}

0x0005bbf3
0x0005bbf6
0x0005bbfa
0x0005bbfc
0x0005bbff
0x0005bc09
0x0005bc0c
0x0005bc12
0x0005bc15
0x0005bc25
0x0005bc25
0x0005bc28
0x0005bc2b
0x0005bc2f
0x0005bc31
0x0005bc35
0x0005bc3a
0x0005bc3a
0x0005bc35
0x0005bc40
0x0005bc47
0x0005bc4c
0x0005bc51
0x0005bc82
0x0005bc87
0x0005bc8c
0x0005bc8f
0x0005bc93
0x0005bc95
0x0005bc99
0x0005bca9
0x0005bcae
0x0005bcae
0x0005bc99
0x0005bcb4
0x0005bcb8
0x0005bcba
0x0005bcbe
0x0005bcc0
0x0005bcd3
0x0005bcd8
0x0005bcbe
0x0005bcdb
0x0005bce4
0x0005bce4
0x0005bc5a
0x0005bc5f
0x0005bc64
0x00000000
0x00000000
0x0005bc66
0x0005bc69
0x0005bc6f
0x0005bc78
0x0005bc7c
0x00000000
0x00000000
0x0005bc80
0x00000000
0x00000000
0x00000000
0x0005bc80
0x0005bc17
0x0005bc1b
0x00000000
0x0005bc1d
0x0005bc20
0x00000000
0x0005bc20

APIs

SysStringLen.OLEAUT32(?), ref: 0005BC1E
SysStringLen.OLEAUT32(?), ref: 0005BC38
SysAllocStringByteLen.OLEAUT32(00000000,?), ref: 0005BC6F
_memcpy_s.LIBCMT ref: 0005BCA9
_memcpy_s.LIBCMT ref: 0005BCD3

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: String$_memcpy_s$AllocByte
String ID:
API String ID: 3263500483-0
Opcode ID: 182dd20a2c75670ce11a876904ff349582036a739c617c79302c499a7af46d70
Instruction ID: ad07b22c546e4683870c4e4af845a85b1044c0e76b30f6ed760874ac6029cd70
Opcode Fuzzy Hash: 182dd20a2c75670ce11a876904ff349582036a739c617c79302c499a7af46d70
Instruction Fuzzy Hash: AB312F75A01209ABDB14DF98C8819ABBBE9AF48305B548569ED05DB211DB30FD48CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0007A762 Relevance: 7.6, APIs: 5, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0007A762(void* __ebx, void* __ecx, void* __edx, int _a4, int _a8, long _a12) {
				struct tagPOINT _v12;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t30;
				signed int _t32;
				signed int _t33;
				signed int _t37;
				signed int _t41;
				void* _t42;
				void* _t50;
				signed int _t53;
				signed int _t54;
				signed int _t55;
				signed int _t56;
				void* _t60;
				signed int _t61;
				signed int _t63;
				struct tagPOINT* _t66;
				signed int _t68;

				_t60 = __edx;
				_t51 = __ecx;
				_t50 = __ebx;
				_push(__ecx);
				_push(__ecx);
				if(_a4 == 0) {
					_t66 = _a12;
					__eflags = _t66;
					if(_t66 == 0) {
						E000655E0(__ecx);
					}
					__eflags = _a8 - 0x200;
					if(_a8 != 0x200) {
						L17:
						__eflags = 0;
						return 0;
					} else {
						_push(_t66->y);
						_t63 = E0006EA25(0x1bced8, E0005F82E(_t50, _t51, _t60, WindowFromPoint(_t66->x)));
						_pop(_t53);
						__eflags = _t63;
						if(__eflags != 0) {
							_v12.x =  *_t66;
							_v12.y = _t66->y;
							ScreenToClient( *(_t63 + 0x20),  &_v12);
							_t53 = _t63;
							E00079BD2(_t50, _t53, _t60, _t63, _t66, __eflags, 0, _v12.x, _v12.y);
						}
						_t30 =  *0x1c3f2c; // 0x0
						__eflags = _t30;
						if(_t30 == 0) {
							L16:
							 *0x1c3f2c = _t63;
							goto L17;
						} else {
							__eflags = _t30 - _t63;
							if(_t30 == _t63) {
								goto L16;
							}
							 *(_t30 + 0xb34) =  *(_t30 + 0xb34) & 0x00000000;
							_t61 =  *0x1c3f2c; // 0x0
							_t54 = _t53 | 0xffffffff;
							 *(_t61 + 0xc88) = _t54;
							_t32 =  *0x1c3f2c; // 0x0
							 *(_t32 + 0xc8c) = _t54;
							_t33 =  *0x1c3f2c; // 0x0
							__eflags =  *(_t33 + 0xb7c);
							if( *(_t33 + 0xb7c) < 0) {
								goto L16;
							}
							_t68 =  *(_t33 + 0xb7c);
							 *(_t33 + 0xb7c) = _t54;
							__eflags = _t63;
							if(_t63 == 0) {
								L14:
								_t55 =  *0x1c3f2c; // 0x0
								L15:
								 *((intOrPtr*)( *_t55 + 0x3b0))( *((intOrPtr*)(_t55 + 0xb7c)));
								_t56 =  *0x1c3f2c; // 0x0
								E00076CF9(_t56, _t61, _t68);
								_t37 =  *0x1c3f2c; // 0x0
								UpdateWindow( *(_t37 + 0x20));
								goto L16;
							}
							_t41 = E0006EA25(0x1bcffc, E0005F82E(_t50, _t54, _t61, GetParent( *(_t63 + 0x20))));
							__eflags = _t41;
							if(_t41 == 0) {
								goto L14;
							}
							_t42 = E0007ED9A(_t41);
							_t55 =  *0x1c3f2c; // 0x0
							__eflags = _t42 - _t55;
							if(_t42 == _t55) {
								goto L16;
							}
							goto L15;
						}
					}
				}
				return CallNextHookEx( *0x1c3f28, _a4, _a8, _a12);
			}

0x0007a762
0x0007a762
0x0007a762
0x0007a767
0x0007a768
0x0007a76d
0x0007a78a
0x0007a78d
0x0007a78f
0x0007a791
0x0007a791
0x0007a796
0x0007a79d
0x0007a8ad
0x0007a8ad
0x00000000
0x0007a7a3
0x0007a7a4
0x0007a7c0
0x0007a7c3
0x0007a7c4
0x0007a7c6
0x0007a7ca
0x0007a7d0
0x0007a7da
0x0007a7e3
0x0007a7ea
0x0007a7ea
0x0007a7ef
0x0007a7f4
0x0007a7f6
0x0007a8a6
0x0007a8a6
0x00000000
0x0007a7fc
0x0007a7fc
0x0007a7fe
0x00000000
0x00000000
0x0007a804
0x0007a80b
0x0007a811
0x0007a816
0x0007a81c
0x0007a821
0x0007a827
0x0007a82c
0x0007a833
0x00000000
0x00000000
0x0007a835
0x0007a83b
0x0007a841
0x0007a843
0x0007a878
0x0007a878
0x0007a87e
0x0007a886
0x0007a88c
0x0007a893
0x0007a898
0x0007a8a0
0x00000000
0x0007a8a0
0x0007a85a
0x0007a861
0x0007a863
0x00000000
0x00000000
0x0007a867
0x0007a86c
0x0007a872
0x0007a874
0x00000000
0x00000000
0x00000000
0x0007a876
0x0007a7f6
0x0007a79d
0x00000000

APIs

CallNextHookEx.USER32 ref: 0007A77E
WindowFromPoint.USER32 ref: 0007A7A9
ScreenToClient.USER32(?,00000000), ref: 0007A7DA
GetParent.USER32(?), ref: 0007A848
UpdateWindow.USER32 ref: 0007A8A0

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$CallClientFromHookNextParentPointScreenUpdate
String ID:
API String ID: 160110263-0
Opcode ID: ebf292a6266c7f17dbb24221eccacc97c54b6bca7f559e1b89361361303e8ae8
Instruction ID: c3406a4f3d2859e8b8e1871e915ae54a637a728fe534e9df854a779d719c5786
Opcode Fuzzy Hash: ebf292a6266c7f17dbb24221eccacc97c54b6bca7f559e1b89361361303e8ae8
Instruction Fuzzy Hash: 4B318D36A04100EFCB15AFA4DC08EAD3BB6FB89310F14C56DF418876A1DB36E980CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00077C10 Relevance: 7.6, APIs: 5, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00077C10(intOrPtr* __ecx, void* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				struct tagPOINT _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				void* _t39;
				void* _t52;
				long _t53;
				intOrPtr _t60;
				void* _t70;
				intOrPtr _t71;
				intOrPtr* _t72;
				signed int _t73;
				void* _t75;

				_t70 = __edx;
				_t33 =  *0x1c0454; // 0x885926af
				_v8 = _t33 ^ _t73;
				_t72 = __ecx;
				_t71 =  *((intOrPtr*)(__ecx + 0xb30));
				_t59 = 0;
				_v32.x = 0;
				_v32.y = 0;
				GetCursorPos( &_v32);
				if(_t71 != 0) {
					L7:
					SetCursor( *0x1c3a80);
					goto L8;
				} else {
					_t71 = ScreenToClient;
					_t75 =  *0x1c3f04 - _t59; // 0x0
					if(_t75 == 0) {
						L10:
						_v40.x = _v32.x;
						_v40.y = _v32.y;
						ScreenToClient( *(_t72 + 0x20),  &_v40);
						_v24.left = _t59;
						_v24.top = _t59;
						_v24.right = _t59;
						_v24.bottom = _t59;
						E000B637C(_t72 + 0xb6c, _t70, _t72,  &_v24, 1);
						_push(_v40.y);
						__eflags = PtInRect( &_v24, _v40);
						if(__eflags == 0) {
							L13:
							_t39 = E0005F788(_t59, _t72, _t71, __eflags);
						} else {
							__eflags =  *0x1c48bc - _t59; // 0x0
							if(__eflags != 0) {
								goto L13;
							} else {
								SetCursor( *0x1c3a8c);
								L8:
								_t39 = 1;
							}
						}
					} else {
						if( *((intOrPtr*)(_t72 + 0xb80)) == 0xffffffff ||  *((intOrPtr*)(_t72 + 0xb04)) != 0) {
							L9:
							_t59 = 0;
							__eflags = 0;
							goto L10;
						} else {
							ScreenToClient( *(_t72 + 0x20),  &_v32);
							_t60 =  *((intOrPtr*)(_t72 + 0xb80));
							_t52 =  *((intOrPtr*)( *_t72 + 0x390))(_v32.x, _v32.y);
							_t78 = _t52 - _t60;
							if(_t52 != _t60) {
								goto L9;
							} else {
								_t53 = E00074F8E(_t72, _t78, _t60);
								_t59 = _t53;
								if( *((intOrPtr*)( *_t53 + 0x3c))() == 0 || E00155F20(_t70, _v32.x -  *((intOrPtr*)(_t59 + 0x5c))) > 6) {
									goto L9;
								} else {
									goto L7;
								}
							}
						}
					}
				}
				return E00150836(_t39, _t59, _v8 ^ _t73, _t70, _t71, _t72);
			}

0x00077c10
0x00077c18
0x00077c1f
0x00077c28
0x00077c2a
0x00077c30
0x00077c33
0x00077c36
0x00077c39
0x00077c41
0x00077cac
0x00077cb2
0x00000000
0x00077c43
0x00077c43
0x00077c49
0x00077c4f
0x00077cbf
0x00077cc2
0x00077cc8
0x00077cd2
0x00077ce0
0x00077ce3
0x00077ce6
0x00077ce9
0x00077cec
0x00077cf1
0x00077d01
0x00077d03
0x00077d15
0x00077d17
0x00077d05
0x00077d05
0x00077d0b
0x00000000
0x00077d0d
0x00077cb2
0x00077cb2
0x00077cba
0x00077cba
0x00077d0b
0x00077c51
0x00077c58
0x00077cbd
0x00077cbd
0x00077cbd
0x00000000
0x00077c62
0x00077c69
0x00077c73
0x00077c7b
0x00077c81
0x00077c83
0x00000000
0x00077c85
0x00077c88
0x00077c8d
0x00077c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00077c98
0x00077c83
0x00077c58
0x00077c4f
0x00077d2a

APIs

GetCursorPos.USER32(?), ref: 00077C39
ScreenToClient.USER32(?,?), ref: 00077C69
SetCursor.USER32 ref: 00077CB2
ScreenToClient.USER32(?,?), ref: 00077CD2
PtInRect.USER32(?,?,?), ref: 00077CFB

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: ba03de79840da9e338c89589d5b63f888353d6b1e1554b11a8b44d4835c56975
Instruction ID: bdda68733683f2353f5f7b8b155255965e0b8ce33944a05386b4d75ee8d05b7a
Opcode Fuzzy Hash: ba03de79840da9e338c89589d5b63f888353d6b1e1554b11a8b44d4835c56975
Instruction Fuzzy Hash: 47313DB1E042099FCB21DFA5CC859AEBBF9FB4C344B50842EE51AA3261D7389D45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 000805CC Relevance: 7.6, APIs: 5, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E000805CC(void* __ecx, void* __edi, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				int _v60;
				void* __ebx;
				void* __esi;
				signed int _t41;
				signed int _t48;
				intOrPtr _t71;
				long _t72;
				intOrPtr _t74;
				void* _t76;
				signed int _t77;
				intOrPtr _t80;

				_t73 = __edi;
				_t41 =  *0x1c0454; // 0x885926af
				_v8 = _t41 ^ _t77;
				_t76 = __ecx;
				_t43 = E0006176A(__ecx, __edi);
				_v60 = _t43;
				if(_t43 == 0) {
					L11:
					return E00150836(_t43, 0, _v8 ^ _t77, _t70, _t73, _t76);
				}
				if( *((intOrPtr*)(__ecx + 0xfc0)) == 0) {
					L9:
					_t43 = UpdateWindow( *(_t43 + 0x20));
					L10:
					goto L11;
				}
				_t80 =  *0x1bcff0; // 0x1
				if(_t80 != 0) {
					goto L9;
				}
				_push(__edi);
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetWindowRect( *(_t43 + 0x20),  &_v24);
				_t71 =  *((intOrPtr*)(_t76 + 0xfc0));
				_t74 =  *((intOrPtr*)(_t76 + 0x12c));
				_t72 =  *(_t76 + 0x128);
				_v40.left = _t72;
				_v40.top = _t74;
				_t70 = _t72 +  *((intOrPtr*)(_t76 + 0x138)) + _t71;
				_v40.right = _t72 +  *((intOrPtr*)(_t76 + 0x138)) + _t71;
				_v40.bottom = _t74 +  *((intOrPtr*)(_t76 + 0x13c)) + _t71;
				_t48 = E00063445(_t76);
				_pop(_t73);
				if((_t48 & 0x00400000) != 0) {
					OffsetRect( &_v40,  ~( *((intOrPtr*)(_t76 + 0xfc0)) +  *((intOrPtr*)(_t76 + 0x138))), 0);
				}
				_v56.left = 0;
				_v56.top = 0;
				_v56.right = 0;
				_v56.bottom = 0;
				UnionRect( &_v56,  &_v40,  &_v24);
				if(EqualRect( &_v56,  &_v24) != 0) {
					_t43 = UpdateWindow( *(_v60 + 0x20));
					goto L10;
				} else {
					 *((intOrPtr*)(_t76 + 0xfc0)) = 0;
					if(_a4 == 0) {
						_t43 = E00063614(_t76, 0, 0xffffffff, 0xffffffff,  *((intOrPtr*)(_t76 + 0x138)),  *((intOrPtr*)(_t76 + 0x13c)), 0x16);
					}
					goto L11;
				}
			}

0x000805cc
0x000805d4
0x000805db
0x000805e0
0x000805e2
0x000805e9
0x000805ee
0x000806e9
0x000806f6
0x000806f6
0x000805fa
0x000806e0
0x000806e3
0x000806e3
0x00000000
0x000806e3
0x00080600
0x00080606
0x00000000
0x00000000
0x0008060c
0x00080611
0x00080614
0x00080617
0x0008061a
0x00080620
0x00080626
0x00080638
0x00080642
0x00080648
0x0008064b
0x00080650
0x00080654
0x00080657
0x0008065a
0x0008065f
0x00080665
0x0008067b
0x0008067b
0x0008068d
0x00080690
0x00080693
0x00080696
0x00080699
0x000806af
0x000806e3
0x00000000
0x000806b1
0x000806b1
0x000806ba
0x000806d1
0x000806d1
0x00000000
0x000806ba

APIs

GetWindowRect.USER32(?,?), ref: 00080620

Part of subcall function 00063445: GetWindowLongW.USER32(?,000000EC), ref: 00063450

OffsetRect.USER32 ref: 0008067B
UnionRect.USER32(?,?,?), ref: 00080699
EqualRect.USER32 ref: 000806A7
UpdateWindow.USER32 ref: 000806E3

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Window$EqualLongOffsetUnionUpdate
String ID:
API String ID: 4261707372-0
Opcode ID: 852c0d25d6bb959873f8cb30f0d08f21c806400370abcd36a91d9fc28543703c
Instruction ID: 1fd608a8fd4bbf7b506bc4457d8114f14af6f42fbae0c81b6a5495569ec85077
Opcode Fuzzy Hash: 852c0d25d6bb959873f8cb30f0d08f21c806400370abcd36a91d9fc28543703c
Instruction Fuzzy Hash: EA313071901209DFCB50EFA9D9849EEBBF9FF48314F20462EE556A3250DB30A954CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00085D28 Relevance: 7.6, APIs: 5, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00085D28(signed int __ecx, long __edx, void* __esi, int _a4, struct tagPOINT _a8, signed short _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t36;
				int _t39;
				long _t62;
				long _t63;
				signed int _t64;
				int _t66;
				signed int _t67;

				_t65 = __esi;
				_t63 = __edx;
				_t36 =  *0x1c0454; // 0x885926af
				_t37 = _t36 ^ _t67;
				_v8 = _t36 ^ _t67;
				_t64 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xcec)) == 0) {
					_push(__esi);
					_t39 = E0007465B(__ecx + 0xd18, __ecx | 0xffffffff, __ecx | 0xffffffff);
					__eflags = _t39;
					if(_t39 == 0) {
						L6:
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						GetClientRect( *(_t64 + 0x20),  &_v24);
						__eflags =  *0x1c3f04; // 0x0
						if(__eflags != 0) {
							L10:
							_t37 = E00079BD2(0, _t64, _t63, _t64, _t65, __eflags, _a4, _a8.x, _a12);
							L11:
							_pop(_t65);
							L12:
							return E00150836(_t37, 0, _v8 ^ _t67, _t63, _t64, _t65);
						}
						_push(_a12);
						__eflags = PtInRect( &_v24, _a8.x);
						if(__eflags != 0) {
							goto L10;
						}
						_t66 = E000851E9(0, _t64, _t63, __eflags, _a8.x, _a12);
						__eflags = _t66;
						if(_t66 != 0) {
							MapWindowPoints( *(_t64 + 0x20),  *(_t66 + 0x20),  &_a8, 1);
							_t37 = SendMessageW( *(_t66 + 0x20), 0x200, _a4, (_a12 & 0x0000ffff) << 0x00000010 | _a8 & 0x0000ffff);
						}
						goto L11;
					}
					_v32.x = 0;
					_v32.y = 0;
					GetCursorPos( &_v32);
					_t63 = _v32.x;
					_t62 =  *(_t64 + 0xd1c);
					_t37 = _v32.y;
					__eflags = _t63 -  *(_t64 + 0xd18);
					if(_t63 !=  *(_t64 + 0xd18)) {
						L5:
						 *(_t64 + 0xd18) = _t63;
						 *(_t64 + 0xd1c) = _t37;
						goto L6;
					}
					__eflags = _t37 - _t62;
					if(_t37 == _t62) {
						goto L11;
					}
					goto L5;
				}
				 *((intOrPtr*)(__ecx + 0xcec)) = 0;
				goto L12;
			}

0x00085d28
0x00085d28
0x00085d30
0x00085d35
0x00085d37
0x00085d3c
0x00085d46
0x00085d56
0x00085d61
0x00085d66
0x00085d68
0x00085da2
0x00085da9
0x00085dac
0x00085daf
0x00085db2
0x00085db5
0x00085dbb
0x00085dc1
0x00085e1e
0x00085e29
0x00085e2e
0x00085e2e
0x00085e2f
0x00085e3c
0x00085e3c
0x00085dc3
0x00085dd3
0x00085dd5
0x00000000
0x00000000
0x00085de4
0x00085de6
0x00085de8
0x00085df7
0x00085e16
0x00085e16
0x00000000
0x00085de8
0x00085d6e
0x00085d71
0x00085d74
0x00085d7a
0x00085d7d
0x00085d83
0x00085d86
0x00085d8c
0x00085d96
0x00085d96
0x00085d9c
0x00000000
0x00085d9c
0x00085d8e
0x00085d90
0x00000000
0x00000000
0x00000000
0x00085d90
0x00085d48
0x00000000

APIs

GetCursorPos.USER32(?), ref: 00085D74
GetClientRect.USER32 ref: 00085DB5
PtInRect.USER32(?,?,?), ref: 00085DCD
MapWindowPoints.USER32 ref: 00085DF7
SendMessageW.USER32(?,00000200,?,?), ref: 00085E16

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$ClientCursorMessagePointsSendWindow
String ID:
API String ID: 1257894355-0
Opcode ID: ab1f3d66be91042b0662574cf5b57f92335abe61f8234b24f9314ae9b790a53a
Instruction ID: 7e115be86d83f82ac45350ae773de307f5d535d9303470e1821c81cb76c907ca
Opcode Fuzzy Hash: ab1f3d66be91042b0662574cf5b57f92335abe61f8234b24f9314ae9b790a53a
Instruction Fuzzy Hash: 15312171A00609EFDB18DFA5CC859EEBBB9FF44301F10852AF96996150DB70AA50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0005EF49 Relevance: 7.6, APIs: 5, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0005EF49(intOrPtr* __ecx, void* __edx, int _a4, int _a8, RECT* _a12, struct HWND__* _a16) {
				signed int _v8;
				struct tagRECT _v24;
				RECT* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				struct HWND__* _t45;
				void* _t51;
				intOrPtr* _t53;
				signed int _t54;

				_t51 = __edx;
				_t29 =  *0x1c0454; // 0x885926af
				_v8 = _t29 ^ _t54;
				_t45 = _a16;
				_t53 = __ecx;
				_v28 = _a12;
				if(IsWindowVisible( *(__ecx + 0x20)) != 0 || _v28 != 0 || _t45 != 0) {
					_t33 = ScrollWindow( *(_t53 + 0x20), _a4, _a8, _v28, _t45);
				} else {
					_t45 = GetWindow( *(_t53 + 0x20), 5);
					while(_t45 != 0) {
						_v24.left = 0;
						_v24.top = 0;
						_v24.right = 0;
						_v24.bottom = 0;
						GetWindowRect(_t45,  &_v24);
						E0006632B(_t53,  &_v24);
						SetWindowPos(_t45, 0, _v24.left + _a4, _v24.top + _a8, 0, 0, 0x15);
						_t45 = GetWindow(_t45, 2);
					}
				}
				if( *((intOrPtr*)(_t53 + 0x68)) != 0 && _v28 == 0) {
					_t53 =  *((intOrPtr*)(_t53 + 0x68));
					_t33 =  *((intOrPtr*)( *_t53 + 0x5c))(_a4, _a8);
				}
				return E00150836(_t33, _t45, _v8 ^ _t54, _t51, 0, _t53);
			}

0x0005ef49
0x0005ef51
0x0005ef58
0x0005ef5f
0x0005ef64
0x0005ef69
0x0005ef76
0x0005efe2
0x0005ef81
0x0005efcd
0x0005efc7
0x0005ef8d
0x0005ef90
0x0005ef93
0x0005ef96
0x0005ef99
0x0005efa5
0x0005efbe
0x0005efcd
0x0005efcd
0x0005efd3
0x0005efeb
0x0005eff5
0x0005efff
0x0005efff
0x0005f010

APIs

IsWindowVisible.USER32(?), ref: 0005EF6C
GetWindowRect.USER32(00000000,?), ref: 0005EF99
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 0005EFBE
GetWindow.USER32(?,00000005), ref: 0005EFC7
ScrollWindow.USER32(?,?,?,?,?), ref: 0005EFE2

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$RectScrollVisible
String ID:
API String ID: 2639402888-0
Opcode ID: 86de8ca4feea1e87d9e41e29060141ef25f99969d5d7e6c3f0265ca774462771
Instruction ID: 5ca4de8e5d604efc659b150abcbe3618d24a94f110d89816659f5c476838700b
Opcode Fuzzy Hash: 86de8ca4feea1e87d9e41e29060141ef25f99969d5d7e6c3f0265ca774462771
Instruction Fuzzy Hash: FC213E71900209EBCF11DF95CC89DAFBBF9FF88311F10442AF945A6251D7319A84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00060F8F Relevance: 7.6, APIs: 5, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00060F8F(signed int __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HWND__* _t29;
				signed int _t32;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t54;
				void* _t55;
				void* _t56;

				_t56 = __eflags;
				_t49 = __edx;
				_t42 = __ebx;
				_push(0xa0);
				E00151A19(0x16888d, __ebx, __edi, __esi);
				 *(_t55 - 0x10) = __ecx;
				E00063A4E(_t55 - 0x38);
				_t45 = _t55 - 0xac;
				E0005E98A(_t55 - 0xac, __edx, _t56);
				 *(_t55 - 4) = 0;
				_t29 = GetTopWindow( *(__ecx + 0x20));
				while(1) {
					_t54 = _t29;
					if(_t54 == 0) {
						break;
					}
					 *(_t55 - 0x8c) = _t54;
					 *((intOrPtr*)(_t55 - 0x34)) = GetDlgCtrlID(_t54);
					 *((intOrPtr*)(_t55 - 0x24)) = _t55 - 0xac;
					_t32 = E0005F85A(_t42, _t45, _t49, 0, _t54, __eflags, _t54);
					__eflags = _t32;
					if(_t32 == 0) {
						L3:
						_t45 =  *(_t55 - 0x10);
						__eflags = E000638D4( *(_t55 - 0x10), 0, _t54,  *((intOrPtr*)(_t55 - 0x34)), 0xffffffff, _t55 - 0x38, 0);
						if(__eflags == 0) {
							_t42 =  *(_t55 + 0xc);
							__eflags = _t42;
							if(_t42 != 0) {
								_t36 = SendMessageW( *(_t55 - 0x8c), 0x87, 0, 0);
								__eflags = _t36 & 0x00002000;
								if((_t36 & 0x00002000) == 0) {
									L10:
									_t42 = 0;
									__eflags = 0;
								} else {
									_t38 = E0006342B(_t55 - 0xac) & 0x0000000f;
									__eflags = _t38 - 3;
									if(_t38 == 3) {
										goto L10;
									} else {
										__eflags = _t38 - 6;
										if(_t38 == 6) {
											goto L10;
										} else {
											__eflags = _t38 - 7;
											if(_t38 == 7) {
												goto L10;
											} else {
												__eflags = _t38 - 9;
												if(_t38 == 9) {
													goto L10;
												}
											}
										}
									}
								}
							}
							_t45 = _t55 - 0x38;
							E00063A74(_t55 - 0x38,  *((intOrPtr*)(_t55 + 8)), _t42);
						}
					} else {
						_t45 = _t32;
						__eflags = E000638D4(_t32, 0, _t54, 0, 0xbd11ffff, _t55 - 0x38, 0);
						if(__eflags == 0) {
							goto L3;
						}
					}
					_t29 = GetWindow(_t54, 2);
				}
				_t21 = _t55 - 4;
				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
				 *(_t55 - 0x8c) = 0;
				return E00151AF1(E00060BB8(_t42, _t55 - 0xac, _t49, 0, _t54,  *_t21));
			}

0x00060f8f
0x00060f8f
0x00060f8f
0x00060f8f
0x00060f99
0x00060fa0
0x00060fa6
0x00060fab
0x00060fb1
0x00060fbb
0x00060fbe
0x00061072
0x00061072
0x00061076
0x00000000
0x00000000
0x00060fca
0x00060fd6
0x00060fe0
0x00060fe3
0x00060fe8
0x00060fea
0x00061002
0x00061002
0x00061014
0x00061016
0x00061018
0x0006101b
0x0006101d
0x0006102c
0x00061032
0x00061037
0x0006105b
0x0006105b
0x0006105b
0x00061039
0x00061044
0x00061047
0x0006104a
0x00000000
0x0006104c
0x0006104c
0x0006104f
0x00000000
0x00061051
0x00061051
0x00061054
0x00000000
0x00061056
0x00061056
0x00061059
0x00000000
0x00000000
0x00061059
0x00061054
0x0006104f
0x0006104a
0x00061037
0x00061061
0x00061064
0x00061064
0x00060fec
0x00060ff7
0x00060ffe
0x00061000
0x00000000
0x00000000
0x00061000
0x0006106c
0x0006106c
0x0006107c
0x0006107c
0x00061086
0x00061096

APIs

__EH_prolog3.LIBCMT ref: 00060F99
GetTopWindow.USER32(00000000), ref: 00060FBE
GetDlgCtrlID.USER32 ref: 00060FD0
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 0006102C
GetWindow.USER32(00000000,00000002), ref: 0006106C

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: 710596794ee6e454bb9554619a8ae9f4843e2c5d018d804c6d548bb6be9cc946
Instruction ID: 76fb90f5ff2de457ac8fd45dd19f545ce6e5f6594550a694b0db7b302c6de2b2
Opcode Fuzzy Hash: 710596794ee6e454bb9554619a8ae9f4843e2c5d018d804c6d548bb6be9cc946
Instruction Fuzzy Hash: 5421A231900258EEEF25EBA4DC85EEEB6BAEF55300F148156F455A3092DF705E84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0007E28C Relevance: 7.6, APIs: 5, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0007E28C(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t17;
				int _t20;
				intOrPtr* _t28;
				intOrPtr* _t31;
				void* _t36;
				int _t37;
				void* _t39;
				intOrPtr _t45;

				_t36 = __edi;
				_t35 = __edx;
				_t28 = __ecx;
				E0007DCF1(__ecx, __ecx, __edx, __edi, _t39, __eflags);
				E000C7BED(__ecx, __eflags, _a4, _a8, _a12);
				_t45 =  *0x1c3f04; // 0x0
				if(_t45 != 0) {
					_t46 =  *((intOrPtr*)(__ecx + 0xb04));
					if( *((intOrPtr*)(__ecx + 0xb04)) == 0) {
						E00076DE5(__ecx, __ecx, __edx, __edi, _t46);
					}
				}
				if( *((intOrPtr*)(_t28 + 0xb68)) == 0) {
					 *((intOrPtr*)( *_t28 + 0x3e0))();
				}
				_t31 = _t28;
				_t17 =  *((intOrPtr*)( *_t28 + 0x16c))();
				if(_t17 == 0) {
					L11:
					return _t17;
				} else {
					_t17 = E0006EA25(0x1888dc, E0006F25D(_t28, _t35, _t28));
					_t49 = _t17;
					if(_t17 == 0) {
						goto L11;
					}
					_push(_t36);
					_t20 = E00070E3E(_t28, _t31, _t35, _t36, 0, _t49, GetSystemMenu( *(_t17 + 0x20), 0));
					_t37 = _t20;
					if(_t37 != 0) {
						DeleteMenu( *(_t37 + 4), 0xf120, 0);
						DeleteMenu( *(_t37 + 4), 0xf020, 0);
						DeleteMenu( *(_t37 + 4), 0xf030, 0);
						_t20 =  *((intOrPtr*)( *_t28 + 0x1c4))();
						if(_t20 == 0) {
							_t20 = EnableMenuItem( *(_t37 + 4), 0xf060, 1);
						}
					}
					return _t20;
				}
			}

0x0007e28c
0x0007e28c
0x0007e293
0x0007e295
0x0007e2a5
0x0007e2ac
0x0007e2b2
0x0007e2b4
0x0007e2ba
0x0007e2be
0x0007e2be
0x0007e2ba
0x0007e2c9
0x0007e2cf
0x0007e2cf
0x0007e2d7
0x0007e2d9
0x0007e2e1
0x0007e35d
0x0007e35d
0x0007e2e3
0x0007e2ef
0x0007e2f7
0x0007e2f9
0x00000000
0x00000000
0x0007e2fb
0x0007e307
0x0007e30c
0x0007e310
0x0007e321
0x0007e32d
0x0007e339
0x0007e33f
0x0007e347
0x0007e353
0x0007e353
0x0007e347
0x00000000
0x0007e359

APIs

Part of subcall function 0007DCF1: __EH_prolog3_GS.LIBCMT ref: 0007DCF8
Part of subcall function 0007DCF1: GetWindowRect.USER32(?,?), ref: 0007DD39
Part of subcall function 0007DCF1: CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 0007DD63
Part of subcall function 0007DCF1: SetWindowRgn.USER32(?,?,00000000), ref: 0007DD79

GetSystemMenu.USER32 ref: 0007E300
DeleteMenu.USER32 ref: 0007E321
DeleteMenu.USER32 ref: 0007E32D
DeleteMenu.USER32 ref: 0007E339
EnableMenuItem.USER32 ref: 0007E353

Part of subcall function 00076DE5: SetRectEmpty.USER32 ref: 00076E18
Part of subcall function 00076DE5: ReleaseCapture.USER32 ref: 00076E1E
Part of subcall function 00076DE5: SetCapture.USER32(?), ref: 00076E2D
Part of subcall function 00076DE5: GetCapture.USER32 ref: 00076E6F
Part of subcall function 00076DE5: ReleaseCapture.USER32 ref: 00076E7F
Part of subcall function 00076DE5: SetCapture.USER32(?), ref: 00076E8E
Part of subcall function 00076DE5: RedrawWindow.USER32(?,?,?,00000505), ref: 00076EF9

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CaptureMenu$DeleteRectWindow$Release$CreateEmptyEnableH_prolog3_ItemRedrawRoundSystem
String ID:
API String ID: 2818640433-0
Opcode ID: 4f9e317aa30f2ade63709112eef95f03656136963f1682f04f2f545ce578c883
Instruction ID: 51a19541f8fbef185e23c26fc3c6983596d7d299e0107406fd20c3b23a147564
Opcode Fuzzy Hash: 4f9e317aa30f2ade63709112eef95f03656136963f1682f04f2f545ce578c883
Instruction Fuzzy Hash: 9221A231B01211AFDB212F60CC89FAD7B69FF48750F0484B5F6199B2A2CB759C60DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00083962 Relevance: 7.6, APIs: 5, Instructions: 70
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E00083962(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HWND__* _t29;
				int _t41;
				struct HMENU__* _t43;
				void* _t60;
				intOrPtr _t65;
				void* _t66;

				_t60 = __edx;
				_t46 = __ebx;
				_push(4);
				E00151A19(0x16a326, __ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t66 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x17cf7c;
				_t48 =  *((intOrPtr*)(__ecx + 0x10bc));
				 *(_t66 - 4) = 9;
				if( *((intOrPtr*)(__ecx + 0x10bc)) != 0) {
					E000E797D(__ebx, _t48, 0);
				}
				if( *((intOrPtr*)(_t65 + 0xeac)) != 0) {
					_t43 =  *(_t65 + 0xea8);
					if(_t43 != 0) {
						DestroyMenu(_t43);
					}
				}
				_t29 =  *(_t65 + 0x10c0);
				if(_t29 != 0) {
					_t41 = IsWindow(_t29);
					_t72 = _t41;
					if(_t41 != 0) {
						SendMessageW( *(_t65 + 0x10c0), 0x10, 0, 0);
					}
				}
				 *(_t66 - 4) = 8;
				E000DF66B(_t46, _t65 + 0xff0, _t60, 0, _t65, _t72);
				 *(_t66 - 4) = 7;
				 *((intOrPtr*)(_t65 + 0xfcc)) = 0x179fa0;
				E00051420(_t65 + 0xfcc, _t60);
				 *(_t66 - 4) = 6;
				 *((intOrPtr*)(_t65 + 0xfc4)) = 0x179fa0;
				E00051420(_t65 + 0xfc4, _t60);
				 *(_t66 - 4) = 5;
				 *((intOrPtr*)(_t65 + 0xfac)) = 0x179fa0;
				E00051420(_t65 + 0xfac, _t60);
				 *(_t66 - 4) = 4;
				 *((intOrPtr*)(_t65 + 0xfa4)) = 0x179fa0;
				E00051420(_t65 + 0xfa4, _t60);
				 *(_t66 - 4) = 3;
				 *((intOrPtr*)(_t65 + 0xf9c)) = 0x179fa0;
				E00051420(_t65 + 0xf9c, _t60);
				 *(_t66 - 4) = 2;
				E0005CB5C(_t65 + 0xf28, _t60, 0x179fa0, _t65, _t72);
				 *(_t66 - 4) = 1;
				E000847D7(_t46, _t65 + 0x14c, _t60, 0x179fa0, _t65, _t72);
				E00051190( *((intOrPtr*)(_t65 + 0x140)) - 0x10, _t60);
				 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
				return E00151AF1(E000E5361(_t46, _t65, _t60, 0x179fa0, _t65,  *(_t66 - 4)));
			}

0x00083962
0x00083962
0x00083962
0x00083969
0x0008396e
0x00083970
0x00083973
0x00083979
0x00083981
0x0008398a
0x0008398d
0x0008398d
0x00083998
0x0008399a
0x000839a2
0x000839a5
0x000839a5
0x000839a2
0x000839ab
0x000839b3
0x000839b6
0x000839bc
0x000839be
0x000839ca
0x000839ca
0x000839be
0x000839d6
0x000839da
0x000839ea
0x000839ee
0x000839f0
0x000839fb
0x000839ff
0x00083a01
0x00083a0c
0x00083a10
0x00083a12
0x00083a1d
0x00083a21
0x00083a23
0x00083a2e
0x00083a32
0x00083a34
0x00083a3f
0x00083a43
0x00083a4e
0x00083a52
0x00083a60
0x00083a65
0x00083a75

APIs

__EH_prolog3.LIBCMT ref: 00083969
DestroyMenu.USER32 ref: 000839A5
IsWindow.USER32(?), ref: 000839B6
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 000839CA
~_Task_impl.LIBCPMT ref: 00083A43

Part of subcall function 000E797D: GetParent.USER32(?), ref: 000E79E3

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: DestroyH_prolog3MenuMessageParentSendTask_implWindow
String ID:
API String ID: 1857064102-0
Opcode ID: 34133e73b2ef4ef12790fba3dbea4430bbecceb7e16f91094b8094bca7b97018
Instruction ID: aa3ba5b591879669875faa49134a85b7ceb355664dad027e891bd27b35ed74f2
Opcode Fuzzy Hash: 34133e73b2ef4ef12790fba3dbea4430bbecceb7e16f91094b8094bca7b97018
Instruction Fuzzy Hash: B431BC30501680DFD722EB78C545BFEBAF4AF85304F14488CE4EA57682CBB42644DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0015354B Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0015354B(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x1c7b24, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x1c7e5c - _t7;
								if(__eflags == 0) {
									_t9 = E00151F1F(__eflags);
									 *_t9 = E00151EDD(GetLastError());
									goto L17;
								} else {
									__eflags = E0015A6E4(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E00151F1F(__eflags);
										 *_t12 = E00151EDD(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E0015A6E4(_t6, _t30);
						 *((intOrPtr*)(E00151F1F(__eflags))) = 0xc;
						goto L12;
					} else {
						E00150CB2(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00151013(__edx, __edi, __esi, _a8);
				}
			}

0x00153554
0x00153561
0x00153562
0x00153565
0x00153567
0x00153576
0x001535a9
0x001535a9
0x001535ac
0x00000000
0x00000000
0x00153579
0x0015357b
0x0015357d
0x0015357d
0x0015357d
0x0015358a
0x00153590
0x00153592
0x00153594
0x001535f4
0x001535f4
0x00153596
0x00153596
0x0015359c
0x001535de
0x001535f2
0x00000000
0x0015359e
0x001535a5
0x001535a7
0x001535c6
0x001535da
0x001535c0
0x001535c0
0x001535c0
0x00000000
0x00000000
0x00000000
0x001535a7
0x0015359c
0x00000000
0x001535c2
0x001535af
0x001535ba
0x00000000
0x00153569
0x0015356c
0x00153572
0x00153572
0x001535c3
0x001535c5
0x00153556
0x00153560
0x00153560

APIs

_malloc.LIBCMT ref: 00153559

Part of subcall function 00151013: __FF_MSGBANNER.LIBCMT ref: 0015102C
Part of subcall function 00151013: __NMSG_WRITE.LIBCMT ref: 00151033
Part of subcall function 00151013: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0015A71D,?,00000001,?,?,0015EDB7,00000018,001B7030,0000000C,0015EE47), ref: 00151058

_free.LIBCMT ref: 0015356C

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 423828ed7235ef6434dd9b1ce05c7fd16b3ffb87f193c8593d81765b5e63505a
Instruction ID: 23b2b92f4c7dd4f6d20bbbd58ad480c0ec97b553288d597406d722208a549e02
Opcode Fuzzy Hash: 423828ed7235ef6434dd9b1ce05c7fd16b3ffb87f193c8593d81765b5e63505a
Instruction Fuzzy Hash: 1C110832414614FBCB222B74EC05B5A3B959F503E3B205526FD398F590EF348A8C8A90

Uniqueness

Uniqueness Score: -1.00%

Function 00085C75 Relevance: 7.6, APIs: 5, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00085C75(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _t19;
				intOrPtr _t22;
				intOrPtr* _t31;
				intOrPtr _t44;

				if( *0x1c3f04 != 0) {
					_t31 = _a4;
					_t44 = _a8;
					 *((intOrPtr*)(_t31 + 8)) = 1;
					E000782C3(__ecx, _t31, _t44);
					EnableMenuItem( *(_t44 + 4), 0x4212, 1);
					EnableMenuItem( *(_t44 + 4), 0x4213, 0);
					__eflags =  *((intOrPtr*)(_t31 + 4));
					if( *((intOrPtr*)(_t31 + 4)) == 0) {
						_t19 =  *((intOrPtr*)(_t31 + 0x34));
					} else {
						_t19 =  *((intOrPtr*)(_t31 + 0x38));
					}
					__eflags = _t19;
					if(_t19 >= 0) {
						_push(0);
					} else {
						__eflags =  *0x1c3f1c; // 0x0
						_push(0 | __eflags == 0x00000000);
					}
					EnableMenuItem( *(_t44 + 4), 0x4214, ??);
					_t13 = E00099851() + 0x58; // 0x58
					_t22 = E0007939D(_t13,  *((intOrPtr*)(_t31 + 0x20)), 0);
					__eflags = _t22;
					if(_t22 != 0) {
						CheckMenuItem( *(_t44 + 4), 0x4213, 8);
						CheckMenuItem( *(_t44 + 4), 0x4214, 0);
					}
					__eflags = 1;
					return 1;
				}
				return 0;
			}

0x00085c81
0x00085c8b
0x00085c8f
0x00085c98
0x00085c9b
0x00085caf
0x00085cbb
0x00085cbf
0x00085cc2
0x00085cc9
0x00085cc4
0x00085cc4
0x00085cc4
0x00085ccc
0x00085cce
0x00085cde
0x00085cd0
0x00085cd2
0x00085cdb
0x00085cdb
0x00085ce7
0x00085cf4
0x00085cf7
0x00085cfc
0x00085cfe
0x00085d10
0x00085d1c
0x00085d1c
0x00085d22
0x00000000
0x00085d23
0x00000000

APIs

EnableMenuItem.USER32 ref: 00085CAF
EnableMenuItem.USER32 ref: 00085CBB
EnableMenuItem.USER32 ref: 00085CE7
CheckMenuItem.USER32 ref: 00085D10
CheckMenuItem.USER32 ref: 00085D1C

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: a37302a48d1840ee9dff15795b7e5aa8099e08f673c08bf01a73d0f6b24ad78b
Instruction ID: acb6911239bb96c912b07f74cecd065c7c1c1b2e4eb80aeef4ec2096218435aa
Opcode Fuzzy Hash: a37302a48d1840ee9dff15795b7e5aa8099e08f673c08bf01a73d0f6b24ad78b
Instruction Fuzzy Hash: 5211E731240B04AEDB20BF25DC46F567BA9FB84711F508429FA5ADB4B2C670EC80CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0007DCF1 Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0007DCF1(intOrPtr __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t47;
				intOrPtr* _t51;
				void* _t52;

				_t47 = __edx;
				_t40 = __ebx;
				_push(0x1c);
				E00151A82(0x16a074, __ebx, __edi, __esi);
				_t51 = __ecx;
				if(__ecx != 0 &&  *(__ecx + 0x20) != 0) {
					if( *((intOrPtr*)(__ecx + 0xb64)) == 0 ||  *((intOrPtr*)( *__ecx + 0x19c))() == 0) {
						SetWindowRgn( *(_t51 + 0x20), 0, 0);
					} else {
						 *(_t52 - 0x20) = 0;
						 *((intOrPtr*)(_t52 - 0x1c)) = 0;
						 *((intOrPtr*)(_t52 - 0x18)) = 0;
						 *((intOrPtr*)(_t52 - 0x14)) = 0;
						GetWindowRect( *(__ecx + 0x20), _t52 - 0x20);
						_t40 = 0x17ad2c;
						 *(_t52 - 0x24) = 0;
						 *((intOrPtr*)(_t52 - 0x28)) = 0x17ad2c;
						 *(_t52 - 4) = 0;
						E000667CA(0x17ad2c, _t52 - 0x28, _t47, 0, CreateRoundRectRgn(0, 0,  *((intOrPtr*)(_t52 - 0x18)) -  *(_t52 - 0x20) + 1,  *((intOrPtr*)(_t52 - 0x14)) -  *((intOrPtr*)(_t52 - 0x1c)) + 1, 4, 4));
						SetWindowRgn( *(_t51 + 0x20),  *(_t52 - 0x24), 0);
						 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t52 - 0x28)) = 0x17ad2c;
						E00051420(_t52 - 0x28, _t47);
					}
				}
				return E00151B05(_t40, 0, _t51);
			}

0x0007dcf1
0x0007dcf1
0x0007dcf1
0x0007dcf8
0x0007dcfd
0x0007dd03
0x0007dd18
0x0007dd95
0x0007dd26
0x0007dd2d
0x0007dd30
0x0007dd33
0x0007dd36
0x0007dd39
0x0007dd3f
0x0007dd44
0x0007dd47
0x0007dd60
0x0007dd6d
0x0007dd79
0x0007dd7f
0x0007dd86
0x0007dd89
0x0007dd89
0x0007dd18
0x0007dda0

APIs

__EH_prolog3_GS.LIBCMT ref: 0007DCF8
GetWindowRect.USER32(?,?), ref: 0007DD39
CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 0007DD63
SetWindowRgn.USER32(?,?,00000000), ref: 0007DD79
SetWindowRgn.USER32(?,00000000,00000000), ref: 0007DD95

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Rect$CreateH_prolog3_Round
String ID:
API String ID: 2502471913-0
Opcode ID: 63d2c39aa8b0decec54f2778cde5070ba67f5695ff3e1990324f8224ecada9c1
Instruction ID: 59c9c0a029384a4f47333cd0f9c276cc2bac021abecde8930fc16cf9059c4335
Opcode Fuzzy Hash: 63d2c39aa8b0decec54f2778cde5070ba67f5695ff3e1990324f8224ecada9c1
Instruction Fuzzy Hash: F6110671C00209EFDB21DFA5C9899EEFBF8FF88711F14021AE55AB2260D7356940CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00071D1C Relevance: 7.6, APIs: 5, Instructions: 55
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00071D1C(void* __ecx, void* __edx, struct HWND__* _a4, WCHAR* _a8) {
				signed int _v8;
				char _v518;
				short _v520;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t23;
				void* _t24;
				void* _t25;
				void* _t28;
				int _t30;
				void* _t31;
				WCHAR* _t33;
				void* _t34;
				signed int _t38;

				_t28 = __edx;
				_t25 = __ecx;
				_t36 = _t38;
				_t9 =  *0x1c0454; // 0x885926af
				_v8 = _t9 ^ _t38;
				_t23 = _a4;
				_t33 = _a8;
				if(_t23 == 0) {
					L2:
					E000655E0(_t25);
				}
				if(_t33 == 0) {
					goto L2;
				}
				_t30 = lstrlenW(_t33);
				_v520 = 0;
				E00151B30( &_v518, 0, 0x1fe);
				if(_t30 > 0x100 || GetWindowTextW(_t23,  &_v520, 0x100) != _t30 || lstrcmpW( &_v520, _t33) != 0) {
					_t17 = SetWindowTextW(_t23, _t33);
				}
				_pop(_t31);
				_pop(_t34);
				_pop(_t24);
				return E00150836(_t17, _t24, _v8 ^ _t36, _t28, _t31, _t34);
			}

0x00071d1c
0x00071d1c
0x00071d1f
0x00071d27
0x00071d2e
0x00071d32
0x00071d36
0x00071d3c
0x00071d3e
0x00071d3e
0x00071d3e
0x00071d45
0x00000000
0x00000000
0x00071d4e
0x00071d58
0x00071d66
0x00071d75
0x00071d9e
0x00071d9e
0x00071da7
0x00071da8
0x00071dab
0x00071db2

APIs

lstrlenW.KERNEL32(?,?,?), ref: 00071D48
_memset.LIBCMT ref: 00071D66
GetWindowTextW.USER32 ref: 00071D80
lstrcmpW.KERNEL32(?,?,?,?), ref: 00071D92
SetWindowTextW.USER32 ref: 00071D9E

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
String ID:
API String ID: 289641511-0
Opcode ID: c654b1a2dfe1d39c471549c69ba42a8bd23b8f6f216d7d00bba9afbae360082e
Instruction ID: c0c337f05e26ea248fca396bf3f1170c76a6abbeb594627f14b579d49669595a
Opcode Fuzzy Hash: c654b1a2dfe1d39c471549c69ba42a8bd23b8f6f216d7d00bba9afbae360082e
Instruction Fuzzy Hash: 870165B6900319A7DB21AB68DC49DDB77BDEF58350F008061FD19D7182EA34DD448A64

Uniqueness

Uniqueness Score: -1.00%

Function 000DF533 Relevance: 7.6, APIs: 5, Instructions: 53
threadCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E000DF533(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t18;
				void* _t20;
				void* _t24;
				intOrPtr _t28;
				void* _t33;

				_push(0);
				_t10 = E00151A19(0x16e4ba, __ebx, __edi, __esi);
				_t28 =  *0x1bcff8; // 0x1
				if(_t28 != 0) {
					if( *0x1be408 != 0xfffffffe) {
						_t10 =  *(_t24 + 8);
						 *0x1be408 = _t10;
						__eflags = _t10 - 0xffffffff;
						if(_t10 == 0xffffffff) {
							 *0x1c5a84 = 0;
						}
					} else {
						if( *(_t24 + 8) != 0xffffffff) {
							_t31 =  *0x1c5aa8 & 0x00000001;
							if(( *0x1c5aa8 & 0x00000001) == 0) {
								 *0x1c5aa8 =  *0x1c5aa8 | 0x00000001;
								 *(_t24 - 4) = 0;
								E000562B0(__ebx, __edi, _t31);
								E001511CA(_t31, 0x1763d3);
								 *(_t24 - 4) =  *(_t24 - 4) | 0xffffffff;
								_pop(_t18);
							}
							EnterCriticalSection(0x1c5a90);
							_t33 =  *0x1c5a84; // 0x0
							if(_t33 != 0) {
								E000655E0(_t18);
							}
							_t10 = E00157028(_t20, 0xdf4db, 0, 0);
							 *0x1c5a84 = _t10;
							if(_t10 <= 0 || _t10 == 0xffffffff) {
								 *0x1c5a84 = 0;
							} else {
								SetThreadPriority(_t10, 0xffffffff);
								_t10 =  *(_t24 + 8);
								 *0x1be408 =  *(_t24 + 8);
							}
							LeaveCriticalSection(0x1c5a90);
						}
					}
				}
				return E00151AF1(_t10);
			}

0x000df533
0x000df53a
0x000df541
0x000df547
0x000df554
0x000df5e8
0x000df5eb
0x000df5f0
0x000df5f3
0x000df5f5
0x000df5f5
0x000df55a
0x000df55e
0x000df564
0x000df56b
0x000df56d
0x000df579
0x000df57c
0x000df586
0x000df58b
0x000df58f
0x000df58f
0x000df596
0x000df59c
0x000df5a2
0x000df5a4
0x000df5a4
0x000df5b0
0x000df5b8
0x000df5bf
0x000df5d9
0x000df5c6
0x000df5c9
0x000df5cf
0x000df5d2
0x000df5d2
0x000df5e0
0x000df5e0
0x000df55e
0x000df554
0x000df600

APIs

__EH_prolog3.LIBCMT ref: 000DF53A
EnterCriticalSection.KERNEL32(001C5A90,00000000,0007AB65,00000001), ref: 000DF596
__beginthread.LIBCMT ref: 000DF5B0
SetThreadPriority.KERNEL32(00000000,000000FF), ref: 000DF5C9
LeaveCriticalSection.KERNEL32(001C5A90), ref: 000DF5E0

Part of subcall function 000562B0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,00000000,885926AF,?,?,?,00173B58,000000FF), ref: 000562F3
Part of subcall function 000562B0: GetLastError.KERNEL32(?,?,?,00173B58,000000FF), ref: 000562FD

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CriticalSection$CountEnterErrorH_prolog3InitializeLastLeavePrioritySpinThread__beginthread
String ID:
API String ID: 4077887634-0
Opcode ID: 405ffba833b11d5c49dd876a2928b66da06add5824ac3fb197c08a216e9f1fc3
Instruction ID: cb36b7c662dce1f6df714e3a159f9b1b7f219d52c9b50d008e5cb5d89eb26ba6
Opcode Fuzzy Hash: 405ffba833b11d5c49dd876a2928b66da06add5824ac3fb197c08a216e9f1fc3
Instruction Fuzzy Hash: B711B670401F12EFC7119F34AD895693FA1AB05335B208366F93B9BAE1C730D5C29761

Uniqueness

Uniqueness Score: -1.00%

Function 000B9C6E Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E000B9C6E(void* __ebx, intOrPtr __ecx, void* __edx, WCHAR* _a4, void* _a8) {
				intOrPtr _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t9;
				void* _t10;
				void* _t16;
				void* _t17;
				void* _t21;
				void* _t22;
				struct HRSRC__* _t23;
				struct HINSTANCE__* _t26;
				void* _t28;

				_t21 = __edx;
				_t16 = __ebx;
				_push(__ecx);
				_t26 = _a8;
				_push(_t22);
				_v8 = __ecx;
				_t29 = _t26;
				if(_t26 == 0) {
					_t26 =  *(E0006B628(__ebx, _t22, _t26, _t29) + 0xc);
				}
				_t23 = FindResourceW(_t26, _a4,  *0x1c56bc);
				if(_t23 != 0) {
					_t9 = LoadResource(_t26, _t23);
					_a8 = _t9;
					__eflags = _t9;
					if(_t9 == 0) {
						goto L3;
					}
					_push(_t16);
					_t17 = LockResource(_t9);
					__eflags = _t17;
					if(_t17 != 0) {
						_t28 = E000B9B9C(_v8, _t21, _t23, _t17, SizeofResource(_t26, _t23));
					} else {
						_t28 = 0;
						__eflags = 0;
					}
					FreeResource(_a8);
					_t10 = _t28;
					goto L4;
				} else {
					L3:
					_t10 = 0;
					L4:
					return _t10;
				}
			}

0x000b9c6e
0x000b9c6e
0x000b9c73
0x000b9c75
0x000b9c78
0x000b9c79
0x000b9c7c
0x000b9c7e
0x000b9c85
0x000b9c85
0x000b9c98
0x000b9c9c
0x000b9ca8
0x000b9cae
0x000b9cb1
0x000b9cb3
0x00000000
0x00000000
0x000b9cb5
0x000b9cbd
0x000b9cbf
0x000b9cc1
0x000b9ce5
0x000b9cc3
0x000b9cc3
0x000b9cc3
0x000b9cc3
0x000b9cc8
0x000b9cce
0x00000000
0x000b9c9e
0x000b9c9e
0x000b9c9e
0x000b9ca0
0x000b9ca3
0x000b9ca3

APIs

FindResourceW.KERNEL32(?,?,77474F70,00000000,00184484,?,000BBB20,?,?,?,00000084,000BBEF4,0000000A,0000000A,0000000A,00000000), ref: 000B9C92
LoadResource.KERNEL32(?,00000000,?,000BBB20,?,?,?,00000084,000BBEF4,0000000A,0000000A,0000000A,00000000,00000014,000B431B,00000004), ref: 000B9CA8
LockResource.KERNEL32(00000000,?,?,000BBB20,?,?,?,00000084,000BBEF4,0000000A,0000000A,0000000A,00000000,00000014,000B431B,00000004), ref: 000B9CB7
FreeResource.KERNEL32(?,00000000,00000000,?,?,000BBB20,?,?,?,00000084,000BBEF4,0000000A,0000000A,0000000A,00000000,00000014), ref: 000B9CC8
SizeofResource.KERNEL32(?,00000000,?,?,000BBB20,?,?,?,00000084,000BBEF4,0000000A,0000000A,0000000A,00000000,00000014,000B431B), ref: 000B9CD5

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: 428b608648ae054c7099a688ff5bc4fd7cd020c63d43b26a5f70c8749210616e
Instruction ID: 0558772c85e2ca973700eae92cb52ca7fd442ac4f0114f7a570cea2cec2136fe
Opcode Fuzzy Hash: 428b608648ae054c7099a688ff5bc4fd7cd020c63d43b26a5f70c8749210616e
Instruction Fuzzy Hash: F8017C76504615BB8B615BA59C08CDF7FBDEF953617104024FA0A93650DB30EE808BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00081A6E Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00081A6E(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* __ebp;
				void* _t20;
				struct HICON__* _t21;
				void* _t25;
				void* _t28;
				void* _t30;

				_push(__ecx);
				_push(__ecx);
				_v12.x = _v12.x & 0x00000000;
				_v12.y = _v12.y & 0x00000000;
				_t30 = __ecx;
				GetCursorPos( &_v12);
				ScreenToClient( *(_t30 + 0x20),  &_v12);
				_push(_v12.y);
				if(PtInRect(_t30 + 0xfe0, _v12) == 0) {
					_t20 = E000D5C5C(_t25, _t30, _t28, _a4, _a8, _a12);
				} else {
					_t21 =  *0x1c3a8c; // 0x0
					_t33 = _t21;
					if(_t21 == 0) {
						E0006B628(_t25, _t28, _t30, _t33);
						_t21 = LoadCursorW(0, 0x7f86);
						 *0x1c3a8c = _t21;
					}
					SetCursor(_t21);
					_t20 = 1;
				}
				return _t20;
			}

0x00081a73
0x00081a74
0x00081a75
0x00081a79
0x00081a82
0x00081a84
0x00081a91
0x00081a97
0x00081aac
0x00081ae5
0x00081aae
0x00081aae
0x00081ab3
0x00081ab5
0x00081ab7
0x00081ac3
0x00081ac9
0x00081ac9
0x00081acf
0x00081ad7
0x00081ad7
0x00081aec

APIs

GetCursorPos.USER32(00000000), ref: 00081A84
ScreenToClient.USER32(?,00000000), ref: 00081A91
PtInRect.USER32(?,00000000,00000000), ref: 00081AA4
LoadCursorW.USER32 ref: 00081AC3
SetCursor.USER32(00000000), ref: 00081ACF

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Cursor$ClientLoadRectScreen
String ID:
API String ID: 2747913190-0
Opcode ID: 5bfb5c748dee57843870f0704fd36f75965489f962b6d5c45cbb0c465668903a
Instruction ID: 90876a045e45643828906f2331e6ffc6fc24f3f79960acb219d4636e00d12034
Opcode Fuzzy Hash: 5bfb5c748dee57843870f0704fd36f75965489f962b6d5c45cbb0c465668903a
Instruction Fuzzy Hash: D0014872504209BFDB10AFA0DC08EEE7BB8FF08316F104468F40AD2460D674DA91DB21

Uniqueness

Uniqueness Score: -1.00%

Function 0015B1E1 Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 66%

			E0015B1E1(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x1b6df8);
				E00151BC0(__ebx, __edi, __esi);
				_t28 = E00157F08(__ebx, __edx, _t31);
				_t12 =  *0x1c0b90; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E0015EE2C(_t20, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E0015B194(_t29,  *0x1c0dd8);
					 *(_t30 - 4) = 0xfffffffe;
					E0015B24E();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00157F08(_t20, __edx, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E001540CA(_t25, _t34);
				}
				return E00151C05(_t29);
			}

0x0015b1e1
0x0015b1e1
0x0015b1e1
0x0015b1e1
0x0015b1e1
0x0015b1e3
0x0015b1e8
0x0015b1f2
0x0015b1f4
0x0015b1fc
0x0015b220
0x0015b222
0x0015b228
0x0015b232
0x0015b23d
0x0015b240
0x0015b247
0x0015b1fe
0x0015b1fe
0x0015b202
0x00000000
0x0015b204
0x0015b209
0x0015b209
0x0015b202
0x0015b20c
0x0015b20e
0x0015b210
0x0015b212
0x0015b217
0x0015b21f

APIs

__getptd.LIBCMT ref: 0015B1ED

Part of subcall function 00157F08: __getptd_noexit.LIBCMT ref: 00157F0B
Part of subcall function 00157F08: __amsg_exit.LIBCMT ref: 00157F18

__getptd.LIBCMT ref: 0015B204
__amsg_exit.LIBCMT ref: 0015B212
__lock.LIBCMT ref: 0015B222
__updatetlocinfoEx_nolock.LIBCMT ref: 0015B236

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 067311c1b88f1d9e9a35f526c1999d33aa77e1f95a9c72fbbf5b727cfc88d4bd
Instruction ID: 9af9649d42d6dc74cf299bb6fd64ce5698f2a337ce38b72adf92bfe0fdb42f9d
Opcode Fuzzy Hash: 067311c1b88f1d9e9a35f526c1999d33aa77e1f95a9c72fbbf5b727cfc88d4bd
Instruction Fuzzy Hash: D6F0B432948714DBD726BBB4A843B5E77E0AF10727F110109FC35AF6D2CB246988CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0005B4DE Relevance: 7.5, APIs: 5, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0005B4DE(void* __ebx, void* __edi, void* __esi) {
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t13;
				void* _t14;
				void* _t15;

				_t14 = __esi;
				_t13 = __edi;
				if(__ebx != __edi) {
					LocalFree(__ebx);
				}
				if(_t14 != _t13) {
					LocalFree(_t14);
				}
				_t4 =  *(_t15 - 0x4c);
				if(_t4 != _t13) {
					FreeSid(_t4);
				}
				_t5 =  *(_t15 - 0x58);
				if(_t5 != _t13) {
					CloseHandle(_t5);
				}
				_t6 =  *(_t15 - 0x50);
				if(_t6 != _t13) {
					return CloseHandle(_t6);
				}
				return _t6;
			}

0x0005b4de
0x0005b4de
0x0005b4e0
0x0005b4e3
0x0005b4e3
0x0005b4eb
0x0005b4ee
0x0005b4ee
0x0005b4f4
0x0005b4f9
0x0005b4fc
0x0005b4fc
0x0005b502
0x0005b507
0x0005b50a
0x0005b50a
0x0005b510
0x0005b515
0x00000000
0x0005b518
0x0005b51e

APIs

LocalFree.KERNEL32(00000000,0005B4B7), ref: 0005B4E3
LocalFree.KERNEL32(00000000,0005B4B7), ref: 0005B4EE
FreeSid.ADVAPI32(?,0005B4B7), ref: 0005B4FC
CloseHandle.KERNEL32(?), ref: 0005B50A
CloseHandle.KERNEL32(?), ref: 0005B518

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Free$CloseHandleLocal
String ID:
API String ID: 705109652-0
Opcode ID: f3655d6bd582a3a6ca2ac8fd78829c4e680a0ade6ce00e89aa84fd39b833a175
Instruction ID: cf26eabc91a74313ff2bf632b120e086267f6b33d464af414fcbf0bf93d67c17
Opcode Fuzzy Hash: f3655d6bd582a3a6ca2ac8fd78829c4e680a0ade6ce00e89aa84fd39b833a175
Instruction Fuzzy Hash: CEE0BF74904A049BCB625BB89C8C95EBBBEBB40702F784900F857E3555E736EDC5CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0007CC90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0007CC90(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, char _a4) {
				short _v6;
				short _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v20;
				short _v24;
				void* _v28;
				intOrPtr* _t45;
				intOrPtr* _t56;
				intOrPtr* _t58;
				short _t60;
				signed int _t69;
				intOrPtr* _t77;
				intOrPtr* _t86;
				intOrPtr* _t90;
				intOrPtr _t91;
				void* _t93;
				short _t95;
				intOrPtr _t98;
				intOrPtr* _t100;
				short _t101;

				_t94 = __edi;
				_t93 = __edx;
				_push(__ebx);
				_push(__esi);
				_t98 = __ecx;
				_t81 = __ecx + 0xcac;
				_v16 = __ecx + 0xcac;
				_t45 = E000D0797(__ecx + 0xcac, __edi);
				_t77 =  *((intOrPtr*)(_t98 + 0xbcc));
				if(_t77 == 0) {
					L13:
					return _t45;
				} else {
					_push(__edi);
					while(1) {
						_t45 = _t77;
						if(_t77 == 0) {
							break;
						}
						_t98 =  *((intOrPtr*)(_t45 + 8));
						_t77 =  *_t77;
						if(_t98 == 0) {
							L12:
							goto L13;
						} else {
							if(( *(_t98 + 0x24) & 0x00000001) != 0 ||  *((intOrPtr*)(_t98 + 8)) == 0) {
								L11:
								if(_t77 != 0) {
									continue;
								} else {
									goto L12;
								}
							} else {
								_t81 = _t98 + 0x2c;
								_t45 = E0007ACD2(_t98 + 0x2c, 0x26, 0);
								if(_t45 < 0) {
									goto L11;
								} else {
									_t91 =  *((intOrPtr*)(_t98 + 0x2c));
									_t81 =  *((intOrPtr*)(_t91 - 0xc)) - 1;
									if(_t45 >=  *((intOrPtr*)(_t91 - 0xc)) - 1) {
										goto L11;
									} else {
										_t69 = _t45 + 1;
										if(_t69 < 0) {
											L15:
											E00051330(_t77, _t81, _t94, _t98);
											asm("int3");
											E00151A19(0x169db4, _t77, _t94, _t98);
											E000E1F9B(_t77, _t81, _t93, _t94, _t98, __eflags);
											_t95 = 0;
											_v8 = 0;
											E00051110( &_a4, E00065761());
											_v8 = 1;
											E00051400( &_a4, L"%sMFCToolBarParameters", _v20);
											_v28 = 0;
											_v24 = 0;
											_v8 = 2;
											_t56 = E000E1CBE(_t77,  &_v28, 0, _t98, __eflags);
											_t79 = _a4;
											_t100 = _t56;
											_t58 =  *((intOrPtr*)( *_t100 + 0x10))(_a4, 0, 1,  &_v20,  *0x1c3f3c, _a4, 0xc, 0x80070057);
											__eflags = _t58;
											if(_t58 != 0) {
												_t60 =  *((intOrPtr*)( *_t100 + 0x54))(L"LargeIcons", 0x1c3f0c);
												_t86 = _v28;
												_t101 = _t60;
												_v8 = 1;
												__eflags = _t86;
												if(_t86 != 0) {
													 *((intOrPtr*)( *_t86 + 4))(1);
												}
												_t95 = _t101;
											} else {
												_t90 = _v28;
												_v8 = 1;
												__eflags = _t90;
												if(_t90 != 0) {
													 *((intOrPtr*)( *_t90 + 4))(1);
												}
											}
											E00051190(_t79 - 0x10, _t93);
											__eflags = _v20 + 0xfffffff0;
											E00051190(_v20 + 0xfffffff0, _t93);
											return E00151AF1(_t95);
										} else {
											_t81 =  *((intOrPtr*)(_t98 + 0x2c));
											if(_t69 >  *((intOrPtr*)(_t81 - 0xc))) {
												goto L15;
											} else {
												_v8 =  *((intOrPtr*)(_t81 + _t69 * 2));
												_v6 = 0;
												CharUpperW( &_v8);
												_t81 = _v16;
												_v12 = _v8 & 0x0000ffff;
												_t45 = E0009A171(_v16, _t93, 0,  &_v12);
												 *_t45 = _t98;
												goto L11;
											}
										}
									}
								}
							}
						}
						goto L22;
					}
					E000655E0(_t81);
					goto L15;
				}
				L22:
			}

0x0007cc90
0x0007cc90
0x0007cc98
0x0007cc99
0x0007cc9a
0x0007cc9c
0x0007cca2
0x0007cca5
0x0007ccaa
0x0007ccb2
0x0007cd28
0x0007cd2b
0x0007ccb4
0x0007ccb4
0x0007ccb5
0x0007ccb5
0x0007ccb9
0x00000000
0x00000000
0x0007ccbb
0x0007ccbe
0x0007ccc2
0x0007cd27
0x00000000
0x0007ccc4
0x0007ccc8
0x0007cd23
0x0007cd25
0x00000000
0x00000000
0x00000000
0x00000000
0x0007ccd0
0x0007ccd4
0x0007ccd7
0x0007ccde
0x00000000
0x0007cce0
0x0007cce0
0x0007cce6
0x0007cce9
0x00000000
0x0007cceb
0x0007cceb
0x0007ccec
0x0007cd31
0x0007cd36
0x0007cd3b
0x0007cd43
0x0007cd55
0x0007cd5d
0x0007cd5f
0x0007cd6b
0x0007cd7c
0x0007cd80
0x0007cd88
0x0007cd8b
0x0007cd94
0x0007cd98
0x0007cd9d
0x0007cda0
0x0007cda7
0x0007cdaa
0x0007cdac
0x0007cdeb
0x0007cdee
0x0007cdf1
0x0007cdf3
0x0007cdf7
0x0007cdf9
0x0007cdff
0x0007cdff
0x0007ce02
0x0007cdae
0x0007cdae
0x0007cdb1
0x0007cdb5
0x0007cdb7
0x0007cdbd
0x0007cdbd
0x0007cdb7
0x0007cdc3
0x0007cdcb
0x0007cdce
0x0007cdda
0x0007ccee
0x0007ccee
0x0007ccf4
0x00000000
0x0007ccf6
0x0007ccfa
0x0007cd00
0x0007cd08
0x0007cd12
0x0007cd15
0x0007cd1c
0x0007cd21
0x00000000
0x0007cd21
0x0007ccf4
0x0007ccec
0x0007cce9
0x0007ccde
0x0007ccc8
0x00000000
0x0007ccc2
0x0007cd2c
0x00000000
0x0007cd2c
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 0007CD43

Part of subcall function 0007ACD2: _wcschr.LIBCMT ref: 0007ACEF

CharUpperW.USER32 ref: 0007CD08

Strings

%sMFCToolBarParameters, xrefs: 0007CD76
LargeIcons, xrefs: 0007CDE4

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CharH_prolog3Upper_wcschr
String ID: %sMFCToolBarParameters$LargeIcons
API String ID: 4292683032-2076908790
Opcode ID: cf21e221285fd806c7b2b5c64a4a2c239834c18e920df53647d8eb53b71c6aba
Instruction ID: 5e041ca5cce48bca182829098495d1b27a15e03373c49407727c33073f495c34
Opcode Fuzzy Hash: cf21e221285fd806c7b2b5c64a4a2c239834c18e920df53647d8eb53b71c6aba
Instruction Fuzzy Hash: 1141D531E00205DFDB21EBA4C885FEEBBF4AF44704F10846DE9199B282DB749E45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00062CBC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00062CBC(void* __ecx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t34;
				intOrPtr* _t36;
				intOrPtr* _t37;
				void* _t39;
				intOrPtr* _t53;
				void* _t55;
				intOrPtr _t56;
				void* _t59;
				void* _t61;
				intOrPtr _t62;

				_t1 = E0006B059(_t55, _t59, _t61, __eflags) + 0x7c; // 0x7c
				_t62 = _t1;
				_t56 =  *((intOrPtr*)(E0006B628(_t55, _t59, _t62, __eflags) + 8));
				if(_a8 != 0 || _a12 != 0) {
					L4:
					_v8 =  *((intOrPtr*)(E00151F1F(__eflags)));
					_t34 = E00151F1F(__eflags);
					_push(_a16);
					 *_t34 = 0;
					_push(_a12);
					_push(_a8);
					_push(_a4);
					E00151EBC(_t62, 0x60, 0x5f, L"Afx:%p:%x:%p:%p:%p", _t56);
					goto L5;
				} else {
					_t69 = _a16;
					if(_a16 != 0) {
						goto L4;
					}
					_v8 =  *((intOrPtr*)(E00151F1F(_t69)));
					_t53 = E00151F1F(_t69);
					_push(_a4);
					 *_t53 = 0;
					E00151EBC(_t62, 0x60, 0x5f, L"Afx:%p:%x", _t56);
					L5:
					_t36 = E00151F1F(_t69);
					_t70 =  *_t36;
					if( *_t36 == 0) {
						_t37 = E00151F1F(__eflags);
						_t58 = _v8;
						 *_t37 = _v8;
					} else {
						E0005CD3F( *((intOrPtr*)(E00151F1F(_t70))));
						_pop(_t58);
					}
					_push( &_v48);
					_push(_t62);
					_push(_t56);
					_t39 = E0005E645(_t58, _t62, _t70);
					_t71 = _t39;
					if(_t39 == 0) {
						_v48 = _a4;
						_v44 = DefWindowProcW;
						_v28 = _a16;
						_v24 = _a8;
						_v20 = _a12;
						_push( &_v48);
						_v36 = 0;
						_v40 = 0;
						_v32 = _t56;
						_v16 = 0;
						_v12 = _t62;
						if(E00062C2E(_t56, _t58, 0, _t62, _t71) == 0) {
							E00065E44(_t58);
						}
					}
					return _t62;
				}
			}

0x00062ccc
0x00062ccc
0x00062cd4
0x00062cdc
0x00062d11
0x00062d18
0x00062d1b
0x00062d20
0x00062d23
0x00062d25
0x00062d28
0x00062d2b
0x00062d39
0x00000000
0x00062ce3
0x00062ce3
0x00062ce6
0x00000000
0x00000000
0x00062cef
0x00062cf2
0x00062cf7
0x00062cfa
0x00062d07
0x00062d41
0x00062d41
0x00062d46
0x00062d48
0x00062d59
0x00062d5e
0x00062d61
0x00062d4a
0x00062d51
0x00062d56
0x00062d56
0x00062d66
0x00062d67
0x00062d68
0x00062d69
0x00062d71
0x00062d73
0x00062d78
0x00062d80
0x00062d86
0x00062d8c
0x00062d92
0x00062d98
0x00062d99
0x00062d9c
0x00062d9f
0x00062da2
0x00062da5
0x00062daf
0x00062db1
0x00062db1
0x00062daf
0x00062dbc
0x00062dbc

APIs

__snwprintf_s.LIBCMT ref: 00062D07
__snwprintf_s.LIBCMT ref: 00062D39

Part of subcall function 00151F1F: __getptd_noexit.LIBCMT ref: 00151F1F

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 00062D2F
Afx:%p:%x, xrefs: 00062CFD

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: __snwprintf_s$__getptd_noexit
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 101746997-2801496823
Opcode ID: 51c11f37d0d198e53705e449a550bf6cb761f71303fa0e66b26267ce21790220
Instruction ID: b4b806880be68112e13dba942861b17d1f42f72b3a516435b74523a03ce99bb8
Opcode Fuzzy Hash: 51c11f37d0d198e53705e449a550bf6cb761f71303fa0e66b26267ce21790220
Instruction Fuzzy Hash: 70316EB5900609FFCB12EFA5C841ADE7BF6EF59351F104016F914AB252D7348A58CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0006EBDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E0006EBDD(intOrPtr __ebx, struct HDC__* _a4) {
				signed int _v8;
				void _v40;
				unsigned int _v98;
				char _v99;
				char _v100;
				unsigned int _v102;
				char _v103;
				char _v104;
				struct tagBITMAPINFOHEADER _v144;
				void* __edi;
				void* __esi;
				signed int _t24;
				unsigned int _t30;
				unsigned int _t31;
				signed int _t32;
				struct HBITMAP__* _t36;
				intOrPtr _t55;
				struct HDC__* _t57;
				intOrPtr _t58;
				intOrPtr _t60;
				intOrPtr _t61;
				signed int _t63;
				signed int _t65;

				_t63 = _t65;
				_t24 =  *0x1c0454; // 0x885926af
				_v8 = _t24 ^ _t63;
				_t57 = _a4;
				E00151B30( &_v144, 0, 0x68);
				_v144.biCompression = _v144.biCompression & 0x00000000;
				_v144.biPlanes = 1;
				_v144.biBitCount = 1;
				_t30 =  *0x1c39ac; // 0xf0f0f0
				_v104 = _t30 >> 0x10;
				_t60 = 8;
				_v144.biSize = 0x28;
				_v144.biWidth = _t60;
				_v144.biHeight = _t60;
				_v103 = _t30 >> 8;
				_v102 = _t30;
				_t31 = GetSysColor(0x14);
				_v100 = _t31 >> 0x10;
				_v98 = _t31;
				_v99 = _t31 >> 8;
				_t32 = 0;
				do {
					asm("sbb ecx, ecx");
					 *((intOrPtr*)(_t63 + _t32 * 4 - 0x24)) = ( ~(_t32 & 0x00000001) & 0x5554aaab) + 0x5555aaaa;
					_t32 = _t32 + 1;
				} while (_t32 < _t60);
				_t36 = CreateDIBitmap(_t57,  &_v144, 4,  &_v40,  &_v144, 0);
				_pop(_t58);
				_pop(_t61);
				return E00150836(_t36, __ebx, _v8 ^ _t63, _t55, _t58, _t61);
			}

0x0006ebe0
0x0006ebe8
0x0006ebef
0x0006ebf4
0x0006ec02
0x0006ec07
0x0006ec0e
0x0006ec12
0x0006ec16
0x0006ec25
0x0006ec28
0x0006ec30
0x0006ec3a
0x0006ec40
0x0006ec46
0x0006ec49
0x0006ec4c
0x0006ec57
0x0006ec5f
0x0006ec62
0x0006ec65
0x0006ec67
0x0006ec71
0x0006ec7f
0x0006ec83
0x0006ec84
0x0006ec9f
0x0006eca8
0x0006ecab
0x0006ecb2

APIs

_memset.LIBCMT ref: 0006EC02
GetSysColor.USER32 ref: 0006EC4C
CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 0006EC9F

Strings

(, xrefs: 0006EC30

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: BitmapColorCreate_memset
String ID: (
API String ID: 3930187609-3887548279
Opcode ID: 2bf08e036a7374d3eac1df681874071b3451c6d19e6fc84fabc47260f51f750d
Instruction ID: 99759294bfbe47fee7512d3ae38fa994ac39f4d8e6bb8f1f2220025434760a88
Opcode Fuzzy Hash: 2bf08e036a7374d3eac1df681874071b3451c6d19e6fc84fabc47260f51f750d
Instruction Fuzzy Hash: 7C210A31A11258DFDB04CBB8CC55BEDBBF8AF54700F00846EE546EB281DA355948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0006F828 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0006F828(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t32;
				int _t36;
				struct HINSTANCE__* _t52;
				WCHAR** _t54;
				void* _t55;
				intOrPtr _t59;

				_t53 = __esi;
				_t51 = __edi;
				_push(0x30);
				E00151A19(0x1691db, __ebx, __edi, __esi);
				_t59 =  *((intOrPtr*)(_t55 + 0xc));
				 *((intOrPtr*)(_t55 - 4)) = 0;
				 *((intOrPtr*)(_t55 - 0x14)) = 0;
				_t60 = _t59 == 0;
				if(_t59 == 0) {
					E000655E0(__ecx);
				}
				_t52 =  *(E0006B628(0, _t51, _t53, _t60) + 8);
				 *((intOrPtr*)(_t55 - 0x10)) = LoadCursorW(0, 0x7f00);
				_t32 = E00065761();
				_t54 =  *(_t55 + 8);
				E00051110(_t54, _t32);
				_push(0x10);
				_push( *((intOrPtr*)(_t55 - 0x10)));
				 *((intOrPtr*)(_t55 - 4)) = 0;
				_push(8);
				_push(_t52);
				 *((intOrPtr*)(_t55 - 0x14)) = 1;
				E00051400(_t54, L"%s:%x:%x:%x:%x",  *((intOrPtr*)(_t55 + 0xc)));
				_t50 = _t55 - 0x3c;
				_t36 = GetClassInfoW(_t52,  *_t54, _t55 - 0x3c);
				_t61 = _t36;
				if(_t36 == 0) {
					 *((intOrPtr*)(_t55 - 0x38)) = DefWindowProcW;
					 *((intOrPtr*)(_t55 - 0x24)) =  *((intOrPtr*)(_t55 - 0x10));
					 *(_t55 - 0x18) =  *_t54;
					_push(_t55 - 0x3c);
					 *(_t55 - 0x3c) = 8;
					 *((intOrPtr*)(_t55 - 0x30)) = 0;
					 *((intOrPtr*)(_t55 - 0x34)) = 0;
					 *(_t55 - 0x2c) = _t52;
					 *((intOrPtr*)(_t55 - 0x28)) = 0;
					 *((intOrPtr*)(_t55 - 0x20)) = 0x10;
					 *((intOrPtr*)(_t55 - 0x1c)) = 0;
					if(E00062C2E(0, _t50, _t52, _t54, _t61) == 0) {
						E00065E44(_t50);
					}
				}
				return E00151AF1(_t54);
			}

0x0006f828
0x0006f828
0x0006f828
0x0006f82f
0x0006f838
0x0006f83b
0x0006f841
0x0006f844
0x0006f846
0x0006f848
0x0006f848
0x0006f852
0x0006f861
0x0006f864
0x0006f869
0x0006f86f
0x0006f874
0x0006f876
0x0006f879
0x0006f87c
0x0006f87e
0x0006f882
0x0006f88f
0x0006f899
0x0006f89f
0x0006f8a5
0x0006f8a7
0x0006f8ae
0x0006f8b4
0x0006f8b9
0x0006f8bf
0x0006f8c0
0x0006f8c7
0x0006f8ca
0x0006f8cd
0x0006f8d0
0x0006f8d3
0x0006f8da
0x0006f8e4
0x0006f8e6
0x0006f8e6
0x0006f8e4
0x0006f8f2

APIs

__EH_prolog3.LIBCMT ref: 0006F82F
LoadCursorW.USER32 ref: 0006F85B
GetClassInfoW.USER32 ref: 0006F89F

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Strings

%s:%x:%x:%x:%x, xrefs: 0006F889

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ClassCursorException@8H_prolog3InfoLoadThrow
String ID: %s:%x:%x:%x:%x
API String ID: 3514338993-1000192757
Opcode ID: 8dae6e2c043b53460e432151e4755c8b312cba07ad57aadb18d9657820d56a2f
Instruction ID: 2892a632a302749453f6de2bb3b0fb326ee237dc91a5601d64b3b30b75425924
Opcode Fuzzy Hash: 8dae6e2c043b53460e432151e4755c8b312cba07ad57aadb18d9657820d56a2f
Instruction Fuzzy Hash: C22118B0D01209AFDB01EFA5D885AEEBBF5BF08301F104429F904B7242DB745A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00061585 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00061585(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* __esi;
				void* __ebp;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t27;

				_t27 = __eflags;
				E00072399(0xc);
				_push(0x609b0);
				_t26 = E000716E4(__ebx, 0x1c3658, __edi, _t25, _t27);
				if(_t26 == 0) {
					E000655E0(0x1c3658);
				}
				_t29 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E0007240B(0xc);
					return  *(_t26 + 8)(_a4, _a8, _a12, _a16);
				} else {
					_push(L"hhctrl.ocx");
					_t16 = E0005E893(0x1c3658, _t26, _t29);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpW");
						 *(_t26 + 8) = _t17;
						__eflags = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

0x00061585
0x0006158d
0x00061592
0x000615a1
0x000615a5
0x000615a7
0x000615a7
0x000615ac
0x000615b0
0x000615ea
0x000615ec
0x00000000
0x000615b2
0x000615b2
0x000615b7
0x000615bd
0x000615c2
0x000615ce
0x000615d4
0x000615d7
0x000615d9
0x00000000
0x00000000
0x000615de
0x000615e4
0x000615e4
0x00000000
0x000615c4

APIs

Part of subcall function 00072399: EnterCriticalSection.KERNEL32(001C3DE0,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723D3
Part of subcall function 00072399: InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723E5
Part of subcall function 00072399: LeaveCriticalSection.KERNEL32(001C3DE0,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723F2
Part of subcall function 00072399: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 00072402

Part of subcall function 000716E4: __EH_prolog3_catch.LIBCMT ref: 000716EB

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

GetProcAddress.KERNEL32(00000000,HtmlHelpW,000609B0,0000000C), ref: 000615CE
FreeLibrary.KERNEL32(?), ref: 000615DE

Strings

HtmlHelpW, xrefs: 000615C8
hhctrl.ocx, xrefs: 000615B2

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 3274081130-3773518134
Opcode ID: 56991bd44916bcfb35003ff5e9ee0e2840aa1adf3bc1b9d6bbde61a356335995
Instruction ID: 7e2be3a77d51bc0e3f0ff7e7d4220be5788f6d64c11494c843d301becb47f7dc
Opcode Fuzzy Hash: 56991bd44916bcfb35003ff5e9ee0e2840aa1adf3bc1b9d6bbde61a356335995
Instruction Fuzzy Hash: FF01F231500B02E7CB212FB0CC06FDB7BE2AF407A1F048429F95F955A2CB70C6909650

Uniqueness

Uniqueness Score: -1.00%

Function 00071E65 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00071E65(struct HWND__* _a4, intOrPtr _a8) {
				signed int _v8;
				short _v28;
				void* __esi;
				signed int _t7;
				int _t16;
				intOrPtr _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				struct HWND__* _t24;
				signed int _t25;

				_t7 =  *0x1c0454; // 0x885926af
				_v8 = _t7 ^ _t25;
				_t24 = _a4;
				if(_t24 != 0) {
					if((GetWindowLongW(_t24, 0xfffffff0) & 0x0000000f) != _a8) {
						goto L1;
					} else {
						GetClassNameW(_t24,  &_v28, 0xa);
						_t16 = CompareStringW(0x409, 1,  &_v28, 0xffffffff, L"combobox", 0xffffffff);
						asm("sbb eax, eax");
						_t11 =  ~(_t16 - 2) + 1;
					}
				} else {
					L1:
					_t11 = 0;
				}
				return E00150836(_t11, _t19, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x00071e6d
0x00071e74
0x00071e78
0x00071e7d
0x00071e92
0x00000000
0x00071e94
0x00071e9b
0x00071eb5
0x00071ec0
0x00071ec2
0x00071ec2
0x00071e7f
0x00071e7f
0x00071e7f
0x00071e7f
0x00071ecf

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00071E86
GetClassNameW.USER32(?,?,0000000A), ref: 00071E9B
CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF,?,0005E4A6,?,?), ref: 00071EB5

Strings

combobox, xrefs: 00071EA3

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: b394fdffd9e4fe6705f4317ef7c7f6894ed5a2f6dd6be089f0d569867278d0f4
Instruction ID: 45f84fe0274a12ae92bb0b26fc4ccf653ed4d7fe88eb021806f977a1aeba7715
Opcode Fuzzy Hash: b394fdffd9e4fe6705f4317ef7c7f6894ed5a2f6dd6be089f0d569867278d0f4
Instruction Fuzzy Hash: CBF0FF32A44118ABCB10EB78CC46EEF37A8DB09720F104310F926EB0C0CB30A9818798

Uniqueness

Uniqueness Score: -1.00%

Function 0006DCA3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0006DCB5
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0006DCC5

Strings

RegCreateKeyTransactedW, xrefs: 0006DCBF
Advapi32.dll, xrefs: 0006DCB0

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: 0cbe87e1a4d340d310efb65330c7088fc557aa122509471c018fea71e0605f2e
Instruction ID: 8a783be36563a3e42642142c4ab476dc16c6f3c559424191dc7e9c7f5a46ae11
Opcode Fuzzy Hash: 0cbe87e1a4d340d310efb65330c7088fc557aa122509471c018fea71e0605f2e
Instruction Fuzzy Hash: 32F0FF32604209FBCF221F95DC04FEA7BB6FF88795F148416FA59950A0D772D8A0EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0006E3B6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E0006E3B6(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t8;
				intOrPtr* _t12;

				_t12 = __ecx;
				if( *__ecx == 0) {
					if( *((intOrPtr*)(__ecx + 4)) == 0) {
						L6:
						return 1;
					}
					return RegDeleteKeyW();
				}
				_t7 = GetModuleHandleW(L"Advapi32.dll");
				if(_t7 == 0) {
					goto L6;
				}
				_t8 = GetProcAddress(_t7, "RegDeleteKeyTransactedW");
				if(_t8 == 0) {
					goto L6;
				}
				return  *_t8(_a4, _a8, 0, 0,  *_t12, 0);
			}

0x0006e3bd
0x0006e3c3
0x0006e3f6
0x0006e401
0x00000000
0x0006e403
0x0006e3fb
0x0006e3fb
0x0006e3ca
0x0006e3d2
0x00000000
0x00000000
0x0006e3da
0x0006e3e2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0006E3CA
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0006E3DA

Strings

Advapi32.dll, xrefs: 0006E3C5
RegDeleteKeyTransactedW, xrefs: 0006E3D4

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: b2acb28f72f67b2f8e303dac8ae1370391d1f7673ba87673f1095bc52ffa7008
Instruction ID: 0cd22b8929da7d2475d4a4c467e63909f2a562c928a7f2a6f4af7c8085bba254
Opcode Fuzzy Hash: b2acb28f72f67b2f8e303dac8ae1370391d1f7673ba87673f1095bc52ffa7008
Instruction Fuzzy Hash: ADF08236208254BBC7711B6AEC4CC57BBBBEBC5B617248436F259D1010DB328896D660

Uniqueness

Uniqueness Score: -1.00%

Function 0006DC4A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0006DC5C
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0006DC6C

Strings

Advapi32.dll, xrefs: 0006DC57
RegOpenKeyTransactedW, xrefs: 0006DC66

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: 5d1d7a2ad85f68b724960bedb260d47e0f8dd619da858bb5b9df8239e5c2b6f2
Instruction ID: e09995f3cd0c678970eeaa1eec29f7c3e6993e6444f1bfe820a04ca16edc1ab3
Opcode Fuzzy Hash: 5d1d7a2ad85f68b724960bedb260d47e0f8dd619da858bb5b9df8239e5c2b6f2
Instruction Fuzzy Hash: F2F05E3260430AFBCB211FA5DD19F963BAEEB49761F044826FA19994A0C7B1C4A0EB54

Uniqueness

Uniqueness Score: -1.00%

Function 00068918 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00068BDE,?,00000000,?,?,?,00000000), ref: 0006892A
GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW,?,00068BDE,?,00000000,?,?,?,00000000), ref: 0006893A

Strings

GetFileAttributesTransactedW, xrefs: 00068934
kernel32.dll, xrefs: 00068925

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetFileAttributesTransactedW$kernel32.dll
API String ID: 1646373207-1378992308
Opcode ID: 1a7e98d84429685eac0ab37edf62c46000c1a341d8d05e2a500cf1224f57db15
Instruction ID: 487ce37bf7e6fc4bbb525fe4d36afe9b10438c8d10bf43f31d885fd022a06971
Opcode Fuzzy Hash: 1a7e98d84429685eac0ab37edf62c46000c1a341d8d05e2a500cf1224f57db15
Instruction Fuzzy Hash: E2F03031108205EFDB311FA5DC08BAA7BEAFF45751F08C529F949954A0EB71C5D0EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00053B50 Relevance: 6.3, APIs: 5, Instructions: 76
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00053B50(void* __eax, short** __ebx, void* __ecx, char* _a4, int _a8) {
				void* __edi;
				void* __esi;
				signed int _t15;
				void* _t22;
				void* _t24;
				int _t28;
				char* _t30;
				void* _t33;
				int _t34;

				_t22 = __ecx;
				_t21 = __ebx;
				_t30 = _a4;
				if(_t30 != 0) {
					_t2 = lstrlenA(_t30) + 1; // 0x1
					_t28 = _t2;
					E00053D60(__ebx, _t22, _t24, __ebx, _t28,  &(__ebx[1]), 0x80);
					_t23 = _a8;
					_t15 = MultiByteToWideChar(_a8, 0, _t30, _t28,  *__ebx, _t28);
					asm("sbb esi, esi");
					_t33 =  ~_t15 + 1;
					if(_t33 != 0) {
						_t15 = GetLastError();
						if(_t15 == 0x7a) {
							_t34 = MultiByteToWideChar(_a8, 0, _a4, _t28, 0, 0);
							E00053D60(__ebx, _t23, _a4, __ebx, _t34,  &(__ebx[1]), 0x80);
							_t23 =  *__ebx;
							_t15 = MultiByteToWideChar(_a8, 0, _a4, _t28,  *__ebx, _t34);
							asm("sbb esi, esi");
							_t33 =  ~_t15 + 1;
						}
						if(_t33 != 0) {
							_t15 = E00053C00(_t21, _t23, _t28, _t33);
						}
					}
					return _t15;
				} else {
					 *__ebx = _t30;
					return __eax;
				}
			}

0x00053b50
0x00053b50
0x00053b54
0x00053b59
0x00053b6a
0x00053b6a
0x00053b78
0x00053b7f
0x00053b8c
0x00053b96
0x00053b98
0x00053b99
0x00053b9b
0x00053ba4
0x00053bbb
0x00053bc8
0x00053bcd
0x00053bdf
0x00053be9
0x00053beb
0x00053beb
0x00053bee
0x00053bf0
0x00053bf0
0x00053bee
0x00053bf8
0x00053b5b
0x00053b5b
0x00053b5f
0x00053b5f

APIs

lstrlenA.KERNEL32(?,?,?,?,00052FAF,?,00000003,?,?), ref: 00053B64
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 00053B8C
GetLastError.KERNEL32 ref: 00053B9B
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00053BB5
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,?,00000000), ref: 00053BDF

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: be69cbb3bd127b26f7a9003676dd7014d1041bd9ea66342fada4cc0487db9ec8
Instruction ID: 7895668a880d8c39eba195adb3ae4bafd88bceb2fd2018189db4d7a68c5cf1af
Opcode Fuzzy Hash: be69cbb3bd127b26f7a9003676dd7014d1041bd9ea66342fada4cc0487db9ec8
Instruction Fuzzy Hash: 77114F35500224BBD7209B54DC49FA73B7CEB85BA1F008145FE499F281C630AA4887F4

Uniqueness

Uniqueness Score: -1.00%

Function 000A0C76 Relevance: 6.3, APIs: 4, Instructions: 258
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E000A0C76(signed int* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, struct tagRECT* _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				struct tagRECT _v24;
				RECT* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t91;
				struct tagRECT* _t93;
				signed int* _t100;
				signed int _t101;
				long _t102;
				signed int _t107;
				signed int _t108;
				signed int _t109;
				signed int _t112;
				signed int _t113;
				signed int* _t114;
				RECT* _t117;
				RECT* _t118;
				signed int* _t119;
				signed int* _t120;
				signed int _t122;
				signed int* _t125;
				void* _t126;
				signed int* _t130;
				signed int _t142;
				signed int _t147;
				intOrPtr _t182;
				intOrPtr _t183;
				intOrPtr _t185;
				long _t188;
				signed int _t191;

				_t91 =  *0x1c0454; // 0x885926af
				_v8 = _t91 ^ _t191;
				_t93 = _a16;
				_t130 = __ecx;
				_t182 = _a4;
				_v44 = _a20;
				_v28 = _t93;
				_v36 = _a24;
				SetRectEmpty(_t93);
				if(GetKeyState(0x11) < 0) {
					L36:
					_pop(_t183);
					return E00150836(_t95, _t130, _v8 ^ _t191, _t171, _t183, _t185);
				}
				_v48 = _v48 & 0x00000000;
				_v40 = _v40 & 0x00000000;
				_v32 =  *_t130;
				_t100 =  *((intOrPtr*)(_v32 + 0x14))(_a8, _a12, E0006EA25(0x1bd608, _t182), 1, _t185);
				if(_t100 == 0) {
					L3:
					_t101 = _t130[0x6e];
					if(_t101 == 0 ||  *((intOrPtr*)(_t101 + 8)) == 0 ||  *((intOrPtr*)(_t101 + 4)) == 0) {
						_t102 = 0;
						__eflags = 0;
					} else {
						_t102 = E0006EA25(0x1857c0,  *((intOrPtr*)( *((intOrPtr*)(E0006EA25(0x1bd608, _t182))) + 0x1a4))());
					}
					_t171 =  *_t130;
					_t142 = E0006EA25(0x1bec6c,  *((intOrPtr*)( *_t130 + 0x10))(_a8, _a12,  *0x1bd678, 1, 0, 1, _t102));
					_v32 = _t142;
					if(_t142 == 0 || E000FEFB1(_t130, _t142, _t171, _t182, 0x1bd608) == 0) {
						_t107 = E0009FD9A(_t130, _t171, __eflags, _a8, _a12,  &_v40,  &_v48);
						__eflags = _t107;
						_t95 = _v36;
						if(_t107 == 0) {
							 *_t95 =  *_t95 & 0x00000000;
							__eflags =  *_t95;
							goto L35;
						}
						 *_t95 =  *_t95 & 0x00000000;
						_t108 = E0006EA07(_t182, 0x1bd608);
						__eflags = _t108;
						if(_t108 == 0) {
							_t109 = E0006EA07(_t182, 0x1bec6c);
							__eflags = _t109;
							if(_t109 == 0) {
								L20:
								_t188 = 0;
								__eflags = 0;
								L21:
								_v24.left = _t188;
								_v24.top = _t188;
								_v24.right = _t188;
								_v24.bottom = _t188;
								GetWindowRect( *(_t182 + 0x20),  &_v24);
								__eflags = _v48 - _t188;
								if(_v48 == _t188) {
								}
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t112 = E00063445(_t130[0x39]);
								_t147 = _v40;
								_t113 = _t112 & 0x00400000;
								__eflags = _t147 - 0x1000;
								if(_t147 == 0x1000) {
									__eflags = _t113;
									_t114 = _v28;
									if(_t113 == 0) {
										goto L29;
									}
									goto L33;
								} else {
									__eflags = _t147 - 0x2000;
									if(_t147 == 0x2000) {
										_t117 = _v28;
										_t171 = _t117->top - _v24.top + _v24.bottom;
										 *(_t117 + 0xc) = _t117->top - _v24.top + _v24.bottom;
										L30:
										 *((intOrPtr*)( *_t130 + 0x5c))(_v28, _t147);
										_t95 = E0006636C(_t130[0x39], _v28);
										goto L35;
									}
									__eflags = _t147 - 0x4000;
									if(_t147 == 0x4000) {
										__eflags = _t113;
										_t114 = _v28;
										if(_t113 == 0) {
											L33:
											_t171 = _t114[2] - _v24.right + _v24.left;
											 *_t114 = _t114[2] - _v24.right + _v24.left;
											goto L30;
										}
										L29:
										_t171 =  *_t114 - _v24.left + _v24.right;
										__eflags = _t171;
										_t114[2] = _t171;
										goto L30;
									}
									__eflags = _t147 - 0x8000;
									if(_t147 == 0x8000) {
										_t118 = _v28;
										_t171 = _t118->bottom - _v24.bottom + _v24.top;
										 *(_t118 + 4) = _t118->bottom - _v24.bottom + _v24.top;
									}
									goto L30;
								}
							}
							_t119 = E0006EA25(0x1bec6c, _t182);
							_t171 =  *_t119;
							_t95 =  *((intOrPtr*)( *_t119 + 0x194))();
							__eflags = _v40 & _t95;
							if((_v40 & _t95) == 0) {
								goto L35;
							}
							goto L20;
						}
						_t120 = E0006EA25(0x1bd608, _t182);
						_t171 =  *_t120;
						_t122 = E0006EA25(0x1845c0,  *((intOrPtr*)( *_t120 + 0x1a4))());
						_t188 = 0;
						__eflags = _t122;
						if(_t122 == 0) {
							goto L21;
						}
						_t171 =  *_t122;
						_t95 =  *((intOrPtr*)( *_t122 + 0x194))();
						__eflags = _v40 & _t95;
						if((_v40 & _t95) == 0) {
							goto L35;
						}
						goto L21;
					} else {
						if(E0006EA07(_t182, 0x1bd608) == 0) {
							L12:
							_t125 = E000FEFB1(_t130, _v32, _t171, _t182, 0x1bd608);
							_t171 =  *_t125;
							_t95 =  *((intOrPtr*)( *_t125 + 0x298))(_t182, _a8, _a12, _v28, _v44, _v36);
							L35:
							_pop(_t185);
							goto L36;
						}
						_t126 = E0006EA25(0x1bd608, _t182);
						_t171 =  *_v32;
						_push(_t126);
						if( *((intOrPtr*)( *_v32 + 0x338))() == 0) {
							goto L35;
						}
						goto L12;
					}
				}
				_t171 =  *_t100;
				 *((intOrPtr*)( *_t100 + 0x1bc))(_t182, _a8, _a12, _v28, _v44, _v36);
				if(IsRectEmpty(_v28) == 0) {
					goto L35;
				}
				goto L3;
			}

0x000a0c7e
0x000a0c85
0x000a0c88
0x000a0c8c
0x000a0c92
0x000a0c95
0x000a0c9c
0x000a0c9f
0x000a0ca2
0x000a0cb3
0x000a0f3c
0x000a0f3f
0x000a0f49
0x000a0f49
0x000a0cbb
0x000a0cbf
0x000a0ccd
0x000a0ce3
0x000a0ce8
0x000a0d15
0x000a0d15
0x000a0d1d
0x000a0d4d
0x000a0d4d
0x000a0d2b
0x000a0d44
0x000a0d4a
0x000a0d4f
0x000a0d76
0x000a0d78
0x000a0d7d
0x000a0de8
0x000a0ded
0x000a0def
0x000a0df2
0x000a0f38
0x000a0f38
0x00000000
0x000a0f38
0x000a0df8
0x000a0dfe
0x000a0e03
0x000a0e05
0x000a0e4a
0x000a0e4f
0x000a0e51
0x000a0e6f
0x000a0e6f
0x000a0e6f
0x000a0e71
0x000a0e78
0x000a0e7b
0x000a0e7e
0x000a0e81
0x000a0e84
0x000a0e8a
0x000a0e93
0x000a0e93
0x000a0e9e
0x000a0e9f
0x000a0ea0
0x000a0ea1
0x000a0ea8
0x000a0ead
0x000a0eb0
0x000a0eb5
0x000a0ebb
0x000a0f24
0x000a0f26
0x000a0f29
0x00000000
0x00000000
0x00000000
0x000a0ebd
0x000a0ebd
0x000a0ec3
0x000a0f13
0x000a0f1c
0x000a0f1f
0x000a0ef8
0x000a0f00
0x000a0f0c
0x00000000
0x000a0f0c
0x000a0ec5
0x000a0ecb
0x000a0ee6
0x000a0ee8
0x000a0eeb
0x000a0f2b
0x000a0f31
0x000a0f34
0x00000000
0x000a0f34
0x000a0eed
0x000a0ef2
0x000a0ef2
0x000a0ef5
0x00000000
0x000a0ef5
0x000a0ecd
0x000a0ed3
0x000a0ed5
0x000a0ede
0x000a0ee1
0x000a0ee1
0x00000000
0x000a0ed3
0x000a0ebb
0x000a0e55
0x000a0e5a
0x000a0e60
0x000a0e66
0x000a0e69
0x00000000
0x00000000
0x00000000
0x000a0e69
0x000a0e09
0x000a0e0e
0x000a0e20
0x000a0e25
0x000a0e29
0x000a0e2b
0x00000000
0x00000000
0x000a0e2d
0x000a0e31
0x000a0e37
0x000a0e3a
0x00000000
0x00000000
0x00000000
0x000a0d88
0x000a0d92
0x000a0db1
0x000a0db4
0x000a0dbc
0x000a0dcd
0x000a0f3b
0x000a0f3b
0x00000000
0x000a0f3b
0x000a0d96
0x000a0da0
0x000a0da2
0x000a0dab
0x00000000
0x00000000
0x00000000
0x000a0dab
0x000a0d7d
0x000a0ced
0x000a0cfe
0x000a0d0f
0x00000000
0x00000000
0x00000000

APIs

SetRectEmpty.USER32 ref: 000A0CA2
GetKeyState.USER32(00000011), ref: 000A0CAA
IsRectEmpty.USER32 ref: 000A0D07
GetWindowRect.USER32(?,?), ref: 000A0E84

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID:
API String ID: 2684165152-0
Opcode ID: e51a087dc3e3bea93cc23e6c5d44bd58a20b2e1c9fea0438ed574eb70f11ff7b
Instruction ID: b232b51fb0265000f06d5b12831976007c7fcf95c39bde8e0f39c60de90002ef
Opcode Fuzzy Hash: e51a087dc3e3bea93cc23e6c5d44bd58a20b2e1c9fea0438ed574eb70f11ff7b
Instruction Fuzzy Hash: 55918031A002099FDF55DFE4C885AEEBBB6FF89310F148169F905AB291CB31A941DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008535E Relevance: 6.2, APIs: 4, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0008535E(RECT* __ecx, intOrPtr __edx, signed int _a4) {
				int _v8;
				signed int _v12;
				struct tagRECT _v28;
				intOrPtr _v36;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t54;
				signed int _t58;
				intOrPtr _t65;
				intOrPtr _t67;
				signed int _t73;
				intOrPtr* _t74;
				intOrPtr _t77;
				intOrPtr* _t82;
				signed int _t83;
				int _t96;
				signed int _t97;
				RECT* _t100;
				intOrPtr _t101;
				signed int _t104;
				signed int _t105;
				void* _t107;
				void* _t108;

				_t95 = __edx;
				_t79 = __ecx;
				_t96 = 0;
				_t100 = __ecx;
				_t107 =  *0x1c3f04 - _t96; // 0x0
				if(_t107 != 0) {
					L6:
					return _t54;
				} else {
					_t108 =  *0x1be4d8 - _t96; // 0x1
					if(_t108 == 0 ||  *((intOrPtr*)(__ecx + 0xd00)) != 0) {
						goto L6;
					} else {
						_t54 = E0006EA25(0x1bcffc, E0005F82E(_t77, _t79, _t95, GetParent( *(__ecx + 0x20))));
						if(_t54 == 0) {
							goto L6;
						} else {
							_t82 = _t54;
							_t54 = E0007EF1A(_t82);
							if(_t54 == 0) {
								goto L6;
							} else {
								_t54 =  *((intOrPtr*)(_t100 + 0xbcc));
								_v8 = 1;
								_v28.left = 0;
								_v28.top = 0;
								_v28.right = 0;
								_v28.bottom = 0;
								if(_t54 != 0) {
									while(1) {
										__eflags = _t54 - _t96;
										if(__eflags == 0) {
											break;
										}
										_t77 =  *((intOrPtr*)(_t54 + 8));
										_t82 =  *_t54;
										_v12 = _t82;
										__eflags = _t77 - _t96;
										if(__eflags != 0) {
											__eflags =  *(_t77 + 0x24) & 0x00000001;
											if(( *(_t77 + 0x24) & 0x00000001) == 0) {
												L13:
												_t100 = 0;
												_t73 = E0007ABF8(_t95,  *((intOrPtr*)(_t77 + 0x20)));
												__eflags = _t73;
												if(_t73 == 0) {
													__eflags = _v8 - _t96;
													if(_v8 == _t96) {
														_t73 =  *(_t77 + 0x58);
														_v28.bottom = _t73;
														_t100 = 1;
														__eflags = 1;
													}
													_v8 = 1;
													__eflags = _t100 - _t96;
													if(__eflags != 0) {
														goto L21;
													}
													goto L22;
												} else {
													__eflags = _v8 - _t96;
													if(_v8 != _t96) {
														_v8 = _t96;
														_t100 = _t77 + 0x54;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t96 = 0;
														__eflags = 0;
													}
													__eflags = _v12 - _t96;
													if(__eflags != 0) {
														goto L7;
													} else {
														_v28.bottom =  *((intOrPtr*)(_t77 + 0x60));
														L21:
														_t74 = E00074709(_t77, _t96, _t100, __eflags);
														_t95 =  *_t74;
														_t105 = _t105 - 0x10;
														_t100 =  &_v28;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t82 = _t74;
														asm("movsd");
														_t73 =  *((intOrPtr*)( *_t74 + 0xa0))(_a4);
														_t96 = 0;
														__eflags = 0;
														goto L22;
													}
												}
											} else {
												__eflags = _t82 - _t96;
												if(_t82 == _t96) {
													goto L13;
												} else {
													_t73 = E0007ABF8(_t95,  *((intOrPtr*)( *((intOrPtr*)(_t82 + 8)) + 0x20)));
													__eflags = _t73;
													if(_t73 != 0) {
														L22:
														__eflags = _v12 - _t96;
														if(_v12 != _t96) {
															L7:
															_t54 = _v12;
															continue;
														} else {
															return _t73;
														}
													} else {
														goto L13;
													}
												}
											}
										}
										break;
									}
									E000655E0(_t82);
									asm("int3");
									_t104 = _t105;
									_t58 =  *0x1c0454; // 0x885926af
									_v48 = _t58 ^ _t104;
									_push(_t77);
									_t78 = _v36;
									_push(_t100);
									_push(_t96);
									_t101 = _t82;
									_t60 = E00074F8E(_t82, __eflags, _v36);
									__eflags = _t60;
									if(_t60 == 0) {
										_t60 = E000655E0(_t82);
									}
									_t97 =  *(_t60 + 0x24);
									_t83 = _a4;
									__eflags = _t97 - _t83;
									if(_t97 != _t83) {
										 *(_t60 + 0x24) = _t83;
										_t60 = _t97 & _t83;
										__eflags = _t97 & _t83 & 0x00020000;
										if(__eflags == 0) {
											_t60 = E0006EA25(0x1bddfc, E00074F8E(_t101, __eflags, _t78));
											__eflags = _t60;
											if(_t60 == 0) {
												L31:
												_t97 = _t97 ^ _a4;
												__eflags = _t97 - 2;
												if(_t97 != 2) {
													_t60 = E00076CF9(_t101, _t95, _t78);
												}
											} else {
												__eflags = (_t97 ^ _a4) & 0x00010000;
												if(__eflags == 0) {
													goto L31;
												} else {
													_v28.left = 0;
													_v28.top = 0;
													_v28.right = 0;
													_v28.bottom = 0;
													E000C2ED1(_t60, __eflags,  &_v28);
													_t65 =  *0x1c3e54; // 0x2
													_t67 =  *0x1c3e50; // 0x2
													InflateRect( &_v28, _t67 + _t67, _t65 + _t65);
													InvalidateRect( *(_t101 + 0x20),  &_v28, 1);
													_t60 = UpdateWindow( *(_t101 + 0x20));
												}
											}
										}
									}
									__eflags = _v12 ^ _t104;
									return E00150836(_t60, _t78, _v12 ^ _t104, _t95, _t97, _t101);
								} else {
									goto L6;
								}
							}
						}
					}
				}
			}

0x0008535e
0x0008535e
0x00085369
0x0008536b
0x0008536d
0x00085373
0x000853d1
0x000853d1
0x00085375
0x00085375
0x0008537b
0x00000000
0x00085385
0x0008539a
0x000853a3
0x00000000
0x000853a5
0x000853a5
0x000853a7
0x000853ae
0x00000000
0x000853b0
0x000853b0
0x000853b6
0x000853bd
0x000853c0
0x000853c3
0x000853c6
0x000853cb
0x000853d7
0x000853d7
0x000853d9
0x00000000
0x00000000
0x000853df
0x000853e2
0x000853e4
0x000853e7
0x000853e9
0x000853ef
0x000853f3
0x00085408
0x0008540b
0x0008540d
0x00085412
0x00085414
0x00085437
0x0008543a
0x0008543c
0x00085441
0x00085444
0x00085444
0x00085444
0x00085445
0x0008544c
0x0008544e
0x00000000
0x00000000
0x00000000
0x00085416
0x00085416
0x00085419
0x0008541b
0x0008541e
0x00085424
0x00085425
0x00085426
0x00085427
0x00085428
0x00085428
0x00085428
0x0008542a
0x0008542d
0x00000000
0x0008542f
0x00085432
0x00085450
0x00085450
0x00085455
0x00085457
0x0008545f
0x00085462
0x00085463
0x00085464
0x00085465
0x00085467
0x00085468
0x0008546e
0x0008546e
0x00000000
0x0008546e
0x0008542d
0x000853f5
0x000853f5
0x000853f7
0x00000000
0x000853f9
0x000853ff
0x00085404
0x00085406
0x00085470
0x00085470
0x00085473
0x000853d4
0x000853d4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00085406
0x000853f7
0x000853f3
0x00000000
0x000853e9
0x0008547e
0x00085483
0x00085487
0x0008548c
0x00085493
0x00085496
0x00085497
0x0008549a
0x0008549b
0x0008549d
0x0008549f
0x000854a4
0x000854a6
0x000854a8
0x000854a8
0x000854ad
0x000854b0
0x000854b3
0x000854b5
0x000854bb
0x000854c0
0x000854c2
0x000854c7
0x000854db
0x000854e2
0x000854e4
0x00085540
0x00085540
0x00085543
0x00085546
0x0008554b
0x0008554b
0x000854e6
0x000854eb
0x000854f1
0x00000000
0x000854f3
0x000854f5
0x000854f8
0x000854fb
0x000854fe
0x00085507
0x0008550c
0x00085514
0x00085520
0x0008552f
0x00085538
0x00085538
0x000854f1
0x000854e4
0x000854c7
0x00085555
0x0008555e
0x00000000
0x00000000
0x00000000
0x000853cb
0x000853ae
0x000853a3
0x0008537b

APIs

GetParent.USER32(?), ref: 00085388
InflateRect.USER32 ref: 00085520
InvalidateRect.USER32(?,?,00000001), ref: 0008552F
UpdateWindow.USER32 ref: 00085538

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$InflateInvalidateParentUpdateWindow
String ID:
API String ID: 4005937429-0
Opcode ID: 78eb39f21a6352f1c51e903291be13aec8c20e4d849dbab8a776a4bf22bfa93a
Instruction ID: 35301ff74177516baaa3247880106ac0867d946638bee6253a73817450c25158
Opcode Fuzzy Hash: 78eb39f21a6352f1c51e903291be13aec8c20e4d849dbab8a776a4bf22bfa93a
Instruction Fuzzy Hash: CF51D671A00A04DFCB15EFA8CC419AEBBF6FF88316F20416AE885A7151E771DE80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0007C4D7 Relevance: 6.2, APIs: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0007C4D7(void* __ebx, signed int* __ecx, signed int _a4, signed int _a8, signed int _a12) {
				signed short* _v8;
				signed int _v12;
				void* _v16;
				signed char _v20;
				intOrPtr _v24;
				intOrPtr _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t69;
				void* _t70;
				signed int _t75;
				signed char _t79;
				signed int _t80;
				signed int _t81;
				signed int _t86;
				signed int _t92;
				signed int* _t94;
				signed int _t95;
				intOrPtr _t98;
				void* _t99;
				signed int _t102;
				signed int _t103;
				signed int _t110;
				signed int _t122;
				signed int* _t124;
				signed int _t125;
				struct HINSTANCE__* _t126;
				void* _t131;

				_t105 = __ecx;
				_t99 = __ebx;
				_t127 = _a4;
				_t124 = __ecx;
				if(_a4 != 0) {
					L2:
					_t126 =  *(E0006B628(_t99, _t124, _t125, _t127) + 0xc);
					_t69 = FindResourceW(_t126, _a4 & 0x0000ffff, 0xf1);
					if(_t69 != 0) {
						_t70 = LoadResource(_t126, _t69);
						_v16 = _t70;
						__eflags = _t70;
						if(_t70 == 0) {
							goto L3;
						}
						_t125 = LockResource(_t70);
						__eflags = _t125;
						if(__eflags == 0) {
							goto L3;
						}
						_t122 = 4;
						_t123 = ( *(_t125 + 6) & 0x0000ffff) * _t122 >> 0x20;
						_t75 = E0005C37C(__eflags,  ~(0 | __eflags > 0x00000000) | ( *(_t125 + 6) & 0x0000ffff) * _t122);
						_pop(_t105);
						_v12 = _t75;
						__eflags = _t75;
						if(__eflags == 0) {
							goto L1;
						} else {
							__eflags = _a12;
							_t110 =  *(_t125 + 4) & 0x0000ffff;
							_push(_t99);
							_t100 =  *(_t125 + 2) & 0x0000ffff;
							_v24 = ( *(_t125 + 2) & 0x0000ffff) + 6;
							_v8 = _t110;
							_v20 = _t110 + 6;
							if(_a12 == 0) {
								_t79 =  *0x1c3f20; // 0x0
							} else {
								_t79 = _t124[0x2ef];
							}
							__eflags = _t79;
							if(_t79 == 0) {
								_t123 =  *0x1c3b7c; // 0x1
								asm("fld1");
								__eflags = _t123;
								if(_t123 == 0) {
								}
								_t131 = st2;
								asm("fucompp");
								asm("fnstsw ax");
								__eflags = _t79 & 0x00000044;
								if((_t79 & 0x00000044) != 0) {
									st1 = _t131;
									st0 = _t131;
								} else {
									__eflags = _t123;
									if(_t123 == 0) {
										st0 = _t131;
									} else {
										st1 = _t131;
									}
									asm("fild dword [ebp-0x14]");
									asm("fxch st0, st1");
									_t98 = E00155A90(_t79,  *0x17bdf8 + st0);
									asm("fild dword [ebp-0x10]");
									_v32 = _t98;
									asm("fmulp st2, st0");
									asm("faddp st1, st0");
									_t79 = E00155A90(_t98,  *0x17bdf8 + st0);
									_v24 = _v32;
									_t110 = _v8;
									_v20 = _t79;
								}
							}
							__eflags = _a12;
							if(_a12 == 0) {
								_t80 = E000746CF(_t79, 0x1c3fe0);
								__eflags = _t80;
								if(_t80 == 0) {
									E00074948(_t123, _v24, _v20, _t100, _v8);
								}
							} else {
								E00074AC4(_t124, _v24, _v20, _t100, _t110, 0);
							}
							_t81 = _a8;
							_t102 = 1;
							__eflags =  *(_t81 + 4);
							if( *(_t81 + 4) == 0) {
								 *(_t81 + 4) = _a4;
							}
							__eflags = _t124[0x329];
							if(_t124[0x329] != 0) {
								L28:
								_a8 = _t124[0x2e4];
								_t103 = 0;
								__eflags = 0 -  *(_t125 + 6);
								if(0 >=  *(_t125 + 6)) {
									L34:
									_t124[0x329] = _a4;
									_t86 =  *((intOrPtr*)( *_t124 + 0x33c))(_v12,  *(_t125 + 6) & 0x0000ffff, 1);
									_t102 = _t86;
									__eflags = _t102;
									if(_t102 == 0) {
										_t63 =  &(_t124[0x329]);
										 *_t63 = _t124[0x329] & _t86;
										__eflags =  *_t63;
									}
									goto L36;
								}
								_t45 = _t125 + 8; // 0x8
								_v8 = _t45;
								do {
									__eflags = _a12;
									_t92 =  *_v8 & 0x0000ffff;
									 *(_v12 + _t103 * 4) = _t92;
									if(_a12 == 0) {
										__eflags = _t92;
										if(__eflags != 0) {
											_t94 = E0010A1D7(0x1bce84, _t123, __eflags, _t92);
											_t53 =  &_a8;
											 *_t53 = _a8 + 1;
											__eflags =  *_t53;
											 *_t94 = _a8;
										}
									}
									_v8 =  &(_v8[1]);
									_t103 = _t103 + 1;
									__eflags = _t103 - ( *(_t125 + 6) & 0x0000ffff);
								} while (_t103 < ( *(_t125 + 6) & 0x0000ffff));
								goto L34;
							} else {
								_t123 =  *_t124;
								_t95 =  *((intOrPtr*)( *_t124 + 0x334))(_t81, _a12);
								__eflags = _t95;
								if(_t95 == 0) {
									L36:
									_push(_v12);
									E0005C3AB();
									FreeResource(_v16);
									return _t102;
								}
								goto L28;
							}
						}
					}
					L3:
					return 0;
				}
				L1:
				E000655E0(_t105);
				goto L2;
			}

0x0007c4d7
0x0007c4d7
0x0007c4df
0x0007c4e5
0x0007c4e7
0x0007c4ee
0x0007c4f3
0x0007c501
0x0007c509
0x0007c514
0x0007c51a
0x0007c51d
0x0007c51f
0x00000000
0x00000000
0x0007c528
0x0007c52a
0x0007c52c
0x00000000
0x00000000
0x0007c536
0x0007c537
0x0007c541
0x0007c546
0x0007c547
0x0007c54a
0x0007c54c
0x00000000
0x0007c54e
0x0007c54e
0x0007c552
0x0007c556
0x0007c557
0x0007c55e
0x0007c564
0x0007c567
0x0007c56a
0x0007c574
0x0007c56c
0x0007c56c
0x0007c56c
0x0007c579
0x0007c57b
0x0007c57d
0x0007c583
0x0007c58b
0x0007c58d
0x0007c58d
0x0007c595
0x0007c597
0x0007c599
0x0007c59b
0x0007c59e
0x0007c5db
0x0007c5dd
0x0007c5a0
0x0007c5a0
0x0007c5a2
0x0007c5a8
0x0007c5a4
0x0007c5a4
0x0007c5a4
0x0007c5aa
0x0007c5b7
0x0007c5b9
0x0007c5be
0x0007c5c1
0x0007c5c4
0x0007c5c6
0x0007c5c8
0x0007c5d0
0x0007c5d3
0x0007c5d6
0x0007c5d6
0x0007c59e
0x0007c5df
0x0007c5e3
0x0007c5fd
0x0007c602
0x0007c604
0x0007c610
0x0007c610
0x0007c5e5
0x0007c5f1
0x0007c5f1
0x0007c615
0x0007c61a
0x0007c61b
0x0007c61f
0x0007c624
0x0007c624
0x0007c627
0x0007c62e
0x0007c642
0x0007c648
0x0007c64d
0x0007c64f
0x0007c653
0x0007c691
0x0007c694
0x0007c6a8
0x0007c6ae
0x0007c6b0
0x0007c6b2
0x0007c6b4
0x0007c6b4
0x0007c6b4
0x0007c6b4
0x00000000
0x0007c6b2
0x0007c655
0x0007c658
0x0007c65b
0x0007c65b
0x0007c662
0x0007c668
0x0007c66b
0x0007c66d
0x0007c66f
0x0007c677
0x0007c67f
0x0007c67f
0x0007c67f
0x0007c682
0x0007c682
0x0007c66f
0x0007c688
0x0007c68c
0x0007c68d
0x0007c68d
0x00000000
0x0007c630
0x0007c633
0x0007c638
0x0007c63e
0x0007c640
0x0007c6ba
0x0007c6ba
0x0007c6bd
0x0007c6c6
0x00000000
0x0007c6ce
0x00000000
0x0007c640
0x0007c62e
0x0007c54c
0x0007c50b
0x00000000
0x0007c50b
0x0007c4e9
0x0007c4e9
0x00000000

APIs

FindResourceW.KERNEL32(?,00000000,000000F1), ref: 0007C501

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

LoadResource.KERNEL32(?,00000000), ref: 0007C514
LockResource.KERNEL32(00000000), ref: 0007C522
FreeResource.KERNEL32(?), ref: 0007C6C6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Resource$Exception@8FindFreeLoadLockThrow
String ID:
API String ID: 3726238965-0
Opcode ID: 677d77ee585095159afb42818ef7daec718fceeae7ea33e7e223eb4ad57429cc
Instruction ID: 9d05c8e84ff3479fd4cd3bac0dedf53abc736b62d54ecef3edca7c75050c9a87
Opcode Fuzzy Hash: 677d77ee585095159afb42818ef7daec718fceeae7ea33e7e223eb4ad57429cc
Instruction Fuzzy Hash: FE61B270E00606EFDB159F60C894ABEBBF5FF04344F10C52DE85A96291EB35EE80CA54

Uniqueness

Uniqueness Score: -1.00%

Function 000C7735 Relevance: 6.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E000C7735(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, long _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t69;
				intOrPtr _t77;
				signed int _t78;
				intOrPtr _t83;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t88;
				void* _t95;
				intOrPtr _t100;
				intOrPtr* _t110;
				intOrPtr _t112;
				intOrPtr* _t138;
				signed int _t139;
				void* _t140;

				_t134 = __edx;
				_t69 =  *0x1c0454; // 0x885926af
				_v8 = _t69 ^ _t139;
				_v28 = _a8;
				_v36 = _a12;
				_t112 = _a24;
				_v48 = _a20;
				_v32 = _a28;
				_t138 = __ecx;
				_v44 = _a36;
				 *((intOrPtr*)(__ecx + 0x80)) = E0006EA07(_t112, 0x179700);
				if( *((intOrPtr*)(__ecx + 0x88)) != 0 && E000F7EDC(0x1bea58, __edx, _t112) == 0) {
					_t110 = E000F7EDC(0x1bea58, __edx, E0006F25D(_t112, __edx, _t112));
					if(_t110 != 0) {
						_t134 =  *_t110;
						 *((intOrPtr*)( *_t110 + 0x24))(_v32, 1);
					}
				}
				_t77 =  *_t138;
				 *(_t138 + 0x74) =  *(_t138 + 0x74) & 0x10000000;
				_v40 = _t77;
				_t78 =  *((intOrPtr*)(_t77 + 0x1bc))();
				_t135 = _a16;
				 *((intOrPtr*)(_v40 + 0x1e0))(_t78 | _t135);
				_t145 =  *((intOrPtr*)(_t138 + 0xb8));
				 *((intOrPtr*)(_t138 + 0x94)) = _a32;
				if( *((intOrPtr*)(_t138 + 0xb8)) == 0) {
					_t83 = E0005EA2F(_t138, _a4, _v28, _v36, _t135, _v48, _t112, _v32, _v44);
					_v28 = _t83;
					__eflags = _t83;
					if(_t83 == 0) {
						goto L17;
					}
					goto L13;
				} else {
					E00151B30( &_v96, 0, 0x30);
					_v56 = _v28;
					_v60 = _v36;
					_t140 = _t140 + 0xc;
					_v64 = _t135 | 0x40000000;
					_v88 = _v32;
					_t95 = E0006B628(_t112, _t135 | 0x40000000, _t138, _t145);
					_t135 = 0;
					_v92 =  *((intOrPtr*)(_t95 + 8));
					if(_t112 != 0) {
						_v84 =  *((intOrPtr*)(_t112 + 0x20));
					} else {
						_v84 = 0;
					}
					_push( &_v96);
					if( *((intOrPtr*)( *_t138 + 0x64))() != 0) {
						_t100 = E00064844(_t138, _t134, __eflags,  *((intOrPtr*)(_t138 + 0xb8)), _t112);
						__eflags = _t100;
						if(_t100 == 0) {
							goto L9;
						}
						SetClassLongW( *(_t138 + 0x20), 0xfffffff6, GetSysColorBrush(0xf));
						E00063519(_t138, _v32);
						_v24.left = _t135;
						_v24.top = _t135;
						_v24.right = _t135;
						_v24.bottom = _t135;
						GetWindowRect( *(_t138 + 0x20),  &_v24);
						 *((intOrPtr*)(_t138 + 0xbc)) = _v24.right - _v24.left;
						 *((intOrPtr*)(_t138 + 0xc0)) = _v24.bottom - _v24.top;
						_v28 = 1;
						L13:
						_t135 = 0x18689c;
						_t86 = E0006EA07(_t112, 0x18689c);
						_push(_t112);
						__eflags = _t86;
						if(_t86 == 0) {
							_t88 = E0006EA25(0x18689c, E0006F25D(_t112, _t134));
						} else {
							_push(0x18689c);
							_t88 = E0006EA25();
						}
						 *((intOrPtr*)(_t138 + 0x98)) = _t88;
						 *((intOrPtr*)(_t138 + 0x80)) = E0006EA07(_t112, 0x179700);
						L17:
						_t84 = _v28;
						goto L18;
					} else {
						L9:
						_t84 = 0;
						L18:
						return E00150836(_t84, _t112, _v8 ^ _t139, _t134, _t135, _t138);
					}
				}
			}

0x000c7735
0x000c773d
0x000c7744
0x000c774a
0x000c7750
0x000c7757
0x000c775b
0x000c7762
0x000c7768
0x000c7771
0x000c7780
0x000c7786
0x000c77a3
0x000c77aa
0x000c77ac
0x000c77b5
0x000c77b5
0x000c77aa
0x000c77b8
0x000c77ba
0x000c77c3
0x000c77c6
0x000c77cc
0x000c77d7
0x000c77dd
0x000c77e7
0x000c77ed
0x000c78d0
0x000c78d5
0x000c78d8
0x000c78da
0x00000000
0x00000000
0x00000000
0x000c77f3
0x000c77fb
0x000c7803
0x000c7809
0x000c7815
0x000c7818
0x000c781b
0x000c781e
0x000c7826
0x000c7828
0x000c782d
0x000c7837
0x000c782f
0x000c782f
0x000c782f
0x000c783f
0x000c7847
0x000c7859
0x000c785e
0x000c7860
0x00000000
0x00000000
0x000c7870
0x000c787b
0x000c7887
0x000c788a
0x000c788d
0x000c7890
0x000c7893
0x000c78a5
0x000c78ab
0x000c78b1
0x000c78dc
0x000c78dc
0x000c78e4
0x000c78e9
0x000c78ea
0x000c78ec
0x000c78ff
0x000c78ee
0x000c78ee
0x000c78ef
0x000c78f5
0x000c790e
0x000c7919
0x000c791f
0x000c791f
0x00000000
0x000c7849
0x000c7849
0x000c7849
0x000c7922
0x000c7930
0x000c7930
0x000c7847

APIs

_memset.LIBCMT ref: 000C77FB
GetSysColorBrush.USER32 ref: 000C7864
SetClassLongW.USER32(?,000000F6,00000000), ref: 000C7870
GetWindowRect.USER32(?,?), ref: 000C7893

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: BrushClassColorLongRectWindow_memset
String ID:
API String ID: 2638262843-0
Opcode ID: 9ee8415209b0da03d1774d3bb6dfacd8b03d42f399edcfb8aa5878005ba10a70
Instruction ID: cbdb298ce2f5b60db3651f8af2236efbf7fd18828a9252b82d5161b678c80188
Opcode Fuzzy Hash: 9ee8415209b0da03d1774d3bb6dfacd8b03d42f399edcfb8aa5878005ba10a70
Instruction Fuzzy Hash: 05612674A042099FDB11DFA8C885BEEBBFABF48300F104029E91AE7251DB34A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0011FEEB Relevance: 6.2, APIs: 4, Instructions: 157
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0011FEEB(int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagRECT _v72;
				long _v76;
				long _v80;
				int _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t75;
				intOrPtr _t78;
				intOrPtr _t90;
				intOrPtr _t97;
				intOrPtr _t98;
				intOrPtr _t102;
				intOrPtr _t103;
				int _t105;
				int _t119;
				long _t121;
				int _t126;
				signed int _t127;
				void* _t128;
				void* _t134;
				void* _t137;

				_t68 =  *0x1c0454; // 0x885926af
				_v8 = _t68 ^ _t127;
				_t119 = __ecx;
				_v84 = __ecx;
				_v40.left = 0;
				_v40.top = 0;
				_v40.right = 0;
				_v40.bottom = 0;
				GetWindowRect( *(_a4 + 0x20),  &_v40);
				_t72 =  *((intOrPtr*)(_t119 + 0x48));
				_v76 = 0;
				_v80 = 0;
				if(_t72 != 0) {
					_t97 =  *((intOrPtr*)(_t72 + 0x1b8));
					_v76 = _t97;
					if(_t97 != 0 &&  *((intOrPtr*)(_t97 + 8)) != 0 &&  *((intOrPtr*)(_t97 + 4)) != 0) {
						_v80 = 1;
					}
				}
				_t98 =  *0x1c3b4c; // 0x3
				_t73 =  *0x1c3b64; // 0xf
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v24 = _v24 + 0xa;
				_t121 = 0;
				_t134 =  *0x1c65b8 - _t121; // 0x0
				if(_t134 == 0) {
					_v40.bottom = _v40.bottom - _t73;
					_t102 = _v12 - _t73;
					__eflags = _t102;
					_v20 = _t102;
				} else {
					_v40.top = _v40.top + _t73;
					_v12 = _t73 + _v20;
				}
				_t103 = _v40.right;
				_t75 = _v24 + 0x28;
				_v16 = _t75;
				if(_t75 >= _t103) {
					_v16 = _t103 - _t98 - 4;
				}
				_v56.left = _t121;
				_v56.top = _t121;
				_v56.right = _t121;
				_v56.bottom = _t121;
				SetRectEmpty( &_v56);
				_t78 = _v12;
				_t105 = _v16 - _t98;
				_t126 = _v24 + _t98;
				_v72.left = _t121;
				_v72.top = _t121;
				_v72.right = _t121;
				_v72.bottom = _t121;
				_t137 =  *0x1c65b8 - _t121; // 0x0
				if(_t137 == 0) {
					_t78 = _v20;
				}
				_t118 = _t78 + _t98;
				SetRect( &_v72, _t126, _t78 - _t98, _t105, _t78 + _t98);
				if(_a8 == _t121) {
					__eflags = _v80 - _t121;
					if(_v80 == _t121) {
						_t121 = 1;
						__eflags = 1;
						goto L18;
					}
					_push(_v12 - _v20);
					_push(_v16 - _v24);
					_push(0xa);
					CopyRect(_t128 - 0x10,  &_v40);
					_t90 = E000FE3D7(_v76);
				} else {
					if(_v80 == _t121) {
						L18:
						_t126 = _v84;
						_push(_t98);
						_push(_t98);
						_push(_t121);
						_push( &_v24);
						_push( &_v56);
						E0011FE57(_t98, _t126, _t118, _t121, _t126, __eflags);
						_push(_t98);
						_push(_t98);
						_push(_t121);
						_push( &_v40);
						_push( &_v56);
						E0011FE57(_t98, _t126, _t118, _t121, _t126, __eflags);
						_push(_t98);
						_push(_t98);
						_push(_t121);
						_push( &_v72);
						_push( &_v56);
						_t90 = E0011FE57(_t98, _t126, _t118, _t121, _t126, __eflags);
						 *(_t126 + 0x54) = _t121;
						L19:
						return E00150836(_t90, _t98, _v8 ^ _t127, _t118, _t121, _t126);
					}
					_t90 = E000FE3C8(_v76);
				}
			}

0x0011fef3
0x0011fefa
0x0011ff03
0x0011ff0e
0x0011ff11
0x0011ff14
0x0011ff17
0x0011ff1a
0x0011ff1d
0x0011ff23
0x0011ff26
0x0011ff29
0x0011ff2e
0x0011ff30
0x0011ff36
0x0011ff3b
0x0011ff47
0x0011ff47
0x0011ff3b
0x0011ff4e
0x0011ff54
0x0011ff5f
0x0011ff60
0x0011ff61
0x0011ff62
0x0011ff63
0x0011ff67
0x0011ff69
0x0011ff6f
0x0011ff7f
0x0011ff82
0x0011ff82
0x0011ff84
0x0011ff71
0x0011ff71
0x0011ff77
0x0011ff77
0x0011ff8a
0x0011ff8d
0x0011ff90
0x0011ff95
0x0011ff9c
0x0011ff9c
0x0011ffa3
0x0011ffa6
0x0011ffa9
0x0011ffac
0x0011ffaf
0x0011ffbb
0x0011ffbe
0x0011ffc0
0x0011ffc2
0x0011ffc5
0x0011ffc8
0x0011ffcb
0x0011ffce
0x0011ffd4
0x0011ffd6
0x0011ffd6
0x0011ffd9
0x0011ffe6
0x0011ffef
0x00120000
0x00120003
0x00120031
0x00120031
0x00000000
0x00120031
0x00120011
0x00120012
0x00120013
0x0012001f
0x00120028
0x0011fff1
0x0011fff4
0x00120032
0x00120032
0x00120035
0x00120036
0x00120037
0x0012003b
0x0012003f
0x00120042
0x00120047
0x00120048
0x00120049
0x0012004d
0x00120051
0x00120054
0x00120059
0x0012005a
0x0012005b
0x0012005f
0x00120063
0x00120066
0x0012006b
0x0012006e
0x0012007c
0x0012007c
0x0011fff9
0x0011fff9

APIs

GetWindowRect.USER32(?,?), ref: 0011FF1D
SetRectEmpty.USER32 ref: 0011FFAF
SetRect.USER32 ref: 0011FFE6
CopyRect.USER32(?,?), ref: 0012001F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$CopyEmptyWindow
String ID:
API String ID: 2176940440-0
Opcode ID: 8703686d336efc03924e0350c6811a31c26ef7236be9b1b34ac24ae47ee8216e
Instruction ID: 15d43552da83360b7ae8a20cbc007d7eea76be8dbca46abb2dcf23aed18b907e
Opcode Fuzzy Hash: 8703686d336efc03924e0350c6811a31c26ef7236be9b1b34ac24ae47ee8216e
Instruction Fuzzy Hash: 245107B2D00219AFCB15DFA9D9849EEFBB9EF48700B10416AE405A7211D770AE86CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00068CDE Relevance: 6.2, APIs: 4, Instructions: 155
timeCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00068CDE(intOrPtr __ecx, signed int* __edx, signed int* _a4) {
				signed int _v8;
				signed int _v44;
				struct _FILETIME _v52;
				struct _FILETIME _v60;
				char _v68;
				signed int _v72;
				signed int _v76;
				struct _FILETIME _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t57;
				void* _t64;
				intOrPtr _t66;
				signed int* _t69;
				WCHAR* _t72;
				signed char _t73;
				signed int* _t91;
				signed int* _t94;
				signed int* _t97;
				signed int _t99;
				signed int _t108;
				intOrPtr _t121;
				signed int* _t122;
				signed int _t123;
				void* _t126;

				_t120 = __edx;
				_t57 =  *0x1c0454; // 0x885926af
				_v8 = _t57 ^ _t123;
				_t122 = _a4;
				_t121 = __ecx;
				E00151B30(_t122, 0, 0x22c);
				_push(E00150EEF( &(_t122[8]), 0x104,  *(_t121 + 0xc), 0xffffffff));
				E00053DF0();
				_t64 =  *(_t121 + 4);
				_t126 = _t64 -  *0x17aed0; // 0xffffffff
				if(_t126 == 0) {
					L23:
					_t66 = 1;
					L24:
					return E00150836(_t66, 0, _v8 ^ _t123, _t120, _t121, _t122);
				}
				if(GetFileTime(_t64,  &_v84,  &_v52,  &_v60) != 0) {
					_t69 =  &_v76;
					__imp__GetFileSizeEx( *(_t121 + 4), _t69);
					if(_t69 == 0) {
						goto L2;
					}
					_t122[6] = _v76;
					_t122[7] = _v72;
					_t72 =  *(_t121 + 0xc);
					if( *((intOrPtr*)(_t72 - 0xc)) != 0) {
						_t108 =  *(_t121 + 0x10);
						if(_t108 == 0) {
							_t73 = GetFileAttributesW(_t72);
						} else {
							_t120 =  &_v44;
							_t99 = E00068918(_t108, _t72, 0,  &_v44);
							asm("sbb eax, eax");
							_t73 =  ~_t99 & _v44;
						}
						_t122[8] = (_t108 & 0xffffff00 | _t73 == 0xffffffff) - 0x00000001 & _t73;
					} else {
						_t122[8] = 0;
					}
					if(E00068968( &_v84) == 0) {
						 *_t122 = 0;
						_t122[1] = 0;
					} else {
						_t97 = E00068AB1(0,  &_v68, _t121,  &_v84, 0xffffffff);
						 *_t122 =  *_t97;
						_t122[1] = _t97[1];
					}
					if(E00068968( &_v52) == 0) {
						_t122[4] = 0;
						_t122[5] = 0;
					} else {
						_t94 = E00068AB1(0,  &_v68, _t121,  &_v52, 0xffffffff);
						_t122[4] =  *_t94;
						_t122[5] = _t94[1];
					}
					if(E00068968( &_v60) == 0) {
						_t122[2] = 0;
						_t122[3] = 0;
					} else {
						_t91 = E00068AB1(0,  &_v68, _t121,  &_v60, 0xffffffff);
						_t122[2] =  *_t91;
						_t122[3] = _t91[1];
					}
					if(( *_t122 | _t122[1]) == 0) {
						 *_t122 = _t122[2];
						_t122[1] = _t122[3];
					}
					if((_t122[4] | _t122[5]) == 0) {
						_t122[4] = _t122[2];
						_t122[5] = _t122[3];
					}
					goto L23;
				}
				L2:
				_t66 = 0;
				goto L24;
			}

0x00068cde
0x00068ce6
0x00068ced
0x00068cf2
0x00068cff
0x00068d01
0x00068d1a
0x00068d1b
0x00068d20
0x00068d26
0x00068d2c
0x00068e5f
0x00068e61
0x00068e62
0x00068e70
0x00068e70
0x00068d47
0x00068d50
0x00068d57
0x00068d5f
0x00000000
0x00000000
0x00068d64
0x00068d6a
0x00068d6d
0x00068d73
0x00068d7a
0x00068d7f
0x00068d96
0x00068d81
0x00068d81
0x00068d87
0x00068d8e
0x00068d90
0x00068d90
0x00068da6
0x00068d75
0x00068d75
0x00068d75
0x00068db4
0x00068dd0
0x00068dd2
0x00068db6
0x00068dbf
0x00068dc6
0x00068dcb
0x00068dcb
0x00068de0
0x00068e01
0x00068e04
0x00068de2
0x00068deb
0x00068df2
0x00068df8
0x00068df8
0x00068e12
0x00068e33
0x00068e36
0x00068e14
0x00068e1d
0x00068e24
0x00068e2a
0x00068e2a
0x00068e3e
0x00068e43
0x00068e48
0x00068e48
0x00068e51
0x00068e56
0x00068e5c
0x00068e5c
0x00000000
0x00068e51
0x00068d49
0x00068d49
0x00000000

APIs

_memset.LIBCMT ref: 00068D01
GetFileTime.KERNEL32(?,?,?,?), ref: 00068D3F
GetFileSizeEx.KERNEL32(?,?), ref: 00068D57

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: 56b62900d9a39ce8fd3917fb29adeb2411ce3be01a19de6487a89772deda8e53
Instruction ID: a14b467a0143e898dc66b6075b372908c70ffabd41b26c071d645b9a276a7e31
Opcode Fuzzy Hash: 56b62900d9a39ce8fd3917fb29adeb2411ce3be01a19de6487a89772deda8e53
Instruction Fuzzy Hash: E5511A71900605AFD724DFA4D881CABB7F9FF183507148A2EE5AAD7691EB30E944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00062DBF Relevance: 6.1, APIs: 4, Instructions: 132
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00062DBF(void* __ebx, signed short __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				signed short _t46;
				signed short _t47;
				long _t54;
				long _t60;
				signed short _t62;
				signed short _t63;
				signed short _t66;
				signed int _t70;
				void* _t79;
				int _t81;
				signed short _t82;
				int _t86;
				long _t87;
				void* _t88;
				void* _t89;
				void* _t102;

				_t102 = __fp0;
				_t79 = __edx;
				_t67 = __ecx;
				_push(0x30);
				E00151A19(0x168a06, __ebx, __edi, __esi);
				_t66 = __ecx;
				_t81 = 0;
				_t91 =  *((intOrPtr*)(__ecx + 0x70));
				if( *((intOrPtr*)(__ecx + 0x70)) == 0) {
					_t62 = E0005C37C(_t91, 0x38);
					 *(_t88 - 0x18) = _t62;
					 *(_t88 - 4) = 0;
					_t92 = _t62;
					if(_t62 == 0) {
						_t63 = 0;
						__eflags = 0;
					} else {
						_push(_t66);
						_t63 = E00072F05(_t66, _t62, 0, __esi, _t92);
					}
					 *(_t88 - 4) =  *(_t88 - 4) | 0xffffffff;
					_t67 = _t63;
					 *(_t66 + 0x70) = _t63;
					E00073714(_t63, _t79, _t102);
				}
				_t86 =  *(_t88 + 8);
				 *(_t88 - 0x10) = 1;
				if(_t86 == _t81) {
					L27:
					E00060E14(_t66, _t67, _t79,  *(_t66 + 0x20), 0x364, _t81, _t81, _t81, _t81);
					L28:
					return E00151AF1( *(_t88 - 0x10));
				} else {
					goto L6;
				}
				while(1) {
					L6:
					_t46 =  *_t86 & 0x0000ffff;
					if(_t46 == _t81) {
						break;
					}
					_t82 = _t46;
					_t47 =  *(_t86 + 2) & 0x0000ffff;
					 *(_t88 + 8) =  *(_t86 + 4);
					_t87 = _t86 + 8;
					 *(_t88 - 0x18) = _t82;
					if(_t47 == 0x1234) {
						L13:
						_t70 = 8;
						memset(_t88 - 0x38, 0, _t70 << 2);
						_t89 = _t89 + 0xc;
						 *(_t88 - 0x38) =  *(_t88 - 0x38) | 0xffffffff;
						 *(_t88 - 0x3c) = 1;
						E00056620(_t66, _t87);
						 *((intOrPtr*)(_t88 - 0x34)) =  *((intOrPtr*)(_t88 - 0x14));
						_t54 = SendDlgItemMessageW( *(_t66 + 0x20),  *(_t88 - 0x18) & 0x0000ffff, 0x40b, 0, _t88 - 0x3c);
						__eflags = _t54 - 0xffffffff;
						if(_t54 == 0xffffffff) {
							_t24 = _t88 - 0x10;
							 *_t24 =  *(_t88 - 0x10) & 0x00000000;
							__eflags =  *_t24;
						}
						_t67 =  *((intOrPtr*)(_t88 - 0x14)) + 0xfffffff0;
						E00051190( *((intOrPtr*)(_t88 - 0x14)) + 0xfffffff0, _t79);
						L25:
						_t86 = _t87 +  *(_t88 + 8);
						_t81 = 0;
						if( *(_t88 - 0x10) != 0) {
							continue;
						}
						break;
					}
					_t67 = 0x401;
					if(_t47 != 0x401) {
						__eflags = _t47 - 0x403;
						if(_t47 == 0x403) {
							_t47 = 0x143;
						}
						__eflags = _t47 - 0x40b;
						if(_t47 != 0x40b) {
							__eflags = _t47 - 0x37c;
							if(_t47 != 0x37c) {
								_t67 = 0x180;
								__eflags = _t47 - 0x180;
								if(_t47 == 0x180) {
									L23:
									if(SendDlgItemMessageA( *(_t66 + 0x20), _t82 & 0x0000ffff, _t47 & 0x0000ffff, 0, _t87) == 0xffffffff) {
										 *(_t88 - 0x10) =  *(_t88 - 0x10) & 0x00000000;
									}
									goto L25;
								}
								_t67 = 0x143;
								__eflags = _t47 - 0x143;
								if(_t47 != 0x143) {
									goto L25;
								}
								goto L23;
							}
							_t60 = SendDlgItemMessageW( *(_t66 + 0x20), _t82 & 0x0000ffff, 0x37c,  *(_t88 + 8), _t87);
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								_t29 = _t88 - 0x10;
								 *_t29 =  *(_t88 - 0x10) & 0x00000000;
								__eflags =  *_t29;
							}
							_t67 =  *(_t66 + 0x70);
							__eflags =  *(_t66 + 0x70);
							if(__eflags != 0) {
								_push(_t87);
								_push( *(_t88 + 8));
								_push(_t82);
								E00072F8D(_t66, _t67, _t79, _t82, _t87, __eflags);
							}
							goto L25;
						} else {
							goto L13;
						}
					}
					_t47 = 0x180;
					goto L23;
				}
				if( *(_t88 - 0x10) == _t81) {
					goto L28;
				}
				goto L27;
			}

0x00062dbf
0x00062dbf
0x00062dbf
0x00062dbf
0x00062dc6
0x00062dcb
0x00062dcd
0x00062dcf
0x00062dd2
0x00062dd6
0x00062ddc
0x00062ddf
0x00062de2
0x00062de4
0x00062df0
0x00062df0
0x00062de6
0x00062de6
0x00062de9
0x00062de9
0x00062df2
0x00062df6
0x00062df8
0x00062dfb
0x00062dfb
0x00062e00
0x00062e03
0x00062e0c
0x00062f34
0x00062f40
0x00062f45
0x00062f4d
0x00000000
0x00000000
0x00000000
0x00062e12
0x00062e12
0x00062e12
0x00062e18
0x00000000
0x00000000
0x00062e21
0x00062e23
0x00062e27
0x00062e2f
0x00062e32
0x00062e38
0x00062e67
0x00062e69
0x00062e6f
0x00062e6f
0x00062e71
0x00062e79
0x00062e80
0x00062e88
0x00062e9e
0x00062ea4
0x00062ea7
0x00062ea9
0x00062ea9
0x00062ea9
0x00062ea9
0x00062eb0
0x00062eb3
0x00062f21
0x00062f21
0x00062f24
0x00062f29
0x00000000
0x00000000
0x00000000
0x00062f29
0x00062e3a
0x00062e42
0x00062e53
0x00062e56
0x00062e58
0x00062e58
0x00062e62
0x00062e65
0x00062ebf
0x00062ec2
0x00062ef2
0x00062ef7
0x00062efa
0x00062f04
0x00062f1b
0x00062f1d
0x00062f1d
0x00000000
0x00062f1b
0x00062efc
0x00062eff
0x00062f02
0x00000000
0x00000000
0x00000000
0x00062f02
0x00062ed0
0x00062ed6
0x00062ed9
0x00062edb
0x00062edb
0x00062edb
0x00062edb
0x00062edf
0x00062ee2
0x00062ee4
0x00062ee6
0x00062ee7
0x00062eea
0x00062eeb
0x00062eeb
0x00000000
0x00000000
0x00000000
0x00000000
0x00062e65
0x00062e44
0x00000000
0x00062e44
0x00062f32
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00062DC6
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 00062F12

Part of subcall function 0005C37C: _malloc.LIBCMT ref: 0005C39A

SendDlgItemMessageW.USER32 ref: 00062E9E

Part of subcall function 00072F05: __EH_prolog3.LIBCMT ref: 00072F0C

SendDlgItemMessageW.USER32 ref: 00062ED0

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ItemMessageSend$H_prolog3$_malloc
String ID:
API String ID: 2480034192-0
Opcode ID: 832c48b4283424ae6e9405bce827a2bb7bce375ed009667fe4fb507c1f533d07
Instruction ID: 3e6ca95bdb7ec60fe2910cd78a5ab5fddcf64225dc6336c492e1229a5aeefa63
Opcode Fuzzy Hash: 832c48b4283424ae6e9405bce827a2bb7bce375ed009667fe4fb507c1f533d07
Instruction Fuzzy Hash: 6A41DCB0900905ABDF65AFA8CC00BBE7AF6EB54320F504239F965AB2D1CB714E82D754

Uniqueness

Uniqueness Score: -1.00%

Function 00154F47 Relevance: 6.1, APIs: 4, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00154F47(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t56;
				signed int _t60;
				void* _t65;
				signed int _t66;
				signed int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t79;
				signed int _t81;
				signed int _t85;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				intOrPtr* _t96;
				void* _t97;

				_t92 = _a8;
				if(_t92 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t96 = _a16;
					_t100 = _t96;
					if(_t96 != 0) {
						_t79 = _a4;
						__eflags = _t79;
						if(__eflags == 0) {
							goto L3;
						}
						_t60 = _t56 | 0xffffffff;
						_t88 = _t60 % _t92;
						__eflags = _a12 - _t60 / _t92;
						if(__eflags > 0) {
							goto L3;
						}
						_t93 = _t92 * _a12;
						__eflags =  *(_t96 + 0xc) & 0x0000010c;
						_v8 = _t79;
						_v16 = _t93;
						_t78 = _t93;
						if(( *(_t96 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t96 + 0x18);
						}
						__eflags = _t93;
						if(_t93 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t81 =  *(_t96 + 0xc) & 0x00000108;
								__eflags = _t81;
								if(_t81 == 0) {
									L18:
									__eflags = _t78 - _v12;
									if(_t78 < _v12) {
										_t65 = E001583F9(_t88, _t93,  *_v8, _t96);
										__eflags = _t65 - 0xffffffff;
										if(_t65 == 0xffffffff) {
											L34:
											_t66 = _t93;
											L35:
											return (_t66 - _t78) / _a8;
										}
										_v8 = _v8 + 1;
										_t69 =  *(_t96 + 0x18);
										_t78 = _t78 - 1;
										_v12 = _t69;
										__eflags = _t69;
										if(_t69 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t81;
									if(_t81 == 0) {
										L21:
										__eflags = _v12;
										_t94 = _t78;
										if(_v12 != 0) {
											_t72 = _t78;
											_t88 = _t72 % _v12;
											_t94 = _t94 - _t72 % _v12;
											__eflags = _t94;
										}
										_push(_t94);
										_push(_v8);
										_push(E0015496F(_t96));
										_t71 = E00160756(_t78, _t88, _t94, _t96, __eflags);
										_t97 = _t97 + 0xc;
										__eflags = _t71 - 0xffffffff;
										if(_t71 == 0xffffffff) {
											L36:
											 *(_t96 + 0xc) =  *(_t96 + 0xc) | 0x00000020;
											_t66 = _v16;
											goto L35;
										} else {
											_t85 = _t94;
											__eflags = _t71 - _t94;
											if(_t71 <= _t94) {
												_t85 = _t71;
											}
											_v8 = _v8 + _t85;
											_t78 = _t78 - _t85;
											__eflags = _t71 - _t94;
											if(_t71 < _t94) {
												goto L36;
											} else {
												L27:
												_t93 = _v16;
												goto L31;
											}
										}
									}
									_t74 = E00155574(_t88, _t96);
									__eflags = _t74;
									if(_t74 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t75 =  *(_t96 + 4);
								__eflags = _t75;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t45 = _t96 + 0xc;
									 *_t45 =  *(_t96 + 0xc) | 0x00000020;
									__eflags =  *_t45;
									goto L34;
								}
								_t95 = _t78;
								__eflags = _t78 - _t75;
								if(_t78 >= _t75) {
									_t95 = _t75;
								}
								E00155F30( *_t96, _v8, _t95);
								 *(_t96 + 4) =  *(_t96 + 4) - _t95;
								 *_t96 =  *_t96 + _t95;
								_t97 = _t97 + 0xc;
								_t78 = _t78 - _t95;
								_v8 = _v8 + _t95;
								goto L27;
								L31:
								__eflags = _t78;
							} while (_t78 != 0);
							goto L32;
						}
					}
					L3:
					 *((intOrPtr*)(E00151F1F(_t100))) = 0x16;
					E00159345();
					goto L4;
				}
			}

0x00154f52
0x00154f57
0x00154f76
0x00000000
0x00154f5f
0x00154f5f
0x00154f62
0x00154f64
0x00154f7d
0x00154f80
0x00154f82
0x00000000
0x00000000
0x00154f84
0x00154f89
0x00154f8b
0x00154f8e
0x00000000
0x00000000
0x00154f90
0x00154f94
0x00154f9b
0x00154f9e
0x00154fa1
0x00154fa3
0x00154fad
0x00154fa5
0x00154fa8
0x00154fa8
0x00154fb4
0x00154fb6
0x0015507b
0x00000000
0x00154fbc
0x00154fbc
0x00154fbf
0x00154fbf
0x00154fc5
0x00154ff6
0x00154ff6
0x00154ff9
0x00155052
0x00155059
0x0015505c
0x00155087
0x00155087
0x00155089
0x00000000
0x0015508d
0x0015505e
0x00155061
0x00155064
0x00155065
0x00155068
0x0015506a
0x0015506c
0x0015506c
0x00000000
0x0015506a
0x00154ffb
0x00154ffd
0x0015500a
0x0015500a
0x0015500e
0x00155010
0x00155014
0x00155016
0x00155019
0x00155019
0x00155019
0x0015501b
0x0015501c
0x00155026
0x00155027
0x0015502c
0x0015502f
0x00155032
0x00155095
0x00155095
0x00155099
0x00000000
0x00155034
0x00155034
0x00155036
0x00155038
0x0015503a
0x0015503a
0x0015503c
0x0015503f
0x00155041
0x00155043
0x00000000
0x00155045
0x00155045
0x00155045
0x00000000
0x00155045
0x00155043
0x00155032
0x00155000
0x00155006
0x00155008
0x00000000
0x00000000
0x00000000
0x00155008
0x00154fc7
0x00154fca
0x00154fcc
0x00000000
0x00000000
0x00154fce
0x00155083
0x00155083
0x00155083
0x00000000
0x00155083
0x00154fd4
0x00154fd6
0x00154fd8
0x00154fda
0x00154fda
0x00154fe2
0x00154fe7
0x00154fea
0x00154fec
0x00154fef
0x00154ff1
0x00000000
0x00155073
0x00155073
0x00155073
0x00000000
0x00154fbc
0x00154fb6
0x00154f66
0x00154f6b
0x00154f71
0x00000000
0x00154f71

APIs

_memmove.LIBCMT ref: 00154FE2
__flush.LIBCMT ref: 00155000
__write.LIBCMT ref: 00155027
__flsbuf.LIBCMT ref: 00155052

Part of subcall function 00151F1F: __getptd_noexit.LIBCMT ref: 00151F1F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: f6e78f887eef2fae663c9271faf61855c0870aeccefb3a05fd6fbeaee8b34b8f
Instruction ID: 7128c27df8557ee1dea377577e05d2d98b809734c18812b7298f6c34b85408da
Opcode Fuzzy Hash: f6e78f887eef2fae663c9271faf61855c0870aeccefb3a05fd6fbeaee8b34b8f
Instruction Fuzzy Hash: C941E631A00A04DFDB24CF6D88546AFBBB6AF80366F254129FC359F180D771DE898B80

Uniqueness

Uniqueness Score: -1.00%

Function 0006E1E4 Relevance: 6.1, APIs: 4, Instructions: 121
registryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0006E1E4(void* __ecx, intOrPtr* _a4, WCHAR* _a8, short* _a12, WCHAR* _a16) {
				int* _v8;
				char _v16;
				signed int _v20;
				short _v8212;
				WCHAR* _v8216;
				char _v8220;
				void* _v8224;
				long _v8228;
				int _v8232;
				int _v8236;
				short* _v8240;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t44;
				signed int _t45;
				WCHAR* _t47;
				void* _t53;
				long _t58;
				intOrPtr* _t71;
				intOrPtr _t72;
				void* _t83;
				WCHAR* _t88;
				short* _t90;
				intOrPtr _t91;
				intOrPtr _t95;
				void* _t97;
				signed int _t98;

				_t73 = __ecx;
				_push(0xffffffff);
				_push(0x16906c);
				_push( *[fs:0x0]);
				E00153C00(0x2020);
				_t44 =  *0x1c0454; // 0x885926af
				_t45 = _t44 ^ _t98;
				_v20 = _t45;
				_push(_t45);
				 *[fs:0x0] =  &_v16;
				_t90 = _a12;
				_t88 = _a16;
				_t71 = _a4;
				_t47 = _a8;
				_v8240 = _t90;
				_v8216 = _t88;
				_v8228 = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					if(_t88 == 0) {
						_v8216 = 0x1a18c0;
					}
					GetPrivateProfileStringW(_t47, _t90, _v8216,  &_v8212, 0x1000,  *(_t73 + 0x6c));
					_push( &_v8212);
					goto L12;
				} else {
					_t53 = E0006DDE0(__ecx, _t47, 0);
					_v8224 = _t53;
					if(_t53 != 0) {
						E00051110( &_v8220, E00065761());
						_v8 = 0;
						_v8236 = 0;
						_v8232 = 0;
						_t58 = RegQueryValueExW(_v8224, _t90, 0,  &_v8236, 0,  &_v8232);
						_v8228 = _t58;
						if(_t58 == 0) {
							_v8228 = RegQueryValueExW(_v8224, _v8240, 0,  &_v8236, E000512F0( &_v8220, _v8232 >> 1),  &_v8232);
							E000561B0(_t71,  &_v8220, RegQueryValueExW, 0xffffffff);
						}
						RegCloseKey(_v8224);
						if(_v8228 != 0) {
							E00056620(_t71, _v8216);
							_t83 = _v8220 + 0xfffffff0;
						} else {
							_t97 = _v8220 + 0xfffffff0;
							 *_t71 = E000541F0(_t97) + 0x10;
							_t83 = _t97;
						}
						E00051190(_t83, _t88);
					} else {
						_push(_v8216);
						L12:
						E00056620(_t71);
					}
				}
				 *[fs:0x0] = _v16;
				_pop(_t91);
				_pop(_t95);
				_pop(_t72);
				return E00150836(_t71, _t72, _v20 ^ _t98, _t88, _t91, _t95);
			}

0x0006e1e4
0x0006e1e9
0x0006e1eb
0x0006e1f6
0x0006e1fc
0x0006e201
0x0006e206
0x0006e208
0x0006e20e
0x0006e212
0x0006e218
0x0006e21b
0x0006e21e
0x0006e221
0x0006e226
0x0006e22c
0x0006e232
0x0006e23b
0x0006e337
0x0006e339
0x0006e339
0x0006e35a
0x0006e366
0x00000000
0x0006e241
0x0006e243
0x0006e248
0x0006e250
0x0006e269
0x0006e28b
0x0006e28e
0x0006e294
0x0006e29a
0x0006e29c
0x0006e2a4
0x0006e2e0
0x0006e2e6
0x0006e2e6
0x0006e2f1
0x0006e2fd
0x0006e325
0x0006e330
0x0006e2ff
0x0006e305
0x0006e312
0x0006e314
0x0006e314
0x0006e316
0x0006e252
0x0006e252
0x0006e367
0x0006e369
0x0006e369
0x0006e250
0x0006e373
0x0006e37b
0x0006e37c
0x0006e37d
0x0006e389

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0006E29A
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0006E2D6
RegCloseKey.ADVAPI32(?), ref: 0006E2F1
GetPrivateProfileStringW.KERNEL32(?,?,?,?,00001000,?), ref: 0006E35A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: QueryValue$ClosePrivateProfileString
String ID:
API String ID: 1042844925-0
Opcode ID: 75edf6eca89c1f273c39f333ae73855abf3101b21f54fe2ea884e56eb1848573
Instruction ID: 47eaecbf31b5e2f08b5f7e95d7304990a51ac91ac80460cc9ea127ad239482cb
Opcode Fuzzy Hash: 75edf6eca89c1f273c39f333ae73855abf3101b21f54fe2ea884e56eb1848573
Instruction Fuzzy Hash: C8413F75D00328EBDB369F14CC4CADEB7B9EB48310F10419AF519A3292D7305A99DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0007EAA6 Relevance: 6.1, APIs: 4, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0007EAA6(void* __ecx) {
				intOrPtr _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t66;
				void* _t77;
				intOrPtr _t80;
				void* _t96;
				intOrPtr _t97;
				intOrPtr _t98;
				intOrPtr _t99;

				_t96 = __ecx;
				_t97 =  *0x1c3b18; // 0x0
				if(_t97 != 0) {
					 *0x1c48b8 = 0;
				}
				 *((intOrPtr*)(_t96 + 0xea8)) = 0;
				 *((intOrPtr*)(_t96 + 0x128)) = 0;
				 *((intOrPtr*)(_t96 + 0x12c)) = 0;
				 *((intOrPtr*)(_t96 + 0x130)) = 0;
				 *((intOrPtr*)(_t96 + 0x134)) = 0;
				 *((intOrPtr*)(_t96 + 0x148)) = 0;
				 *((intOrPtr*)(_t96 + 0x120)) = 1;
				 *((intOrPtr*)(_t96 + 0xeac)) = 1;
				 *((intOrPtr*)(_t96 + 0x138)) = 0;
				 *((intOrPtr*)(_t96 + 0x13c)) = 0;
				 *((intOrPtr*)(_t96 + 0xed8)) = 0;
				 *((intOrPtr*)(_t96 + 0xedc)) = 0;
				 *((intOrPtr*)(_t96 + 0xec4)) = 0;
				_t66 = E000748C1(0);
				asm("sbb eax, eax");
				 *(_t96 + 0xf20) =  *(_t96 + 0xf20) | 0xffffffff;
				 *(_t96 + 0xec8) =  *(_t96 + 0xec8) | 0xffffffff;
				 *((intOrPtr*)(_t96 + 0xee8)) =  ~_t66 + 1;
				 *((intOrPtr*)(_t96 + 0xeec)) = 0;
				 *((intOrPtr*)(_t96 + 0xef0)) = 0;
				 *((intOrPtr*)(_t96 + 0xef4)) = 0;
				 *((intOrPtr*)(_t96 + 0xec0)) = 0;
				 *((intOrPtr*)(_t96 + 0xebc)) = 0;
				 *((intOrPtr*)(_t96 + 0xecc)) = 0;
				 *((intOrPtr*)(_t96 + 0xed4)) = 0;
				SetRectEmpty(_t96 + 0xef8);
				SetRectEmpty(_t96 + 0xf08);
				_v8 =  *((intOrPtr*)( *((intOrPtr*)(E00074709(1, 0, _t96, _t97))) + 0x2e8))() + _t74;
				_t77 = E00099C98( &_v16, 1,  &_v16);
				 *((intOrPtr*)(_t96 + 0xf18)) = 0;
				 *((intOrPtr*)(_t96 + 0xf1c)) =  *((intOrPtr*)(_t77 + 4)) + _v8;
				 *((intOrPtr*)(_t96 + 0xee0)) = 1;
				 *((intOrPtr*)(_t96 + 0xee4)) = 1;
				_t98 =  *0x1be4e0; // 0x1
				if(_t98 == 0) {
					L6:
					_t80 = 0;
					__eflags = 0;
				} else {
					_t99 =  *0x1c3f04; // 0x0
					if(_t99 != 0) {
						goto L6;
					} else {
						_t100 =  *0x1c3b44 - 8;
						if( *0x1c3b44 <= 8) {
							goto L6;
						} else {
							_t80 =  *((intOrPtr*)(E00074709(1, 0, _t96, _t100) + 0x98));
						}
					}
				}
				 *((intOrPtr*)(_t96 + 0xfc0)) = _t80;
				 *((intOrPtr*)(_t96 + 0xf24)) = 0;
				if(E000748C1(0) == 3 &&  *0x1c3b44 <= 8) {
					 *0x1c48b8 = 0;
					 *((intOrPtr*)(_t96 + 0xee8)) = 1;
				}
				 *((intOrPtr*)(_t96 + 0xfd8)) = 0;
				 *((intOrPtr*)(_t96 + 0xfdc)) = 0;
				SetRectEmpty(_t96 + 0xfe0);
				 *((intOrPtr*)(_t96 + 0x1090)) = 0;
				 *((intOrPtr*)(_t96 + 0xea4)) = 0;
				 *((intOrPtr*)(_t96 + 0x124)) = 0;
				 *((intOrPtr*)(_t96 + 0xeb0)) = 0;
				 *((intOrPtr*)(_t96 + 0xeb8)) = 0;
				 *((intOrPtr*)(_t96 + 0x10b0)) = 0;
				 *((intOrPtr*)(_t96 + 0x10b8)) = 2;
				 *((intOrPtr*)(_t96 + 0x10b4)) = 0;
				 *((intOrPtr*)(_t96 + 0x10bc)) = 0;
				 *((intOrPtr*)(_t96 + 0x10c0)) = 0;
				 *((intOrPtr*)(_t96 + 0xed0)) = 0;
				 *((intOrPtr*)(_t96 + 0x108c)) = 0;
				 *((intOrPtr*)(_t96 + 0x1094)) = 0;
				SetRectEmpty(_t96 + 0x10a0);
				 *((intOrPtr*)(_t96 + 0x1080)) = 0;
				 *((intOrPtr*)(_t96 + 0x1084)) = 0;
				 *((intOrPtr*)(_t96 + 0x1088)) = 0;
				 *((intOrPtr*)(_t96 + 0x109c)) = 0;
				 *((intOrPtr*)(_t96 + 0xeb4)) = 0;
				 *((intOrPtr*)(_t96 + 0xfd4)) = 0;
				 *((intOrPtr*)(_t96 + 0x1098)) = 0;
				return 0;
			}

0x0007eab3
0x0007eab5
0x0007eabb
0x0007eabd
0x0007eabd
0x0007eac9
0x0007eacf
0x0007ead5
0x0007eadb
0x0007eae1
0x0007eae7
0x0007eaed
0x0007eaf3
0x0007eaf9
0x0007eaff
0x0007eb05
0x0007eb0b
0x0007eb11
0x0007eb17
0x0007eb1e
0x0007eb20
0x0007eb27
0x0007eb2f
0x0007eb3c
0x0007eb42
0x0007eb48
0x0007eb4e
0x0007eb54
0x0007eb5a
0x0007eb60
0x0007eb66
0x0007eb73
0x0007eb8a
0x0007eb91
0x0007eb9c
0x0007eba2
0x0007eba8
0x0007ebae
0x0007ebb4
0x0007ebba
0x0007ebda
0x0007ebda
0x0007ebda
0x0007ebbc
0x0007ebbc
0x0007ebc2
0x00000000
0x0007ebc4
0x0007ebc4
0x0007ebcb
0x00000000
0x0007ebcd
0x0007ebd2
0x0007ebd2
0x0007ebcb
0x0007ebc2
0x0007ebdd
0x0007ebe3
0x0007ebf1
0x0007ebfc
0x0007ec02
0x0007ec02
0x0007ec15
0x0007ec1b
0x0007ec21
0x0007ec25
0x0007ec32
0x0007ec38
0x0007ec3e
0x0007ec44
0x0007ec4a
0x0007ec50
0x0007ec5a
0x0007ec60
0x0007ec66
0x0007ec6c
0x0007ec72
0x0007ec78
0x0007ec7e
0x0007ec80
0x0007ec86
0x0007ec8c
0x0007ec92
0x0007ec98
0x0007ec9e
0x0007eca7
0x0007ecb0

APIs

SetRectEmpty.USER32 ref: 0007EB66
SetRectEmpty.USER32 ref: 0007EB73
SetRectEmpty.USER32 ref: 0007EC21
SetRectEmpty.USER32 ref: 0007EC7E

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 3a2effa15ee2957e4d4e10380dc221df2752498921dcf146f697409d64d981f9
Instruction ID: 9eab3e31b0b777e06499ca49db229e4597235c0179ee67cc014685a8eb3d4c80
Opcode Fuzzy Hash: 3a2effa15ee2957e4d4e10380dc221df2752498921dcf146f697409d64d981f9
Instruction Fuzzy Hash: FC519BB1905B858ED360CF7AC9806E6FAE8FF99300F104A2FD0AED2661D7B065818F54

Uniqueness

Uniqueness Score: -1.00%

Function 001633CF Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E001633CF(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E001511E1( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E0015586F( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00151F1F(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x001633d9
0x001633e0
0x001633f7
0x00000000
0x001633e7
0x001633e9
0x00163403
0x00163408
0x0016340b
0x0016340e
0x00163436
0x0016343d
0x0016343f
0x001634c0
0x001634db
0x001634dd
0x0016341d
0x0016341d
0x00163420
0x00163422
0x00163425
0x00163425
0x00163425
0x00163425
0x00000000
0x0016342b
0x0016349f
0x0016349f
0x001634a4
0x001634aa
0x001634ad
0x001634af
0x001634b2
0x001634b2
0x001634b2
0x001634b2
0x00000000
0x001634b6
0x00163441
0x00163444
0x0016344a
0x0016344d
0x00163474
0x00163477
0x0016347d
0x00000000
0x00000000
0x0016347f
0x00163482
0x00000000
0x00000000
0x00163484
0x00163484
0x0016348a
0x0016348d
0x001633fc
0x001633fc
0x00163496
0x00000000
0x00163496
0x0016344f
0x00163452
0x00000000
0x00000000
0x00163456
0x00163467
0x0016346d
0x0016346f
0x00163472
0x00000000
0x00000000
0x00000000
0x00163472
0x00163410
0x00163413
0x00163415
0x0016341a
0x0016341a
0x00000000
0x001633eb
0x001633eb
0x001633f0
0x001633f4
0x001633f4
0x00000000
0x001633f0
0x001633e9

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00163403
__isleadbyte_l.LIBCMT ref: 00163436
MultiByteToWideChar.KERNEL32(00000080,00000009,0015094E,?,00000000,00000000,?,?,?,?,0015094E,00000000), ref: 00163467
MultiByteToWideChar.KERNEL32(00000080,00000009,0015094E,00000001,00000000,00000000,?,?,?,?,0015094E,00000000), ref: 001634D5

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8b3b8ae2d37b9892eff49f6672c482e21c040d3759e03c01fb3f4c67efdc73f8
Instruction ID: 243b3f385b8e7bfd5771f17eaafcbf1352e85d342f4439723df1694b348c4d82
Opcode Fuzzy Hash: 8b3b8ae2d37b9892eff49f6672c482e21c040d3759e03c01fb3f4c67efdc73f8
Instruction Fuzzy Hash: 24319D31A00245EFDB26DF68CC859BABBB5FF01311B1585A9E5B18B291DB30DEA0DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00085ED4 Relevance: 6.1, APIs: 4, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00085ED4(int __ecx, intOrPtr _a4) {
				int _v8;
				struct tagPOINT _v16;
				signed int _t30;
				void* _t31;
				signed int _t36;
				signed int _t38;
				signed int _t48;
				signed int _t49;
				intOrPtr _t70;
				signed int _t71;

				_t70 = _a4;
				_v8 = __ecx;
				if( *((intOrPtr*)(_t70 + 0x20)) != 0xfffffffe) {
					_t30 = E0006EA25(0x188f18, _t70);
					__eflags = _t30;
					if(_t30 == 0) {
						__eflags =  *(_t70 + 0x24) & 0x00040000;
						if(( *(_t70 + 0x24) & 0x00040000) != 0) {
							L12:
							_t31 = 0;
							__eflags = 0;
							L13:
							return _t31;
						}
						L6:
						__eflags =  *((intOrPtr*)(_t70 + 0x20)) - 0xffffffff;
						if( *((intOrPtr*)(_t70 + 0x20)) == 0xffffffff) {
							goto L12;
						}
						_t71 = E0006EA25(0x1bddfc, _t70);
						__eflags = _t71;
						if(__eflags == 0) {
							L19:
							E00085805(_v8, 0x40000, __eflags,  *((intOrPtr*)(_t70 + 0x20)), _t70);
							L20:
							_t31 = 1;
							goto L13;
						}
						_t36 =  *((intOrPtr*)( *_t71 + 0xec))();
						__eflags = _t36;
						if(_t36 == 0) {
							L15:
							__eflags =  *(_t71 + 0x8c);
							if( *(_t71 + 0x8c) != 0) {
								goto L12;
							}
							_t38 =  *((intOrPtr*)( *_t71 + 0xe4))();
							__eflags = _t38;
							if(_t38 != 0) {
								goto L20;
							}
							__eflags = E0006EA07(_t71, 0x18942c);
							if(__eflags == 0) {
								goto L19;
							}
							 *((intOrPtr*)( *_t71 + 0x20))(_v8, 0);
							goto L20;
						}
						_v16.x = 0;
						_v16.y = 0;
						GetCursorPos( &_v16);
						ScreenToClient( *(_v8 + 0x20),  &_v16);
						_push(_v16.y);
						_t20 = _t71 + 0xd8; // 0xd8
						_t48 = PtInRect(_t20, _v16);
						__eflags = _t48;
						if(_t48 != 0) {
							goto L20;
						}
						_t49 =  *(_t71 + 0x8c);
						__eflags = _t49;
						if(_t49 == 0) {
							goto L15;
						}
						PostMessageW( *(_t49 + 0x20), 0x10, 0, 0);
						goto L12;
					}
					__eflags =  *(_t70 + 0x24) & 0x00040000;
					if(( *(_t70 + 0x24) & 0x00040000) == 0) {
						goto L6;
					}
					 *((intOrPtr*)( *_t30 + 0xe4))();
					goto L20;
				}
				return 1;
			}

0x00085ede
0x00085ee5
0x00085ee8
0x00085ef9
0x00085f07
0x00085f09
0x00085f1f
0x00085f22
0x00085f9d
0x00085f9d
0x00085f9d
0x00085f9f
0x00000000
0x00085f9f
0x00085f24
0x00085f24
0x00085f28
0x00000000
0x00000000
0x00085f35
0x00085f39
0x00085f3b
0x00085fd9
0x00085fe0
0x00085fe5
0x00085fe7
0x00000000
0x00085fe7
0x00085f45
0x00085f4b
0x00085f4d
0x00085fa6
0x00085fa6
0x00085fac
0x00000000
0x00000000
0x00085fb2
0x00085fb8
0x00085fba
0x00000000
0x00000000
0x00085fc8
0x00085fca
0x00000000
0x00000000
0x00085fd4
0x00000000
0x00085fd4
0x00085f53
0x00085f56
0x00085f59
0x00085f69
0x00085f6f
0x00085f72
0x00085f7c
0x00085f82
0x00085f84
0x00000000
0x00000000
0x00085f86
0x00085f8c
0x00085f8e
0x00000000
0x00000000
0x00085f97
0x00000000
0x00085f97
0x00085f0b
0x00085f0e
0x00000000
0x00000000
0x00085f14
0x00000000
0x00085f14
0x00000000

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Parent$MessageSend
String ID:
API String ID: 2251359880-0
Opcode ID: 16c5d946013572879c8e199eb90e5d4d40485ff0f266828187bd4a9c42bb4116
Instruction ID: 47ecc6c4f83d41df8ec2e4b91e2a28cb7e5eddeadbdfddd12bf2177bffef8a5f
Opcode Fuzzy Hash: 16c5d946013572879c8e199eb90e5d4d40485ff0f266828187bd4a9c42bb4116
Instruction Fuzzy Hash: FC31A271604A05EFCB24AFA4DD48E9E7BF9FF44306B2045B9F28AD6192EB309D40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 000B637C Relevance: 6.1, APIs: 4, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E000B637C(intOrPtr __ecx, intOrPtr __edx, intOrPtr __esi, struct tagRECT* _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				signed int _t32;
				long _t51;
				int _t56;
				long _t59;
				struct tagRECT* _t62;
				long _t68;
				long _t72;
				intOrPtr _t73;
				intOrPtr _t74;
				signed int _t77;

				_t75 = __esi;
				_t73 = __edx;
				_t32 =  *0x1c0454; // 0x885926af
				_v8 = _t32 ^ _t77;
				_t62 = _a4;
				_t74 = __ecx;
				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))) + 0x19c))() != 0) {
					_push(__esi);
					_v28 = E00063445( *((intOrPtr*)(__ecx + 4))) & 0x00400000;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))) + 0x1bc))();
					asm("sbb esi, esi");
					GetWindowRect( *( *((intOrPtr*)(__ecx + 4)) + 0x20), _t62);
					__eflags = 0;
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetClientRect( *( *((intOrPtr*)(_t74 + 4)) + 0x20),  &_v24);
					E0006636C( *((intOrPtr*)(_t74 + 4)),  &_v24);
					_pop(_t75);
					if(__eflags == 0) {
						_t68 = _t62->bottom;
						_t51 = _v24.top - 1;
						__eflags = _t68 - _t51;
						if(_t68 < _t51) {
							_t51 = _t68;
						}
						_t62->bottom = _t51;
					} else {
						__eflags = _v28;
						if(_v28 == 0) {
							_t72 = _t62->right;
							_t59 = _v24.left - 1;
							__eflags = _t72 - _t59;
							if(_t72 < _t59) {
								_t59 = _t72;
							}
							_t62->right = _t59;
						} else {
							_t62->left = _v24.right - 1;
						}
					}
					__eflags = _a8;
					if(_a8 == 0) {
						_t56 = OffsetRect(_t62,  ~(_t62->left),  ~(_t62->top));
					} else {
						_t56 = E0006632B( *((intOrPtr*)(_t74 + 4)), _t62);
					}
				} else {
					_t56 = SetRectEmpty(_t62);
				}
				return E00150836(_t56, _t62, _v8 ^ _t77, _t73, _t74, _t75);
			}

0x000b637c
0x000b637c
0x000b6384
0x000b638b
0x000b638f
0x000b6393
0x000b63a2
0x000b63b3
0x000b63c1
0x000b63c6
0x000b63d3
0x000b63dc
0x000b63e2
0x000b63e4
0x000b63e7
0x000b63ea
0x000b63ed
0x000b63fa
0x000b6407
0x000b640e
0x000b640f
0x000b6434
0x000b6437
0x000b6438
0x000b643a
0x000b643c
0x000b643c
0x000b643e
0x000b6411
0x000b6411
0x000b6415
0x000b6422
0x000b6425
0x000b6426
0x000b6428
0x000b642a
0x000b642a
0x000b642c
0x000b6417
0x000b641b
0x000b641b
0x000b6415
0x000b6441
0x000b6445
0x000b645e
0x000b6447
0x000b644b
0x000b644b
0x000b63a4
0x000b63a5
0x000b63a5
0x000b6471

APIs

SetRectEmpty.USER32 ref: 000B63A5
GetWindowRect.USER32(?,?), ref: 000B63DC
GetClientRect.USER32 ref: 000B63FA

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: 0ee73be564be6b9d2ee3a4c96d91027ed7de986476d7e15aafb1db4e42dda08e
Instruction ID: 15b833a3cee5b95bd1417de50bafda4449a8aa3b1535bf1267c8a1a435496069
Opcode Fuzzy Hash: 0ee73be564be6b9d2ee3a4c96d91027ed7de986476d7e15aafb1db4e42dda08e
Instruction Fuzzy Hash: 58315E71600619EFCB44DF68C985AAEB7F5FF09300B108169E40ADB651DB35ED40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00120185 Relevance: 6.1, APIs: 4, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00120185(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				char _v40;
				RECT* _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t32;
				intOrPtr _t46;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t57;

				_t52 = __edx;
				_t32 =  *0x1c0454; // 0x885926af
				_v8 = _t32 ^ _t57;
				_t46 = __ecx;
				_t34 =  *((intOrPtr*)(__ecx + 0x48));
				_t56 = 0;
				if(_t34 != 0) {
					_t50 =  *((intOrPtr*)(_t34 + 0x1b8));
					_v44 = 0;
					if(_t50 != 0 &&  *((intOrPtr*)(_t50 + 8)) != 0 &&  *((intOrPtr*)(_t50 + 4)) != 0) {
						_v44 = 1;
						E000FE3C8(_t50);
					}
					_v24.left = _t56;
					_v24.top = _t56;
					_v24.right = _t56;
					_v24.bottom = _t56;
					SetRectEmpty( &_v24);
					_t56 = _t46 + 0x1c;
					if(IsRectEmpty(_t46 + 0x1c) != 0) {
						_t56 = _t46 + 0xc;
					}
					_push(_t53);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if( *((intOrPtr*)(_t46 + 0x34)) != 0xffffffff) {
						 *((intOrPtr*)(_t46 + 0x2c)) = 1;
					} else {
						_t64 = _v44;
						if(_v44 == 0) {
							_push(4);
							_push( *((intOrPtr*)(_t46 + 0x40)));
							_push(0);
							_push( &_v40);
							_push( &_v24);
							_t50 = _t46;
							_t34 = E0011FE57(_t46, _t46, _t52, 0, _t56, _t64);
						}
					}
					if(_a4 != 0) {
						_t50 = _t46;
						E0012007F(_t46, 0, 0);
						_t56 = SetRectEmpty;
						SetRectEmpty(_t46 + 0x1c);
						SetRectEmpty(_t46 + 0xc);
						_t34 =  *((intOrPtr*)(_t46 + 0x4c));
						 *((intOrPtr*)(_t46 + 0x38)) =  *((intOrPtr*)(_t46 + 0x4c));
						 *((intOrPtr*)(_t46 + 0x4c)) = 0;
					}
					 *((intOrPtr*)(_t46 + 0x30)) = 0;
					if(_t46 == 0) {
						_t34 = E000655E0(_t50);
					}
					if(_v44 == 0) {
						_t34 = E000A2233(0);
					}
					_pop(_t53);
				}
				return E00150836(_t34, _t46, _v8 ^ _t57, _t52, _t53, _t56);
			}

0x00120185
0x0012018d
0x00120194
0x00120198
0x0012019a
0x0012019e
0x001201a2
0x001201a8
0x001201ae
0x001201b3
0x001201bf
0x001201c6
0x001201c6
0x001201cf
0x001201d2
0x001201d5
0x001201d8
0x001201db
0x001201e1
0x001201ed
0x001201ef
0x001201ef
0x001201f2
0x001201f6
0x001201f7
0x001201f8
0x001201f9
0x00120200
0x0012021e
0x00120202
0x00120202
0x00120205
0x00120207
0x00120209
0x0012020f
0x00120210
0x00120214
0x00120215
0x00120217
0x00120217
0x00120205
0x00120228
0x0012022b
0x0012022d
0x00120232
0x0012023c
0x00120242
0x00120244
0x00120247
0x0012024a
0x0012024a
0x0012024d
0x00120255
0x00120257
0x00120257
0x0012025f
0x00120264
0x00120264
0x00120269
0x00120269
0x00120277

APIs

SetRectEmpty.USER32 ref: 001201DB
IsRectEmpty.USER32 ref: 001201E5
SetRectEmpty.USER32 ref: 0012023C
SetRectEmpty.USER32 ref: 00120242

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: be905f739caffa06f46ce838ac9a19a485bfaf99ee095d49a2f009215455b77d
Instruction ID: 2e9a15293375173b7911a3aa30bc7ad2a87d6225857816deb58e9a576e6d2f24
Opcode Fuzzy Hash: be905f739caffa06f46ce838ac9a19a485bfaf99ee095d49a2f009215455b77d
Instruction Fuzzy Hash: 80318D71900228DBCF16DF98D8C499EB7B9EF4C710F20416BE905AB147D771DA95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00085B7F Relevance: 6.1, APIs: 4, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00085B7F(signed int __ecx, intOrPtr __edx, intOrPtr __edi, int _a4, struct tagPOINT _a8, signed short _a12) {
				signed int _v8;
				struct tagRECT _v24;
				void* __ebx;
				void* __esi;
				signed int _t30;
				int _t33;
				intOrPtr* _t37;
				void* _t56;
				signed int _t57;
				signed int _t58;
				int _t60;

				_t55 = __edi;
				_t54 = __edx;
				_t30 =  *0x1c0454; // 0x885926af
				_v8 = _t30 ^ _t58;
				_t57 = __ecx;
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				_t33 = GetClientRect( *(__ecx + 0x20),  &_v24);
				if( *((intOrPtr*)(_t57 + 0xce8)) != 0) {
					L6:
					__eflags =  *0x1c3f04; // 0x0
					if(__eflags == 0) {
						_t33 =  *(_t57 + 0xb7c);
						__eflags = _t33;
						if(_t33 >= 0) {
							 *(_t57 + 0xb78) = _t33;
						}
					}
					L9:
					 *((intOrPtr*)(_t57 + 0xce8)) = 0;
					__eflags =  *(_t57 + 0xcfc);
					if( *(_t57 + 0xcfc) != 0) {
						_t33 = E00079FFD(_t57, _t54, _a4, _a8.x, _a12);
					}
					L11:
					return E00150836(_t33, 0, _v8 ^ _t58, _t54, _t55, _t57);
				}
				_t60 =  *0x1c3f04; // 0x0
				if(_t60 != 0) {
					goto L9;
				}
				_push(_a12);
				_t33 = PtInRect( &_v24, _a8.x);
				_t61 = _t33;
				if(_t33 != 0) {
					goto L6;
				} else {
					_push(__edi);
					_t56 = E000851E9(0, _t57, _t54, _t61, _a8.x, _a12);
					if(_t56 != 0) {
						MapWindowPoints( *(_t57 + 0x20),  *(_t56 + 0x20),  &_a8, 1);
						SendMessageW( *(_t56 + 0x20), 0x202, _a4, (_a12 & 0x0000ffff) << 0x00000010 | _a8 & 0x0000ffff);
					}
					_t37 = E0006F25D(0, _t54, _t57);
					_t54 =  *_t37;
					_t33 =  *((intOrPtr*)( *_t37 + 0x60))();
					_pop(_t55);
					goto L11;
				}
			}

0x00085b7f
0x00085b7f
0x00085b87
0x00085b8e
0x00085b96
0x00085b9e
0x00085ba1
0x00085ba4
0x00085ba7
0x00085baa
0x00085bb6
0x00085c2f
0x00085c2f
0x00085c35
0x00085c37
0x00085c3d
0x00085c3f
0x00085c41
0x00085c41
0x00085c3f
0x00085c47
0x00085c47
0x00085c4d
0x00085c53
0x00085c60
0x00085c60
0x00085c65
0x00085c72
0x00085c72
0x00085bb8
0x00085bbe
0x00000000
0x00000000
0x00085bc4
0x00085bce
0x00085bd4
0x00085bd6
0x00000000
0x00085bd8
0x00085bd8
0x00085be6
0x00085bea
0x00085bf9
0x00085c18
0x00085c18
0x00085c1f
0x00085c24
0x00085c29
0x00085c2c
0x00000000
0x00085c2c

APIs

GetClientRect.USER32 ref: 00085BAA
PtInRect.USER32(?,?,?), ref: 00085BCE

Part of subcall function 000851E9: ScreenToClient.USER32(?,?), ref: 00085206
Part of subcall function 000851E9: GetParent.USER32(?), ref: 0008521D

MapWindowPoints.USER32 ref: 00085BF9
SendMessageW.USER32(?,00000202,?,?), ref: 00085C18

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ClientRect$MessageParentPointsScreenSendWindow
String ID:
API String ID: 4233697448-0
Opcode ID: e4375daeaf9d60a3529dcdefc31a83d2d34367c904b2132ae43ca9a5d641b5ab
Instruction ID: a109dbfc9dfa6264ff90424624f18c50fea4d4d7960bd8c29dd4fb52bb8a39c4
Opcode Fuzzy Hash: e4375daeaf9d60a3529dcdefc31a83d2d34367c904b2132ae43ca9a5d641b5ab
Instruction Fuzzy Hash: 0E314C71900749EFDF14AF64DC84DAEBBB5FB48301B10842EF9AA86551DB309A90DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00085AAF Relevance: 6.1, APIs: 4, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00085AAF(intOrPtr __ecx, int _a4, struct tagPOINT _a8, signed short _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t30;
				int _t37;
				long _t45;
				intOrPtr _t55;
				intOrPtr _t56;
				void* _t57;
				intOrPtr _t58;
				signed int _t59;
				intOrPtr _t60;
				long _t63;

				_t30 =  *0x1c0454; // 0x885926af
				_v8 = _t30 ^ _t59;
				_t58 = __ecx;
				 *((intOrPtr*)(__ecx + 0xce8)) = 0;
				 *(__ecx + 0xcfc) = 1;
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetClientRect( *(__ecx + 0x20),  &_v24);
				_t60 =  *0x1c3f04; // 0x0
				if(_t60 == 0) {
					_push(_a12);
					_t37 = PtInRect( &_v24, _a8.x);
					_t61 = _t37;
					if(_t37 == 0) {
						_push(_t56);
						_t57 = E000851E9(0, _t58, _t55, _t61, _a8.x, _a12);
						if(_t57 != 0) {
							_v32.x = _a8.x;
							_v32.y = _a12;
							MapWindowPoints( *(_t58 + 0x20),  *(_t57 + 0x20),  &_v32, 1);
							_t45 = (_v32.y & 0x0000ffff) << 0x00000010 | _v32.x & 0x0000ffff;
							_t63 = _t45;
							SendMessageW( *(_t57 + 0x20), 0x201, _a4, _t45);
						}
						_pop(_t56);
					}
				}
				return E00150836(E00079574(0, _t58, _t56, _t58, _t63, _a4, _a8, _a12), 0, _v8 ^ _t59, _t55, _t56, _t58);
			}

0x00085ab7
0x00085abe
0x00085ac3
0x00085ace
0x00085ad4
0x00085ade
0x00085ae1
0x00085ae4
0x00085ae7
0x00085aea
0x00085af0
0x00085af6
0x00085af8
0x00085b02
0x00085b08
0x00085b0a
0x00085b0c
0x00085b1a
0x00085b1e
0x00085b23
0x00085b2e
0x00085b39
0x00085b4a
0x00085b4a
0x00085b58
0x00085b58
0x00085b5e
0x00085b5e
0x00085b0a
0x00085b7c

APIs

GetClientRect.USER32 ref: 00085AEA
PtInRect.USER32(?,?,?), ref: 00085B02

Part of subcall function 000851E9: ScreenToClient.USER32(?,?), ref: 00085206
Part of subcall function 000851E9: GetParent.USER32(?), ref: 0008521D

MapWindowPoints.USER32 ref: 00085B39
SendMessageW.USER32(?,00000201,?,?), ref: 00085B58

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ClientRect$MessageParentPointsScreenSendWindow
String ID:
API String ID: 4233697448-0
Opcode ID: 752f4716bf19d81d03bb5870901f4dba9213310a58f7cafc4ced89e22b212cba
Instruction ID: c387699d03a73ff00ad7bf79dfa04a843416a9f64feeed06a63e05ac3d08c485
Opcode Fuzzy Hash: 752f4716bf19d81d03bb5870901f4dba9213310a58f7cafc4ced89e22b212cba
Instruction Fuzzy Hash: 11214A71900209EFDF149FA9CC85DAEBBB5FB48300F00852EF96997161E7719A90DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00155B74 Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00155B74(void* _a4, long _a8) {
				signed int _v8;
				void* _t11;
				void* _t12;
				intOrPtr* _t13;
				void* _t16;
				long _t22;
				void* _t27;
				long _t30;

				_t33 = _a4;
				if(_a4 != 0) {
					_t30 = _a8;
					__eflags = _t30 - 0xffffffe0;
					if(__eflags <= 0) {
						__eflags = _t30;
						if(_t30 == 0) {
							_t30 = _t30 + 1;
							__eflags = _t30;
						}
						_t22 = HeapSize( *0x1c7b24, 0, _a4);
						_t11 = HeapReAlloc( *0x1c7b24, 0x10, _a4, _t30);
						_t27 = _t11;
						__eflags = _t27;
						if(_t27 == 0) {
							__eflags = _t22 - 0x4000;
							if(__eflags > 0) {
								L12:
								_t13 = E00151F1F(__eflags);
								 *_t13 = E00151EDD(GetLastError());
							} else {
								__eflags = _t30 - _t22;
								if(__eflags > 0) {
									goto L12;
								} else {
									_v8 = _v8 | 0xffffffff;
									_t16 =  &_v8;
									__imp__HeapQueryInformation( *0x1c7b24, _t27, _t16, 4, _t11);
									__eflags = _t16;
									if(__eflags == 0) {
										goto L12;
									} else {
										__eflags = _v8 - 2;
										if(__eflags != 0) {
											goto L12;
										} else {
											_t27 = _a4;
										}
									}
								}
							}
						}
						_t12 = _t27;
					} else {
						 *((intOrPtr*)(E00151F1F(__eflags))) = 0xc;
						_t12 = 0;
					}
					return _t12;
				} else {
					 *((intOrPtr*)(E00151F1F(_t33))) = 0x16;
					E00159345();
					return 0;
				}
			}

0x00155b7a
0x00155b7e
0x00155b95
0x00155b98
0x00155b9b
0x00155bac
0x00155bae
0x00155bb0
0x00155bb0
0x00155bb0
0x00155bc8
0x00155bd2
0x00155bd8
0x00155bda
0x00155bdc
0x00155bde
0x00155be4
0x00155c11
0x00155c11
0x00155c25
0x00155be6
0x00155be6
0x00155be8
0x00000000
0x00155bea
0x00155bea
0x00155bf1
0x00155bfc
0x00155c02
0x00155c04
0x00000000
0x00155c06
0x00155c06
0x00155c0a
0x00000000
0x00155c0c
0x00155c0c
0x00155c0c
0x00155c0a
0x00155c04
0x00155be8
0x00155be4
0x00155c27
0x00155b9d
0x00155ba2
0x00155ba8
0x00155ba8
0x00155c2d
0x00155b80
0x00155b85
0x00155b8b
0x00155b93
0x00155b93

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: fe0700aba98be41e260717625e311a7fa90932cf9c37c90b7c33241d5347b987
Instruction ID: e963f6b7472d34ccdd7f10bb6afd582d19c678fdcaf3d583e037bdbb2ae8bccf
Opcode Fuzzy Hash: fe0700aba98be41e260717625e311a7fa90932cf9c37c90b7c33241d5347b987
Instruction Fuzzy Hash: 1B11D372500604FFDB212B64DC09B5A3ABBEB843A2F210160FD759F5E0C7748CC89AA0

Uniqueness

Uniqueness Score: -1.00%

Function 000674B2 Relevance: 6.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E000674B2(intOrPtr __ebx, int _a4, int _a8, long _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				void* __edi;
				void* __esi;
				signed int _t22;
				void* _t27;
				intOrPtr _t31;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t40;
				intOrPtr _t42;
				intOrPtr _t45;
				void* _t46;
				intOrPtr _t47;
				long _t49;
				signed int _t50;
				intOrPtr _t51;

				_t42 = __ebx;
				_t22 =  *0x1c0454; // 0x885926af
				_v8 = _t22 ^ _t50;
				_t49 = _a12;
				_t51 =  *0x1c38c8; // 0x0
				if(_t51 == 0) {
					L9:
					return E00150836(CallNextHookEx( *0x1c38c4, _a4, _a8, _t49), _t42, _v8 ^ _t50, _t47, 0, _t49);
				}
				_t27 = _a8 - 0xa1;
				if(_t27 == 0) {
					L7:
					_v32.x = 0;
					_v32.y = 0;
					GetCursorPos( &_v32);
					_t31 =  *0x1c38c8; // 0x0
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetWindowRect( *( *((intOrPtr*)(_t31 + 4)) + 0x20),  &_v24);
					_push(_v32.y);
					if(PtInRect( &_v24, _v32.x) == 0) {
						_t45 =  *0x1c38c8; // 0x0
						E00067052(_t45, _t47, _v32, _v32.y);
					}
					goto L9;
				}
				_t46 = 3;
				_t37 = _t27 - _t46;
				if(_t37 == 0) {
					goto L7;
				}
				_t38 = _t37 - _t46;
				if(_t38 == 0) {
					goto L7;
				}
				_t39 = _t38 - 0x15a;
				if(_t39 == 0) {
					goto L7;
				}
				_t40 = _t39 - _t46;
				if(_t40 == 0 || _t40 == _t46) {
					goto L7;
				} else {
					goto L9;
				}
			}

0x000674b2
0x000674ba
0x000674c1
0x000674c5
0x000674cb
0x000674d1
0x0006754d
0x0006756d
0x0006756d
0x000674d6
0x000674db
0x000674f7
0x000674fb
0x000674fe
0x00067501
0x0006750b
0x00067510
0x00067513
0x00067516
0x00067519
0x00067522
0x00067528
0x0006753a
0x0006753f
0x00067548
0x00067548
0x00000000
0x0006753a
0x000674df
0x000674e0
0x000674e2
0x00000000
0x00000000
0x000674e4
0x000674e6
0x00000000
0x00000000
0x000674e8
0x000674ed
0x00000000
0x00000000
0x000674ef
0x000674f1
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetCursorPos.USER32(?), ref: 00067501
GetWindowRect.USER32(?,?), ref: 00067522
PtInRect.USER32(?,?,?), ref: 00067532
CallNextHookEx.USER32 ref: 0006755A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$CallCursorHookNextWindow
String ID:
API String ID: 3719484595-0
Opcode ID: b736a2fdae3cdfd4eeb82036136cc5058c3702cd2b6554bd663cd7ab5086d01a
Instruction ID: 5d0de9e0fbbdd9b02d3720f99e874dc7fe40628a89d65380a4c595509ecae1db
Opcode Fuzzy Hash: b736a2fdae3cdfd4eeb82036136cc5058c3702cd2b6554bd663cd7ab5086d01a
Instruction Fuzzy Hash: 9A212C7190410AEBCF02DFA9DD088AEBFF9FF94304F548169E518E2560C7749A80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00137039 Relevance: 6.1, APIs: 4, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00137039(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				void* _t25;
				WCHAR* _t26;
				void* _t32;
				void* _t35;
				struct HRSRC__* _t36;
				void* _t37;
				WCHAR* _t38;
				WCHAR* _t39;

				_t35 = __edx;
				_t33 = __ecx;
				_t39 = _a4;
				_t40 =  *(_t39 + 4) & 0x00000001;
				_t32 = __ecx;
				if(( *(_t39 + 4) & 0x00000001) == 0) {
					_t36 = FindResourceW( *(_t39 + 8),  *(_t39 + 0xc), 5);
					__eflags = _t36;
					if(_t36 == 0) {
						E00065E44(_t33);
					}
					_t37 = LoadResource( *(_t39 + 8), _t36);
					__eflags = _t37;
					if(_t37 == 0) {
						E00065E44(_t33);
					}
					_t38 = LockResource(_t37);
					__eflags = _t38;
					if(__eflags == 0) {
						E00065E44(_t33);
					}
				} else {
					_t38 =  *(_t39 + 0xc);
				}
				_t23 = E0006B628(_t32, _t38, _t39, _t40);
				_t41 =  *((intOrPtr*)(_t23 + 0x3c));
				if( *((intOrPtr*)(_t23 + 0x3c)) != 0) {
					_t38 = E00135E6B(_t32, _t32, _t38);
				}
				_push(_a8);
				_push(_t38);
				_a4 = E00136F53(_t32, _t35, _t38, _t39, _t41);
				_t25 =  *(_t32 + 0x7c);
				if(_t25 != 0) {
					GlobalFree(_t25);
					 *(_t32 + 0x7c) =  *(_t32 + 0x7c) & 0x00000000;
				}
				_t26 = _a4;
				if(_t26 != 0) {
					_t38 = _t26;
					 *(_t32 + 0x7c) = _t26;
				}
				 *(_t39 + 4) =  *(_t39 + 4) | 0x00000001;
				 *(_t39 + 0xc) = _t38;
				return _t26;
			}

0x00137039
0x00137039
0x00137040
0x00137043
0x00137048
0x0013704a
0x0013705f
0x00137061
0x00137063
0x00137065
0x00137065
0x00137074
0x00137076
0x00137078
0x0013707a
0x0013707a
0x00137086
0x00137088
0x0013708a
0x0013708c
0x0013708c
0x0013704c
0x0013704c
0x0013704c
0x00137091
0x00137096
0x0013709a
0x001370a4
0x001370a4
0x001370a6
0x001370a9
0x001370af
0x001370b2
0x001370b7
0x001370ba
0x001370c0
0x001370c0
0x001370c4
0x001370c9
0x001370cb
0x001370cd
0x001370cd
0x001370d0
0x001370d4
0x001370db

APIs

FindResourceW.KERNEL32(?,?,00000005,00000005,?,00000000,?,0013731C,00000005,?), ref: 00137059
LoadResource.KERNEL32(?,00000000,?,00000000,?,0013731C,00000005,?), ref: 0013706E
LockResource.KERNEL32(00000000,?,00000000,?,0013731C,00000005,?), ref: 00137080
GlobalFree.KERNEL32(?), ref: 001370BA

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 2862c240aa7384cba92f82a5f76023b7d9dd2131cf40f9debf2b8ffbc292c256
Instruction ID: ddbd0dc7bd5fd8181602d523b0b9cd38a0ce9e2a3fd0b334d4df0c3e890a0e21
Opcode Fuzzy Hash: 2862c240aa7384cba92f82a5f76023b7d9dd2131cf40f9debf2b8ffbc292c256
Instruction Fuzzy Hash: 5A11C871204701AFCB356F35C844B577BFAEF81761F158029F8698B6A2DB31DC418B20

Uniqueness

Uniqueness Score: -1.00%

Function 00064E0D Relevance: 6.1, APIs: 4, Instructions: 62
windowCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00064E0D(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4, intOrPtr _a8, short _a12) {
				intOrPtr* _v0;
				signed int _v4;
				signed int _v8;
				signed int _v16;
				intOrPtr* _t26;
				long _t28;
				signed int _t35;
				signed int _t40;
				void* _t46;

				_t46 = __eflags;
				E00151A19(0x16a0a2, __ebx, __edi, __esi);
				_t40 = E0005C37C(_t46, 0xc);
				_t35 = 4;
				_v16 = _t40;
				_v4 = _v4 & 0x00000000;
				if(_t40 == 0) {
					_t40 = 0;
					__eflags = 0;
				} else {
					_t35 = _t40;
					E000655FC(_t35);
					 *(_t40 + 8) =  *(_t40 + 8) & 0x00000000;
					 *_t40 = 0x1799e0;
				}
				_v8 = _v8 | 0xffffffff;
				 *(_t40 + 8) = _a4;
				_a4 = _t40;
				E00151E52( &_a4, 0x1aacbc);
				asm("int3");
				_t26 = _v0;
				if(_t26 != 0) {
					 *_t26 = 0;
				}
				_t28 = FormatMessageW(0x1100, 0,  *(_t35 + 8), 0x800,  &_a12, 0, 0);
				if(_t28 != 0) {
					_push(E00150EEF(_a4, _a8, _a12, 0xffffffff));
					E00053DF0();
					LocalFree(_a12);
					_t28 = 1;
					__eflags = 1;
				} else {
					 *_a4 = _t28;
				}
				return _t28;
			}

0x00064e0d
0x00064e14
0x00064e20
0x00064e22
0x00064e23
0x00064e26
0x00064e2c
0x00064e41
0x00064e41
0x00064e2e
0x00064e2e
0x00064e30
0x00064e35
0x00064e39
0x00064e39
0x00064e46
0x00064e4a
0x00064e56
0x00064e59
0x00064e5e
0x00064e64
0x00064e6b
0x00064e6d
0x00064e6d
0x00064e83
0x00064e8b
0x00064ea5
0x00064ea6
0x00064eb1
0x00064eb9
0x00064eb9
0x00064e8d
0x00064e90
0x00064e90
0x00064ebb

APIs

__EH_prolog3.LIBCMT ref: 00064E14

Part of subcall function 0005C37C: _malloc.LIBCMT ref: 0005C39A

__CxxThrowException@8.LIBCMT ref: 00064E59
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,001AACBC,00000004,00051348,?,?,00053DD9,8007000E), ref: 00064E83
LocalFree.KERNEL32(?), ref: 00064EB1

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: b548a31ce5408d87d0a21c1c3a5354dd9ce5fea33ab25f5f30a9b3078a9a9a17
Instruction ID: add11d9c2a7dc926816578ec4c2448fe6ac57aa5ffc07d965a67c2110a76a867
Opcode Fuzzy Hash: b548a31ce5408d87d0a21c1c3a5354dd9ce5fea33ab25f5f30a9b3078a9a9a17
Instruction Fuzzy Hash: 2511B271904208EFEB119FA4CC01AAE7BFAFF48751F208519FD259B191D7718A50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00064398 Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00064398(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t24;
				void* _t29;
				void* _t31;
				struct HINSTANCE__* _t33;
				signed int _t35;
				signed int _t36;
				void* _t38;
				signed int* _t41;

				_push(__ecx);
				_push(_t29);
				_t38 = __ecx;
				_t43 =  *((intOrPtr*)(__ecx + 0x78));
				_t41 =  *(__ecx + 0x80);
				_v8 =  *((intOrPtr*)(__ecx + 0x7c));
				if( *((intOrPtr*)(__ecx + 0x78)) != 0) {
					_t33 =  *(E0006B628(_t29, __ecx, _t41, _t43) + 0xc);
					_v8 = LoadResource(_t33, FindResourceW(_t33,  *(_t38 + 0x78), 5));
				}
				if(_v8 != 0) {
					_t41 = LockResource(_v8);
				}
				_t31 = 1;
				if(_t41 != 0) {
					_t36 =  *_t41;
					if(_t41[0] != 0xffff) {
						_t24 = _t41[2] & 0x0000ffff;
						_t35 = _t41[3] & 0x0000ffff;
					} else {
						_t36 = _t41[3];
						_t24 = _t41[4] & 0x0000ffff;
						_t35 = _t41[5] & 0x0000ffff;
					}
					if((_t36 & 0x00001801) != 0 || _t24 != 0 || _t35 != 0) {
						_t31 = 0;
					}
				}
				if( *(_t38 + 0x78) != 0) {
					FreeResource(_v8);
				}
				return _t31;
			}

0x0006439d
0x0006439e
0x000643a1
0x000643a3
0x000643aa
0x000643b0
0x000643b3
0x000643ba
0x000643d1
0x000643d1
0x000643d8
0x000643e3
0x000643e3
0x000643e7
0x000643ea
0x000643ec
0x000643f7
0x00064406
0x0006440a
0x000643f9
0x000643f9
0x000643fc
0x00064400
0x00064400
0x00064414
0x00064420
0x00064420
0x00064414
0x00064426
0x0006442b
0x0006442b
0x00064437

APIs

FindResourceW.KERNEL32(?,00000000,00000005), ref: 000643C3
LoadResource.KERNEL32(?,00000000), ref: 000643CB
LockResource.KERNEL32(00000000), ref: 000643DD
FreeResource.KERNEL32(00000000), ref: 0006442B

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 6581a6959aebc215a7d56a5de2b85bcca02340bb3b3da7dd8ba773ebc339ef4a
Instruction ID: 41a2ccb5709dbb0bda59efcd0286b058b450c9f35156a4a00c67eba6a4630249
Opcode Fuzzy Hash: 6581a6959aebc215a7d56a5de2b85bcca02340bb3b3da7dd8ba773ebc339ef4a
Instruction Fuzzy Hash: 24119035500611EFD7608FA5C889BB7B7F5FF04716F108029E94253A90EBB4EE94D760

Uniqueness

Uniqueness Score: -1.00%

Function 000687F0 Relevance: 6.1, APIs: 4, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E000687F0(void* __ebx, void* __edx, void* __edi, struct HWND__* _a4, intOrPtr _a8, long* _a12) {
				void* __ebp;
				signed int _t19;
				long _t22;
				int _t24;
				WCHAR* _t25;
				void* _t29;
				intOrPtr* _t31;
				void* _t36;
				void* _t37;
				intOrPtr* _t38;

				_t37 = __edi;
				_t36 = __edx;
				_t29 = __ebx;
				_t38 = _a4;
				E000633CB( *((intOrPtr*)(_t38 + 4)), _a8,  &_a4);
				_t19 = GetWindowLongW(_a4, 0xfffffff0);
				_push(_a8);
				_t31 = _t38;
				if((_t19 & 0x00000003) == 3) {
					E00068439(_t31);
				} else {
					E00068439(_t31);
					 *((intOrPtr*)(_t38 + 0xc)) = 1;
				}
				if( *_t38 != 0) {
					_t24 = GetWindowTextLengthW(_a4);
					if(_t24 <= 0) {
						_t25 = E000512F0(_a12, 0xff);
						_push(0x100);
					} else {
						_t9 = _t24 + 1; // 0x1
						_t25 = E0005CC90(_a12, _t24);
					}
					GetWindowTextW(_a4, _t25, ??);
					return E000561B0(_t29, _a12, _t37, 0xffffffff);
				}
				_t39 = _a12;
				_t22 = SendMessageW(_a4, 0x14d, 0xffffffff,  *_a12);
				if(_t22 == 0xffffffff) {
					return E00071D1C(_t31, _t36, _a4,  *_t39);
				}
				return _t22;
			}

0x000687f0
0x000687f0
0x000687f0
0x000687f6
0x00068803
0x0006880d
0x00068813
0x00068819
0x0006881d
0x0006882d
0x0006881f
0x0006881f
0x00068824
0x00068824
0x00068835
0x0006883a
0x00068842
0x0006885b
0x00068860
0x00068844
0x00068844
0x0006884c
0x0006884c
0x00068869
0x00000000
0x00068874
0x0006887b
0x0006888a
0x00068893
0x00000000
0x0006889a
0x000688a1

APIs

Part of subcall function 000633CB: GetDlgItem.USER32(00000000,?), ref: 000633DC

GetWindowLongW.USER32(?,000000F0), ref: 0006880D
GetWindowTextLengthW.USER32 ref: 0006883A
GetWindowTextW.USER32 ref: 00068869
SendMessageW.USER32(?,0000014D,000000FF,?), ref: 0006888A

Part of subcall function 00071D1C: lstrlenW.KERNEL32(?,?,?), ref: 00071D48
Part of subcall function 00071D1C: _memset.LIBCMT ref: 00071D66
Part of subcall function 00071D1C: GetWindowTextW.USER32 ref: 00071D80
Part of subcall function 00071D1C: lstrcmpW.KERNEL32(?,?,?,?), ref: 00071D92
Part of subcall function 00071D1C: SetWindowTextW.USER32 ref: 00071D9E

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Text$ItemLengthLongMessageSend_memsetlstrcmplstrlen
String ID:
API String ID: 205973220-0
Opcode ID: 3f44e110a14ffb926dbbe7199cdf5dbc046bdabff424e4ad041eb95d265e9b87
Instruction ID: f070a781239a684b265a00c2e264ba6e60751616b6c6851794ed81caae0d735f
Opcode Fuzzy Hash: 3f44e110a14ffb926dbbe7199cdf5dbc046bdabff424e4ad041eb95d265e9b87
Instruction Fuzzy Hash: 1C115B31108209AFCF15AFA4DC05EE97BA6EF08360F648619F9695B1E2CF3199D0DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0005E464 Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0005E464(intOrPtr __ebx, intOrPtr __edx, struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
				signed int _v8;
				long _v16;
				void _v20;
				void* __edi;
				void* __esi;
				signed int _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				long _t18;
				intOrPtr _t22;
				struct HWND__* _t23;
				intOrPtr _t26;
				void* _t27;
				struct HDC__* _t28;
				signed int _t29;

				_t26 = __edx;
				_t22 = __ebx;
				_t10 =  *0x1c0454; // 0x885926af
				_v8 = _t10 ^ _t29;
				_t23 = _a8;
				_t28 = _a4;
				_t27 = _a16;
				if(_t28 == 0 || _t27 == 0) {
					L10:
					_t12 = 0;
				} else {
					_t14 = _a12;
					if(_t14 == 1 || _t14 == 0 || _t14 == 5 || _t14 == 2 && E00071E65(_t23, _t14) == 0) {
						goto L10;
					} else {
						GetObjectW(_t27, 0xc,  &_v20);
						SetBkColor(_t28, _v16);
						_t18 = _a20;
						if(_t18 == 0xffffffff) {
							_t18 = GetSysColor(8);
						}
						SetTextColor(_t28, _t18);
						_t12 = 1;
					}
				}
				return E00150836(_t12, _t22, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x0005e464
0x0005e464
0x0005e46c
0x0005e473
0x0005e476
0x0005e47a
0x0005e47e
0x0005e483
0x0005e4de
0x0005e4de
0x0005e489
0x0005e489
0x0005e48f
0x00000000
0x0005e4aa
0x0005e4b1
0x0005e4bb
0x0005e4c1
0x0005e4c7
0x0005e4cb
0x0005e4cb
0x0005e4d3
0x0005e4db
0x0005e4db
0x0005e48f
0x0005e4ed

APIs

GetObjectW.GDI32(?,0000000C,?), ref: 0005E4B1
SetBkColor.GDI32(?,?), ref: 0005E4BB
GetSysColor.USER32 ref: 0005E4CB
SetTextColor.GDI32(?,?), ref: 0005E4D3

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: 1a7c840a1cee1cee7f5efb8918dc82590bc5418fd7c7f063f0b496a1639e99f4
Instruction ID: 027525c238ba716777d1ff0c3c3fa669a0e2b1e64887bb0fc19a3beb5afc1440
Opcode Fuzzy Hash: 1a7c840a1cee1cee7f5efb8918dc82590bc5418fd7c7f063f0b496a1639e99f4
Instruction Fuzzy Hash: BF110031A00144ABCB699F68CE449BF33F9AF49312F008524FC15D2990DB30DE44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0006DEA7 Relevance: 6.1, APIs: 4, Instructions: 57
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0006DEA7(void* __ecx, intOrPtr __edx, WCHAR* _a4, short* _a8, char _a12) {
				signed int _v8;
				short _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				WCHAR* _t21;
				short* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x1c0454; // 0x885926af
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					swprintf( &_v40, 0x10, 0x1a0f40, _a12);
					_t18 = WritePrivateProfileStringW(_t29, _t24,  &_v40,  *(_t30 + 0x6c));
				} else {
					_t30 = E0006DDE0(__ecx, _t29, 0);
					if(_t30 != 0) {
						_t21 = RegSetValueExW(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E00150836(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

0x0006dea7
0x0006deaf
0x0006deb6
0x0006deba
0x0006debe
0x0006dec5
0x0006dec8
0x0006df0a
0x0006df1b
0x0006deca
0x0006ded2
0x0006ded6
0x0006dee4
0x0006deeb
0x0006deed
0x0006def7
0x0006def7
0x0006ded6
0x0006df2f

APIs

RegSetValueExW.ADVAPI32 ref: 0006DEE4
RegCloseKey.ADVAPI32(00000000), ref: 0006DEED
swprintf.LIBCMT ref: 0006DF0A
WritePrivateProfileStringW.KERNEL32 ref: 0006DF1B

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: c43736414d7ead04b73938696ff9f173eb3787f0485a52218b657e9ec7b3e280
Instruction ID: f120a24762175c60faac2edc5423360f15f71e18b5f9cfd3fe49dad168064f71
Opcode Fuzzy Hash: c43736414d7ead04b73938696ff9f173eb3787f0485a52218b657e9ec7b3e280
Instruction Fuzzy Hash: FE016172A00209BBDB11AB648C85FAF77ADEB49714F100426FA05AB181DA75ED4487A4

Uniqueness

Uniqueness Score: -1.00%

Function 00063B53 Relevance: 6.1, APIs: 4, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00063B53(void* __ecx, void* __edi, signed int _a4) {
				void* __ebx;
				void* __ebp;
				void* _t16;
				int _t17;
				int _t18;
				intOrPtr _t25;
				void* _t27;
				intOrPtr _t34;
				void* _t36;

				_t36 = __ecx;
				_t25 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t25 == 0) {
					if( *((intOrPtr*)(__ecx + 0x14)) == 0) {
						L3:
						_t17 = E000655E0(_t25);
						L4:
						asm("sbb edx, edx");
						_t18 = EnableMenuItem( *(_t25 + 4), _t17, ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000400);
						L11:
						 *((intOrPtr*)(_t36 + 0x18)) = 1;
						return _t18;
					}
					if(_a4 == 0) {
						_t34 =  *((intOrPtr*)(__ecx + 0x14));
						if(GetFocus() ==  *(_t34 + 0x20)) {
							SendMessageW( *(E0005F82E(0, _t25, _t27, GetParent( *(_t34 + 0x20))) + 0x20), 0x28, 0, 0);
						}
					}
					_t18 = E000635C4( *((intOrPtr*)(_t36 + 0x14)), _a4);
					goto L11;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					_t17 =  *(__ecx + 8);
					if(_t17 <  *((intOrPtr*)(__ecx + 0x20))) {
						goto L4;
					}
					goto L3;
				}
				return _t16;
			}

0x00063b5a
0x00063b5c
0x00063b63
0x00063b9a
0x00063b72
0x00063b72
0x00063b77
0x00063b7c
0x00063b8f
0x00063bd8
0x00063bd8
0x00000000
0x00063bd8
0x00063b9f
0x00063ba2
0x00063bae
0x00063bc6
0x00063bc6
0x00063bcc
0x00063bd3
0x00000000
0x00063bd3
0x00063b68
0x00063b6a
0x00063b70
0x00000000
0x00000000
0x00000000
0x00063b70
0x00063be2

APIs

EnableMenuItem.USER32 ref: 00063B8F

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

GetFocus.USER32 ref: 00063BA5
GetParent.USER32(?), ref: 00063BB3
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 00063BC6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: EnableException@8FocusItemMenuMessageParentSendThrow
String ID:
API String ID: 4211600527-0
Opcode ID: ac0fff7581c8253e60a63ae95ace2d872097d8d08acbf4cb711fb41585223d7c
Instruction ID: 2586ec29c9b2e6c3a4c02aa7fdc1665464180d3cc18df2148df476a9098f7471
Opcode Fuzzy Hash: ac0fff7581c8253e60a63ae95ace2d872097d8d08acbf4cb711fb41585223d7c
Instruction Fuzzy Hash: 0F118E71100A04AFDB30AF20DC89C6ABBFBFF84315B109629F246468A1C770ED84CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00060E14 Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00060E14(void* __ebx, void* __ecx, void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				struct HWND__* _t26;

				_t24 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t25 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t26 = _t16;
					if(_t26 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageW(_t26, _a8, _a12, _a16);
					} else {
						_t20 = E0005F85A(_t22, _t23, _t24, _t25, _t26, __eflags, _t26);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E00060A66(_t22, _t25, _t26, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t26);
						__eflags = _t18;
						if(_t18 != 0) {
							E00060E14(_t22, _t23, _t24, _t26, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t26, 2);
				}
				return _t16;
			}

0x00060e14
0x00060e14
0x00060e14
0x00060e1e
0x00060e24
0x00060e87
0x00060e87
0x00060e8b
0x00000000
0x00000000
0x00060e28
0x00060e2c
0x00060e56
0x00060e2e
0x00060e2f
0x00060e34
0x00060e36
0x00060e38
0x00060e3b
0x00060e3e
0x00060e41
0x00060e44
0x00060e45
0x00060e45
0x00060e36
0x00060e5c
0x00060e60
0x00060e63
0x00060e65
0x00060e67
0x00060e79
0x00060e79
0x00060e67
0x00060e81
0x00060e81
0x00060e90

APIs

GetTopWindow.USER32(?), ref: 00060E24
GetTopWindow.USER32(00000000), ref: 00060E63
GetWindow.USER32(00000000,00000002), ref: 00060E81

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 9ad31da283540c35db2e546ebc5fd5887029538b9897de976e5a4c6722651dc4
Instruction ID: 3f568464d13213a6536f5aa72f7334282b019860beff88a954ca8e5425c9461d
Opcode Fuzzy Hash: 9ad31da283540c35db2e546ebc5fd5887029538b9897de976e5a4c6722651dc4
Instruction Fuzzy Hash: CC01D33214162ABBCF236F919C08EDF3B6AAF48350F048814FA1455161C737CAA1EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0005FEEF Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0005FEEF(void* __ebx, void* __ecx, void* __edx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				void* _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t15 = __edx;
				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t16 = GetTopWindow;
				_t17 = _t9;
				if(_t17 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t18 = _t10;
						__eflags = _t18;
						if(_t18 == 0) {
							goto L10;
						}
						_t10 = E0005FEEF(_t13, _t14, _t15, _t18, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t18, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t17) == 0) {
						L3:
						_push(_t17);
						if(_a12 == 0) {
							return E0005F82E(_t13, _t14, _t15);
						}
						_t10 = E0005F85A(_t13, _t14, _t15, _t16, _t17, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E0005FEEF(__ebx, _t14, _t15, _t17, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x0005feef
0x0005feef
0x0005feef
0x0005fefc
0x0005ff02
0x0005ff08
0x0005ff0c
0x0005ff3c
0x0005ff3f
0x0005ff5c
0x0005ff5c
0x0005ff5e
0x0005ff60
0x00000000
0x00000000
0x0005ff4a
0x0005ff4f
0x0005ff51
0x0005ff56
0x00000000
0x0005ff56
0x00000000
0x0005ff51
0x0005ff0e
0x0005ff13
0x0005ff25
0x0005ff29
0x0005ff2a
0x00000000
0x0005ff2c
0x0005ff33
0x0005ff38
0x0005ff3a
0x00000000
0x00000000
0x0005ff15
0x0005ff1c
0x0005ff23
0x00000000
0x00000000
0x0005ff23
0x0005ff13
0x0005ff65
0x0005ff65

APIs

GetDlgItem.USER32(?,?), ref: 0005FEFC
GetTopWindow.USER32(00000000), ref: 0005FF0F

Part of subcall function 0005FEEF: GetWindow.USER32(00000000,00000002), ref: 0005FF56

GetTopWindow.USER32(?), ref: 0005FF3F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 9a0882c6ff67e120f8206dbb3cb4b04821cc0cf83a61ab2aa21e5f5318e45e5d
Instruction ID: 4350cd3604b9ff47bb4e270bb7bf314e86ac8b14dec2c2d723d2b2d98786caed
Opcode Fuzzy Hash: 9a0882c6ff67e120f8206dbb3cb4b04821cc0cf83a61ab2aa21e5f5318e45e5d
Instruction Fuzzy Hash: 36014F36005617B7CF622F619C05EBF3BA9AF563A2F048030FD0495552EB39C9599791

Uniqueness

Uniqueness Score: -1.00%

Function 000770A6 Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E000770A6(intOrPtr __ecx) {
				signed int _v8;
				struct tagRECT _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				intOrPtr _t24;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t31;
				signed int _t35;

				_t15 =  *0x1c0454; // 0x885926af
				_t16 = _t15 ^ _t35;
				_v8 = _t15 ^ _t35;
				_t24 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xb44)) == 0) {
					 *(__ecx + 0xb8c) =  *(__ecx + 0xb8c) | 0xffffffff;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					InflateRect( &_v24, 2, 2);
					InvalidateRect( *(_t24 + 0x20),  &_v24, 1);
					UpdateWindow( *(_t24 + 0x20));
					_t16 = SetRectEmpty(_t24 + 0xc58);
					 *(_t24 + 0xb8c) =  *(_t24 + 0xb8c) | 0xffffffff;
					_t29 = _t29;
					 *0x1c3fc8 = 1;
					_t31 = _t31;
				}
				return E00150836(_t16, _t24, _v8 ^ _t35, _t28, _t29, _t31);
			}

0x000770ae
0x000770b3
0x000770b5
0x000770b9
0x000770c2
0x000770c4
0x000770d6
0x000770d7
0x000770da
0x000770e1
0x000770e2
0x000770f3
0x000770fc
0x00077109
0x0007710f
0x00077116
0x00077117
0x0007711d
0x0007711d
0x0007712a

APIs

InflateRect.USER32 ref: 000770E2
InvalidateRect.USER32(?,?,00000001), ref: 000770F3
UpdateWindow.USER32 ref: 000770FC
SetRectEmpty.USER32 ref: 00077109

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Rect$EmptyInflateInvalidateUpdateWindow
String ID:
API String ID: 3040190709-0
Opcode ID: 1da578c8861e3cbee1e81e0d434567a5f411c5430d29dd7eae036807cb02a25c
Instruction ID: 0e3edd5ac226dde9e0a30f8b1e6a0e810928ff0511b6a80e69ea635dc90108e7
Opcode Fuzzy Hash: 1da578c8861e3cbee1e81e0d434567a5f411c5430d29dd7eae036807cb02a25c
Instruction Fuzzy Hash: 4A0196715005099BDB10DF98DC89ED77BB8FB49325F100275ED199E0E6CB705585CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000632BF Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E000632BF(intOrPtr __ecx, void* __edx, void* __fp0, WCHAR* _a4) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t7;
				struct HRSRC__* _t10;
				void* _t13;
				void* _t17;
				void* _t19;
				struct HINSTANCE__* _t21;
				void* _t22;
				void* _t29;

				_t29 = __fp0;
				_t17 = __edx;
				_push(__ecx);
				_push(_t21);
				_t13 = 0;
				_t19 = 0;
				_v8 = __ecx;
				_t24 = _a4;
				if(_a4 == 0) {
					L4:
					_t22 = E00062DBF(_t13, _v8, _t17, _t19, _t21, _t26, _t29, _t19);
					if(_t19 != 0 && _t13 != 0) {
						FreeResource(_t13);
					}
					_t7 = _t22;
				} else {
					_t21 =  *(E0006B628(0, 0, _t21, _t24) + 0xc);
					_t10 = FindResourceW(_t21, _a4, 0xf0);
					if(_t10 == 0) {
						goto L4;
					} else {
						_t7 = LoadResource(_t21, _t10);
						_t13 = _t7;
						_t26 = _t13;
						if(_t13 != 0) {
							_t19 = LockResource(_t13);
							goto L4;
						}
					}
				}
				return _t7;
			}

0x000632bf
0x000632bf
0x000632c4
0x000632c6
0x000632c8
0x000632ca
0x000632cc
0x000632cf
0x000632d2
0x00063306
0x0006330f
0x00063313
0x0006331a
0x0006331a
0x00063320
0x000632d4
0x000632d9
0x000632e5
0x000632ed
0x00000000
0x000632ef
0x000632f1
0x000632f7
0x000632f9
0x000632fb
0x00063304
0x00000000
0x00063304
0x000632fb
0x000632ed
0x00063326

APIs

FindResourceW.KERNEL32(?,?,000000F0,?,?,?,?,?,00064351,?,?,00051AB5,885926AF), ref: 000632E5
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,00064351,?,?,00051AB5,885926AF), ref: 000632F1
LockResource.KERNEL32(00000000,?,?,?,?,?,00064351,?,?,00051AB5,885926AF), ref: 000632FE
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,00064351,?,?,00051AB5,885926AF), ref: 0006331A

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 98de8e0407f31ee2deba77ee3b9c571ee4e24ed06b1f22a4165a97315f2a5568
Instruction ID: d9be77a6c5756ab13f460dcddbfd42bd8a5f0bc05502fd5d4424c7ad181aa36c
Opcode Fuzzy Hash: 98de8e0407f31ee2deba77ee3b9c571ee4e24ed06b1f22a4165a97315f2a5568
Instruction Fuzzy Hash: 76F0C276200221AF97505FE59C889AFBBBEEF84761B154038FA06D3751DF70DF8486A0

Uniqueness

Uniqueness Score: -1.00%

Function 00063652 Relevance: 6.0, APIs: 4, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00063652(void* __ebx, void* __ecx, void* __edx) {
				void* _t24;
				void* _t28;

				_t24 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t28 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x6c)) != 0) {
					goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x6c)))) + 0xb0)));
				}
				if(E0005F82E(__ebx, _t22, _t24, GetParent( *(__ecx + 0x20))) != 0) {
					_t22 = E0005F82E(__ebx, _t22, _t24, GetParent( *(_t28 + 0x20)));
					if(E0005E581(_t16) != 0) {
						_t22 = E0005F82E(__ebx, _t22, _t24, GetParent( *(_t28 + 0x20)));
						 *(E0005E581(_t19) + 0x70) =  *(_t20 + 0x70) & 0x00000000;
					}
				}
				return E0005F82E(_t21, _t22, _t24, SetFocus( *(_t28 + 0x20)));
			}

0x00063652
0x00063652
0x00063652
0x00063655
0x0006365b
0x000636b7
0x000636b7
0x00063671
0x0006367e
0x00063687
0x00063694
0x0006369b
0x0006369b
0x00063687
0x000636b0

APIs

GetParent.USER32(?), ref: 00063667
GetParent.USER32(?), ref: 00063676
GetParent.USER32(?), ref: 0006368C
SetFocus.USER32 ref: 000636A2

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: fe7e125c7f387bdf7e68d74e4ea505281c59446665c51c1057b0ef09f2c2771b
Instruction ID: 021fbcd5d968c623fab95585170141bbeefc8c1e02605f55eb874038013641dd
Opcode Fuzzy Hash: fe7e125c7f387bdf7e68d74e4ea505281c59446665c51c1057b0ef09f2c2771b
Instruction Fuzzy Hash: 5DF0FF36904741ABCB257771DC0DAAB76EAFF84312F050878B88687662EF34EC45CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00064844 Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00064844(intOrPtr __ecx, void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t9;
				void* _t14;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t22;
				struct HINSTANCE__* _t23;

				_t18 = __edx;
				_push(__ecx);
				_push(_t22);
				_push(_t19);
				_v8 = __ecx;
				_t14 = 0;
				_t23 =  *(E0006B628(0, _t19, _t22, __eflags) + 0xc);
				_t20 = LoadResource(_t23, FindResourceW(_t23, _a4, 5));
				_t27 = _t20;
				if(_t20 != 0) {
					_t14 = LockResource(_t20);
				}
				_t9 = E00064481(_t14, _v8, _t18, _t20, _t23, _t27, _t14, _a8, _t23);
				FreeResource(_t20);
				return _t9;
			}

0x00064844
0x00064849
0x0006484b
0x0006484c
0x0006484d
0x00064850
0x00064857
0x0006486e
0x00064870
0x00064872
0x0006487b
0x0006487b
0x00064885
0x0006488d
0x00064899

APIs

FindResourceW.KERNEL32(?,?,00000005), ref: 00064860
LoadResource.KERNEL32(?,00000000), ref: 00064868
LockResource.KERNEL32(00000000), ref: 00064875
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 0006488D

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 0540850b56e3626784072d06cb950342124ce78b31fb5d3b81b8037aada3f577
Instruction ID: e29664b871e15b6c8fa2ecc7dc7d82b64afa0bf093d5064081a29ffffd15c615
Opcode Fuzzy Hash: 0540850b56e3626784072d06cb950342124ce78b31fb5d3b81b8037aada3f577
Instruction Fuzzy Hash: 7DF05E36600214BFC7016BE99C4DC9FBFBDEF85661B254025F60AD3661DA74DD8187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0013F952 Relevance: 6.0, APIs: 4, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0013F952(void* __ecx) {
				void* _t9;
				intOrPtr _t11;
				intOrPtr _t12;
				void* _t21;

				_t21 = __ecx;
				if( *(__ecx + 0xa0) != 0) {
					E00063582(__ecx, 0);
					_t11 =  *((intOrPtr*)(__ecx + 0x74));
					 *(__ecx + 0xa0) =  *(__ecx + 0xa0) & 0x00000000;
					if(_t11 != 0) {
						UpdateWindow( *(_t11 + 0x20));
					}
					_t12 =  *((intOrPtr*)(_t21 + 0x78));
					if(_t12 != 0) {
						UpdateWindow( *(_t12 + 0x20));
					}
					SetRectEmpty(_t21 + 0x7c);
					return SetRectEmpty(_t21 + 0x8c);
				}
				return _t9;
			}

0x0013f955
0x0013f95f
0x0013f963
0x0013f968
0x0013f96b
0x0013f97a
0x0013f97f
0x0013f97f
0x0013f981
0x0013f986
0x0013f98b
0x0013f98b
0x0013f997
0x00000000
0x0013f9a0
0x0013f9a4

APIs

Part of subcall function 00063582: ShowWindow.USER32(?,?), ref: 00063593

UpdateWindow.USER32 ref: 0013F97F
UpdateWindow.USER32 ref: 0013F98B
SetRectEmpty.USER32 ref: 0013F997
SetRectEmpty.USER32 ref: 0013F9A0

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Window$EmptyRectUpdate$Show
String ID:
API String ID: 1262231214-0
Opcode ID: d72924ba7a93db1ab9e95d467ae89c869f73c5b316ee45bb406d4b7e03fe68dd
Instruction ID: 4b6ea34ffba35e7941021cc5681216352466f22ae635c73309deaad5cf9aa3f7
Opcode Fuzzy Hash: d72924ba7a93db1ab9e95d467ae89c869f73c5b316ee45bb406d4b7e03fe68dd
Instruction Fuzzy Hash: A9F01232610A149FE7216B29DC00F47B7E9BF84715F160569F19597570C771E846CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000E61C0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E000E61C0(signed int* __ecx) {
				int _t16;
				signed int* _t22;

				_t22 = __ecx;
				 *__ecx =  *__ecx & 0x00000000;
				E000542D0( &(__ecx[1]));
				SetRectEmpty(_t22 + 8);
				SetRectEmpty(_t22 + 0x18);
				SetRectEmpty(_t22 + 0x28);
				_t16 = SetRectEmpty(_t22 + 0x38);
				 *((intOrPtr*)(_t22 + 0x48)) = 0xff000000;
				 *((intOrPtr*)(_t22 + 0x4c)) = 1;
				return _t16;
			}

0x000e61c3
0x000e61c5
0x000e61cc
0x000e61db
0x000e61e1
0x000e61e7
0x000e61ed
0x000e61f0
0x000e61f7
0x000e61ff

APIs

SetRectEmpty.USER32 ref: 000E61DB
SetRectEmpty.USER32 ref: 000E61E1
SetRectEmpty.USER32 ref: 000E61E7
SetRectEmpty.USER32 ref: 000E61ED

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: dba5828948e1c6a5ceb055b139af77c4669a4d8e49a31b316dd5d57ad52a0140
Instruction ID: 2ad95f5e1d9715a704c047da61874dc06e57f80e36a803d88501a71aa6815350
Opcode Fuzzy Hash: dba5828948e1c6a5ceb055b139af77c4669a4d8e49a31b316dd5d57ad52a0140
Instruction Fuzzy Hash: 76E0C9B6410B199AD730ABAAE844AC7B3ECAF84314F11091AE586C3924D674F58ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 000527F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

UpdateWindow.USER32 ref: 000529C6

Part of subcall function 00051330: _vwprintf.LIBCMT ref: 0005139E
Part of subcall function 00051330: _vswprintf_s.LIBCMT ref: 000513DD

Strings

%0.0f, xrefs: 000528A8, 0005294F
%0.2f, xrefs: 0005290D

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: UpdateWindow_vswprintf_s_vwprintf
String ID: %0.0f$%0.2f
API String ID: 22895821-3445786577
Opcode ID: c8200b758ab39efb8fe9d79f5c28f4b50e56c72699e96a48e6ac5d36e7e917e8
Instruction ID: b07280f5667ae2bad7088d97b11c1c406f3410cb0779ae78509a3545607f6e3b
Opcode Fuzzy Hash: c8200b758ab39efb8fe9d79f5c28f4b50e56c72699e96a48e6ac5d36e7e917e8
Instruction Fuzzy Hash: 3851E5712046009FD354EB68CC96BAFB7E4FF85311F148A6CF5969B292DF30A849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0007ADAA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0007ADAA(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t38;
				intOrPtr _t40;
				intOrPtr* _t45;
				signed int _t47;
				signed int _t54;
				signed int _t55;
				signed int _t56;
				intOrPtr* _t71;
				void* _t74;
				signed int _t83;

				_t60 = __ecx;
				_push(0x1c);
				E00151A82(0x172e10, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t74 - 0x28)) =  *((intOrPtr*)(_t74 + 8));
				_t54 =  *(_t74 + 0x10) | 0x00400000;
				_t71 = __ecx;
				if( *((intOrPtr*)(_t74 + 0x14)) < 1) {
					 *((intOrPtr*)(_t74 + 0x14)) = 1;
				}
				if( *((intOrPtr*)(_t74 + 0x18)) < 1) {
					 *((intOrPtr*)(_t74 + 0x18)) = 1;
				}
				E000BECE1(_t60, _t74 + 0x14);
				_t69 =  *_t71;
				_t38 = _t54 & 0x0040ffff;
				 *(_t71 + 0x90) = _t38;
				 *((intOrPtr*)( *_t71 + 0x1dc))(_t38);
				if( *((intOrPtr*)(_t74 + 0x24)) == 0xe800) {
					 *(_t71 + 0x90) =  *(_t71 + 0x90) | 0x00000008;
				}
				_t55 = _t54 & 0xffbf0000;
				_t40 = 0;
				if((_t55 & 0x00000002) != 0) {
					_t40 = 1;
				}
				_t63 =  *(_t74 + 0xc) | 0x0000004e;
				_t56 = _t55 |  *(_t74 + 0xc) | 0x0000004e;
				if(_t40 == 0) {
					_t83 = _t56;
				}
				E00062F94(_t56, _t63, _t71, 0, _t83, 0x10);
				 *(_t74 - 0x20) = 0;
				 *((intOrPtr*)(_t74 - 0x1c)) = 0;
				 *((intOrPtr*)(_t74 - 0x18)) = 0;
				 *((intOrPtr*)(_t74 - 0x14)) = 0;
				SetRectEmpty(_t74 - 0x20);
				_t45 = E0006F828(_t56, 0x1c3998, _t71, 0, _t83, _t74 - 0x24, L"Afx:ToolBar");
				 *((intOrPtr*)(_t74 - 4)) = 0;
				_t47 = E000C154F( *_t45, _t56, _t74 - 0x20,  *((intOrPtr*)(_t74 - 0x28)),  *((intOrPtr*)(_t74 + 0x24)), 0, 0);
				asm("sbb bl, bl");
				E00051190( *((intOrPtr*)(_t74 - 0x24)) + 0xfffffff0, _t69);
				return E00151B05( ~_t47 + 1, _t71, 0);
			}

0x0007adaa
0x0007adaa
0x0007adb1
0x0007adbc
0x0007adc2
0x0007adc8
0x0007adcd
0x0007adcf
0x0007adcf
0x0007add5
0x0007add7
0x0007add7
0x0007adde
0x0007ade3
0x0007ade7
0x0007adef
0x0007adf5
0x0007ae02
0x0007ae04
0x0007ae04
0x0007ae0b
0x0007ae13
0x0007ae18
0x0007ae1a
0x0007ae1a
0x0007ae1e
0x0007ae21
0x0007ae25
0x0007ae27
0x0007ae27
0x0007ae2c
0x0007ae35
0x0007ae38
0x0007ae3b
0x0007ae3e
0x0007ae41
0x0007ae55
0x0007ae67
0x0007ae6f
0x0007ae7b
0x0007ae80
0x0007ae91

APIs

__EH_prolog3_GS.LIBCMT ref: 0007ADB1
SetRectEmpty.USER32 ref: 0007AE41

Strings

Afx:ToolBar, xrefs: 0007AE47

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: EmptyH_prolog3_Rect
String ID: Afx:ToolBar
API String ID: 2941628838-177727192
Opcode ID: 71a01e9865e01eaa297f08f5a058ab8b0155db5620c006b21097b527be1d4df4
Instruction ID: 6ae57c03752cac132574027935467ea0ef5033c19cd303f0f89c93a598aee088
Opcode Fuzzy Hash: 71a01e9865e01eaa297f08f5a058ab8b0155db5620c006b21097b527be1d4df4
Instruction Fuzzy Hash: 0C219F71A1061A9FCB04DFB4C886BEE7BB9FF49310F14412AF519E7281DB749954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0006EA91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0006EA91(struct HMONITOR__* _a4, long* _a16) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagMONITORINFO _v64;
				void* __esi;
				signed int _t23;
				long _t33;
				long _t34;
				long _t35;
				long _t36;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr _t42;
				long* _t43;
				signed int _t44;

				_t23 =  *0x1c0454; // 0x885926af
				_v8 = _t23 ^ _t44;
				_t43 = _a16;
				_v64.cbSize = 0x28;
				if(GetMonitorInfoW(_a4,  &_v64) != 0) {
					CopyRect( &_v24,  &(_v64.rcWork));
					_t33 =  *_t43;
					if(_t33 >= _v24.left) {
						_t33 = _v24.left;
					}
					 *_t43 = _t33;
					_t34 = _t43[2];
					if(_t34 <= _v24.right) {
						_t34 = _v24.right;
					}
					_t43[2] = _t34;
					_t35 = _t43[1];
					if(_t35 >= _v24.top) {
						_t35 = _v24.top;
					}
					_t43[1] = _t35;
					_t36 = _t43[3];
					if(_t36 <= _v24.bottom) {
						_t36 = _v24.bottom;
					}
					_t43[3] = _t36;
				}
				return E00150836(1, _t37, _v8 ^ _t44, _t41, _t42, _t43);
			}

0x0006ea99
0x0006eaa0
0x0006eaa7
0x0006eaaf
0x0006eabe
0x0006eac8
0x0006eace
0x0006ead3
0x0006ead5
0x0006ead5
0x0006ead8
0x0006eada
0x0006eae0
0x0006eae2
0x0006eae2
0x0006eae5
0x0006eae8
0x0006eaee
0x0006eaf0
0x0006eaf0
0x0006eaf3
0x0006eaf6
0x0006eafc
0x0006eafe
0x0006eafe
0x0006eb01
0x0006eb01
0x0006eb13

APIs

GetMonitorInfoW.USER32(?,?), ref: 0006EAB6
CopyRect.USER32(?,?), ref: 0006EAC8

Strings

(, xrefs: 0006EAAF

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: c4853ea4593436a7205dbcfdc35e627188c6688221714b792590ec017c6215bd
Instruction ID: 989609a024c3b1e319f06e9cf06e56fe201ba09c056179d0a5d5c03c4047eaf8
Opcode Fuzzy Hash: c4853ea4593436a7205dbcfdc35e627188c6688221714b792590ec017c6215bd
Instruction Fuzzy Hash: 8711C275A00249EFCB50DFA8D98599FB7F5FB08300B508859E45AE7650D730F944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0008A8E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E0008A8E6(void* __ecx, intOrPtr __edx, intOrPtr __edi) {
				signed int _v8;
				signed short _v20;
				signed short _v24;
				char _v28;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t9;
				signed int _t11;
				intOrPtr _t22;
				intOrPtr* _t23;
				intOrPtr _t28;
				intOrPtr _t30;
				signed int _t31;
				signed int _t34;

				_t29 = __edi;
				_t28 = __edx;
				_t9 =  *0x1c0454; // 0x885926af
				_v8 = _t9 ^ _t34;
				_t11 =  *0x1bd2e0; // 0x60010
				_t37 = _t11 - 0xffffffff;
				if(_t11 == 0xffffffff) {
					_push(_t22);
					_push(_t30);
					_t23 = GetProcAddress(E0005F4D4( *((intOrPtr*)( *((intOrPtr*)(E0006B628(_t22, __edi, _t30, _t37) + 0x78))))), "DllGetVersion");
					_t31 = 0x40000;
					if(_t23 != 0) {
						E00151B30( &_v28, 0, 0x14);
						_push( &_v28);
						_v28 = 0x14;
						if( *_t23() >= 0) {
							_t31 = (_v24 & 0x0000ffff) << 0x00000010 | _v20 & 0x0000ffff;
						}
					}
					 *0x1bd2e0 = _t31;
					_t11 = _t31;
					_pop(_t30);
					_pop(_t22);
				}
				return E00150836(_t11, _t22, _v8 ^ _t34, _t28, _t29, _t30);
			}

0x0008a8e6
0x0008a8e6
0x0008a8ee
0x0008a8f5
0x0008a8f8
0x0008a8fd
0x0008a900
0x0008a902
0x0008a903
0x0008a91f
0x0008a921
0x0008a928
0x0008a932
0x0008a93d
0x0008a93e
0x0008a949
0x0008a956
0x0008a956
0x0008a949
0x0008a958
0x0008a95e
0x0008a960
0x0008a961
0x0008a961
0x0008a96d

APIs

Part of subcall function 0005F4D4: GetModuleHandleW.KERNEL32(?,?,0005F5BC,InitCommonControlsEx,00000000,?,00060314,00080000,00008000,?,?,00063251,?,00080000,?), ref: 0005F4E2
Part of subcall function 0005F4D4: LoadLibraryW.KERNEL32(?,?,0005F5BC,InitCommonControlsEx,00000000,?,00060314,00080000,00008000,?,?,00063251,?,00080000,?), ref: 0005F4F2

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0008A919
_memset.LIBCMT ref: 0008A932

Strings

DllGetVersion, xrefs: 0008A913

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc_memset
String ID: DllGetVersion
API String ID: 3385804498-2861820592
Opcode ID: 52206869205320772b97f9ccffdfb526843788b9ab3e8880cf90cfad6977055f
Instruction ID: 176ea85096beeb212c9307d455c588c9b9dd3da220d7286e3c8ea56422eba76c
Opcode Fuzzy Hash: 52206869205320772b97f9ccffdfb526843788b9ab3e8880cf90cfad6977055f
Instruction Fuzzy Hash: 7701B171E002199BE700EBA8EC82BAE77F8AF08345F510121FA14E7292E770DD489791

Uniqueness

Uniqueness Score: -1.00%

Function 0006C279 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0006C279(intOrPtr __ebx, void* __ecx) {
				signed int _v8;
				char _v28;
				short _v548;
				void* __edi;
				void* __esi;
				signed int _t9;
				long _t12;
				short _t13;
				intOrPtr _t19;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t30;
				signed int _t35;

				_t19 = __ebx;
				_t33 = _t35;
				_t9 =  *0x1c0454; // 0x885926af
				_v8 = _t9 ^ _t35;
				_t12 = GetModuleFileNameW( *(__ecx + 0x44),  &_v548, 0x104);
				if(_t12 == 0) {
					L4:
					_t13 = 0;
					__eflags = 0;
				} else {
					_t39 = _t12 - 0x104;
					if(_t12 == 0x104) {
						goto L4;
					} else {
						 *(PathFindExtensionW( &_v548)) = 0;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t13 = E0006C0C3(0, _t25, _t39,  &_v28,  &_v548);
						_t26 = _t26;
					}
				}
				_pop(_t30);
				return E00150836(_t13, _t19, _v8 ^ _t33, _t25, _t26, _t30);
			}

0x0006c279
0x0006c27c
0x0006c284
0x0006c28b
0x0006c2a1
0x0006c2a9
0x0006c2e3
0x0006c2e3
0x0006c2e3
0x0006c2ab
0x0006c2ab
0x0006c2ad
0x00000000
0x0006c2af
0x0006c2bf
0x0006c2ca
0x0006c2cb
0x0006c2cc
0x0006c2d3
0x0006c2d9
0x0006c2db
0x0006c2e0
0x0006c2e0
0x0006c2ad
0x0006c2ea
0x0006c2f1

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 0006C2A1
PathFindExtensionW.SHLWAPI(?), ref: 0006C2B7

Part of subcall function 0006C0C3: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 0006C108
Part of subcall function 0006C0C3: _memset.LIBCMT ref: 0006C134
Part of subcall function 0006C0C3: _wcstoul.LIBCMT ref: 0006C17C
Part of subcall function 0006C0C3: _wcslen.LIBCMT ref: 0006C19D
Part of subcall function 0006C0C3: GetUserDefaultUILanguage.KERNEL32 ref: 0006C1AD
Part of subcall function 0006C0C3: ConvertDefaultLocale.KERNEL32(?), ref: 0006C1D4
Part of subcall function 0006C0C3: ConvertDefaultLocale.KERNEL32(?), ref: 0006C1E3
Part of subcall function 0006C0C3: GetSystemDefaultUILanguage.KERNEL32 ref: 0006C1EC
Part of subcall function 0006C0C3: ConvertDefaultLocale.KERNEL32(?), ref: 0006C208
Part of subcall function 0006C0C3: ConvertDefaultLocale.KERNEL32(?), ref: 0006C217

Strings

%s%s.dll, xrefs: 0006C2C2

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: Default$ConvertLocale$Language$AddressExtensionFileFindModuleNamePathProcSystemUser_memset_wcslen_wcstoul
String ID: %s%s.dll
API String ID: 1415830068-1649984862
Opcode ID: f51a427cd123d44855772066311deeae9bfef0a69cff3e3bc4cd17ec52d135e4
Instruction ID: 3625d6a493378f5dc246cb902dfa3deb5a19021fc7b2a8828800974e06c095ef
Opcode Fuzzy Hash: f51a427cd123d44855772066311deeae9bfef0a69cff3e3bc4cd17ec52d135e4
Instruction Fuzzy Hash: B0016272A04118ABD711DBA8EC45EFF77FDEF4D301F0104A5A909E7051D6709A458B94

Uniqueness

Uniqueness Score: -1.00%

Function 000BD5B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
registryclipboardCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000BD5B7(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t11;
				intOrPtr _t13;
				int _t16;
				void* _t23;
				void* _t25;
				WCHAR* _t28;
				void* _t29;

				_t25 = __edx;
				_push(4);
				E00151A19(0x16f177, __ebx, __edi, __esi);
				if( *0x1c570c == 0) {
					_t13 =  *0x1c5714; // 0x1bc908
					_t1 = E000541F0(_t13 + 0xfffffff0) + 0x10; // 0x10
					_t28 = _t1;
					_pop(_t23);
					 *(_t29 - 0x10) = _t28;
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					if( *((intOrPtr*)(_t28 - 0xc)) == 0) {
						E00051400(_t29 - 0x10, L"ToolbarButton%p", E0005C4D8());
						_t28 =  *(_t29 - 0x10);
					}
					_t16 = RegisterClipboardFormatW(_t28);
					 *0x1c570c = _t16;
					if(_t16 == 0) {
						E000655E0(_t23);
					}
					_t8 = _t28 - 0x10; // 0x0
					E00051190(_t8, _t25);
				}
				_t11 =  *0x1c570c; // 0x0
				return E00151AF1(_t11);
			}

0x000bd5b7
0x000bd5b7
0x000bd5be
0x000bd5cb
0x000bd5cd
0x000bd5db
0x000bd5db
0x000bd5de
0x000bd5df
0x000bd5e2
0x000bd5ea
0x000bd5fb
0x000bd600
0x000bd603
0x000bd607
0x000bd60d
0x000bd616
0x000bd618
0x000bd618
0x000bd61d
0x000bd620
0x000bd620
0x000bd625
0x000bd630

APIs

__EH_prolog3.LIBCMT ref: 000BD5BE
RegisterClipboardFormatW.USER32 ref: 000BD607

Strings

ToolbarButton%p, xrefs: 000BD5F5

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: ClipboardFormatH_prolog3Register
String ID: ToolbarButton%p
API String ID: 1070914459-899657487
Opcode ID: 46bd3342a91d499ec0b047e46669f4377b83845685e27767ec6206eb4421463d
Instruction ID: 5b2911b9d1a9053aeaa30a84926d4673ab2af68ba7fa8fec6463beed42a0ca37
Opcode Fuzzy Hash: 46bd3342a91d499ec0b047e46669f4377b83845685e27767ec6206eb4421463d
Instruction Fuzzy Hash: A3F08C34800700DACB10FBA0EC05BEEB7A8AF10316F404516F92467592EB74A9C98F65

Uniqueness

Uniqueness Score: -1.00%

Function 00071AE5 Relevance: 5.1, APIs: 4, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00071AE5(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t31;
				intOrPtr _t32;
				signed int _t38;
				struct _CRITICAL_SECTION* _t39;
				intOrPtr* _t44;
				long* _t47;
				intOrPtr* _t50;

				_push(__ecx);
				_t50 = _a4;
				_t38 = 1;
				_t47 = __ecx;
				_v8 = 1;
				if( *((intOrPtr*)(_t50 + 8)) <= 1) {
					L10:
					_t24 =  &(_t47[7]); // 0x1c
					_t39 = _t24;
					EnterCriticalSection(_t39);
					_t25 =  &(_t47[5]); // 0x14
					E0007177E(_t25, _t50);
					LeaveCriticalSection(_t39);
					LocalFree( *(_t50 + 0xc));
					 *((intOrPtr*)( *_t50))(1);
					_t31 = TlsSetValue( *_t47, 0);
					L11:
					return _t31;
				} else {
					goto L1;
				}
				do {
					L1:
					_t32 = _a8;
					if(_t32 == 0 ||  *((intOrPtr*)(_t47[4] + 4 + _t38 * 8)) == _t32) {
						_t44 =  *((intOrPtr*)( *(_t50 + 0xc) + _t38 * 4));
						if(_t44 != 0) {
							 *((intOrPtr*)( *_t44))(1);
						}
						_t31 =  *(_t50 + 0xc);
						 *(_t31 + _t38 * 4) =  *(_t31 + _t38 * 4) & 0x00000000;
					} else {
						_t31 =  *(_t50 + 0xc);
						if( *(_t31 + _t38 * 4) != 0) {
							_v8 = _v8 & 0x00000000;
						}
					}
					_t38 = _t38 + 1;
				} while (_t38 <  *((intOrPtr*)(_t50 + 8)));
				if(_v8 == 0) {
					goto L11;
				}
				goto L10;
			}

0x00071aea
0x00071aef
0x00071af2
0x00071af4
0x00071af6
0x00071afc
0x00071b40
0x00071b40
0x00071b40
0x00071b44
0x00071b4b
0x00071b4e
0x00071b54
0x00071b5d
0x00071b69
0x00071b6f
0x00071b75
0x00071b79
0x00000000
0x00000000
0x00000000
0x00071afe
0x00071afe
0x00071afe
0x00071b03
0x00071b20
0x00071b25
0x00071b2b
0x00071b2b
0x00071b2d
0x00071b30
0x00071b0e
0x00071b0e
0x00071b15
0x00071b17
0x00071b17
0x00071b15
0x00071b34
0x00071b35
0x00071b3e
0x00000000
0x00000000
0x00000000

APIs

EnterCriticalSection.KERNEL32(0000001C,00000004,00000000,0000001C,00000000,?,00071BC4,?,00000000,00000000,?,?,00069683,00000000,00000000,000000FF), ref: 00071B44
LeaveCriticalSection.KERNEL32(0000001C,00000000,?,00071BC4,?,00000000,00000000,?,?,00069683,00000000,00000000,000000FF,00000010,00069A1B,00000000), ref: 00071B54
LocalFree.KERNEL32(?,?,00071BC4,?,00000000,00000000,?,?,00069683,00000000,00000000,000000FF,00000010,00069A1B,00000000), ref: 00071B5D
TlsSetValue.KERNEL32(00000000,00000000,?,00071BC4,?,00000000,00000000,?,?,00069683,00000000,00000000,000000FF,00000010,00069A1B,00000000), ref: 00071B6F

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 4b8f626f473ee5fbaf4efd6a8e1fbe2e530c241ac134e1883a7638ac80db8ebb
Instruction ID: b66438c4ace320dff0b6c3c5be2bc50568e7374b2a0c97a5b191bc2f282d968e
Opcode Fuzzy Hash: 4b8f626f473ee5fbaf4efd6a8e1fbe2e530c241ac134e1883a7638ac80db8ebb
Instruction Fuzzy Hash: C2117931A01208EFD724CF58D888B9AB7B8FF45316F108069E15A875E2DB74EC90CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00072399 Relevance: 5.0, APIs: 4, Instructions: 38
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00072399(signed int _a4) {
				void* __ebp;
				struct _CRITICAL_SECTION* _t4;
				void* _t8;
				signed int _t9;
				intOrPtr* _t12;

				_t9 = _a4;
				if(_t9 >= 0x11) {
					_t4 = E000655E0(_t8);
				}
				if( *0x1c3c44 == 0) {
					_t4 = E00072330();
				}
				_t12 = 0x1c3df8 + _t9 * 4;
				if( *_t12 == 0) {
					EnterCriticalSection(0x1c3de0);
					if( *_t12 == 0) {
						_t4 = 0x1c3c48 + _t9 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t12 =  *_t12 + 1;
					}
					LeaveCriticalSection(0x1c3de0);
				}
				EnterCriticalSection(0x1c3c48 + _t9 * 0x18);
				return _t4;
			}

0x000723a1
0x000723a7
0x000723a9
0x000723a9
0x000723b5
0x000723b7
0x000723b7
0x000723c2
0x000723cc
0x000723d3
0x000723d8
0x000723df
0x000723e5
0x000723eb
0x000723eb
0x000723f2
0x000723f2
0x00072402
0x00072408

APIs

EnterCriticalSection.KERNEL32(001C3DE0,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723D3
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723E5
LeaveCriticalSection.KERNEL32(001C3DE0,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 000723F2
EnterCriticalSection.KERNEL32(?,?,?,00000002,?,000716FF,00000010,00000008,0006B656,0006B5ED,0005E58B,0006A15B,0006918A,?,00000000,00000004), ref: 00072402

Part of subcall function 000655E0: __CxxThrowException@8.LIBCMT ref: 000655F6

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: aaab58e2cf6926c548d95ea2db0514e327130e47533627f104dfe9213bf5cff4
Instruction ID: 255dc6c825aa895e611a7b1c45eb622951b7ca921b86e622cf20410a60d32bd9
Opcode Fuzzy Hash: aaab58e2cf6926c548d95ea2db0514e327130e47533627f104dfe9213bf5cff4
Instruction Fuzzy Hash: 62F0F672A00204AFC7102B65DD89F6DBA6AEBA0352F51902AF05962052CB38CBC1C669

Uniqueness

Uniqueness Score: -1.00%

Function 00071678 Relevance: 5.0, APIs: 4, Instructions: 35
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00071678(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x1c
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0 || _t14 >= _t16[3]) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				} else {
					_t9 = TlsGetValue( *_t16);
					if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
						goto L5;
					} else {
						LeaveCriticalSection(_t12);
						return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
					}
				}
			}

0x0007167f
0x00071682
0x00071682
0x00071686
0x0007168c
0x00071691
0x000716ba
0x000716bb
0x00000000
0x00071698
0x0007169a
0x000716a2
0x00000000
0x000716a9
0x000716b0
0x00000000
0x000716b6
0x000716a2

APIs

EnterCriticalSection.KERNEL32(0000001C,?,?,00000002,?,00071C3F,?,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000,00000004,000691DE), ref: 00071686
TlsGetValue.KERNEL32 ref: 0007169A
LeaveCriticalSection.KERNEL32(0000001C,?,?,00000002,?,00071C3F,?,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000,00000004,000691DE), ref: 000716B0
LeaveCriticalSection.KERNEL32(0000001C,?,?,00000002,?,00071C3F,?,00000004,0006B637,0005E58B,0006A15B,0006918A,?,00000000,00000004,000691DE), ref: 000716BB

Memory Dump Source

Source File: 00000001.00000002.926196064.0000000000051000.00000020.00000001.01000000.00000003.sdmp, Offset: 00050000, based on PE: true

Associated: 00000001.00000002.926190788.0000000000050000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926340037.0000000000177000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926377674.00000000001BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926390038.00000000001CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926400569.00000000001D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926411479.00000000001E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.926432985.000000000020D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_50000_ExamShieldLauncher.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: e779d1184bda47f37dd4ecd2198a15f02f1723b7118fcdddce549f285580c896
Instruction ID: 123d5f1461852a9913b5f3024e375d9dcc327c2c63e9d7fa168e9b2af3751d17
Opcode Fuzzy Hash: e779d1184bda47f37dd4ecd2198a15f02f1723b7118fcdddce549f285580c896
Instruction Fuzzy Hash: 48F0B4722081049FC3318F1CEC48C9A77FEEB8476072A8525F80AC3151D634F8819AA4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ExamShieldSetup.exePID: 800, Parent PID: 2128COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	36

Executed Functions

Function 00038050 Relevance: 60.3, APIs: 9, Strings: 24, Instructions: 2556
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E00038050(short* __ecx, signed int __edx, void* __fp0) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v544;
				short _v1068;
				short* _v1072;
				signed int _v1076;
				char _v1080;
				char _v1084;
				char _v1088;
				signed int _v1092;
				char _v1096;
				char _v1100;
				char _v1104;
				WCHAR* _v1108;
				char _v1112;
				char _v1116;
				char _v1120;
				char _v1124;
				WCHAR* _v1128;
				WCHAR* _v1132;
				char _v1136;
				char _v1140;
				char _v1144;
				short* _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1192;
				char _v1492;
				char _v1500;
				char _v1892;
				intOrPtr _v2732;
				intOrPtr _v2736;
				char _v2776;
				char _v2780;
				char _v2940;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t792;
				signed int _t793;
				void* _t795;
				signed int _t797;
				signed int _t800;
				signed int _t803;
				signed int _t807;
				signed int _t811;
				signed int _t815;
				signed int _t819;
				signed int _t823;
				signed int _t827;
				signed int _t831;
				signed int _t835;
				signed int _t839;
				signed int _t843;
				signed int _t847;
				signed int _t851;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				intOrPtr* _t859;
				signed int* _t860;
				short* _t862;
				intOrPtr* _t869;
				signed int* _t870;
				short* _t872;
				signed int _t877;
				intOrPtr* _t879;
				long _t884;
				intOrPtr* _t886;
				void* _t891;
				short* _t894;
				void* _t895;
				short* _t898;
				void* _t899;
				short* _t902;
				signed int _t904;
				void* _t911;
				void* _t922;
				void* _t923;
				signed int _t927;
				signed int _t928;
				void* _t931;
				char _t957;
				signed int _t959;
				signed int _t961;
				signed int** _t964;
				signed int** _t967;
				signed int** _t968;
				signed int** _t970;
				signed int** _t972;
				signed int** _t974;
				signed int** _t976;
				signed int** _t978;
				short* _t980;
				short* _t982;
				signed int** _t984;
				signed int** _t986;
				signed int** _t988;
				signed int** _t990;
				signed int** _t992;
				char _t1025;
				char _t1026;
				signed int* _t1029;
				signed int _t1030;
				void* _t1031;
				void* _t1032;
				signed int* _t1038;
				signed int _t1039;
				void* _t1040;
				void* _t1041;
				char _t1046;
				signed int* _t1048;
				signed int _t1049;
				void* _t1050;
				void* _t1051;
				signed int* _t1058;
				signed int _t1059;
				void* _t1060;
				void* _t1061;
				signed int** _t1068;
				signed int** _t1069;
				signed int** _t1071;
				signed int** _t1073;
				signed int** _t1075;
				signed int** _t1077;
				signed int** _t1079;
				short* _t1081;
				short* _t1083;
				signed int** _t1085;
				signed int** _t1087;
				signed int** _t1089;
				signed int** _t1091;
				signed int** _t1093;
				signed int** _t1095;
				void* _t1129;
				signed int** _t1132;
				short* _t1139;
				signed int** _t1141;
				signed int** _t1143;
				signed int** _t1144;
				signed int** _t1146;
				signed int** _t1148;
				signed int** _t1150;
				signed int** _t1152;
				signed int** _t1154;
				signed int** _t1155;
				signed int** _t1156;
				signed int** _t1158;
				signed int** _t1160;
				signed int** _t1162;
				signed int** _t1164;
				signed int** _t1166;
				signed int** _t1168;
				short* _t1205;
				short* _t1207;
				signed int** _t1209;
				signed int** _t1210;
				signed int** _t1212;
				signed int** _t1214;
				signed int** _t1216;
				signed int** _t1218;
				signed int** _t1220;
				short* _t1222;
				short* _t1224;
				signed int** _t1226;
				signed int** _t1228;
				signed int** _t1230;
				signed int** _t1232;
				signed int** _t1234;
				signed int* _t1270;
				signed int _t1271;
				void* _t1272;
				void* _t1273;
				intOrPtr* _t1276;
				signed int* _t1283;
				signed int _t1284;
				void* _t1285;
				void* _t1286;
				signed int** _t1289;
				signed int _t1298;
				signed int** _t1305;
				signed int** _t1306;
				signed int** _t1308;
				signed int** _t1310;
				short* _t1312;
				signed int** _t1314;
				signed int** _t1316;
				short* _t1318;
				short* _t1320;
				signed int** _t1322;
				signed int** _t1324;
				signed int** _t1326;
				signed int** _t1328;
				signed int** _t1330;
				signed int** _t1368;
				signed int** _t1370;
				signed int** _t1372;
				signed int** _t1374;
				signed int** _t1375;
				signed int** _t1377;
				signed int** _t1379;
				short* _t1381;
				short* _t1383;
				signed int** _t1385;
				signed int** _t1387;
				signed int** _t1389;
				signed int** _t1391;
				signed int** _t1392;
				intOrPtr* _t1424;
				short* _t1428;
				intOrPtr* _t1429;
				short* _t1433;
				signed int _t1442;
				signed int _t1452;
				void* _t1461;
				void* _t1464;
				void* _t1468;
				char _t1469;
				char _t1470;
				void* _t1473;
				WCHAR* _t1479;
				intOrPtr* _t1540;
				signed int _t1542;
				signed int _t1546;
				signed int _t1549;
				signed int _t1606;
				char _t1650;
				signed int _t1660;
				char _t1696;
				signed int _t1781;
				signed int _t1878;
				signed int _t1881;
				signed int _t1885;
				void* _t1886;
				signed int _t1887;
				void* _t1888;
				signed int _t1891;
				signed int _t1894;
				signed int _t1898;
				signed int _t1905;
				signed int _t1907;
				signed int _t1909;
				signed int _t1911;
				signed int _t1913;
				signed int _t1915;
				signed int _t1917;
				signed int _t1919;
				signed int _t1921;
				signed int _t1923;
				signed int _t1925;
				signed int _t1927;
				signed int _t1929;
				signed int _t1935;
				signed int _t1937;
				signed int _t1939;
				signed int _t1941;
				signed int _t1943;
				signed int _t1945;
				signed int _t1947;
				signed int _t1949;
				signed int _t1951;
				signed int _t1953;
				signed int _t1955;
				signed int _t1957;
				signed int _t1959;
				signed int _t1961;
				signed int _t1963;
				signed int _t1966;
				short* _t1967;
				signed int _t1969;
				signed int _t1971;
				signed int _t1973;
				signed int _t1975;
				signed int _t1977;
				signed int _t1979;
				signed int _t1981;
				signed int _t1983;
				signed int _t1985;
				signed int _t1987;
				signed int _t1989;
				signed int _t1991;
				signed int _t1993;
				signed int _t1995;
				signed int _t1997;
				signed int _t1999;
				signed int _t2002;
				signed int _t2004;
				signed int _t2006;
				signed int _t2008;
				signed int _t2010;
				signed int _t2012;
				signed int _t2014;
				signed int _t2016;
				signed int _t2018;
				signed int _t2020;
				signed int _t2022;
				signed int _t2024;
				signed int _t2026;
				signed int _t2028;
				signed int _t2030;
				signed int _t2033;
				signed int _t2038;
				signed int _t2040;
				signed int _t2042;
				signed int _t2044;
				signed int _t2046;
				signed int _t2048;
				signed int _t2050;
				signed int _t2052;
				signed int _t2054;
				signed int _t2056;
				signed int _t2058;
				signed int _t2060;
				signed int _t2062;
				signed int _t2064;
				signed int _t2069;
				signed int _t2071;
				signed int _t2073;
				signed int _t2075;
				signed int _t2077;
				signed int _t2079;
				signed int _t2081;
				signed int _t2083;
				signed int _t2085;
				signed int _t2087;
				signed int _t2089;
				signed int _t2091;
				signed int _t2093;
				signed int _t2095;
				signed int _t2096;
				signed int _t2099;
				void* _t2106;
				signed int** _t2109;
				signed int _t2110;
				signed int** _t2112;
				WCHAR* _t2113;
				void* _t2115;
				WCHAR* _t2120;
				void* _t2123;
				short* _t2124;
				signed int _t2125;
				char _t2126;
				void* _t2127;
				signed int _t2128;
				signed int _t2130;
				signed int _t2132;
				void* _t2133;
				intOrPtr _t2134;
				void* _t2135;
				void* _t2136;
				void* _t2137;
				void* _t2138;
				char _t2139;
				void* _t2143;
				void* _t2144;
				void* _t2145;
				void* _t2146;
				intOrPtr _t2147;
				void* _t2148;
				void* _t2149;
				void* _t2150;
				void* _t2158;

				_t2158 = __fp0;
				_t1862 = __edx;
				_t2134 = _t2133 - 0xb6c;
				_t792 =  *0x1a0454; // 0x960af5fb
				_t793 = _t792 ^ _t2132;
				_v24 = _t793;
				 *[fs:0x0] =  &_v16;
				_v20 = _t2134;
				_t2124 = __ecx;
				_v1148 = __ecx;
				__imp__#17(_t793, _t2106, _t2123, _t1468,  *[fs:0x0], 0x154d4e, 0xffffffff);
				__ecx[0x5c] = 0;
				_t795 = E0003B1C0(); // executed
				if(_t795 != 0 || E0003B240(_t1468, _t1862, 0) == 0) {
					if(E0003B240(_t1468, _t1862, 0) != 0) {
						goto L7;
					}
					_t1461 = E0003B2E0();
					_t2154 = _t1461;
					if(_t1461 != 0) {
						goto L7;
					}
					goto L4;
				} else {
					L4:
					E0003C190(_t1468,  &_v1492);
					_v8 = 0;
					_t1464 = E00044645(_t1468,  &_v1492, _t1862, 0, _t2124, _t2154);
					_v8 = 0xffffffff;
					if(_t1464 == 6) {
						E0003C230(_t1468, _t1862, 0);
						L7:
						_t797 = E00045761();
						__eflags = _t797;
						_t1486 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t797 = E00031330(_t1468, _t1486, 0, _t2124);
						}
						_t14 =  *((intOrPtr*)( *((intOrPtr*)( *_t797 + 0xc))))() + 0x10; // 0x10
						_t1469 = _t14;
						_v1088 = _t1469;
						_v8 = 1;
						_t800 = E00045761();
						__eflags = _t800;
						_t1489 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t800 = E00031330(_t1469, _t1489, 0, _t2124);
						}
						_t20 =  *((intOrPtr*)( *((intOrPtr*)( *_t800 + 0xc))))() + 0x10; // 0x10
						_t2125 = _t20;
						_v1092 = _t2125;
						_v8 = 2;
						_t803 = E00045761();
						__eflags = _t803;
						_t1492 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t803 = E00031330(_t1469, _t1492, 0, _t2125);
						}
						_v1116 =  *((intOrPtr*)( *((intOrPtr*)( *_t803 + 0xc))))() + 0x10;
						_v8 = 3;
						_t807 = E00045761();
						__eflags = _t807;
						_t1495 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t807 = E00031330(_t1469, _t1495, 0, _t2125);
						}
						_v1120 =  *((intOrPtr*)( *((intOrPtr*)( *_t807 + 0xc))))() + 0x10;
						_v8 = 4;
						_t811 = E00045761();
						__eflags = _t811;
						_t1498 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t811 = E00031330(_t1469, _t1498, 0, _t2125);
						}
						_v1140 =  *((intOrPtr*)( *((intOrPtr*)( *_t811 + 0xc))))() + 0x10;
						_v8 = 5;
						_t815 = E00045761();
						__eflags = _t815;
						_t1501 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t815 = E00031330(_t1469, _t1501, 0, _t2125);
						}
						_v1136 =  *((intOrPtr*)( *((intOrPtr*)( *_t815 + 0xc))))() + 0x10;
						_v8 = 6;
						_t819 = E00045761();
						__eflags = _t819;
						_t1504 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t819 = E00031330(_t1469, _t1504, 0, _t2125);
						}
						_v1132 =  *((intOrPtr*)( *((intOrPtr*)( *_t819 + 0xc))))() + 0x10;
						_v8 = 7;
						_t823 = E00045761();
						__eflags = _t823;
						_t1507 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t823 = E00031330(_t1469, _t1507, 0, _t2125);
						}
						_v1128 =  *((intOrPtr*)( *((intOrPtr*)( *_t823 + 0xc))))() + 0x10;
						_v8 = 8;
						_t827 = E00045761();
						__eflags = _t827;
						_t1510 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t827 = E00031330(_t1469, _t1510, 0, _t2125);
						}
						_v1096 =  *((intOrPtr*)( *((intOrPtr*)( *_t827 + 0xc))))() + 0x10;
						_v8 = 9;
						_t831 = E00045761();
						__eflags = _t831;
						_t1513 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t831 = E00031330(_t1469, _t1513, 0, _t2125);
						}
						_v1100 =  *((intOrPtr*)( *((intOrPtr*)( *_t831 + 0xc))))() + 0x10;
						_v8 = 0xa;
						_t835 = E00045761();
						__eflags = _t835;
						_t1516 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t835 = E00031330(_t1469, _t1516, 0, _t2125);
						}
						_v1108 =  *((intOrPtr*)( *((intOrPtr*)( *_t835 + 0xc))))() + 0x10;
						_v8 = 0xb;
						_t839 = E00045761();
						__eflags = _t839;
						_t1519 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t839 = E00031330(_t1469, _t1519, 0, _t2125);
						}
						_v1112 =  *((intOrPtr*)( *((intOrPtr*)( *_t839 + 0xc))))() + 0x10;
						_v8 = 0xc;
						_t843 = E00045761();
						__eflags = _t843;
						_t1522 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t843 = E00031330(_t1469, _t1522, 0, _t2125);
						}
						_v1144 =  *((intOrPtr*)( *((intOrPtr*)( *_t843 + 0xc))))() + 0x10;
						_v8 = 0xd;
						_t847 = E00045761();
						__eflags = _t847;
						_t1525 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t847 = E00031330(_t1469, _t1525, 0, _t2125);
						}
						_v1152 =  *((intOrPtr*)( *((intOrPtr*)( *_t847 + 0xc))))() + 0x10;
						_v8 = 0xe;
						_t851 = E00045761();
						__eflags = _t851;
						_t1528 = 0 | __eflags != 0x00000000;
						if(__eflags == 0) {
							_push(0x80004005);
							_t851 = E00031330(_t1469, _t1528, 0, _t2125);
						}
						_v1124 =  *((intOrPtr*)( *((intOrPtr*)( *_t851 + 0xc))))() + 0x10;
						_v8 = 0xf;
						_push(0x12c);
						_v1076 = 0;
						_t855 = E0004A156();
						__eflags = _t855;
						if(_t855 != 0) {
							E000363E0( &_v1088, _t855, 0x12c);
							_t1469 = _v1088;
						}
						_push(0xc8);
						_t856 = E0004A156();
						__eflags = _t856;
						if(_t856 != 0) {
							E000363E0( &_v1092, _t856, 0xc8);
							_t2125 = _v1092;
						}
						_push(0x136);
						_t857 = E0004A156();
						__eflags = _t857;
						if(_t857 != 0) {
							E000363E0( &_v1096, _t857, 0x136);
						}
						_push(0x140);
						_t858 = E0004A156();
						__eflags = _t858;
						if(_t858 != 0) {
							E000363E0( &_v1100, _t858, 0x140);
						}
						_t1878 =  &_v1072;
						_t859 = E0003C0A0(_t1469, _t1878,  &_v1088, L"ExamShieldSetup.exe"); // executed
						_t2135 = _t2134 + 0xc;
						_v8 = 0x10;
						_t1531 =  *_t859;
						_t860 =  *_t859 - 0x10;
						_t2109 = _v1116 + 0xfffffff0;
						__eflags = _t860 - _t2109;
						if(_t860 == _t2109) {
							L53:
							_v8 = 0xf;
							_t862 =  &(_v1072[0xfffffffffffffff8]);
							_t1532 =  &(_t862[6]);
							asm("lock xadd [ecx], edx");
							__eflags = (_t1878 | 0xffffffff) - 1;
							if((_t1878 | 0xffffffff) - 1 <= 0) {
								_t1532 =  *_t862;
								 *((intOrPtr*)( *((intOrPtr*)( *( *_t862) + 4))))(_t862);
							}
							_t2110 =  *(_t1469 - 0xc);
							__eflags = _t2110;
							if(_t2110 >= 0) {
								L57:
								__eflags =  *((intOrPtr*)(_t1469 - 8)) - _t2110 | 0x00000001 -  *((intOrPtr*)(_t1469 - 4));
								if(( *((intOrPtr*)(_t1469 - 8)) - _t2110 | 0x00000001 -  *((intOrPtr*)(_t1469 - 4))) < 0) {
									E00031290( &_v1088, _t2110);
									_t1469 = _v1088;
								}
								_t1532 = _t2110 + 1;
								E001315C5(_t1469, _t2110 + 1);
								_t2135 = _t2135 + 8;
								__eflags = _t2110 -  *((intOrPtr*)(_t1469 - 8));
								if(_t2110 >  *((intOrPtr*)(_t1469 - 8))) {
									goto L56;
								} else {
									_t1881 = 0;
									 *(_t1469 - 0xc) = _t2110;
									 *((short*)(_t1469 + _t2110 * 2)) = 0;
									_t869 = E0003C0A0(_t1469,  &_v1072,  &_v1088, L"ExamShieldVersion.txt");
									_t2136 = _t2135 + 0xc;
									_v8 = 0x11;
									_t1536 =  *_t869;
									_t870 =  *_t869 - 0x10;
									_t2112 = _v1120 + 0xfffffff0;
									__eflags = _t870 - _t2112;
									if(_t870 == _t2112) {
										L68:
										_v8 = 0xf;
										_t872 =  &(_v1072[0xfffffffffffffff8]);
										_t1537 =  &(_t872[6]);
										asm("lock xadd [ecx], edx");
										__eflags = (_t1881 | 0xffffffff) - 1;
										if((_t1881 | 0xffffffff) - 1 <= 0) {
											_t1537 =  *_t872;
											 *((intOrPtr*)( *((intOrPtr*)( *( *_t872) + 4))))(_t872);
										}
										__eflags =  *(_t2125 - 0xc);
										if( *(_t2125 - 0xc) > 0) {
											_t2096 =  &_v1072;
											_t1424 = E00034060(_t2096, L"?id=",  &_v1092);
											_t2150 = _t2136 + 0xc;
											_v8 = 0x12;
											E0003BFE0( &_v1116,  *_t1424,  *((intOrPtr*)( *_t1424 - 0xc)));
											_v8 = 0xf;
											_t1428 =  &(_v1072[0xfffffffffffffff8]);
											asm("lock xadd [ecx], edx");
											__eflags = (_t2096 | 0xffffffff) - 1;
											if((_t2096 | 0xffffffff) - 1 <= 0) {
												 *((intOrPtr*)( *((intOrPtr*)( *( *_t1428) + 4))))(_t1428);
											}
											_t2099 =  &_v1072;
											_t1429 = E00034060(_t2099, L"?id=",  &_v1092);
											_t2136 = _t2150 + 0xc;
											_v8 = 0x13;
											E0003BFE0( &_v1120,  *_t1429,  *((intOrPtr*)( *_t1429 - 0xc)));
											_v8 = 0xf;
											_t1433 =  &(_v1072[0xfffffffffffffff8]);
											_t1537 =  &(_t1433[6]);
											asm("lock xadd [ecx], edx");
											__eflags = (_t2099 | 0xffffffff) - 1;
											if((_t2099 | 0xffffffff) - 1 <= 0) {
												_t1537 =  *_t1433;
												 *((intOrPtr*)( *((intOrPtr*)( *( *_t1433) + 4))))(_t1433);
											}
										}
										_t2110 =  *(_t2125 - 0xc);
										__eflags = _t2110;
										if(_t2110 < 0) {
											_push(0x80070057);
											E00031330(_t1469, _t1537, _t2110, _t2125);
										}
										__eflags =  *((intOrPtr*)(_t2125 - 8)) - _t2110 | 0x00000001 -  *((intOrPtr*)(_t2125 - 4));
										if(( *((intOrPtr*)(_t2125 - 8)) - _t2110 | 0x00000001 -  *((intOrPtr*)(_t2125 - 4))) < 0) {
											E00031290( &_v1092, _t2110);
											_t2125 = _v1092;
										}
										_t1532 = _t2110 + 1;
										E0013140B(_t2125, _t2110 + 1);
										_t2135 = _t2136 + 8;
										__eflags = _t2110 -  *((intOrPtr*)(_t2125 - 8));
										if(_t2110 >  *((intOrPtr*)(_t2125 - 8))) {
											goto L56;
										} else {
											__eflags = 0;
											 *(_t2125 - 0xc) = _t2110;
											 *((short*)(_t2125 + _t2110 * 2)) = 0;
											_t1540 = L"COMPATIBILITYCHECK";
											_t877 = _t2125;
											while(1) {
												_t1885 =  *_t877;
												__eflags = _t1885 -  *_t1540;
												if(_t1885 !=  *_t1540) {
													break;
												}
												__eflags = _t1885;
												if(_t1885 == 0) {
													L85:
													_t877 = 0;
													L87:
													_t877 = _t877 & 0xffffff00 | _t877 == 0x00000000;
													if((_t877 & 0xffffff00 | _t877 == 0x00000000) != 0) {
														_v1148[0x5c] = 1;
													}
													__imp__SHGetFolderPathW(0, 0x801c, 0, 0,  &_v544); // executed
													_t879 =  &_v544;
													_t1886 = _t879 + 2;
													do {
														_t1542 =  *_t879;
														_t879 = _t879 + 2;
														__eflags = _t1542;
													} while (_t1542 != 0);
													_t1887 =  &_v544;
													E00034140( &_v1108, _t1887, _t879 - _t1886 >> 1);
													E0003BFE0( &_v1108, L"\\Exam Shield", 0xc);
													_t2113 = _v1108;
													_t884 = GetFileAttributesW(_t2113); // executed
													__eflags = _t884 - 0xffffffff;
													if(_t884 != 0xffffffff) {
														L124:
														GetModuleFileNameW(0,  &_v1068, 0x105);
														_t886 =  &_v1068;
														_t1888 = _t886 + 2;
														do {
															_t1546 =  *_t886;
															_t886 = _t886 + 2;
															__eflags = _t1546;
														} while (_t1546 != 0);
														E00034140( &_v1128,  &_v1068, _t886 - _t1888 >> 1);
														_t891 = E0003C0A0(_t1469,  &_v1072,  &_v1108, L"\\ExamShieldLauncher.exe");
														_t2137 = _t2135 + 0xc;
														_t1549 =  &_v1132;
														_v8 = 0x14;
														E00034260(_t1549, _t891);
														_v8 = 0xf;
														_t894 =  &(_v1072[0xfffffffffffffff8]);
														asm("lock xadd [edx], ecx");
														__eflags = (_t1549 | 0xffffffff) - 1;
														if((_t1549 | 0xffffffff) - 1 <= 0) {
															 *((intOrPtr*)( *((intOrPtr*)( *( *_t894) + 4))))(_t894);
														}
														_t1891 =  &_v1072;
														_t895 = E0003C0A0(_t1469, _t1891,  &_v1108, L"\\ExamShieldSetup.exe");
														_t2138 = _t2137 + 0xc;
														_v8 = 0x15;
														E00034260( &_v1112, _t895);
														_v8 = 0xf;
														_t898 =  &(_v1072[0xfffffffffffffff8]);
														asm("lock xadd [ecx], edx");
														__eflags = (_t1891 | 0xffffffff) - 1;
														if((_t1891 | 0xffffffff) - 1 <= 0) {
															 *((intOrPtr*)( *((intOrPtr*)( *( *_t898) + 4))))(_t898);
														}
														_t1894 =  &_v1072;
														_t899 = E0003C0A0(_t1469, _t1894,  &_v1108, L"\\ExamShieldParams.dat");
														_t2139 = _t2138 + 0xc;
														_v8 = 0x16;
														E00034260( &_v1152, _t899);
														_v8 = 0xf;
														_t902 =  &(_v1072[0xfffffffffffffff8]);
														asm("lock xadd [ecx], edx");
														_t1896 = (_t1894 | 0xffffffff) - 1;
														__eflags = (_t1894 | 0xffffffff) - 1;
														if((_t1894 | 0xffffffff) - 1 <= 0) {
															_t1896 =  *( *_t902);
															 *((intOrPtr*)( *((intOrPtr*)( *( *_t902) + 4))))(_t902);
														}
														_t1558 = _v1148;
														__eflags = _v1148[0x5c];
														if(__eflags != 0) {
															_t2126 = _v1152;
															goto L165;
														} else {
															E0004CC06( &_v1192, __eflags);
															_v8 = 0x17;
															_t2126 = _v1152;
															_t1298 = E0004CADE( &_v1192, _t2126, 0x5001, 0); // executed
															__eflags = _t1298;
															if(__eflags != 0) {
																E0004CCE1(_t1469,  &_v1192, _t2113, _v1092);
																E0004CEA7( &_v1192);
																_t1558 =  &_v1192;
																_v8 = 0xf;
																E0004CEE5(_t1469,  &_v1192, _t1896, _t2113, _t2126, __eflags);
																L165:
																_v1084 = _t2139;
																_t2114 =  &_v1076;
																E00036620(_t1469, L"ExamShield");
																_t1470 = _v1148;
																_t904 = E0003A210( &_v1076, _t2158, _t1470, _t1558,  &_v1124); // executed
																__eflags = _t904;
																if(__eflags == 0) {
																	E000315C0( &_v1124, __eflags, _t2158,  &_v2940);
																	_t1898 =  &_v1116;
																	_v8 = 0x24;
																	E00034260( &_v2780, _t1898);
																	E00034260( &_v2776,  &_v1112);
																	_v2736 = 0;
																	_v2732 = 0;
																	E0003BEC0( &_v1892, "ExamShield Setup");
																	__eflags =  *((char*)(_t1470 + 0xb8));
																	if(__eflags != 0) {
																		_v1500 = 1;
																		E0003BEC0( &_v1892, "ExamShield (Compatibility Check) Setup");
																	}
																	_t911 = E00044645(_t1470,  &_v2940, _t1898, _t2114, _t2126, __eflags); // executed
																	__eflags = _t911 - 1;
																	if(__eflags == 0) {
																		E00036620(_t1470, 0x1818c0);
																		_v8 = 0x25;
																		__eflags =  *((char*)(_t1470 + 0xb8));
																		if( *((char*)(_t1470 + 0xb8)) != 0) {
																			E0003BEC0( &_v1080, "/COMPATIBILITYCHECK");
																			__eflags = _v1076;
																			if(_v1076 == 0) {
																				_t1025 = _v1096;
																				__eflags =  *(_t1025 - 0xc);
																				if( *(_t1025 - 0xc) > 0) {
																					E0003BB10( &_v1076, _t1898, " /COLLABORATIONCLIENT=");
																					_v8 = 0x2c;
																					_t1038 = E0003BE00(_v1080,  &_v1104,  &_v1076);
																					_t2144 = _t2139 + 8;
																					_v8 = 0x2d;
																					_t1039 =  *_t1038;
																					__eflags = _t1039;
																					if(_t1039 == 0) {
																						_t1040 = 0;
																						__eflags = 0;
																					} else {
																						_t1040 =  *_t1039;
																					}
																					_t1898 =  &_v1084;
																					_t1041 = E00034060(_t1898, _t1040,  &_v1096);
																					_t2139 = _t2144 + 0xc;
																					_v8 = 0x2e;
																					E00034260( &_v1080, _t1041);
																					E00031170( &_v1084, _t1898);
																					E0003BDB0( &_v1104);
																					_t2114 =  &_v1076;
																					_v8 = 0x25;
																					E0003BDB0( &_v1076);
																				}
																				_t1026 = _v1100;
																				__eflags =  *(_t1026 - 0xc);
																				if( *(_t1026 - 0xc) > 0) {
																					E0003BB10( &_v1076, _t1898, " /OPERATINGSYSTEM=");
																					_v8 = 0x2f;
																					_t1029 = E0003BE00(_v1080,  &_v1104,  &_v1076);
																					_t2143 = _t2139 + 8;
																					_v8 = 0x30;
																					_t1030 =  *_t1029;
																					__eflags = _t1030;
																					if(_t1030 == 0) {
																						_t1031 = 0;
																						__eflags = 0;
																					} else {
																						_t1031 =  *_t1030;
																					}
																					_t1898 =  &_v1084;
																					_t1032 = E00034060(_t1898, _t1031,  &_v1100);
																					_t2139 = _t2143 + 0xc;
																					_v8 = 0x31;
																					E00034260( &_v1080, _t1032);
																					E00031170( &_v1084, _t1898);
																					E0003BDB0( &_v1104);
																					_t2114 =  &_v1076;
																					_v8 = 0x25;
																					E0003BDB0( &_v1076);
																				}
																				E0003B520( &_v1080);
																			} else {
																				_t1650 = _v1096;
																				__eflags =  *(_t1650 - 0xc);
																				if( *(_t1650 - 0xc) > 0) {
																					E0003BB10( &_v1076, _t1898, " /COLLABORATIONCLIENT=");
																					_v8 = 0x26;
																					_t1058 = E0003BE00(_v1080,  &_v1104,  &_v1076);
																					_t2146 = _t2139 + 8;
																					_v8 = 0x27;
																					_t1059 =  *_t1058;
																					__eflags = _t1059;
																					if(_t1059 == 0) {
																						_t1060 = 0;
																						__eflags = 0;
																					} else {
																						_t1060 =  *_t1059;
																					}
																					_t1898 =  &_v1084;
																					_t1061 = E00034060(_t1898, _t1060,  &_v1096);
																					_t2139 = _t2146 + 0xc;
																					_v8 = 0x28;
																					E00034260( &_v1080, _t1061);
																					E00031170( &_v1084, _t1898);
																					E0003BDB0( &_v1104);
																					_t2114 =  &_v1076;
																					_v8 = 0x25;
																					E0003BDB0( &_v1076);
																				}
																				_t1046 = _v1100;
																				__eflags =  *(_t1046 - 0xc);
																				if( *(_t1046 - 0xc) > 0) {
																					E0003BB10( &_v1076, _t1898, " /OPERATINGSYSTEM=");
																					_v8 = 0x29;
																					_t1048 = E0003BE00(_v1080,  &_v1104,  &_v1076);
																					_t2145 = _t2139 + 8;
																					_v8 = 0x2a;
																					_t1049 =  *_t1048;
																					__eflags = _t1049;
																					if(_t1049 == 0) {
																						_t1050 = 0;
																						__eflags = 0;
																					} else {
																						_t1050 =  *_t1049;
																					}
																					_t1898 =  &_v1084;
																					_t1051 = E00034060(_t1898, _t1050,  &_v1100);
																					_t2139 = _t2145 + 0xc;
																					_v8 = 0x2b;
																					E00034260( &_v1080, _t1051);
																					E00031170( &_v1084, _t1898);
																					E0003BDB0( &_v1104);
																					_t2114 =  &_v1076;
																					_v8 = 0x25;
																					E0003BDB0( &_v1076);
																				}
																			}
																		}
																		E0003B520( &_v1080);
																		_v1084 = _t2139;
																		E00033FD0(_t2139,  &_v1112);
																		__eflags = E0003A0E0(_t1898, __eflags, " LAUNCHEXAMSHIELD");
																		if(__eflags != 0) {
																			E00036620( &_v1080, 0x1818c0);
																			_v8 = 0x32;
																			E00036620( &_v1080, 0x1818c0);
																			_v8 = 0x33;
																			E0003BEC0( &_v1160, "/z\"");
																			E0003BEC0( &_v1156, "\"");
																			_t922 = E0003B6D0(0x33,  &_v1104,  &_v1160,  &_v1080);
																			_t1900 =  &_v1084;
																			_v8 = 0x34;
																			_t923 = E0003B6D0(0x33,  &_v1084, _t922,  &_v1156);
																			_v8 = 0x35;
																			E00034260( &_v1080, _t923);
																			E00031170( &_v1084,  &_v1084);
																			E00031170( &_v1104,  &_v1084);
																			_v8 = 0x36;
																			_t927 = E0003B1C0();
																			__eflags = _t927;
																			if(_t927 != 0) {
																				L339:
																				_t928 = E0003B240(0x33, _t1900, _t2114);
																				__eflags = _t928;
																				if(_t928 != 0) {
																					L342:
																					_push(5);
																					_push(0);
																					_push(_v1080);
																					_push(_v1112);
																					_push(L"open");
																					L343:
																					ShellExecuteW(0, ??, ??, ??, ??, ??);
																					_t931 = E0003C0A0(0x33,  &_v1084,  &_v1124, 0x1818bc);
																					_v8 = 0x37;
																					E0003C0A0(0x33,  &_v1104, _t931, L"ExamShield.exe");
																					E00031170( &_v1084,  &_v1084);
																					_t1862 = _v1128;
																					CopyFileW(_v1128, _v1132, 0);
																					E00031170( &_v1104, _v1128);
																					_v8 = 0x33;
																					E00031170( &_v1156, _v1128);
																					E00031170( &_v1160, _v1128);
																					E00031170( &_v1080, _v1128);
																					_v8 = 0xf;
																					E00031800(_t1862, _t2114, __eflags,  &_v2940);
																					E00031170( &_v1124, _t1862);
																					E00031170( &_v1152, _t1862);
																					E00031170( &_v1144, _t1862);
																					E00031170( &_v1112, _t1862);
																					E00031170( &_v1108, _t1862);
																					E00031170( &_v1100, _t1862);
																					E00031170( &_v1096, _t1862);
																					E00031170( &_v1128, _t1862);
																					E00031170( &_v1132, _t1862);
																					E00031170( &_v1136, _t1862);
																					E00031170( &_v1140, _t1862);
																					E00031170( &_v1120, _t1862);
																					E00031170( &_v1116, _t1862);
																					E00031170( &_v1092, _t1862);
																					E00031170( &_v1088, _t1862);
																					_t957 = 1;
																					goto L346;
																				}
																				_t959 = E0003B2E0();
																				__eflags = _t959;
																				if(_t959 != 0) {
																					goto L342;
																				}
																				L341:
																				_push(5);
																				_push(0);
																				_push(_v1080);
																				_push(_v1112);
																				_push(L"runas");
																				goto L343;
																			}
																			_t961 = E0003B240(0x33,  &_v1084, _t2114);
																			__eflags = _t961;
																			if(_t961 != 0) {
																				goto L341;
																			}
																			goto L339;
																		} else {
																			E00044BAD( &_v1080, _t2114, _t2126, __eflags, L"An unexpected error has occured! \n Please contact support.", 0x10, 0);
																			_v8 = 0x24;
																			_t964 = _v1080 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1904 = (_t1898 | 0xffffffff) - 1;
																			__eflags = (_t1898 | 0xffffffff) - 1;
																			if(__eflags <= 0) {
																				_t1904 =  *( *_t964);
																				 *((intOrPtr*)( *((intOrPtr*)( *( *_t964) + 4))))(_t964);
																			}
																			_t1606 =  &_v2940;
																			_v8 = 0xf;
																			E00031800(_t1904, _t2114, __eflags, _t1606);
																			_v8 = 0xe;
																			_t967 = _v1124 + 0xfffffff0;
																			_t1905 =  &(_t967[3]);
																			asm("lock xadd [edx], ecx");
																			__eflags = (_t1606 | 0xffffffff) - 1;
																			if((_t1606 | 0xffffffff) - 1 <= 0) {
																				_t1905 =  *( *_t967);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1905 + 4))))(_t967);
																			}
																			_t968 = _t2126 - 0x10;
																			_v8 = 0xd;
																			asm("lock xadd [ecx], edx");
																			_t1907 = (_t1905 | 0xffffffff) - 1;
																			__eflags = _t1907;
																			if(_t1907 <= 0) {
																				_t1907 =  *( *_t968);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1907 + 4))))(_t968);
																			}
																			_v8 = 0xc;
																			_t970 = _v1144 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1909 = (_t1907 | 0xffffffff) - 1;
																			__eflags = _t1909;
																			if(_t1909 <= 0) {
																				_t1909 =  *( *_t970);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1909 + 4))))(_t970);
																			}
																			_v8 = 0xb;
																			_t972 = _v1112 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1911 = (_t1909 | 0xffffffff) - 1;
																			__eflags = _t1911;
																			if(_t1911 <= 0) {
																				_t1911 =  *( *_t972);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1911 + 4))))(_t972);
																			}
																			_v8 = 0xa;
																			_t974 =  &(_v1108[0xfffffffffffffff8]);
																			asm("lock xadd [ecx], edx");
																			_t1913 = (_t1911 | 0xffffffff) - 1;
																			__eflags = _t1913;
																			if(_t1913 <= 0) {
																				_t1913 =  *( *_t974);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1913 + 4))))(_t974);
																			}
																			_v8 = 9;
																			_t976 = _v1100 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1915 = (_t1913 | 0xffffffff) - 1;
																			__eflags = _t1915;
																			if(_t1915 <= 0) {
																				_t1915 =  *( *_t976);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1915 + 4))))(_t976);
																			}
																			_v8 = 8;
																			_t978 = _v1096 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1917 = (_t1915 | 0xffffffff) - 1;
																			__eflags = _t1917;
																			if(_t1917 <= 0) {
																				_t1917 =  *( *_t978);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1917 + 4))))(_t978);
																			}
																			_v8 = 7;
																			_t980 =  &(_v1128[0xfffffffffffffff8]);
																			asm("lock xadd [ecx], edx");
																			_t1919 = (_t1917 | 0xffffffff) - 1;
																			__eflags = _t1919;
																			if(_t1919 <= 0) {
																				_t1919 =  *( *_t980);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1919 + 4))))(_t980);
																			}
																			_v8 = 6;
																			_t982 =  &(_v1132[0xfffffffffffffff8]);
																			asm("lock xadd [ecx], edx");
																			_t1921 = (_t1919 | 0xffffffff) - 1;
																			__eflags = _t1921;
																			if(_t1921 <= 0) {
																				_t1921 =  *( *_t982);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1921 + 4))))(_t982);
																			}
																			_v8 = 5;
																			_t984 = _v1136 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1923 = (_t1921 | 0xffffffff) - 1;
																			__eflags = _t1923;
																			if(_t1923 <= 0) {
																				_t1923 =  *( *_t984);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1923 + 4))))(_t984);
																			}
																			_v8 = 4;
																			_t986 = _v1140 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1925 = (_t1923 | 0xffffffff) - 1;
																			__eflags = _t1925;
																			if(_t1925 <= 0) {
																				_t1925 =  *( *_t986);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1925 + 4))))(_t986);
																			}
																			_v8 = 3;
																			_t988 = _v1120 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1927 = (_t1925 | 0xffffffff) - 1;
																			__eflags = _t1927;
																			if(_t1927 <= 0) {
																				_t1927 =  *( *_t988);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1927 + 4))))(_t988);
																			}
																			_v8 = 2;
																			_t990 = _v1116 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1929 = (_t1927 | 0xffffffff) - 1;
																			__eflags = _t1929;
																			if(_t1929 <= 0) {
																				_t1929 =  *( *_t990);
																				 *((intOrPtr*)( *((intOrPtr*)(_t1929 + 4))))(_t990);
																			}
																			_v8 = 1;
																			_t992 = _v1092 + 0xfffffff0;
																			asm("lock xadd [ecx], edx");
																			_t1862 = (_t1929 | 0xffffffff) - 1;
																			__eflags = (_t1929 | 0xffffffff) - 1;
																			if((_t1929 | 0xffffffff) - 1 <= 0) {
																				_t1862 =  *( *_t992);
																				 *((intOrPtr*)( *((intOrPtr*)( *( *_t992) + 4))))(_t992);
																			}
																			E00031170( &_v1088, _t1862);
																			goto L345;
																		}
																	} else {
																		_t1660 =  &_v2940;
																		_v8 = 0xf;
																		E00031800(_t1898, _t2114, __eflags, _t1660);
																		_v8 = 0xe;
																		_t1068 = _v1124 + 0xfffffff0;
																		_t1935 =  &(_t1068[3]);
																		asm("lock xadd [edx], ecx");
																		__eflags = (_t1660 | 0xffffffff) - 1;
																		if((_t1660 | 0xffffffff) - 1 <= 0) {
																			_t1935 =  *( *_t1068);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1935 + 4))))(_t1068);
																		}
																		_t1069 = _t2126 - 0x10;
																		_v8 = 0xd;
																		asm("lock xadd [ecx], edx");
																		_t1937 = (_t1935 | 0xffffffff) - 1;
																		__eflags = _t1937;
																		if(_t1937 <= 0) {
																			_t1937 =  *( *_t1069);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1937 + 4))))(_t1069);
																		}
																		_v8 = 0xc;
																		_t1071 = _v1144 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1939 = (_t1937 | 0xffffffff) - 1;
																		__eflags = _t1939;
																		if(_t1939 <= 0) {
																			_t1939 =  *( *_t1071);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1939 + 4))))(_t1071);
																		}
																		_v8 = 0xb;
																		_t1073 = _v1112 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1941 = (_t1939 | 0xffffffff) - 1;
																		__eflags = _t1941;
																		if(_t1941 <= 0) {
																			_t1941 =  *( *_t1073);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1941 + 4))))(_t1073);
																		}
																		_v8 = 0xa;
																		_t1075 =  &(_v1108[0xfffffffffffffff8]);
																		asm("lock xadd [ecx], edx");
																		_t1943 = (_t1941 | 0xffffffff) - 1;
																		__eflags = _t1943;
																		if(_t1943 <= 0) {
																			_t1943 =  *( *_t1075);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1943 + 4))))(_t1075);
																		}
																		_v8 = 9;
																		_t1077 = _v1100 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1945 = (_t1943 | 0xffffffff) - 1;
																		__eflags = _t1945;
																		if(_t1945 <= 0) {
																			_t1945 =  *( *_t1077);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1945 + 4))))(_t1077);
																		}
																		_v8 = 8;
																		_t1079 = _v1096 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1947 = (_t1945 | 0xffffffff) - 1;
																		__eflags = _t1947;
																		if(_t1947 <= 0) {
																			_t1947 =  *( *_t1079);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1947 + 4))))(_t1079);
																		}
																		_v8 = 7;
																		_t1081 =  &(_v1128[0xfffffffffffffff8]);
																		asm("lock xadd [ecx], edx");
																		_t1949 = (_t1947 | 0xffffffff) - 1;
																		__eflags = _t1949;
																		if(_t1949 <= 0) {
																			_t1949 =  *( *_t1081);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1949 + 4))))(_t1081);
																		}
																		_v8 = 6;
																		_t1083 =  &(_v1132[0xfffffffffffffff8]);
																		asm("lock xadd [ecx], edx");
																		_t1951 = (_t1949 | 0xffffffff) - 1;
																		__eflags = _t1951;
																		if(_t1951 <= 0) {
																			_t1951 =  *( *_t1083);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1951 + 4))))(_t1083);
																		}
																		_v8 = 5;
																		_t1085 = _v1136 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1953 = (_t1951 | 0xffffffff) - 1;
																		__eflags = _t1953;
																		if(_t1953 <= 0) {
																			_t1953 =  *( *_t1085);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1953 + 4))))(_t1085);
																		}
																		_v8 = 4;
																		_t1087 = _v1140 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1955 = (_t1953 | 0xffffffff) - 1;
																		__eflags = _t1955;
																		if(_t1955 <= 0) {
																			_t1955 =  *( *_t1087);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1955 + 4))))(_t1087);
																		}
																		_v8 = 3;
																		_t1089 = _v1120 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1957 = (_t1955 | 0xffffffff) - 1;
																		__eflags = _t1957;
																		if(_t1957 <= 0) {
																			_t1957 =  *( *_t1089);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1957 + 4))))(_t1089);
																		}
																		_v8 = 2;
																		_t1091 = _v1116 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1959 = (_t1957 | 0xffffffff) - 1;
																		__eflags = _t1959;
																		if(_t1959 <= 0) {
																			_t1959 =  *( *_t1091);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1959 + 4))))(_t1091);
																		}
																		_v8 = 1;
																		_t1093 = _v1092 + 0xfffffff0;
																		asm("lock xadd [ecx], edx");
																		_t1961 = (_t1959 | 0xffffffff) - 1;
																		__eflags = _t1961;
																		if(_t1961 > 0) {
																			L162:
																			_v8 = 0xffffffff;
																			_t1095 = _v1088 + 0xfffffff0;
																			goto L122;
																		} else {
																			_t1961 =  *( *_t1093);
																			 *((intOrPtr*)( *((intOrPtr*)(_t1961 + 4))))(_t1093);
																			_v8 = 0xffffffff;
																			_t1095 = _v1088 + 0xfffffff0;
																			L122:
																			asm("lock xadd [ecx], edx");
																			_t1862 = (_t1961 | 0xffffffff) - 1;
																			__eflags = (_t1961 | 0xffffffff) - 1;
																			if((_t1961 | 0xffffffff) - 1 <= 0) {
																				_t1862 =  *( *_t1095);
																				 *((intOrPtr*)( *((intOrPtr*)( *( *_t1095) + 4))))(_t1095);
																			}
																			goto L345;
																		}
																	}
																}
																_t1129 = E0003C0A0(_t1470,  &_v1164,  &_v1124, 0x1818bc);
																_t1963 =  &_v1148;
																_v8 = 0x18;
																E0003C0A0(_t1470, _t1963, _t1129, L"ExamShield.exe");
																_t2147 = _t2139 + 0x18;
																_v8 = 0x1a;
																_t1132 = _v1164 + 0xfffffff0;
																asm("lock xadd [ecx], edx");
																_t1965 = (_t1963 | 0xffffffff) - 1;
																__eflags = (_t1963 | 0xffffffff) - 1;
																if((_t1963 | 0xffffffff) - 1 <= 0) {
																	_t1965 =  *( *_t1132);
																	 *((intOrPtr*)( *((intOrPtr*)( *( *_t1132) + 4))))(_t1132);
																}
																E00036620(_t1470, 0x1818c0);
																_v8 = 0x1b;
																__eflags =  *((char*)(_t1470 + 0xb8));
																if( *((char*)(_t1470 + 0xb8)) != 0) {
																	E0003BEC0( &_v1072, "/COMPATIBILITYCHECK");
																}
																_t1696 = _v1096;
																__eflags =  *(_t1696 - 0xc);
																if( *(_t1696 - 0xc) > 0) {
																	E0003BB10( &_v1076, _t1965, " /COLLABORATIONCLIENT=");
																	_v8 = 0x1c;
																	_t1283 = E0003BE00(_v1072,  &_v1084,  &_v1076);
																	_t2149 = _t2147 + 8;
																	_t1470 = 0x1d;
																	_v8 = 0x1d;
																	_t1284 =  *_t1283;
																	__eflags = _t1284;
																	if(_t1284 == 0) {
																		_t1285 = 0;
																		__eflags = 0;
																	} else {
																		_t1285 =  *_t1284;
																	}
																	_t2038 =  &_v1104;
																	_t1286 = E00034060(_t2038, _t1285,  &_v1096);
																	_t2147 = _t2149 + 0xc;
																	_v8 = 0x1e;
																	E00034260( &_v1072, _t1286);
																	_v8 = _t1470;
																	_t1289 = _v1104 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1965 = (_t2038 | 0xffffffff) - 1;
																	__eflags = (_t2038 | 0xffffffff) - 1;
																	if((_t2038 | 0xffffffff) - 1 <= 0) {
																		_t1965 =  *( *_t1289);
																		 *((intOrPtr*)( *((intOrPtr*)( *( *_t1289) + 4))))(_t1289);
																	}
																	E0003BDB0( &_v1084);
																	_t2114 =  &_v1076;
																	_v8 = 0x1b;
																	E0003BDB0( &_v1076);
																}
																_t1697 = _v1100;
																__eflags =  *(_t1697 - 0xc);
																if( *(_t1697 - 0xc) > 0) {
																	E0003BB10( &_v1076, _t1965, " /OPERATINGSYSTEM=");
																	_v8 = 0x1f;
																	_t1270 = E0003BE00(_v1072,  &_v1104,  &_v1076);
																	_t2148 = _t2147 + 8;
																	_t1470 = 0x20;
																	_v8 = 0x20;
																	_t1271 =  *_t1270;
																	__eflags = _t1271;
																	if(_t1271 == 0) {
																		_t1272 = 0;
																		__eflags = 0;
																	} else {
																		_t1272 =  *_t1271;
																	}
																	_t2033 =  &_v1084;
																	_t1273 = E00034060(_t2033, _t1272,  &_v1100);
																	_t2147 = _t2148 + 0xc;
																	_v8 = 0x21;
																	E00034260( &_v1072, _t1273);
																	_v8 = _t1470;
																	_t1276 = _v1084 + 0xfffffff0;
																	_t1697 = _t1276 + 0xc;
																	asm("lock xadd [ecx], edx");
																	__eflags = (_t2033 | 0xffffffff) - 1;
																	if((_t2033 | 0xffffffff) - 1 <= 0) {
																		_t1697 =  *_t1276;
																		 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t1276)) + 4))))(_t1276);
																	}
																	E0003BDB0( &_v1104);
																	_t2114 =  &_v1076;
																	_v8 = 0x1b;
																	E0003BDB0( &_v1076);
																}
																_t1966 =  &_v1148;
																_v1084 = _t2147;
																E00033FD0(_t2147, _t1966);
																__eflags = E0003A0E0(_t1966, __eflags, _t1697);
																if(__eflags != 0) {
																	_t1967 = _v1148;
																	ShellExecuteW(0, L"open", _t1967, _v1072, 0, 5);
																	_t1479 = _v1132;
																	_t2120 = _v1128;
																	CopyFileExW(_t2120, _t1479, 0, 0, 0, 0);
																	_v8 = 0x1a;
																	_t1139 =  &(_v1072[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t1969 = (_t1967 | 0xffffffff) - 1;
																	__eflags = _t1969;
																	if(_t1969 <= 0) {
																		_t1969 =  *( *_t1139);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1969 + 4))))(_t1139);
																	}
																	_v8 = 0xf;
																	_t1141 =  &(_v1148[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t1971 = (_t1969 | 0xffffffff) - 1;
																	__eflags = _t1971;
																	if(_t1971 <= 0) {
																		_t1971 =  *( *_t1141);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1971 + 4))))(_t1141);
																	}
																	_v8 = 0xe;
																	_t1143 = _v1124 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1973 = (_t1971 | 0xffffffff) - 1;
																	__eflags = _t1973;
																	if(_t1973 <= 0) {
																		_t1973 =  *( *_t1143);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1973 + 4))))(_t1143);
																	}
																	_t1144 = _t2126 - 0x10;
																	_v8 = 0xd;
																	asm("lock xadd [ecx], edx");
																	_t1975 = (_t1973 | 0xffffffff) - 1;
																	__eflags = _t1975;
																	if(_t1975 <= 0) {
																		_t1975 =  *( *_t1144);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1975 + 4))))(_t1144);
																	}
																	_v8 = 0xc;
																	_t1146 = _v1144 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1977 = (_t1975 | 0xffffffff) - 1;
																	__eflags = _t1977;
																	if(_t1977 <= 0) {
																		_t1977 =  *( *_t1146);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1977 + 4))))(_t1146);
																	}
																	_v8 = 0xb;
																	_t1148 = _v1112 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1979 = (_t1977 | 0xffffffff) - 1;
																	__eflags = _t1979;
																	if(_t1979 <= 0) {
																		_t1979 =  *( *_t1148);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1979 + 4))))(_t1148);
																	}
																	_v8 = 0xa;
																	_t1150 =  &(_v1108[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t1981 = (_t1979 | 0xffffffff) - 1;
																	__eflags = _t1981;
																	if(_t1981 <= 0) {
																		_t1981 =  *( *_t1150);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1981 + 4))))(_t1150);
																	}
																	_v8 = 9;
																	_t1152 = _v1100 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1983 = (_t1981 | 0xffffffff) - 1;
																	__eflags = _t1983;
																	if(_t1983 <= 0) {
																		_t1983 =  *( *_t1152);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1983 + 4))))(_t1152);
																	}
																	_v8 = 8;
																	_t1154 = _v1096 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1985 = (_t1983 | 0xffffffff) - 1;
																	__eflags = _t1985;
																	if(_t1985 <= 0) {
																		_t1985 =  *( *_t1154);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1985 + 4))))(_t1154);
																	}
																	_t1155 = _t2120 - 0x10;
																	_v8 = 7;
																	asm("lock xadd [ecx], edx");
																	_t1987 = (_t1985 | 0xffffffff) - 1;
																	__eflags = _t1987;
																	if(_t1987 <= 0) {
																		_t1987 =  *( *_t1155);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1987 + 4))))(_t1155);
																	}
																	_t1156 = _t1479 - 0x10;
																	_v8 = 6;
																	asm("lock xadd [ecx], edx");
																	_t1989 = (_t1987 | 0xffffffff) - 1;
																	__eflags = _t1989;
																	if(_t1989 <= 0) {
																		_t1989 =  *( *_t1156);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1989 + 4))))(_t1156);
																	}
																	_v8 = 5;
																	_t1158 = _v1136 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1991 = (_t1989 | 0xffffffff) - 1;
																	__eflags = _t1991;
																	if(_t1991 <= 0) {
																		_t1991 =  *( *_t1158);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1991 + 4))))(_t1158);
																	}
																	_v8 = 4;
																	_t1160 = _v1140 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1993 = (_t1991 | 0xffffffff) - 1;
																	__eflags = _t1993;
																	if(_t1993 <= 0) {
																		_t1993 =  *( *_t1160);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1993 + 4))))(_t1160);
																	}
																	_v8 = 3;
																	_t1162 = _v1120 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1995 = (_t1993 | 0xffffffff) - 1;
																	__eflags = _t1995;
																	if(_t1995 <= 0) {
																		_t1995 =  *( *_t1162);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1995 + 4))))(_t1162);
																	}
																	_v8 = 2;
																	_t1164 = _v1116 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1997 = (_t1995 | 0xffffffff) - 1;
																	__eflags = _t1997;
																	if(_t1997 <= 0) {
																		_t1997 =  *( *_t1164);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1997 + 4))))(_t1164);
																	}
																	_v8 = 1;
																	_t1166 = _v1092 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1999 = (_t1997 | 0xffffffff) - 1;
																	__eflags = _t1999;
																	if(_t1999 <= 0) {
																		_t1999 =  *( *_t1166);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1999 + 4))))(_t1166);
																	}
																	_v8 = 0xffffffff;
																	_t1168 = _v1088 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1862 = (_t1999 | 0xffffffff) - 1;
																	__eflags = (_t1999 | 0xffffffff) - 1;
																	if((_t1999 | 0xffffffff) - 1 <= 0) {
																		_t1862 =  *( *_t1168);
																		 *((intOrPtr*)( *((intOrPtr*)( *( *_t1168) + 4))))(_t1168);
																	}
																	_t957 = 1;
																	goto L346;
																} else {
																	E00044BAD(_t1470, _t2114, _t2126, __eflags, L"An unexpected error has occured! \n Please contact support.", 0x10, 0);
																	_v8 = 0x1a;
																	_t1205 =  &(_v1072[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t2002 = (_t1966 | 0xffffffff) - 1;
																	__eflags = _t2002;
																	if(_t2002 <= 0) {
																		_t2002 =  *( *_t1205);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2002 + 4))))(_t1205);
																	}
																	_v8 = 0xf;
																	_t1207 =  &(_v1148[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t2004 = (_t2002 | 0xffffffff) - 1;
																	__eflags = _t2004;
																	if(_t2004 <= 0) {
																		_t2004 =  *( *_t1207);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2004 + 4))))(_t1207);
																	}
																	_v8 = 0xe;
																	_t1209 = _v1124 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2006 = (_t2004 | 0xffffffff) - 1;
																	__eflags = _t2006;
																	if(_t2006 <= 0) {
																		_t2006 =  *( *_t1209);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2006 + 4))))(_t1209);
																	}
																	_t1210 = _t2126 - 0x10;
																	_v8 = 0xd;
																	asm("lock xadd [ecx], edx");
																	_t2008 = (_t2006 | 0xffffffff) - 1;
																	__eflags = _t2008;
																	if(_t2008 <= 0) {
																		_t2008 =  *( *_t1210);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2008 + 4))))(_t1210);
																	}
																	_v8 = 0xc;
																	_t1212 = _v1144 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2010 = (_t2008 | 0xffffffff) - 1;
																	__eflags = _t2010;
																	if(_t2010 <= 0) {
																		_t2010 =  *( *_t1212);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2010 + 4))))(_t1212);
																	}
																	_v8 = 0xb;
																	_t1214 = _v1112 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2012 = (_t2010 | 0xffffffff) - 1;
																	__eflags = _t2012;
																	if(_t2012 <= 0) {
																		_t2012 =  *( *_t1214);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2012 + 4))))(_t1214);
																	}
																	_v8 = 0xa;
																	_t1216 =  &(_v1108[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t2014 = (_t2012 | 0xffffffff) - 1;
																	__eflags = _t2014;
																	if(_t2014 <= 0) {
																		_t2014 =  *( *_t1216);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2014 + 4))))(_t1216);
																	}
																	_v8 = 9;
																	_t1218 = _v1100 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2016 = (_t2014 | 0xffffffff) - 1;
																	__eflags = _t2016;
																	if(_t2016 <= 0) {
																		_t2016 =  *( *_t1218);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2016 + 4))))(_t1218);
																	}
																	_v8 = 8;
																	_t1220 = _v1096 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2018 = (_t2016 | 0xffffffff) - 1;
																	__eflags = _t2018;
																	if(_t2018 <= 0) {
																		_t2018 =  *( *_t1220);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2018 + 4))))(_t1220);
																	}
																	_v8 = 7;
																	_t1222 =  &(_v1128[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t2020 = (_t2018 | 0xffffffff) - 1;
																	__eflags = _t2020;
																	if(_t2020 <= 0) {
																		_t2020 =  *( *_t1222);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2020 + 4))))(_t1222);
																	}
																	_v8 = 6;
																	_t1224 =  &(_v1132[0xfffffffffffffff8]);
																	asm("lock xadd [ecx], edx");
																	_t2022 = (_t2020 | 0xffffffff) - 1;
																	__eflags = _t2022;
																	if(_t2022 <= 0) {
																		_t2022 =  *( *_t1224);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2022 + 4))))(_t1224);
																	}
																	_v8 = 5;
																	_t1226 = _v1136 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2024 = (_t2022 | 0xffffffff) - 1;
																	__eflags = _t2024;
																	if(_t2024 <= 0) {
																		_t2024 =  *( *_t1226);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2024 + 4))))(_t1226);
																	}
																	_v8 = 4;
																	_t1228 = _v1140 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2026 = (_t2024 | 0xffffffff) - 1;
																	__eflags = _t2026;
																	if(_t2026 <= 0) {
																		_t2026 =  *( *_t1228);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2026 + 4))))(_t1228);
																	}
																	_v8 = 3;
																	_t1230 = _v1120 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2028 = (_t2026 | 0xffffffff) - 1;
																	__eflags = _t2028;
																	if(_t2028 <= 0) {
																		_t2028 =  *( *_t1230);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2028 + 4))))(_t1230);
																	}
																	_v8 = 2;
																	_t1232 = _v1116 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t2030 = (_t2028 | 0xffffffff) - 1;
																	__eflags = _t2030;
																	if(_t2030 <= 0) {
																		_t2030 =  *( *_t1232);
																		 *((intOrPtr*)( *((intOrPtr*)(_t2030 + 4))))(_t1232);
																	}
																	_v8 = 1;
																	_t1234 = _v1092 + 0xfffffff0;
																	asm("lock xadd [ecx], edx");
																	_t1961 = (_t2030 | 0xffffffff) - 1;
																	__eflags = _t1961;
																	if(_t1961 > 0) {
																		goto L162;
																	} else {
																		_t1961 =  *( *_t1234);
																		 *((intOrPtr*)( *((intOrPtr*)(_t1961 + 4))))(_t1234);
																		_v8 = 0xffffffff;
																		_t1095 = _v1088 + 0xfffffff0;
																		goto L122;
																	}
																}
															}
															E00044BAD(_t1469, _t2113, _t2126, __eflags, L"Unable to create file", 0x10, _t1298);
															_t1781 =  &_v1192;
															_v8 = 0xf;
															E0004CEE5(_t1469, _t1781, _t1896, _t2113, _t2126, __eflags);
															_v8 = 0xe;
															_t1305 = _v1124 + 0xfffffff0;
															_t2040 =  &(_t1305[3]);
															asm("lock xadd [edx], ecx");
															__eflags = (_t1781 | 0xffffffff) - 1;
															if((_t1781 | 0xffffffff) - 1 <= 0) {
																_t2040 =  *( *_t1305);
																 *((intOrPtr*)( *((intOrPtr*)(_t2040 + 4))))(_t1305);
															}
															_t1306 = _t2126 - 0x10;
															_v8 = 0xd;
															asm("lock xadd [ecx], edx");
															_t2042 = (_t2040 | 0xffffffff) - 1;
															__eflags = _t2042;
															if(_t2042 <= 0) {
																_t2042 =  *( *_t1306);
																 *((intOrPtr*)( *((intOrPtr*)(_t2042 + 4))))(_t1306);
															}
															_v8 = 0xc;
															_t1308 = _v1144 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2044 = (_t2042 | 0xffffffff) - 1;
															__eflags = _t2044;
															if(_t2044 <= 0) {
																_t2044 =  *( *_t1308);
																 *((intOrPtr*)( *((intOrPtr*)(_t2044 + 4))))(_t1308);
															}
															_v8 = 0xb;
															_t1310 = _v1112 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2046 = (_t2044 | 0xffffffff) - 1;
															__eflags = _t2046;
															if(_t2046 <= 0) {
																_t2046 =  *( *_t1310);
																 *((intOrPtr*)( *((intOrPtr*)(_t2046 + 4))))(_t1310);
															}
															_v8 = 0xa;
															_t1312 =  &(_v1108[0xfffffffffffffff8]);
															asm("lock xadd [ecx], edx");
															_t2048 = (_t2046 | 0xffffffff) - 1;
															__eflags = _t2048;
															if(_t2048 <= 0) {
																_t2048 =  *( *_t1312);
																 *((intOrPtr*)( *((intOrPtr*)(_t2048 + 4))))(_t1312);
															}
															_v8 = 9;
															_t1314 = _v1100 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2050 = (_t2048 | 0xffffffff) - 1;
															__eflags = _t2050;
															if(_t2050 <= 0) {
																_t2050 =  *( *_t1314);
																 *((intOrPtr*)( *((intOrPtr*)(_t2050 + 4))))(_t1314);
															}
															_v8 = 8;
															_t1316 = _v1096 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2052 = (_t2050 | 0xffffffff) - 1;
															__eflags = _t2052;
															if(_t2052 <= 0) {
																_t2052 =  *( *_t1316);
																 *((intOrPtr*)( *((intOrPtr*)(_t2052 + 4))))(_t1316);
															}
															_v8 = 7;
															_t1318 =  &(_v1128[0xfffffffffffffff8]);
															asm("lock xadd [ecx], edx");
															_t2054 = (_t2052 | 0xffffffff) - 1;
															__eflags = _t2054;
															if(_t2054 <= 0) {
																_t2054 =  *( *_t1318);
																 *((intOrPtr*)( *((intOrPtr*)(_t2054 + 4))))(_t1318);
															}
															_v8 = 6;
															_t1320 =  &(_v1132[0xfffffffffffffff8]);
															asm("lock xadd [ecx], edx");
															_t2056 = (_t2054 | 0xffffffff) - 1;
															__eflags = _t2056;
															if(_t2056 <= 0) {
																_t2056 =  *( *_t1320);
																 *((intOrPtr*)( *((intOrPtr*)(_t2056 + 4))))(_t1320);
															}
															_v8 = 5;
															_t1322 = _v1136 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2058 = (_t2056 | 0xffffffff) - 1;
															__eflags = _t2058;
															if(_t2058 <= 0) {
																_t2058 =  *( *_t1322);
																 *((intOrPtr*)( *((intOrPtr*)(_t2058 + 4))))(_t1322);
															}
															_v8 = 4;
															_t1324 = _v1140 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2060 = (_t2058 | 0xffffffff) - 1;
															__eflags = _t2060;
															if(_t2060 <= 0) {
																_t2060 =  *( *_t1324);
																 *((intOrPtr*)( *((intOrPtr*)(_t2060 + 4))))(_t1324);
															}
															_v8 = 3;
															_t1326 = _v1120 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2062 = (_t2060 | 0xffffffff) - 1;
															__eflags = _t2062;
															if(_t2062 <= 0) {
																_t2062 =  *( *_t1326);
																 *((intOrPtr*)( *((intOrPtr*)(_t2062 + 4))))(_t1326);
															}
															_v8 = 2;
															_t1328 = _v1116 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t2064 = (_t2062 | 0xffffffff) - 1;
															__eflags = _t2064;
															if(_t2064 <= 0) {
																_t2064 =  *( *_t1328);
																 *((intOrPtr*)( *((intOrPtr*)(_t2064 + 4))))(_t1328);
															}
															_v8 = 1;
															_t1330 = _v1092 + 0xfffffff0;
															asm("lock xadd [ecx], edx");
															_t1961 = (_t2064 | 0xffffffff) - 1;
															__eflags = _t1961;
															if(_t1961 <= 0) {
																_t1961 =  *( *_t1330);
																 *((intOrPtr*)( *((intOrPtr*)(_t1961 + 4))))(_t1330);
															}
															goto L162;
														}
													}
													__eflags = CreateDirectoryW(_t2113, 0);
													if(__eflags != 0) {
														goto L124;
													}
													E00044BAD(_t1469, _t2113, _t2125, __eflags, L"Unable to create directory", 0x10, _t1365);
													_v8 = 0xe;
													_t1368 = _v1124 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2069 = (_t1887 | 0xffffffff) - 1;
													__eflags = _t2069;
													if(_t2069 <= 0) {
														_t2069 =  *( *_t1368);
														 *((intOrPtr*)( *((intOrPtr*)(_t2069 + 4))))(_t1368);
													}
													_v8 = 0xd;
													_t1370 = _v1152 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2071 = (_t2069 | 0xffffffff) - 1;
													__eflags = _t2071;
													if(_t2071 <= 0) {
														_t2071 =  *( *_t1370);
														 *((intOrPtr*)( *((intOrPtr*)(_t2071 + 4))))(_t1370);
													}
													_v8 = 0xc;
													_t1372 = _v1144 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2073 = (_t2071 | 0xffffffff) - 1;
													__eflags = _t2073;
													if(_t2073 <= 0) {
														_t2073 =  *( *_t1372);
														 *((intOrPtr*)( *((intOrPtr*)(_t2073 + 4))))(_t1372);
													}
													_v8 = 0xb;
													_t1374 = _v1112 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2075 = (_t2073 | 0xffffffff) - 1;
													__eflags = _t2075;
													if(_t2075 <= 0) {
														_t2075 =  *( *_t1374);
														 *((intOrPtr*)( *((intOrPtr*)(_t2075 + 4))))(_t1374);
													}
													_t1375 = _t2113 - 0x10;
													_v8 = 0xa;
													asm("lock xadd [ecx], edx");
													_t2077 = (_t2075 | 0xffffffff) - 1;
													__eflags = _t2077;
													if(_t2077 <= 0) {
														_t2077 =  *( *_t1375);
														 *((intOrPtr*)( *((intOrPtr*)(_t2077 + 4))))(_t1375);
													}
													_v8 = 9;
													_t1377 = _v1100 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2079 = (_t2077 | 0xffffffff) - 1;
													__eflags = _t2079;
													if(_t2079 <= 0) {
														_t2079 =  *( *_t1377);
														 *((intOrPtr*)( *((intOrPtr*)(_t2079 + 4))))(_t1377);
													}
													_v8 = 8;
													_t1379 = _v1096 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2081 = (_t2079 | 0xffffffff) - 1;
													__eflags = _t2081;
													if(_t2081 <= 0) {
														_t2081 =  *( *_t1379);
														 *((intOrPtr*)( *((intOrPtr*)(_t2081 + 4))))(_t1379);
													}
													_v8 = 7;
													_t1381 =  &(_v1128[0xfffffffffffffff8]);
													asm("lock xadd [ecx], edx");
													_t2083 = (_t2081 | 0xffffffff) - 1;
													__eflags = _t2083;
													if(_t2083 <= 0) {
														_t2083 =  *( *_t1381);
														 *((intOrPtr*)( *((intOrPtr*)(_t2083 + 4))))(_t1381);
													}
													_v8 = 6;
													_t1383 =  &(_v1132[0xfffffffffffffff8]);
													asm("lock xadd [ecx], edx");
													_t2085 = (_t2083 | 0xffffffff) - 1;
													__eflags = _t2085;
													if(_t2085 <= 0) {
														_t2085 =  *( *_t1383);
														 *((intOrPtr*)( *((intOrPtr*)(_t2085 + 4))))(_t1383);
													}
													_v8 = 5;
													_t1385 = _v1136 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2087 = (_t2085 | 0xffffffff) - 1;
													__eflags = _t2087;
													if(_t2087 <= 0) {
														_t2087 =  *( *_t1385);
														 *((intOrPtr*)( *((intOrPtr*)(_t2087 + 4))))(_t1385);
													}
													_v8 = 4;
													_t1387 = _v1140 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2089 = (_t2087 | 0xffffffff) - 1;
													__eflags = _t2089;
													if(_t2089 <= 0) {
														_t2089 =  *( *_t1387);
														 *((intOrPtr*)( *((intOrPtr*)(_t2089 + 4))))(_t1387);
													}
													_v8 = 3;
													_t1389 = _v1120 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2091 = (_t2089 | 0xffffffff) - 1;
													__eflags = _t2091;
													if(_t2091 <= 0) {
														_t2091 =  *( *_t1389);
														 *((intOrPtr*)( *((intOrPtr*)(_t2091 + 4))))(_t1389);
													}
													_v8 = 2;
													_t1391 = _v1116 + 0xfffffff0;
													asm("lock xadd [ecx], edx");
													_t2093 = (_t2091 | 0xffffffff) - 1;
													__eflags = _t2093;
													if(_t2093 <= 0) {
														_t2093 =  *( *_t1391);
														 *((intOrPtr*)( *((intOrPtr*)(_t2093 + 4))))(_t1391);
													}
													_t233 = _t2125 - 0x10; // 0x0
													_t1392 = _t233;
													_v8 = 1;
													asm("lock xadd [ecx], edx");
													_t1961 = (_t2093 | 0xffffffff) - 1;
													__eflags = _t1961;
													if(_t1961 <= 0) {
														_t1961 =  *( *_t1392);
														 *((intOrPtr*)( *((intOrPtr*)(_t1961 + 4))))(_t1392);
													}
													_v8 = 0xffffffff;
													_t1095 = _t1469 - 0x10;
													goto L122;
												}
												_t2095 =  *((intOrPtr*)(_t877 + 2));
												__eflags = _t2095 -  *((intOrPtr*)(_t1540 + 2));
												if(_t2095 !=  *((intOrPtr*)(_t1540 + 2))) {
													break;
												}
												_t877 = _t877 + 4;
												_t1540 = _t1540 + 4;
												__eflags = _t2095;
												if(_t2095 != 0) {
													continue;
												}
												goto L85;
											}
											asm("sbb eax, eax");
											asm("sbb eax, 0xffffffff");
											goto L87;
										}
									}
									__eflags = _t2112[3];
									if(_t2112[3] < 0) {
										L66:
										E00034140( &_v1120, _t1536,  *((intOrPtr*)(_t1536 - 0xc)));
										L67:
										_t1469 = _v1088;
										goto L68;
									}
									_t1881 =  *_t870;
									__eflags = _t1881 -  *_t2112;
									if(_t1881 !=  *_t2112) {
										goto L66;
									}
									_t1442 = E000341F0(_t870);
									_t2128 = _t1442;
									_t2136 = _t2136 + 4;
									asm("lock xadd [ebx], eax");
									__eflags = (_t1442 | 0xffffffff) - 1;
									if((_t1442 | 0xffffffff) - 1 <= 0) {
										_t1881 =  *( *_t2112);
										 *((intOrPtr*)( *((intOrPtr*)(_t1881 + 4))))(_t2112);
									}
									_v1120 = _t2128 + 0x10;
									_t2125 = _v1092;
									goto L67;
								}
							} else {
								L56:
								_push(0x80070057);
								E00031330(_t1469, _t1532, _t2110, _t2125);
								goto L57;
							}
						} else {
							__eflags = _t2109[3];
							if(_t2109[3] < 0) {
								L51:
								E00034140( &_v1116, _t1531,  *((intOrPtr*)(_t1531 - 0xc)));
								L52:
								_t1469 = _v1088;
								goto L53;
							}
							_t1878 =  *_t860;
							__eflags = _t1878 -  *_t2109;
							if(_t1878 !=  *_t2109) {
								goto L51;
							}
							_t1452 = E000341F0(_t860);
							_t2130 = _t1452;
							_t2135 = _t2135 + 4;
							asm("lock xadd [ebx], eax");
							__eflags = (_t1452 | 0xffffffff) - 1;
							if((_t1452 | 0xffffffff) - 1 <= 0) {
								_t1878 =  *( *_t2109);
								 *((intOrPtr*)( *((intOrPtr*)(_t1878 + 4))))(_t2109);
							}
							_v1116 = _t2130 + 0x10;
							_t2125 = _v1092;
							goto L52;
						}
					} else {
						E0003C230(_t1468, _t1862, 0);
						L345:
						_t957 = 0;
						L346:
						 *[fs:0x0] = _v16;
						_pop(_t2115);
						_pop(_t2127);
						_pop(_t1473);
						return E00130836(_t957, _t1473, _v24 ^ _t2132, _t1862, _t2115, _t2127);
					}
				}
			}

0x00038050
0x00038050
0x00038061
0x00038067
0x0003806c
0x0003806e
0x00038078
0x0003807e
0x00038081
0x00038083
0x00038089
0x00038091
0x00038098
0x0003809f
0x000380b1
0x00000000
0x00000000
0x000380b3
0x000380b8
0x000380ba
0x00000000
0x00000000
0x00000000
0x000380bc
0x000380bc
0x000380c3
0x000380ce
0x000380d1
0x000380d6
0x000380e6
0x000380f2
0x000380f7
0x000380f7
0x000380fe
0x00038100
0x00038105
0x00038107
0x0003810c
0x0003810c
0x0003811a
0x0003811a
0x0003811d
0x00038123
0x0003812a
0x00038131
0x00038133
0x00038138
0x0003813a
0x0003813f
0x0003813f
0x0003814d
0x0003814d
0x00038150
0x00038156
0x0003815a
0x00038161
0x00038163
0x00038168
0x0003816a
0x0003816f
0x0003816f
0x00038180
0x00038186
0x0003818a
0x00038191
0x00038193
0x00038198
0x0003819a
0x0003819f
0x0003819f
0x000381b0
0x000381b6
0x000381ba
0x000381c1
0x000381c3
0x000381c8
0x000381ca
0x000381cf
0x000381cf
0x000381e0
0x000381e6
0x000381ea
0x000381f1
0x000381f3
0x000381f8
0x000381fa
0x000381ff
0x000381ff
0x00038210
0x00038216
0x0003821a
0x00038221
0x00038223
0x00038228
0x0003822a
0x0003822f
0x0003822f
0x00038240
0x00038246
0x0003824a
0x00038251
0x00038253
0x00038258
0x0003825a
0x0003825f
0x0003825f
0x00038270
0x00038276
0x0003827a
0x00038281
0x00038283
0x00038288
0x0003828a
0x0003828f
0x0003828f
0x000382a0
0x000382a6
0x000382aa
0x000382b1
0x000382b3
0x000382b8
0x000382ba
0x000382bf
0x000382bf
0x000382d0
0x000382d6
0x000382da
0x000382e1
0x000382e3
0x000382e8
0x000382ea
0x000382ef
0x000382ef
0x00038300
0x00038306
0x0003830a
0x00038311
0x00038313
0x00038318
0x0003831a
0x0003831f
0x0003831f
0x00038330
0x00038336
0x0003833a
0x00038341
0x00038343
0x00038348
0x0003834a
0x0003834f
0x0003834f
0x00038360
0x00038366
0x0003836a
0x00038371
0x00038373
0x00038378
0x0003837a
0x0003837f
0x0003837f
0x00038390
0x00038396
0x0003839a
0x000383a1
0x000383a3
0x000383a8
0x000383aa
0x000383af
0x000383af
0x000383c0
0x000383c6
0x000383ca
0x000383cf
0x000383d5
0x000383da
0x000383dc
0x000383ea
0x000383ef
0x000383ef
0x000383f5
0x000383fa
0x000383ff
0x00038401
0x0003840f
0x00038414
0x00038414
0x0003841a
0x0003841f
0x00038424
0x00038426
0x00038434
0x00038434
0x00038439
0x0003843e
0x00038443
0x00038445
0x00038453
0x00038453
0x00038464
0x0003846b
0x00038470
0x00038473
0x00038477
0x0003847f
0x00038482
0x00038485
0x00038487
0x000384e0
0x000384e0
0x000384ea
0x000384ed
0x000384f3
0x000384f8
0x000384fa
0x000384fc
0x00038504
0x00038504
0x00038506
0x00038509
0x0003850b
0x00038517
0x00038524
0x00038526
0x0003852f
0x00038534
0x00038534
0x0003853a
0x0003853f
0x00038544
0x00038547
0x0003854a
0x00000000
0x0003854c
0x0003855e
0x00038560
0x00038564
0x00038568
0x0003856d
0x00038570
0x00038574
0x0003857c
0x0003857f
0x00038582
0x00038584
0x000385dd
0x000385dd
0x000385e7
0x000385ea
0x000385f0
0x000385f5
0x000385f7
0x000385f9
0x00038601
0x00038601
0x00038603
0x00038607
0x00038614
0x00038620
0x00038625
0x00038628
0x00038639
0x0003863e
0x00038648
0x00038651
0x00038656
0x00038658
0x00038662
0x00038662
0x0003866b
0x00038677
0x0003867c
0x0003867f
0x00038690
0x00038695
0x0003869f
0x000386a2
0x000386a8
0x000386ad
0x000386af
0x000386b1
0x000386b9
0x000386b9
0x000386af
0x000386bb
0x000386be
0x000386c0
0x000386c2
0x000386c7
0x000386c7
0x000386d9
0x000386db
0x000386e4
0x000386e9
0x000386e9
0x000386ef
0x000386f4
0x000386f9
0x000386fc
0x000386ff
0x00000000
0x00038705
0x00038705
0x00038707
0x0003870a
0x0003870e
0x00038713
0x00038715
0x00038715
0x00038718
0x0003871b
0x00000000
0x00000000
0x0003871d
0x00038720
0x00038737
0x00038737
0x00038740
0x00038745
0x00038747
0x0003874f
0x0003874f
0x00038768
0x0003876e
0x00038774
0x00038777
0x00038777
0x0003877a
0x0003877d
0x0003877d
0x00038787
0x00038794
0x000387a6
0x000387ab
0x000387b2
0x000387b8
0x000387bb
0x00038a13
0x00038a21
0x00038a27
0x00038a2d
0x00038a30
0x00038a30
0x00038a33
0x00038a36
0x00038a36
0x00038a4d
0x00038a65
0x00038a6a
0x00038a6e
0x00038a74
0x00038a78
0x00038a7d
0x00038a87
0x00038a90
0x00038a95
0x00038a97
0x00038aa1
0x00038aa1
0x00038aaf
0x00038ab6
0x00038abb
0x00038ac5
0x00038ac9
0x00038ace
0x00038ad8
0x00038ae1
0x00038ae6
0x00038ae8
0x00038af2
0x00038af2
0x00038b00
0x00038b07
0x00038b0c
0x00038b16
0x00038b1a
0x00038b1f
0x00038b29
0x00038b32
0x00038b36
0x00038b37
0x00038b39
0x00038b3d
0x00038b43
0x00038b43
0x00038b45
0x00038b4b
0x00038b52
0x00038df5
0x00000000
0x00038b58
0x00038b5e
0x00038b65
0x00038b69
0x00038b7b
0x00038b80
0x00038b82
0x00038dd4
0x00038ddf
0x00038de4
0x00038dea
0x00038dee
0x00038dfb
0x00038e05
0x00038e10
0x00038e16
0x00038e1b
0x00038e24
0x00038e29
0x00038e2b
0x00039584
0x00039589
0x00039596
0x0003959a
0x000395ac
0x000395be
0x000395c4
0x000395ca
0x000395cf
0x000395d6
0x000395e3
0x000395ea
0x000395ea
0x000395f5
0x000395fa
0x000395fd
0x00039845
0x0003984a
0x0003984e
0x00039855
0x00039866
0x0003986b
0x00039872
0x000399ad
0x000399b3
0x000399b7
0x000399c8
0x000399d6
0x000399e1
0x000399e6
0x000399e9
0x000399ed
0x000399ef
0x000399f1
0x000399f7
0x000399f7
0x000399f3
0x000399f3
0x000399f3
0x00039a01
0x00039a08
0x00039a0d
0x00039a17
0x00039a1b
0x00039a26
0x00039a31
0x00039a36
0x00039a3c
0x00039a40
0x00039a40
0x00039a45
0x00039a4b
0x00039a4f
0x00039a60
0x00039a6e
0x00039a79
0x00039a7e
0x00039a81
0x00039a85
0x00039a87
0x00039a89
0x00039a8f
0x00039a8f
0x00039a8b
0x00039a8b
0x00039a8b
0x00039a99
0x00039aa0
0x00039aa5
0x00039aaf
0x00039ab3
0x00039abe
0x00039ac9
0x00039ace
0x00039ad4
0x00039ad8
0x00039ad8
0x00039ae8
0x00039878
0x00039878
0x0003987e
0x00039882
0x00039893
0x000398a1
0x000398ac
0x000398b1
0x000398b4
0x000398b8
0x000398ba
0x000398bc
0x000398c2
0x000398c2
0x000398be
0x000398be
0x000398be
0x000398cc
0x000398d3
0x000398d8
0x000398e2
0x000398e6
0x000398f1
0x000398fc
0x00039901
0x00039907
0x0003990b
0x0003990b
0x00039910
0x00039916
0x0003991a
0x0003992b
0x00039939
0x00039944
0x00039949
0x0003994c
0x00039950
0x00039952
0x00039954
0x0003995a
0x0003995a
0x00039956
0x00039956
0x00039956
0x00039964
0x0003996b
0x00039970
0x0003997a
0x0003997e
0x00039989
0x00039994
0x00039999
0x0003999f
0x000399a3
0x000399a3
0x0003991a
0x00039872
0x00039af8
0x00039b04
0x00039b0d
0x00039b17
0x00039b19
0x00039d85
0x00039d95
0x00039d99
0x00039dae
0x00039db1
0x00039dc1
0x00039ddb
0x00039de8
0x00039def
0x00039df3
0x00039e02
0x00039e06
0x00039e11
0x00039e1c
0x00039e21
0x00039e25
0x00039e2a
0x00039e2c
0x00039e37
0x00039e37
0x00039e3c
0x00039e3e
0x00039e62
0x00039e6e
0x00039e70
0x00039e72
0x00039e73
0x00039e74
0x00039e79
0x00039e7b
0x00039e94
0x00039ea9
0x00039ead
0x00039ebb
0x00039ec6
0x00039ed0
0x00039edc
0x00039ee7
0x00039eea
0x00039ef5
0x00039f00
0x00039f0c
0x00039f10
0x00039f1b
0x00039f26
0x00039f31
0x00039f3c
0x00039f47
0x00039f52
0x00039f5d
0x00039f68
0x00039f73
0x00039f7e
0x00039f89
0x00039f94
0x00039f9f
0x00039faa
0x00039fb5
0x00039fba
0x00000000
0x00039fba
0x00039e40
0x00039e45
0x00039e47
0x00000000
0x00000000
0x00039e49
0x00039e55
0x00039e57
0x00039e59
0x00039e5a
0x00039e5b
0x00000000
0x00039e5b
0x00039e2e
0x00039e33
0x00039e35
0x00000000
0x00000000
0x00000000
0x00039b1f
0x00039b28
0x00039b2d
0x00039b37
0x00039b40
0x00039b44
0x00039b45
0x00039b47
0x00039b4b
0x00039b51
0x00039b51
0x00039b53
0x00039b5a
0x00039b5e
0x00039b63
0x00039b6d
0x00039b70
0x00039b76
0x00039b7b
0x00039b7d
0x00039b81
0x00039b87
0x00039b87
0x00039b89
0x00039b8c
0x00039b96
0x00039b9a
0x00039b9b
0x00039b9d
0x00039ba1
0x00039ba7
0x00039ba7
0x00039ba9
0x00039bb3
0x00039bbc
0x00039bc0
0x00039bc1
0x00039bc3
0x00039bc7
0x00039bcd
0x00039bcd
0x00039bcf
0x00039bd9
0x00039be2
0x00039be6
0x00039be7
0x00039be9
0x00039bed
0x00039bf3
0x00039bf3
0x00039bf5
0x00039bff
0x00039c08
0x00039c0c
0x00039c0d
0x00039c0f
0x00039c13
0x00039c19
0x00039c19
0x00039c1b
0x00039c25
0x00039c2e
0x00039c32
0x00039c33
0x00039c35
0x00039c39
0x00039c3f
0x00039c3f
0x00039c41
0x00039c4b
0x00039c54
0x00039c58
0x00039c59
0x00039c5b
0x00039c5f
0x00039c65
0x00039c65
0x00039c67
0x00039c71
0x00039c7a
0x00039c7e
0x00039c7f
0x00039c81
0x00039c85
0x00039c8b
0x00039c8b
0x00039c8d
0x00039c97
0x00039ca0
0x00039ca4
0x00039ca5
0x00039ca7
0x00039cab
0x00039cb1
0x00039cb1
0x00039cb3
0x00039cbd
0x00039cc6
0x00039cca
0x00039ccb
0x00039ccd
0x00039cd1
0x00039cd7
0x00039cd7
0x00039cd9
0x00039ce3
0x00039cec
0x00039cf0
0x00039cf1
0x00039cf3
0x00039cf7
0x00039cfd
0x00039cfd
0x00039cff
0x00039d09
0x00039d12
0x00039d16
0x00039d17
0x00039d19
0x00039d1d
0x00039d23
0x00039d23
0x00039d25
0x00039d2f
0x00039d38
0x00039d3c
0x00039d3d
0x00039d3f
0x00039d43
0x00039d49
0x00039d49
0x00039d4b
0x00039d55
0x00039d5e
0x00039d62
0x00039d63
0x00039d65
0x00039d6d
0x00039d73
0x00039d73
0x0003a0bb
0x00000000
0x0003a0bb
0x00039603
0x00039603
0x0003960a
0x0003960e
0x00039613
0x0003961d
0x00039620
0x00039626
0x0003962b
0x0003962d
0x00039631
0x00039637
0x00039637
0x00039639
0x0003963c
0x00039646
0x0003964a
0x0003964b
0x0003964d
0x00039651
0x00039657
0x00039657
0x00039659
0x00039663
0x0003966c
0x00039670
0x00039671
0x00039673
0x00039677
0x0003967d
0x0003967d
0x0003967f
0x00039689
0x00039692
0x00039696
0x00039697
0x00039699
0x0003969d
0x000396a3
0x000396a3
0x000396a5
0x000396af
0x000396b8
0x000396bc
0x000396bd
0x000396bf
0x000396c3
0x000396c9
0x000396c9
0x000396cb
0x000396d5
0x000396de
0x000396e2
0x000396e3
0x000396e5
0x000396e9
0x000396ef
0x000396ef
0x000396f1
0x000396fb
0x00039704
0x00039708
0x00039709
0x0003970b
0x0003970f
0x00039715
0x00039715
0x00039717
0x00039721
0x0003972a
0x0003972e
0x0003972f
0x00039731
0x00039735
0x0003973b
0x0003973b
0x0003973d
0x00039747
0x00039750
0x00039754
0x00039755
0x00039757
0x0003975b
0x00039761
0x00039761
0x00039763
0x0003976d
0x00039776
0x0003977a
0x0003977b
0x0003977d
0x00039781
0x00039787
0x00039787
0x00039789
0x00039793
0x0003979c
0x000397a0
0x000397a1
0x000397a3
0x000397a7
0x000397ad
0x000397ad
0x000397af
0x000397b9
0x000397c2
0x000397c6
0x000397c7
0x000397c9
0x000397cd
0x000397d3
0x000397d3
0x000397d5
0x000397df
0x000397e8
0x000397ec
0x000397ed
0x000397ef
0x000397f3
0x000397f9
0x000397f9
0x000397fb
0x00039805
0x0003980e
0x00039812
0x00039813
0x00039815
0x00038db2
0x00038db2
0x00038dbf
0x00000000
0x0003981b
0x0003981d
0x00039823
0x00039825
0x00039832
0x000389f1
0x000389f7
0x000389fb
0x000389fc
0x000389fe
0x00038a06
0x00038a0c
0x00038a0c
0x00000000
0x000389fe
0x00039815
0x000395fd
0x00038e44
0x00038e4f
0x00038e56
0x00038e5a
0x00038e5f
0x00038e62
0x00038e6c
0x00038e75
0x00038e79
0x00038e7a
0x00038e7c
0x00038e80
0x00038e86
0x00038e86
0x00038e93
0x00038e98
0x00038e9c
0x00038ea3
0x00038eb0
0x00038eb0
0x00038eb5
0x00038ebb
0x00038ebf
0x00038ed0
0x00038ede
0x00038ee9
0x00038eee
0x00038ef1
0x00038ef3
0x00038ef6
0x00038ef8
0x00038efa
0x00038f00
0x00038f00
0x00038efc
0x00038efc
0x00038efc
0x00038f0a
0x00038f11
0x00038f16
0x00038f20
0x00038f24
0x00038f29
0x00038f32
0x00038f3b
0x00038f3f
0x00038f40
0x00038f42
0x00038f46
0x00038f4c
0x00038f4c
0x00038f54
0x00038f59
0x00038f5f
0x00038f63
0x00038f63
0x00038f68
0x00038f6e
0x00038f72
0x00038f83
0x00038f91
0x00038f9c
0x00038fa1
0x00038fa4
0x00038fa6
0x00038fa9
0x00038fab
0x00038fad
0x00038fb3
0x00038fb3
0x00038faf
0x00038faf
0x00038faf
0x00038fbd
0x00038fc4
0x00038fc9
0x00038fd3
0x00038fd7
0x00038fdc
0x00038fe5
0x00038fe8
0x00038fee
0x00038ff3
0x00038ff5
0x00038ff7
0x00038fff
0x00038fff
0x00039007
0x0003900c
0x00039012
0x00039016
0x00039016
0x0003901c
0x00039022
0x0003902b
0x00039035
0x00039037
0x000392c4
0x000392d7
0x000392dd
0x000392e3
0x000392f3
0x000392f9
0x00039306
0x0003930f
0x00039313
0x00039314
0x00039316
0x0003931a
0x00039320
0x00039320
0x00039322
0x0003932c
0x00039335
0x00039339
0x0003933a
0x0003933c
0x00039340
0x00039346
0x00039346
0x00039348
0x00039352
0x0003935b
0x0003935f
0x00039360
0x00039362
0x00039366
0x0003936c
0x0003936c
0x0003936e
0x00039371
0x0003937b
0x0003937f
0x00039380
0x00039382
0x00039386
0x0003938c
0x0003938c
0x0003938e
0x00039398
0x000393a1
0x000393a5
0x000393a6
0x000393a8
0x000393ac
0x000393b2
0x000393b2
0x000393b4
0x000393be
0x000393c7
0x000393cb
0x000393cc
0x000393ce
0x000393d2
0x000393d8
0x000393d8
0x000393da
0x000393e4
0x000393ed
0x000393f1
0x000393f2
0x000393f4
0x000393f8
0x000393fe
0x000393fe
0x00039400
0x0003940a
0x00039413
0x00039417
0x00039418
0x0003941a
0x0003941e
0x00039424
0x00039424
0x00039426
0x00039430
0x00039439
0x0003943d
0x0003943e
0x00039440
0x00039444
0x0003944a
0x0003944a
0x0003944c
0x0003944f
0x00039459
0x0003945d
0x0003945e
0x00039460
0x00039464
0x0003946a
0x0003946a
0x0003946c
0x0003946f
0x00039479
0x0003947d
0x0003947e
0x00039480
0x00039484
0x0003948a
0x0003948a
0x0003948c
0x00039496
0x0003949f
0x000394a3
0x000394a4
0x000394a6
0x000394aa
0x000394b0
0x000394b0
0x000394b2
0x000394bc
0x000394c5
0x000394c9
0x000394ca
0x000394cc
0x000394d0
0x000394d6
0x000394d6
0x000394d8
0x000394e2
0x000394eb
0x000394ef
0x000394f0
0x000394f2
0x000394f6
0x000394fc
0x000394fc
0x000394fe
0x00039508
0x00039511
0x00039515
0x00039516
0x00039518
0x0003951c
0x00039522
0x00039522
0x00039524
0x0003952e
0x00039537
0x0003953b
0x0003953c
0x0003953e
0x00039542
0x00039548
0x00039548
0x0003954a
0x00039557
0x00039560
0x00039564
0x00039565
0x00039567
0x0003956b
0x00039571
0x00039571
0x00039573
0x00000000
0x0003903d
0x00039046
0x0003904b
0x00039055
0x0003905e
0x00039062
0x00039063
0x00039065
0x00039069
0x0003906f
0x0003906f
0x00039071
0x0003907b
0x00039084
0x00039088
0x00039089
0x0003908b
0x0003908f
0x00039095
0x00039095
0x00039097
0x000390a1
0x000390aa
0x000390ae
0x000390af
0x000390b1
0x000390b5
0x000390bb
0x000390bb
0x000390bd
0x000390c0
0x000390ca
0x000390ce
0x000390cf
0x000390d1
0x000390d5
0x000390db
0x000390db
0x000390dd
0x000390e7
0x000390f0
0x000390f4
0x000390f5
0x000390f7
0x000390fb
0x00039101
0x00039101
0x00039103
0x0003910d
0x00039116
0x0003911a
0x0003911b
0x0003911d
0x00039121
0x00039127
0x00039127
0x00039129
0x00039133
0x0003913c
0x00039140
0x00039141
0x00039143
0x00039147
0x0003914d
0x0003914d
0x0003914f
0x00039159
0x00039162
0x00039166
0x00039167
0x00039169
0x0003916d
0x00039173
0x00039173
0x00039175
0x0003917f
0x00039188
0x0003918c
0x0003918d
0x0003918f
0x00039193
0x00039199
0x00039199
0x0003919b
0x000391a5
0x000391ae
0x000391b2
0x000391b3
0x000391b5
0x000391b9
0x000391bf
0x000391bf
0x000391c1
0x000391cb
0x000391d4
0x000391d8
0x000391d9
0x000391db
0x000391df
0x000391e5
0x000391e5
0x000391e7
0x000391f1
0x000391fa
0x000391fe
0x000391ff
0x00039201
0x00039205
0x0003920b
0x0003920b
0x0003920d
0x00039217
0x00039220
0x00039224
0x00039225
0x00039227
0x0003922b
0x00039231
0x00039231
0x00039233
0x0003923d
0x00039246
0x0003924a
0x0003924b
0x0003924d
0x00039251
0x00039257
0x00039257
0x00039259
0x00039263
0x0003926c
0x00039270
0x00039271
0x00039273
0x00039277
0x0003927d
0x0003927d
0x0003927f
0x00039289
0x00039292
0x00039296
0x00039297
0x00039299
0x00000000
0x0003929f
0x000392a1
0x000392a7
0x000392a9
0x000392b6
0x00000000
0x000392b6
0x00039299
0x00039037
0x00038b90
0x00038b95
0x00038b9b
0x00038b9f
0x00038ba4
0x00038bae
0x00038bb1
0x00038bb7
0x00038bbc
0x00038bbe
0x00038bc2
0x00038bc8
0x00038bc8
0x00038bca
0x00038bcd
0x00038bd7
0x00038bdb
0x00038bdc
0x00038bde
0x00038be2
0x00038be8
0x00038be8
0x00038bea
0x00038bf4
0x00038bfd
0x00038c01
0x00038c02
0x00038c04
0x00038c08
0x00038c0e
0x00038c0e
0x00038c10
0x00038c1a
0x00038c23
0x00038c27
0x00038c28
0x00038c2a
0x00038c2e
0x00038c34
0x00038c34
0x00038c36
0x00038c40
0x00038c49
0x00038c4d
0x00038c4e
0x00038c50
0x00038c54
0x00038c5a
0x00038c5a
0x00038c5c
0x00038c66
0x00038c6f
0x00038c73
0x00038c74
0x00038c76
0x00038c7a
0x00038c80
0x00038c80
0x00038c82
0x00038c8c
0x00038c95
0x00038c99
0x00038c9a
0x00038c9c
0x00038ca0
0x00038ca6
0x00038ca6
0x00038ca8
0x00038cb2
0x00038cbb
0x00038cbf
0x00038cc0
0x00038cc2
0x00038cc6
0x00038ccc
0x00038ccc
0x00038cce
0x00038cd8
0x00038ce1
0x00038ce5
0x00038ce6
0x00038ce8
0x00038cec
0x00038cf2
0x00038cf2
0x00038cf4
0x00038cfe
0x00038d07
0x00038d0b
0x00038d0c
0x00038d0e
0x00038d12
0x00038d18
0x00038d18
0x00038d1a
0x00038d24
0x00038d2d
0x00038d31
0x00038d32
0x00038d34
0x00038d38
0x00038d3e
0x00038d3e
0x00038d40
0x00038d4a
0x00038d53
0x00038d57
0x00038d58
0x00038d5a
0x00038d5e
0x00038d64
0x00038d64
0x00038d66
0x00038d70
0x00038d79
0x00038d7d
0x00038d7e
0x00038d80
0x00038d84
0x00038d8a
0x00038d8a
0x00038d8c
0x00038d96
0x00038d9f
0x00038da3
0x00038da4
0x00038da6
0x00038daa
0x00038db0
0x00038db0
0x00000000
0x00038da6
0x00038b52
0x000387ca
0x000387cc
0x00000000
0x00000000
0x000387da
0x000387df
0x000387e9
0x000387f2
0x000387f6
0x000387f7
0x000387f9
0x000387fd
0x00038803
0x00038803
0x00038805
0x0003880f
0x00038818
0x0003881c
0x0003881d
0x0003881f
0x00038823
0x00038829
0x00038829
0x0003882b
0x00038835
0x0003883e
0x00038842
0x00038843
0x00038845
0x00038849
0x0003884f
0x0003884f
0x00038851
0x0003885b
0x00038864
0x00038868
0x00038869
0x0003886b
0x0003886f
0x00038875
0x00038875
0x00038877
0x0003887a
0x00038884
0x00038888
0x00038889
0x0003888b
0x0003888f
0x00038895
0x00038895
0x00038897
0x000388a1
0x000388aa
0x000388ae
0x000388af
0x000388b1
0x000388b5
0x000388bb
0x000388bb
0x000388bd
0x000388c7
0x000388d0
0x000388d4
0x000388d5
0x000388d7
0x000388db
0x000388e1
0x000388e1
0x000388e3
0x000388ed
0x000388f6
0x000388fa
0x000388fb
0x000388fd
0x00038901
0x00038907
0x00038907
0x00038909
0x00038913
0x0003891c
0x00038920
0x00038921
0x00038923
0x00038927
0x0003892d
0x0003892d
0x0003892f
0x00038939
0x00038942
0x00038946
0x00038947
0x00038949
0x0003894d
0x00038953
0x00038953
0x00038955
0x0003895f
0x00038968
0x0003896c
0x0003896d
0x0003896f
0x00038973
0x00038979
0x00038979
0x0003897b
0x00038985
0x0003898e
0x00038992
0x00038993
0x00038995
0x00038999
0x0003899f
0x0003899f
0x000389a1
0x000389ab
0x000389b4
0x000389b8
0x000389b9
0x000389bb
0x000389bf
0x000389c5
0x000389c5
0x000389c7
0x000389c7
0x000389ca
0x000389d4
0x000389d8
0x000389d9
0x000389db
0x000389df
0x000389e5
0x000389e5
0x000389e7
0x000389ee
0x00000000
0x000389ee
0x00038722
0x00038726
0x0003872a
0x00000000
0x00000000
0x0003872c
0x0003872f
0x00038732
0x00038735
0x00000000
0x00000000
0x00000000
0x00038735
0x0003873b
0x0003873d
0x00000000
0x0003873d
0x000386ff
0x00038586
0x0003858d
0x000385c7
0x000385d2
0x000385d7
0x000385d7
0x00000000
0x000385d7
0x0003858f
0x00038591
0x00038593
0x00000000
0x00000000
0x00038596
0x0003859b
0x0003859d
0x000385a3
0x000385a8
0x000385aa
0x000385ae
0x000385b4
0x000385b4
0x000385b9
0x000385bf
0x00000000
0x000385bf
0x0003850d
0x0003850d
0x0003850d
0x00038512
0x00000000
0x00038512
0x00038489
0x00038489
0x00038490
0x000384ca
0x000384d5
0x000384da
0x000384da
0x00000000
0x000384da
0x00038492
0x00038494
0x00038496
0x00000000
0x00000000
0x00038499
0x0003849e
0x000384a0
0x000384a6
0x000384ab
0x000384ad
0x000384b1
0x000384b7
0x000384b7
0x000384bc
0x000384c2
0x00000000
0x000384c2
0x000380e8
0x000380e8
0x0003a0c0
0x0003a0c0
0x0003a0c2
0x0003a0c5
0x0003a0cd
0x0003a0ce
0x0003a0cf
0x0003a0dd
0x0003a0dd
0x000380e6

APIs

#17.COMCTL32(960AF5FB), ref: 00038089

Part of subcall function 0003B1C0: RegOpenKeyExW.KERNEL32 ref: 0003B1F7

Part of subcall function 0003B240: _memset.LIBCMT ref: 0003B267
Part of subcall function 0003B240: VerSetConditionMask.KERNEL32 ref: 0003B29C
Part of subcall function 0003B240: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 0003B2A4
Part of subcall function 0003B240: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 0003B2AC
Part of subcall function 0003B240: VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0003B2B4
Part of subcall function 0003B240: VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 0003B2BF

Part of subcall function 00031330: _vwprintf.LIBCMT ref: 0003139E
Part of subcall function 00031330: _vswprintf_s.LIBCMT ref: 000313DD

Part of subcall function 00034140: _memmove_s.LIBCMT ref: 000341BA

Part of subcall function 0003BFE0: _memcpy_s.LIBCMT ref: 0003C079

SHGetFolderPathW.SHELL32(00000000,0000801C,00000000,00000000,?), ref: 00038768
GetFileAttributesW.KERNELBASE(?,\Exam Shield,0000000C,?,?,?,?,?,?,?,?,80070057), ref: 000387B2
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,?,80070057), ref: 000387C4
GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,?,?,?,?,?,80070057), ref: 00038A21

Part of subcall function 0004CEE5: __EH_prolog3_catch_GS.LIBCMT ref: 0004CEEF

Part of subcall function 0004CCE1: _fputws.LIBCMT ref: 0004CCFA

Part of subcall function 0003A210: RegOpenKeyExW.KERNEL32 ref: 0003A28F
Part of subcall function 0003A210: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0003A2C4
Part of subcall function 0003A210: wsprintfW.USER32 ref: 0003A2EC
Part of subcall function 0003A210: RegOpenKeyExW.ADVAPI32 ref: 0003A30E
Part of subcall function 0003A210: RegQueryValueExW.ADVAPI32 ref: 0003A344
Part of subcall function 0003A210: RegCloseKey.ADVAPI32(?), ref: 0003A36C

ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000005), ref: 000392D7
CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 000392F3

Part of subcall function 0003BEC0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,0003AEC5,ExamShield Version,000000C8), ref: 0003BEDA
Part of subcall function 0003BEC0: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,-00000001,?,0003AEC5,ExamShield Version,000000C8,?,?,?,?,?,0000012C), ref: 0003BF0D

Part of subcall function 0003BB10: _com_util::ConvertStringToBSTR.COMSUPP ref: 0003BB60

Part of subcall function 0003BE00: SysAllocString.OLEAUT32(?), ref: 0003BE54

Part of subcall function 0003B1C0: RegQueryValueExW.KERNEL32(00000000,00181790,00000000,00000004,00000000,00000000), ref: 0003B225
Part of subcall function 0003B1C0: RegCloseKey.KERNEL32(00000000), ref: 0003B233

ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000005), ref: 00039E7B
CopyFileW.KERNEL32 ref: 00039ED0

Strings

An unexpected error has occured! Please contact support., xrefs: 00039041, 00039B23
COMPATIBILITYCHECK, xrefs: 0003870E
\ExamShieldSetup.exe, xrefs: 00038AA3
ExamShieldSetup.exe, xrefs: 00038458
/COMPATIBILITYCHECK, xrefs: 00038EA5, 0003985B
LAUNCHEXAMSHIELD, xrefs: 00039AED
\ExamShieldParams.dat, xrefs: 00038AF4
Unable to create directory, xrefs: 000387D5
/OPERATINGSYSTEM=, xrefs: 00038F78, 00039920, 00039A55
?id=, xrefs: 0003861A, 00038671
ExamShield Setup, xrefs: 000395B3
UNINSTALL, xrefs: 00039ADD
runas, xrefs: 00039E5B
\ExamShieldLauncher.exe, xrefs: 00038A52
open, xrefs: 000392D0, 00039E74
ExamShieldVersion.txt, xrefs: 0003854C
/z", xrefs: 00039DA3
Unable to create file, xrefs: 00038B8B
ExamShield, xrefs: 00038E0B
\Exam Shield, xrefs: 0003879B
ExamShield.exe, xrefs: 00038E49, 00039E9C
7, xrefs: 00039EA9
ExamShield (Compatibility Check) Setup, xrefs: 000395D8
/COLLABORATIONCLIENT=, xrefs: 00038EC5, 00039888, 000399BD

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ConditionFileMask$Open$ByteCharCloseCopyExecuteMultiQueryShellStringValueWide$AllocAttributesConvertCreateDirectoryEnumFolderH_prolog3_catch_InfoModuleNamePathVerifyVersion_com_util::_fputws_memcpy_s_memmove_s_memset_vswprintf_s_vwprintfwsprintf
String ID: /COLLABORATIONCLIENT=$ /OPERATINGSYSTEM=$ LAUNCHEXAMSHIELD$ UNINSTALL$/COMPATIBILITYCHECK$/z"$7$?id=$An unexpected error has occured! Please contact support.$COMPATIBILITYCHECK$ExamShield$ExamShield (Compatibility Check) Setup$ExamShield Setup$ExamShield.exe$ExamShieldSetup.exe$ExamShieldVersion.txt$Unable to create directory$Unable to create file$\Exam Shield$\ExamShieldLauncher.exe$\ExamShieldParams.dat$\ExamShieldSetup.exe$open$runas
API String ID: 1871693599-2427528796
Opcode ID: 9bdc1200aaf1e3d57c99b42786169e4413bf68d0fc315be2d2cd9a5871a103b8
Instruction ID: 67bd447b63aad6ce3b2383f360bbd0a9cfce914e6380d0b495eb1ba297cf52c2
Opcode Fuzzy Hash: 9bdc1200aaf1e3d57c99b42786169e4413bf68d0fc315be2d2cd9a5871a103b8
Instruction Fuzzy Hash: BE339F70601A048FD755DB6CCC81B99B3B9BF95324F28C3D8E1299B2E2DB70AE45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0004A7E8 Relevance: 12.1, APIs: 8, Instructions: 132
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0004A7E8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t45;
				long _t46;
				WCHAR* _t51;
				int _t56;
				void* _t58;
				int _t64;
				intOrPtr _t76;
				signed int _t90;
				void* _t93;
				WCHAR* _t95;
				long _t97;
				void* _t98;
				WCHAR* _t103;
				WCHAR* _t105;

				_t93 = __edx;
				_push(0x268);
				E00131A82(0x148d9f, __ebx, __edi, __esi);
				_t95 =  *(_t98 + 8);
				_t45 =  *(_t98 + 0xc);
				_t76 =  *((intOrPtr*)(_t98 + 0x10));
				_t103 = _t95;
				_t78 = 0 | _t103 != 0x00000000;
				 *(_t98 - 0x268) = _t45;
				if(_t103 != 0) {
					L2:
					_t105 = _t45;
					_t78 = 0 | _t105 != 0x00000000;
					if(_t105 != 0) {
						goto L1;
					}
					_t97 = 0x104;
					_t46 = GetFullPathNameW(_t45, 0x104, _t95, _t98 - 0x26c);
					if(_t46 != 0) {
						if(_t46 < 0x104) {
							E00031110(_t98 - 0x264, E00045761());
							 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
							E0004A618(_t76, _t95, _t98 - 0x264);
							_t51 = PathIsUNCW( *(_t98 - 0x264));
							if(_t51 != 0) {
								L21:
								E00031190( &(( *(_t98 - 0x264))[0xfffffffffffffff8]), _t93);
								goto L22;
							}
							_t56 = GetVolumeInformationW( *(_t98 - 0x264), _t51, _t51, _t51, _t98 - 0x274, _t98 - 0x270, _t51, _t51); // executed
							if(_t56 != 0) {
								if(( *(_t98 - 0x270) & 0x00000002) == 0) {
									CharUpperW(_t95);
								}
								if(( *(_t98 - 0x270) & 0x00000004) != 0) {
									goto L21;
								} else {
									_t58 = FindFirstFileW( *(_t98 - 0x268), _t98 - 0x260);
									if(_t58 == 0xffffffff) {
										goto L21;
									}
									FindClose(_t58);
									if( *(_t98 - 0x26c) == 0 ||  *(_t98 - 0x26c) <= _t95) {
										goto L11;
									} else {
										_t64 = lstrlenW(_t98 - 0x234);
										_t90 =  *(_t98 - 0x26c) - _t95 >> 1;
										if(_t64 + _t90 >= _t97) {
											if(_t76 != 0) {
												 *((intOrPtr*)(_t76 + 8)) = 3;
												E00036590(_t95,  *(_t98 - 0x268));
											}
											L12:
											E00031190( &(( *(_t98 - 0x264))[0xfffffffffffffff8]), _t93);
											goto L5;
										}
										_push(E00130E8C( *(_t98 - 0x26c), _t97, _t98 - 0x234));
										E00033DF0();
										goto L21;
									}
								}
							}
							L11:
							E0004A7B9(_t95, _t76,  *(_t98 - 0x268));
							goto L12;
						}
						if(_t76 != 0) {
							 *((intOrPtr*)(_t76 + 8)) = 3;
							E00036590(_t95,  *(_t98 - 0x268));
						}
						goto L5;
					} else {
						_push(E00130EEF(_t95, 0x104,  *(_t98 - 0x268), 0xffffffff));
						E00033DF0();
						E0004A7B9(_t95, _t76,  *(_t98 - 0x268));
						L5:
						L22:
						return E00131B05(_t76, _t95, _t97);
					}
				}
				L1:
				_t45 = E000455E0(_t78);
				goto L2;
			}

0x0004a7e8
0x0004a7e8
0x0004a7f2
0x0004a7f7
0x0004a7fa
0x0004a7fd
0x0004a802
0x0004a804
0x0004a807
0x0004a80f
0x0004a816
0x0004a818
0x0004a81a
0x0004a81f
0x00000000
0x00000000
0x0004a829
0x0004a830
0x0004a838
0x0004a867
0x0004a890
0x0004a895
0x0004a8a1
0x0004a8ac
0x0004a8b4
0x0004a980
0x0004a989
0x00000000
0x0004a990
0x0004a8d3
0x0004a8db
0x0004a903
0x0004a906
0x0004a906
0x0004a913
0x00000000
0x0004a915
0x0004a922
0x0004a92b
0x00000000
0x00000000
0x0004a92e
0x0004a93b
0x00000000
0x0004a945
0x0004a94c
0x0004a95a
0x0004a960
0x0004a99b
0x0004a9aa
0x0004a9b1
0x0004a9b1
0x0004a8e9
0x0004a8f2
0x00000000
0x0004a8f2
0x0004a977
0x0004a978
0x00000000
0x0004a97d
0x0004a93b
0x0004a913
0x0004a8dd
0x0004a8e4
0x00000000
0x0004a8e4
0x0004a86b
0x0004a876
0x0004a87d
0x0004a87d
0x00000000
0x0004a83a
0x0004a849
0x0004a84a
0x0004a859
0x0004a85e
0x0004a991
0x0004a996
0x0004a996
0x0004a838
0x0004a811
0x0004a811
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 0004A7F2
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,0004A9CD,00000000,?,00000000,?,00048BC1,?,?,00000000), ref: 0004A830

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

PathIsUNCW.SHLWAPI(?), ref: 0004A8AC
GetVolumeInformationW.KERNELBASE ref: 0004A8D3
CharUpperW.USER32 ref: 0004A906
FindFirstFileW.KERNEL32(?,?), ref: 0004A922
FindClose.KERNEL32(00000000), ref: 0004A92E
lstrlenW.KERNEL32(?), ref: 0004A94C

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 3687868058-0
Opcode ID: 60bec2c9ee2a74e573237276e5082bc2dfbe9fe2efc8577f669d35ffc1a6ab21
Instruction ID: 3e10a13c23661062f820764ff458262a2ea8bfd4d08b6a6de3fda56a05bab9e7
Opcode Fuzzy Hash: 60bec2c9ee2a74e573237276e5082bc2dfbe9fe2efc8577f669d35ffc1a6ab21
Instruction Fuzzy Hash: 974190B1A44215ABDF65AB60CC89BFE777CEF15310F0002BCB81991192DF319E81DA25

Uniqueness

Uniqueness Score: -1.00%

Function 00050268 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 559
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00050268(void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed int __fp0) {
				signed char _t260;
				void* _t270;
				struct tagLOGFONTW _t271;
				struct tagLOGFONTW _t280;
				struct HFONT__* _t305;
				void* _t307;
				struct HFONT__* _t312;
				signed int _t318;
				int _t327;
				signed int _t330;
				struct HINSTANCE__* _t332;
				struct HINSTANCE__* _t333;
				intOrPtr _t336;
				signed int _t352;
				struct HFONT__* _t369;
				int _t371;
				signed int _t372;
				WCHAR* _t373;
				intOrPtr* _t398;
				char _t399;
				void* _t401;
				void* _t404;
				intOrPtr _t405;
				intOrPtr _t406;
				void* _t407;
				intOrPtr _t408;
				void* _t409;
				void* _t410;
				void* _t411;
				intOrPtr _t412;
				void* _t413;
				signed int _t426;
				signed int _t437;
				void* _t440;
				signed int _t442;
				void* _t446;
				signed int _t447;
				signed int _t448;
				void* _t450;
				void* _t453;
				intOrPtr _t484;
				signed long long _t488;

				_t453 = __eflags;
				_t437 = __edx;
				_push(0x488);
				E00131A82(0x149407, __ebx, __edi, __esi);
				_t398 = __ecx;
				_push(0);
				 *(_t450 - 0x460) = __ecx;
				E0004661F(__ecx, _t450 - 0x494, __edx, __edi, 0, _t453);
				 *(_t450 - 4) = 0;
				_t260 = GetDeviceCaps( *(_t450 - 0x48c), 0x58);
				 *(_t450 - 0x464) = _t260;
				asm("fild dword [ebp-0x464]");
				_t488 = __fp0 /  *0x15bbc8;
				asm("fst qword [ebx+0x1dc]");
				asm("fld1");
				asm("fcom st0, st1");
				asm("fnstsw ax");
				if((_t260 & 0x00000005) != 0) {
					st0 = _t488;
					L4:
					st0 = _t488;
				} else {
					_t488 =  *0x15bbc0;
					asm("fcomp st0, st2");
					asm("fnstsw ax");
					st1 = _t488;
					if((_t260 & 0x00000041) != 0) {
						goto L4;
					} else {
						 *(_t398 + 0x1dc) = _t488;
					}
				}
				_t404 = _t398 + 0x114;
				if(_t404 != 0 &&  *((intOrPtr*)(_t404 + 4)) != 0) {
					DeleteObject(E000467F8(_t398, _t404, _t437));
				}
				_t405 = _t398 + 0x11c;
				 *((intOrPtr*)(_t450 - 0x478)) = _t405;
				if(_t405 != 0 &&  *((intOrPtr*)(_t405 + 4)) != 0) {
					DeleteObject(E000467F8(_t398, _t405, _t437));
				}
				_t406 = _t398 + 0x124;
				 *((intOrPtr*)(_t450 - 0x470)) = _t406;
				if(_t406 != 0 &&  *((intOrPtr*)(_t406 + 4)) != 0) {
					DeleteObject(E000467F8(_t398, _t406, _t437));
				}
				_t407 = _t398 + 0x12c;
				if(_t407 != 0 &&  *((intOrPtr*)(_t407 + 4)) != 0) {
					DeleteObject(E000467F8(_t398, _t407, _t437));
				}
				_t408 = _t398 + 0x134;
				 *((intOrPtr*)(_t450 - 0x474)) = _t408;
				if(_t408 != 0 &&  *((intOrPtr*)(_t408 + 4)) != 0) {
					DeleteObject(E000467F8(_t398, _t408, _t437));
				}
				_t409 = _t398 + 0x13c;
				if(_t409 != 0 &&  *((intOrPtr*)(_t409 + 4)) != 0) {
					DeleteObject(E000467F8(_t398, _t409, _t437));
				}
				_t410 = _t398 + 0x144;
				if(_t410 != 0 &&  *((intOrPtr*)(_t410 + 4)) != 0) {
					DeleteObject(E000467F8(_t398, _t410, _t437));
				}
				_t411 = _t398 + 0x14c;
				if(_t411 != 0 &&  *((intOrPtr*)(_t411 + 4)) != 0) {
					DeleteObject(E000467F8(_t398, _t411, _t437));
				}
				_t412 = _t398 + 0x15c;
				 *((intOrPtr*)(_t450 - 0x480)) = _t412;
				if(_t412 != 0 &&  *((intOrPtr*)(_t412 + 4)) != 0) {
					DeleteObject(E000467F8(_t398, _t412, _t437));
				}
				_t413 = _t398 + 0x154;
				if(_t413 != 0) {
					_t475 =  *((intOrPtr*)(_t413 + 4));
					if( *((intOrPtr*)(_t413 + 4)) != 0) {
						DeleteObject(E000467F8(_t398, _t413, _t437));
					}
				}
				 *((intOrPtr*)(_t450 - 0x264)) = 0x1f8;
				E0004EE53(_t475, _t450 - 0x264);
				E00131B30(_t450 - 0x6c, 0, 0x5c);
				 *((char*)(_t450 - 0x55)) = GetTextCharsetInfo( *(_t450 - 0x490), 0, 0);
				 *(_t450 - 0x5c) =  *(_t450 - 0x174);
				 *((char*)(_t450 - 0x58)) =  *((intOrPtr*)(_t450 - 0x170));
				asm("cdq");
				_t270 = ( *(_t450 - 0x184) ^ _t437) - _t437;
				if(_t270 > 0xc) {
					_t271 = _t270 - 1;
					__eflags = _t271;
				} else {
					_t271 = 0xb;
				}
				if( *(_t450 - 0x184) < 0) {
					_t271 =  ~_t271;
				}
				_t440 = lstrcpyW;
				 *(_t450 - 0x6c) = _t271;
				lstrcpyW(_t450 - 0x50, _t450 - 0x168);
				if( *_t398 == 0 &&  *((char*)(_t450 - 0x16d)) <= 2) {
					_t371 = EnumFontFamiliesW( *(_t450 - 0x490), 0, E0005021F,  *0x1a3988); // executed
					if(_t371 != 0) {
						_t372 = EnumFontFamiliesW( *(_t450 - 0x490), 0, E0005021F,  *0x1a3984);
						__eflags = _t372;
						_t373 = _t450 - 0x50;
						if(_t372 != 0) {
							_push( *0x1a398c);
						} else {
							_push( *0x1a3984);
						}
						lstrcpyW(_t373, ??);
					} else {
						lstrcpyW(_t450 - 0x50,  *0x1a3988);
						 *((char*)(_t450 - 0x52)) = 5;
					}
				}
				_t446 = CreateFontIndirectW;
				E000467CA(_t398, _t398 + 0x114, _t437, _t440, CreateFontIndirectW(_t450 - 0x6c));
				 *(_t450 - 0x464) =  *(_t450 - 0x6c);
				 *((intOrPtr*)(_t450 - 0x47c)) = E00135F20(_t437,  *(_t450 - 0x6c));
				asm("fild dword [ebp-0x47c]");
				_t491 = (_t488 +  *0x181b78 + st0) /  *0x15bbb8;
				_t280 = E00135A90(_t279, (_t488 +  *0x181b78 + st0) /  *0x15bbb8);
				_t481 =  *(_t450 - 0x464);
				 *(_t450 - 0x6c) = _t280;
				if( *(_t450 - 0x464) < 0) {
					 *(_t450 - 0x6c) =  ~( *(_t450 - 0x6c));
				}
				E000467CA(_t398, _t398 + 0x154, _t437, _t440, CreateFontIndirectW(_t450 - 0x6c));
				 *(_t450 - 0x6c) =  *(_t450 - 0x464);
				 *((intOrPtr*)(_t450 - 0x45c)) = 0x1f8;
				E0004EE53(_t481, _t450 - 0x45c);
				 *((char*)(_t450 - 0x58)) =  *((intOrPtr*)(_t450 - 0x30c));
				 *(_t450 - 0x5c) =  *(_t450 - 0x310);
				E000467CA(_t398,  *((intOrPtr*)(_t450 - 0x478)), _t437, _t440, CreateFontIndirectW(_t450 - 0x6c));
				 *((char*)(_t450 - 0x58)) =  *((intOrPtr*)(_t450 - 0x170));
				 *(_t450 - 0x5c) =  *(_t450 - 0x174);
				 *((char*)(_t450 - 0x57)) = 1;
				E000467CA(_t398,  *((intOrPtr*)(_t450 - 0x474)), _t437, _t440, CreateFontIndirectW(_t450 - 0x6c));
				 *((char*)(_t450 - 0x57)) = 0;
				 *(_t450 - 0x5c) = 0x2bc;
				E000467CA(_t398,  *((intOrPtr*)(_t450 - 0x470)), _t437, _t440, CreateFontIndirectW(_t450 - 0x6c));
				_t399 =  *((intOrPtr*)(_t450 - 0x55));
				 *(_t450 - 0x5c) =  *(_t450 - 0x5c) & 0x00000000;
				 *((char*)(_t450 - 0x55)) = 2;
				 *(_t450 - 0x6c) = GetSystemMetrics(0x48) - 1;
				lstrcpyW(_t450 - 0x50,  *0x1a3994);
				_t305 = CreateFontIndirectW(_t450 - 0x6c);
				_t422 =  *((intOrPtr*)(_t450 - 0x480));
				E000467CA(_t399,  *((intOrPtr*)(_t450 - 0x480)), _t437, _t440, _t305);
				 *(_t450 - 0x468) =  *(_t450 - 0x468) & 0x00000000;
				 *((char*)(_t450 - 0x55)) = _t399;
				 *((intOrPtr*)(_t450 - 0x46c)) = 0x15bba0;
				_t441 = GetStockObject;
				 *(_t450 - 4) = 1;
				_t307 = GetStockObject(0x11);
				_t400 = GetObjectW;
				 *(_t450 - 0x468) = _t307;
				if(_t307 != 0 && GetObjectW( *(_t450 - 0x468), 0x5c, _t450 - 0x6c) != 0) {
					 *(_t450 - 0x6c) =  *(_t450 - 0x184);
					 *(_t450 - 0x5c) =  *(_t450 - 0x174);
					 *((char*)(_t450 - 0x58)) =  *((intOrPtr*)(_t450 - 0x170));
					 *((intOrPtr*)(_t450 - 0x60)) = 0x384;
					 *((intOrPtr*)(_t450 - 0x64)) = 0xa8c;
					lstrcpyW(_t450 - 0x50,  *0x1a3990);
					E000467CA(GetObjectW,  *(_t450 - 0x460) + 0x144, _t437, GetStockObject, CreateFontIndirectW(_t450 - 0x6c));
					 *((intOrPtr*)(_t450 - 0x64)) = 0x384;
					_t369 = CreateFontIndirectW(_t450 - 0x6c);
					_t422 =  *(_t450 - 0x460) + 0x14c;
					_t484 =  *(_t450 - 0x460) + 0x14c;
					E000467CA(GetObjectW,  *(_t450 - 0x460) + 0x14c, _t437, GetStockObject, _t369);
				}
				GetObjectW( *(E000467B6(_t400, _t422, _t437, _t441, _t446, _t484, GetStockObject(0x11)) + 4), 0x5c, _t450 - 0x6c);
				 *((char*)(_t450 - 0x57)) = 1;
				_t312 = CreateFontIndirectW(_t450 - 0x6c);
				_t442 =  *(_t450 - 0x460);
				E000467CA(_t400, _t442 + 0x13c, _t437, _t442, _t312);
				 *((char*)(_t450 - 0x57)) = 0;
				 *(_t450 - 0x5c) = 0x2bc;
				E000467CA(_t400, _t442 + 0x12c, _t437, _t442, CreateFontIndirectW(_t450 - 0x6c));
				_t426 = _t442;
				E0004F01E(_t400, _t426, _t437, _t442, _t446, _t484);
				_t447 =  *0x1a3f70; // 0x0
				while(_t447 != 0) {
					_t318 = _t447;
					__eflags = _t447;
					if(_t447 == 0) {
						L60:
						E000455E0(_t426);
						asm("int3");
						_push(0x11c);
						E00131A82(0x149594, _t400, _t442, _t447);
						_t448 = _t426;
						 *(_t450 - 0x128) = _t448;
						 *((intOrPtr*)(_t448 + 0x94)) = 0;
						 *((intOrPtr*)(_t448 + 0x90)) = 0x157dac;
						 *(_t450 - 4) = 0;
						 *((intOrPtr*)(_t448 + 0x9c)) = 0;
						 *((intOrPtr*)(_t448 + 0x98)) = 0x157dac;
						 *((intOrPtr*)(_t448 + 0xa4)) = 0;
						 *((intOrPtr*)(_t448 + 0xa0)) = 0x157dac;
						 *((intOrPtr*)(_t448 + 0xac)) = 0;
						 *((intOrPtr*)(_t448 + 0xa8)) = 0x157dac;
						 *((intOrPtr*)(_t448 + 0xb4)) = 0;
						 *((intOrPtr*)(_t448 + 0xb0)) = 0x157dac;
						 *((intOrPtr*)(_t448 + 0xbc)) = 0;
						 *((intOrPtr*)(_t448 + 0xb8)) = 0x157dac;
						 *((intOrPtr*)(_t448 + 0xc4)) = 0;
						 *((intOrPtr*)(_t448 + 0xc0)) = 0x157dac;
						 *((intOrPtr*)(_t448 + 0xcc)) = 0;
						 *((intOrPtr*)(_t448 + 0xc8)) = 0x157dac;
						 *((intOrPtr*)(_t448 + 0xd4)) = 0;
						 *((intOrPtr*)(_t448 + 0xd0)) = 0x159fb0;
						 *((intOrPtr*)(_t448 + 0xdc)) = 0;
						 *((intOrPtr*)(_t448 + 0xd8)) = 0x159fb0;
						 *((intOrPtr*)(_t448 + 0xe4)) = 0;
						 *((intOrPtr*)(_t448 + 0xe0)) = 0x159fb0;
						 *((intOrPtr*)(_t448 + 0x10c)) = 0;
						 *((intOrPtr*)(_t448 + 0x110)) = 0;
						 *((intOrPtr*)(_t448 + 0x118)) = 0;
						 *((intOrPtr*)(_t448 + 0x114)) = 0x15bba0;
						 *((intOrPtr*)(_t448 + 0x120)) = 0;
						 *((intOrPtr*)(_t448 + 0x11c)) = 0x15bba0;
						 *((intOrPtr*)(_t448 + 0x128)) = 0;
						 *((intOrPtr*)(_t448 + 0x124)) = 0x15bba0;
						 *((intOrPtr*)(_t448 + 0x130)) = 0;
						 *((intOrPtr*)(_t448 + 0x12c)) = 0x15bba0;
						 *((intOrPtr*)(_t448 + 0x138)) = 0;
						 *((intOrPtr*)(_t448 + 0x134)) = 0x15bba0;
						 *((intOrPtr*)(_t448 + 0x140)) = 0;
						 *((intOrPtr*)(_t448 + 0x13c)) = 0x15bba0;
						 *((intOrPtr*)(_t448 + 0x148)) = 0;
						 *((intOrPtr*)(_t448 + 0x144)) = 0x15bba0;
						 *((intOrPtr*)(_t448 + 0x150)) = 0;
						 *((intOrPtr*)(_t448 + 0x14c)) = 0x15bba0;
						 *((intOrPtr*)(_t448 + 0x158)) = 0;
						 *((intOrPtr*)(_t448 + 0x154)) = 0x15bba0;
						 *((intOrPtr*)(_t448 + 0x160)) = 0;
						 *((intOrPtr*)(_t448 + 0x15c)) = 0x15bba0;
						 *(_t450 - 4) = 0x14;
						 *((intOrPtr*)(_t448 + 0x164)) = 0;
						 *((intOrPtr*)(_t448 + 0x168)) = 0;
						 *((intOrPtr*)(_t448 + 0x16c)) = 0;
						 *((intOrPtr*)(_t448 + 0x170)) = 0;
						 *(_t450 - 0x124) = 0x114;
						GetVersionExW(_t450 - 0x124);
						_t327 = GetSystemMetrics(0x1000); // executed
						__eflags =  *((intOrPtr*)(_t450 - 0x120)) - 6;
						 *((intOrPtr*)(_t448 + 0x180)) = _t327;
						asm("sbb eax, eax");
						__eflags =  *((intOrPtr*)(_t450 - 0x120)) - 6;
						 *((intOrPtr*)(_t448 + 0x174)) = _t327 + 1;
						if(__eflags != 0) {
							L63:
							if(__eflags > 0) {
								goto L65;
							} else {
								_t330 = 0;
							}
						} else {
							__eflags =  *((intOrPtr*)(_t450 - 0x11c)) - 1;
							if( *((intOrPtr*)(_t450 - 0x11c)) >= 1) {
								L65:
								_t330 = 1;
								__eflags = 1;
							} else {
								__eflags =  *((intOrPtr*)(_t450 - 0x120)) - 6;
								goto L63;
							}
						}
						 *((intOrPtr*)(_t448 + 0x178)) = _t330;
						 *((intOrPtr*)(_t448 + 0x17c)) = 0;
						 *((intOrPtr*)(_t448 + 0x1e4)) = 1;
						 *((intOrPtr*)(_t448 + 0xc)) = 0;
						 *((intOrPtr*)(_t448 + 8)) = 0;
						 *((intOrPtr*)(_t448 + 0x10)) = 0;
						E0004FD0F(_t400, _t448, _t437, 0, _t448, __eflags);
						_push(L"UxTheme.dll"); // executed
						_t332 = E0003E893(_t448, _t448, __eflags); // executed
						_t401 = GetProcAddress;
						 *(_t448 + 0x1ec) = _t332;
						__eflags = _t332;
						if(_t332 == 0) {
							 *((intOrPtr*)(_t448 + 0x1f4)) = 0;
							 *((intOrPtr*)(_t448 + 0x1f8)) = 0;
							 *((intOrPtr*)(_t448 + 0x1fc)) = 0;
							 *((intOrPtr*)(_t448 + 0x200)) = 0;
							 *((intOrPtr*)(_t448 + 0x204)) = 0;
							 *((intOrPtr*)(_t448 + 0x208)) = 0;
						} else {
							 *((intOrPtr*)(_t448 + 0x1f4)) = GetProcAddress(_t332, "DrawThemeParentBackground");
							 *((intOrPtr*)(_t448 + 0x1f8)) = GetProcAddress( *(_t448 + 0x1ec), "DrawThemeTextEx");
							 *((intOrPtr*)(_t448 + 0x1fc)) = GetProcAddress( *(_t448 + 0x1ec), "BufferedPaintInit");
							 *((intOrPtr*)(_t448 + 0x200)) = GetProcAddress( *(_t448 + 0x1ec), "BufferedPaintUnInit");
							 *((intOrPtr*)(_t448 + 0x204)) = GetProcAddress( *(_t448 + 0x1ec), "BeginBufferedPaint");
							 *((intOrPtr*)(_t448 + 0x208)) = GetProcAddress( *(_t448 + 0x1ec), "EndBufferedPaint");
						}
						_t333 = E0004EF88(_t401, _t437, L"dwmapi.dll"); // executed
						 *(_t448 + 0x1f0) = _t333;
						__eflags = _t333;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t448 + 0x20c)) = 0;
							 *((intOrPtr*)(_t448 + 0x210)) = 0;
							 *((intOrPtr*)(_t448 + 0x214)) = 0;
						} else {
							 *((intOrPtr*)(_t448 + 0x20c)) = GetProcAddress(_t333, "DwmExtendFrameIntoClientArea");
							 *((intOrPtr*)(_t448 + 0x210)) = GetProcAddress( *(_t448 + 0x1f0), "DwmDefWindowProc");
							 *((intOrPtr*)(_t448 + 0x214)) = GetProcAddress( *(_t448 + 0x1f0), "DwmIsCompositionEnabled");
						}
						 *((intOrPtr*)(_t448 + 0xe8)) = 0;
						 *((intOrPtr*)(_t448 + 0xec)) = 0;
						 *((intOrPtr*)(_t448 + 0xf0)) = 0;
						 *((intOrPtr*)(_t448 + 0xf4)) = 0;
						 *((intOrPtr*)(_t448 + 0x100)) = 0;
						 *((intOrPtr*)(_t448 + 0x104)) = 0;
						 *((intOrPtr*)(_t448 + 0x108)) = 0;
						 *((intOrPtr*)(_t448 + 0xf8)) = 0;
						 *((intOrPtr*)(_t448 + 0xfc)) = 0;
						 *_t448 = 0;
						 *((intOrPtr*)(_t448 + 4)) = 0;
						E00050268(_t401, _t448, _t437, 0, _t448, __eflags, _t491); // executed
						E0004EB16(_t448);
						 *(_t448 + 0x1c4) =  *(_t448 + 0x1c4) | 0xffffffff;
						_t336 = 4;
						 *((intOrPtr*)(_t448 + 0x1b0)) = _t336;
						 *((intOrPtr*)(_t448 + 0x1bc)) = _t336;
						__eflags = 1;
						 *((intOrPtr*)(_t448 + 0x18c)) = 1;
						 *((intOrPtr*)(_t448 + 0x21c)) = 1;
						 *((intOrPtr*)(_t448 + 0x19c)) = 1;
						 *((intOrPtr*)(_t448 + 0x198)) = 0;
						 *((intOrPtr*)(_t448 + 0x1e8)) = 0;
						 *((intOrPtr*)(_t448 + 0x1b4)) = 3;
						 *((intOrPtr*)(_t448 + 0x1b8)) = 0xe;
						 *((intOrPtr*)(_t448 + 0x1c0)) = 0x32;
						 *((intOrPtr*)(_t448 + 0x184)) = 0;
						 *((intOrPtr*)(_t448 + 0x188)) = 0;
						 *((intOrPtr*)(_t448 + 0x218)) = 0;
						 *((intOrPtr*)(_t448 + 0x220)) = 0;
						 *((intOrPtr*)(_t448 + 0x224)) = 0;
						return E00131B05(_t401, 0, _t448);
					} else {
						_t442 =  *(_t318 + 8);
						_t447 =  *_t447;
						__eflags = _t442;
						__eflags = 0 | _t442 != 0x00000000;
						if(__eflags == 0) {
							goto L60;
						} else {
							_t352 = E0003F85A(_t400, _t426, _t437, _t442, _t447, __eflags,  *((intOrPtr*)(_t442 + 0x20)));
							__eflags = _t352;
							if(_t352 != 0) {
								_t426 = _t442;
								 *((intOrPtr*)( *_t442 + 0x3a8))();
							}
							continue;
						}
					}
					L73:
				}
				 *(_t450 - 4) = 0;
				 *((intOrPtr*)(_t450 - 0x46c)) = 0x15bba0;
				E00031420(_t450 - 0x46c, _t437);
				 *(_t450 - 4) =  *(_t450 - 4) | 0xffffffff;
				E00046673(_t400, _t450 - 0x494, _t437, _t442, _t447,  *(_t450 - 4));
				return E00131B05(_t400, _t442, _t447);
				goto L73;
			}

0x00050268
0x00050268
0x00050268
0x00050272
0x00050277
0x0005027b
0x00050282
0x00050288
0x00050295
0x00050298
0x0005029e
0x000502a4
0x000502aa
0x000502b0
0x000502b6
0x000502b8
0x000502ba
0x000502bf
0x000502da
0x000502dc
0x000502dc
0x000502c1
0x000502c1
0x000502c7
0x000502c9
0x000502cb
0x000502d0
0x00000000
0x000502d2
0x000502d2
0x000502d2
0x000502d0
0x000502e4
0x000502ec
0x000502f9
0x000502f9
0x000502fb
0x00050301
0x00050309
0x00050316
0x00050316
0x00050318
0x0005031e
0x00050326
0x00050333
0x00050333
0x00050335
0x0005033d
0x0005034a
0x0005034a
0x0005034c
0x00050352
0x0005035a
0x00050367
0x00050367
0x00050369
0x00050371
0x0005037e
0x0005037e
0x00050380
0x00050388
0x00050395
0x00050395
0x00050397
0x0005039f
0x000503ac
0x000503ac
0x000503ae
0x000503b4
0x000503bc
0x000503c9
0x000503c9
0x000503cb
0x000503d3
0x000503d5
0x000503d8
0x000503e0
0x000503e0
0x000503d8
0x000503eb
0x000503f5
0x00050401
0x00050417
0x00050420
0x00050429
0x00050432
0x00050435
0x0005043a
0x00050441
0x00050441
0x0005043c
0x0005043e
0x0005043e
0x00050448
0x0005044a
0x0005044a
0x0005044c
0x00050452
0x00050460
0x00050464
0x00050487
0x0005048b
0x000504b2
0x000504b4
0x000504b6
0x000504b9
0x000504c3
0x000504bb
0x000504bb
0x000504bb
0x000504ca
0x0005048d
0x00050497
0x00050499
0x00050499
0x0005048b
0x000504cc
0x000504df
0x000504e8
0x000504f3
0x000504f9
0x00050508
0x0005050e
0x00050513
0x0005051a
0x0005051d
0x0005051f
0x0005051f
0x0005052f
0x0005053a
0x00050546
0x00050550
0x0005055b
0x00050564
0x00050574
0x0005057f
0x00050588
0x0005058f
0x0005059c
0x000505a5
0x000505a9
0x000505b9
0x000505be
0x000505c1
0x000505c7
0x000505d8
0x000505df
0x000505e5
0x000505e7
0x000505ee
0x000505f3
0x000505fa
0x000505fd
0x00050607
0x0005060f
0x00050613
0x00050615
0x0005061b
0x00050623
0x00050647
0x00050650
0x00050659
0x00050660
0x00050667
0x0005066e
0x00050687
0x00050690
0x00050697
0x000506a0
0x000506a0
0x000506a6
0x000506a6
0x000506be
0x000506c4
0x000506c8
0x000506ca
0x000506d7
0x000506e0
0x000506e4
0x000506f4
0x000506f9
0x000506fb
0x00050700
0x00050734
0x00050708
0x0005070a
0x0005070c
0x00050766
0x00050766
0x0005076b
0x0005076c
0x00050776
0x0005077b
0x00050784
0x0005078a
0x00050790
0x00050796
0x00050799
0x0005079f
0x000507a5
0x000507ab
0x000507b1
0x000507b7
0x000507bd
0x000507c3
0x000507c9
0x000507cf
0x000507d5
0x000507db
0x000507e1
0x000507e7
0x000507f2
0x000507f8
0x000507fe
0x00050804
0x0005080a
0x00050810
0x00050816
0x0005081c
0x00050827
0x0005082d
0x00050833
0x00050839
0x0005083f
0x00050845
0x0005084b
0x00050851
0x00050857
0x0005085d
0x00050863
0x00050869
0x0005086f
0x00050875
0x0005087b
0x00050881
0x00050887
0x0005088d
0x00050893
0x00050899
0x000508a6
0x000508aa
0x000508b0
0x000508b6
0x000508bc
0x000508c2
0x000508cc
0x000508d7
0x000508dd
0x000508e4
0x000508ea
0x000508ed
0x000508f4
0x000508fa
0x0005090c
0x0005090c
0x00000000
0x0005090e
0x0005090e
0x0005090e
0x000508fc
0x000508fc
0x00050903
0x00050912
0x00050914
0x00050914
0x00050905
0x00050905
0x00000000
0x00050905
0x00050903
0x00050917
0x0005091d
0x00050923
0x0005092d
0x00050930
0x00050933
0x00050936
0x0005093b
0x00050940
0x00050945
0x0005094c
0x00050952
0x00050954
0x000509c5
0x000509cb
0x000509d1
0x000509d7
0x000509dd
0x000509e3
0x00050956
0x00050969
0x0005097c
0x0005098f
0x000509a2
0x000509b5
0x000509bd
0x000509bd
0x000509ee
0x000509f4
0x000509fa
0x000509fc
0x00050a34
0x00050a3a
0x00050a40
0x000509fe
0x00050a11
0x00050a24
0x00050a2c
0x00050a2c
0x00050a48
0x00050a4e
0x00050a54
0x00050a5a
0x00050a60
0x00050a66
0x00050a6c
0x00050a72
0x00050a78
0x00050a7e
0x00050a80
0x00050a83
0x00050a8a
0x00050a8f
0x00050a98
0x00050a99
0x00050a9f
0x00050aa7
0x00050aa8
0x00050aae
0x00050ab4
0x00050aba
0x00050ac0
0x00050ac6
0x00050ad0
0x00050ada
0x00050ae4
0x00050aea
0x00050af0
0x00050af6
0x00050afc
0x00050b09
0x0005070e
0x0005070e
0x00050711
0x00050715
0x0005071a
0x0005071c
0x00000000
0x0005071e
0x00050721
0x00050726
0x00050728
0x0005072c
0x0005072e
0x0005072e
0x00000000
0x00050728
0x0005071c
0x00000000
0x0005070c
0x0005073e
0x00050742
0x0005074c
0x00050751
0x0005075b
0x00050765
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00050272

Part of subcall function 0004661F: __EH_prolog3.LIBCMT ref: 00046626
Part of subcall function 0004661F: GetWindowDC.USER32(00000000), ref: 00046652

GetDeviceCaps.GDI32(?,00000058), ref: 00050298
DeleteObject.GDI32(00000000), ref: 000502F9
DeleteObject.GDI32(00000000), ref: 00050316
DeleteObject.GDI32(00000000), ref: 00050333
DeleteObject.GDI32(00000000), ref: 0005034A
DeleteObject.GDI32(00000000), ref: 00050367
DeleteObject.GDI32(00000000), ref: 0005037E
DeleteObject.GDI32(00000000), ref: 00050395
DeleteObject.GDI32(00000000), ref: 000503AC
DeleteObject.GDI32(00000000), ref: 000503C9
DeleteObject.GDI32(00000000), ref: 000503E0
_memset.LIBCMT ref: 00050401
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 00050411
lstrcpyW.KERNEL32(?,?), ref: 00050460
EnumFontFamiliesW.GDI32(?,00000000,Function_0002021F), ref: 00050487
lstrcpyW.KERNEL32(?), ref: 00050497
EnumFontFamiliesW.GDI32(?,00000000,Function_0002021F), ref: 000504B2
lstrcpyW.KERNEL32(?), ref: 000504CA
CreateFontIndirectW.GDI32(?), ref: 000504D6
CreateFontIndirectW.GDI32(?), ref: 00050526
CreateFontIndirectW.GDI32(?), ref: 0005056B
CreateFontIndirectW.GDI32(?), ref: 00050593
CreateFontIndirectW.GDI32(?), ref: 000505B0
GetSystemMetrics.USER32 ref: 000505CB
lstrcpyW.KERNEL32(?), ref: 000505DF
CreateFontIndirectW.GDI32(?), ref: 000505E5
GetStockObject.GDI32(00000011), ref: 00050613
GetObjectW.GDI32(?,0000005C,?), ref: 00050635
lstrcpyW.KERNEL32(?), ref: 0005066E
CreateFontIndirectW.GDI32(?), ref: 00050678
CreateFontIndirectW.GDI32(?), ref: 00050697
GetStockObject.GDI32(00000011), ref: 000506AD
GetObjectW.GDI32(?,0000005C,?), ref: 000506BE
CreateFontIndirectW.GDI32(?), ref: 000506C8
CreateFontIndirectW.GDI32(?), ref: 000506EB

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

__EH_prolog3_GS.LIBCMT ref: 00050776
GetVersionExW.KERNEL32(?,0000011C,00000000), ref: 000508CC
KiUserCallbackDispatcher.NTDLL ref: 000508D7
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0005095C
GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 0005096F
GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 00050982
GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 00050995
GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 000509A8
GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 000509BB
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 00050A04
GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 00050A17
GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 00050A2A

Strings

BeginBufferedPaint, xrefs: 00050997
DwmExtendFrameIntoClientArea, xrefs: 000509FE
DwmIsCompositionEnabled, xrefs: 00050A19
UxTheme.dll, xrefs: 0005093B
BufferedPaintInit, xrefs: 00050971
EndBufferedPaint, xrefs: 000509AA
dwmapi.dll, xrefs: 000509E9
DwmDefWindowProc, xrefs: 00050A06
DrawThemeParentBackground, xrefs: 00050956
BufferedPaintUnInit, xrefs: 00050984
DrawThemeTextEx, xrefs: 0005095E

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$AddressProc$lstrcpy$EnumFamiliesH_prolog3_Stock$CallbackCapsCharsetDeviceDispatcherException@8H_prolog3InfoMetricsSystemTextThrowUserVersionWindow_memset
String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 3527877632-1174303547
Opcode ID: b6f31528951d1c617b3922daa579b3d754855d502e426006c7ee124bda7b38e5
Instruction ID: 7185a2b063aea94f6745f4256bab4e4c95af7edaef06ef9a3da38d37ab4712b6
Opcode Fuzzy Hash: b6f31528951d1c617b3922daa579b3d754855d502e426006c7ee124bda7b38e5
Instruction Fuzzy Hash: 783235B0805709DFCB619FB4C884BDEFBF8AF55305F00486AE9AAA7252DB706944CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0003F0CF Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 191
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0003F0CF(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagRECT _v76;
				char _v96;
				signed int _v100;
				intOrPtr _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t70;
				signed int _t72;
				struct tagMONITORINFO* _t73;
				void* _t99;
				struct HMONITOR__* _t103;
				void* _t108;
				struct HMONITOR__* _t109;
				signed int _t117;
				struct tagMONITORINFO* _t118;
				intOrPtr _t119;
				struct tagMONITORINFO* _t120;
				long _t121;
				long _t126;
				void* _t130;
				intOrPtr _t131;
				struct HWND__* _t132;
				void* _t134;
				struct tagMONITORINFO* _t136;
				struct tagMONITORINFO* _t140;
				signed int _t144;

				_t130 = __edx;
				_t70 =  *0x1a0454; // 0x960af5fb
				_v8 = _t70 ^ _t144;
				_t119 = _a4;
				_t131 = __ecx;
				_v104 = __ecx;
				_t72 = E0004342B(__ecx);
				_t136 = 0;
				_v100 = _t72;
				if(_t119 == 0) {
					if((_t72 & 0x40000000) == 0) {
						_t73 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t73 = GetParent( *(__ecx + 0x20));
					}
					_t120 = _t73;
					if(_t120 != _t136) {
						_t118 = SendMessageW(_t120, 0x36b, _t136, _t136);
						if(_t118 != _t136) {
							_t120 = _t118;
						}
					}
				} else {
					_t120 =  *(_t119 + 0x20);
				}
				_v56.left = _t136;
				_v56.top = _t136;
				_v56.right = _t136;
				_v56.bottom = _t136;
				GetWindowRect( *(_t131 + 0x20),  &_v56);
				_v24.left = _t136;
				_v24.top = _t136;
				_v24.right = _t136;
				_v24.bottom = _t136;
				_v40.left = _t136;
				_v40.top = _t136;
				_v40.right = _t136;
				_v40.bottom = _t136;
				if((_v100 & 0x40000000) != 0) {
					_t132 = GetParent( *(_t131 + 0x20));
					GetClientRect(_t132,  &_v24);
					GetClientRect(_t120,  &_v40);
					MapWindowPoints(_t120, _t132,  &_v40, 2);
				} else {
					if(_t120 != _t136) {
						_t117 = GetWindowLongW(_t120, 0xfffffff0);
						if((_t117 & 0x10000000) == 0 || (_t117 & 0x20000000) != 0) {
							_t120 = 0;
						}
					}
					_v96 = 0x28;
					if(_t120 != _t136) {
						GetWindowRect(_t120,  &_v40);
						_t103 =  &_v96;
						__imp__MonitorFromWindow(2, _t103);
						GetMonitorInfoW(_t103, _t120);
						CopyRect( &_v24,  &_v76);
					} else {
						_t108 = E0003C4D8();
						if(_t108 != _t136) {
							_t136 =  *(_t108 + 0x20);
						}
						_t109 =  &_v96;
						__imp__MonitorFromWindow(1, _t109);
						GetMonitorInfoW(_t109, _t136);
						CopyRect( &_v40,  &_v76);
						CopyRect( &_v24,  &_v76);
					}
				}
				_t121 = _v56.left;
				asm("cdq");
				_t134 = _v56.right - _t121;
				asm("cdq");
				_t126 = (_v40.right + _v40.left - _t130 >> 1) - (_t134 - _t130 >> 1);
				_t135 = _t134 + _t126;
				_v100 = _v56.bottom - _v56.top;
				asm("cdq");
				asm("cdq");
				_t140 = (_v40.top + _v40.bottom - _t130 >> 1) - (_v100 - _t130 >> 1);
				if(_t134 + _t126 > _v24.right) {
					_t126 = _t121;
				}
				if(_t126 < _v24.left) {
					_t126 = _v24.left;
				}
				if(_t140 + _v100 > _v24.bottom) {
					_t140 = _v56.top - _v56.bottom + _v24.bottom;
				}
				if(_t140 < _v24.top) {
					_t140 = _v24.top;
				}
				_t99 = E00043614(_v104, 0, _t126, _t140, 0xffffffff, 0xffffffff, 0x15); // executed
				return E00130836(_t99, _t121, _v8 ^ _t144, _t130, _t135, _t140);
			}

0x0003f0cf
0x0003f0d7
0x0003f0de
0x0003f0e2
0x0003f0e7
0x0003f0e9
0x0003f0ec
0x0003f0f1
0x0003f0f3
0x0003f0f8
0x0003f104
0x0003f116
0x0003f106
0x0003f109
0x0003f109
0x0003f11c
0x0003f120
0x0003f12a
0x0003f132
0x0003f134
0x0003f134
0x0003f132
0x0003f0fa
0x0003f0fa
0x0003f0fa
0x0003f13d
0x0003f140
0x0003f143
0x0003f146
0x0003f149
0x0003f156
0x0003f159
0x0003f15c
0x0003f15f
0x0003f162
0x0003f165
0x0003f168
0x0003f16b
0x0003f16e
0x0003f216
0x0003f21d
0x0003f224
0x0003f22e
0x0003f174
0x0003f176
0x0003f17b
0x0003f186
0x0003f18f
0x0003f18f
0x0003f186
0x0003f191
0x0003f19a
0x0003f1dd
0x0003f1e3
0x0003f1ea
0x0003f1f1
0x0003f1ff
0x0003f19c
0x0003f19c
0x0003f1a3
0x0003f1a5
0x0003f1a5
0x0003f1a8
0x0003f1af
0x0003f1b6
0x0003f1ca
0x0003f1d4
0x0003f1d4
0x0003f19a
0x0003f23d
0x0003f240
0x0003f245
0x0003f249
0x0003f250
0x0003f258
0x0003f25a
0x0003f263
0x0003f26b
0x0003f272
0x0003f277
0x0003f27f
0x0003f27f
0x0003f284
0x0003f286
0x0003f286
0x0003f291
0x0003f299
0x0003f299
0x0003f29f
0x0003f2a1
0x0003f2a1
0x0003f2b1
0x0003f2c4

APIs

Part of subcall function 0004342B: GetWindowLongW.USER32(?,000000F0), ref: 00043436

GetParent.USER32(?), ref: 0003F109
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 0003F12A
GetWindowRect.USER32(?,?), ref: 0003F149
GetWindowLongW.USER32(00000000,000000F0), ref: 0003F17B
MonitorFromWindow.USER32 ref: 0003F1AF
GetMonitorInfoW.USER32(00000000), ref: 0003F1B6
CopyRect.USER32(?,?), ref: 0003F1CA
CopyRect.USER32(?,?), ref: 0003F1D4
GetWindowRect.USER32(00000000,?), ref: 0003F1DD
MonitorFromWindow.USER32 ref: 0003F1EA
GetMonitorInfoW.USER32(00000000), ref: 0003F1F1
CopyRect.USER32(?,?), ref: 0003F1FF

Strings

(, xrefs: 0003F191

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
String ID: (
API String ID: 783970248-3887548279
Opcode ID: 7dfab0341ecd09160a049d87b3ff390022052f510d4b9075a068c3c9ad101a3e
Instruction ID: 28d573f965722ac84bc8c40210a1e38ccf9c351494579a8b08f3e0166326d291
Opcode Fuzzy Hash: 7dfab0341ecd09160a049d87b3ff390022052f510d4b9075a068c3c9ad101a3e
Instruction Fuzzy Hash: DA610A71D0021AEBCB12DFA8ED899EEBBBDFB48711F144166E505F7291D770A940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000352F0 Relevance: 30.3, APIs: 16, Strings: 1, Instructions: 573
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E000352F0(void* __ecx, signed long long __fp0, signed char _a4, signed short _a6) {
				signed int _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				void* _v28;
				long _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				long _v48;
				long _v52;
				void* _v56;
				long _v60;
				intOrPtr _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t166;
				WCHAR* _t172;
				signed int _t174;
				signed int _t177;
				signed int _t179;
				int _t186;
				signed int _t188;
				intOrPtr* _t190;
				void* _t194;
				long _t195;
				signed int _t205;
				signed int _t210;
				signed int _t212;
				signed int _t219;
				void* _t228;
				signed int _t229;
				signed char _t231;
				signed char _t233;
				signed int _t240;
				intOrPtr* _t242;
				void* _t245;
				signed int _t247;
				signed int _t254;
				signed int _t257;
				signed int _t260;
				signed int _t262;
				long _t263;
				signed int _t266;
				void* _t277;
				intOrPtr* _t280;
				void* _t289;
				intOrPtr _t334;
				intOrPtr _t339;
				signed char _t345;
				void* _t350;
				signed int _t362;
				signed int _t367;
				void* _t376;
				void* _t382;
				signed int _t399;
				signed int _t400;
				void* _t403;
				intOrPtr _t405;
				signed int _t409;
				signed int _t411;
				signed char _t413;
				signed int _t420;
				void* _t421;
				intOrPtr _t422;
				signed long long _t431;

				_t431 = __fp0;
				_push(0xffffffff);
				_push(0x154490);
				_push( *[fs:0x0]);
				_t422 = _t421 - 0x38;
				_t166 =  *0x1a0454; // 0x960af5fb
				_push(_t166 ^ _t420);
				 *[fs:0x0] =  &_v16;
				_v20 = _t422;
				_t413 = _a4;
				E000349A0(_t413);
				_t288 = _t413 + 0x84;
				_t362 = _t413 + 0x6c;
				_t399 = _t413 + 8;
				if(E00049513(_t399,  *(_t413 + 8), _t362, _t413 + 0x7c, _t413 + 0x80, _t413 + 0x84) != 0) {
					_t289 = 0;
					_t400 = _t399 | 0xffffffff;
					L7:
					_t172 =  *(_t413 + 0xc);
					__eflags =  *((intOrPtr*)(_t172 - 0xc)) - _t289;
					if( *((intOrPtr*)(_t172 - 0xc)) == _t289) {
						L16:
						_v8 = _t400;
						_t174 =  *((intOrPtr*)( *((intOrPtr*)( *_t413))))();
						__eflags = _t174;
						if(_t174 == 0) {
							goto L4;
						} else {
							_t177 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 4))))();
							__eflags = _t177;
							if(_t177 == 0) {
								goto L4;
							} else {
								_t179 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 8))))();
								__eflags = _t179;
								if(_t179 == 0) {
									goto L4;
								} else {
									_v28 = _t289;
									_v40 = _t289;
									_a4 = _t289;
									__eflags =  *((intOrPtr*)(_t413 + 0x60)) - _t289;
									if( *((intOrPtr*)(_t413 + 0x60)) == _t289) {
										L22:
										__eflags =  *((intOrPtr*)(_t413 + 0x64)) - _t289;
										if( *((intOrPtr*)(_t413 + 0x64)) == _t289) {
											goto L25;
										} else {
											_t260 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0xc))))();
											__eflags = _t260;
											if(_t260 == 0) {
												goto L4;
											} else {
												_v40 = 1;
												while(1) {
													L25:
													 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x28))))( &_v24);
													_v8 = 3;
													_t367 = _v24;
													_t307 =  *(_t367 - 0xc);
													asm("sbb eax, eax");
													_t186 = HttpSendRequestW( *(_t413 + 0x78),  ~( *(_t367 - 0xc)) & _t367,  *(_t367 - 0xc), _t289, _t289);
													__eflags = _t186 - _t289;
													if(_t186 == _t289) {
													}
													L26:
													_t409 = GetLastError();
													__eflags = _t409 - 0x2f0c;
													if(_t409 != 0x2f0c) {
														L69:
														_push(_t409);
														_push(0x6f);
														L70:
														_t369 =  *_t413;
														_t190 =  *((intOrPtr*)( *_t413 + 0x1c));
														L71:
														 *_t190();
														L72:
														_t309 =  &_v24;
														L73:
														E00031170(_t309, _t369);
														__eflags = 0;
														 *[fs:0x0] = _v16;
														return 0;
													} else {
														__eflags = _a4 - _t289;
														if(_a4 != _t289) {
															goto L69;
														} else {
															_t345 = _t413;
															__eflags =  *((intOrPtr*)(_t413 + 0x44)) - _t289;
															if( *((intOrPtr*)(_t413 + 0x44)) == _t289) {
																_t257 = E000352D0(_t345);
															} else {
																_t257 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x14))))();
															}
															__eflags = _t257;
															if(_t257 == 0) {
																goto L69;
															} else {
																_a4 = 1;
																_t400 = _t409 | 0xffffffff;
																__eflags = _t400;
																L32:
																_v8 = _t400;
																_t242 = _v24 + 0xfffffff0;
																asm("lock xadd [ecx], edx");
																__eflags = _t400 - 1;
																if(_t400 - 1 <= 0) {
																	 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t242)) + 4))))(_t242);
																}
																while(1) {
																	L25:
																	 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x28))))( &_v24);
																	_v8 = 3;
																	_t367 = _v24;
																	_t307 =  *(_t367 - 0xc);
																	asm("sbb eax, eax");
																	_t186 = HttpSendRequestW( *(_t413 + 0x78),  ~( *(_t367 - 0xc)) & _t367,  *(_t367 - 0xc), _t289, _t289);
																	__eflags = _t186 - _t289;
																	if(_t186 == _t289) {
																	}
																	goto L35;
																}
																goto L26;
															}
														}
													}
													goto L93;
													L35:
													_t368 =  *(_t413 + 0x78);
													_v36 = _t289;
													_t188 = L00036080( &_v36, _t307,  *(_t413 + 0x78));
													__eflags = _t188;
													if(_t188 == 0) {
														_push(GetLastError());
														_push(0x70);
														goto L70;
													} else {
														_t194 = _v36;
														__eflags = _t194 - 0x197;
														if(_t194 == 0x197) {
															L38:
															_v60 = _t289;
															_v8 = 4;
															_t195 =  *(_t413 + 0x5c);
															__eflags = 0 - _t289;
															if(__eflags > 0) {
																L75:
																_t369 =  *_t413;
																 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x1c))))(0x6e, 0xe);
																E00130CB2(_t289);
																goto L72;
															} else {
																if(__eflags < 0) {
																	L41:
																	_t403 = E00131013(_t368, _t400, _t413, _t195);
																	_t422 = _t422 + 4;
																	_v60 = _t403;
																	__eflags = _t403 - _t289;
																	if(_t403 == _t289) {
																		goto L75;
																	} else {
																		_v48 = _t289;
																		do {
																			InternetReadFile( *(_t413 + 0x78), _t403,  *(_t413 + 0x5c),  &_v48);
																			__eflags = _v48 - _t289;
																		} while (_v48 != _t289);
																		_v8 = 3;
																		E00130CB2(_t403);
																		_t194 = _v36;
																		_t422 = _t422 + 4;
																		_t400 = _t403 | 0xffffffff;
																		__eflags = _t400;
																		goto L45;
																	}
																} else {
																	__eflags = _t195 - _t400;
																	if(_t195 > _t400) {
																		goto L75;
																	} else {
																		goto L41;
																	}
																}
															}
														} else {
															__eflags = _t194 - 0x191;
															if(_t194 != 0x191) {
																L45:
																__eflags = _t194 - 0x197;
																if(_t194 != 0x197) {
																	__eflags = _t194 - 0x191;
																	if(_t194 != 0x191) {
																		__eflags = _t194 - 0xc8;
																		if(_t194 == 0xc8) {
																			L63:
																			 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x38))))(0x6c);
																			_v44 = _t289;
																			_v40 = _t289;
																			_v56 = _t289;
																			_t205 = E00036090(_t289,  &_v44,  *(_t413 + 0x78));
																			__eflags = _t205;
																			if(_t205 != 0) {
																				_v56 = 1;
																				 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x40))))(_v44, _v40);
																			}
																			 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x38))))(0x74);
																			_v60 = GetTickCount();
																			_v32 = _t289;
																			_v28 = _t289;
																			_v8 = 5;
																			_t210 = E00036150( *(_t413 + 0x5c),  &_v28);
																			__eflags = _t210;
																			if(_t210 != 0) {
																				_t405 = 0;
																				__eflags = 0;
																				while(1) {
																					_t212 = InternetReadFile( *(_t413 + 0x78), _v28,  *(_t413 + 0x5c),  &_v32);
																					__eflags = _t212;
																					if(_t212 == 0) {
																						break;
																					}
																					_t219 = _v32;
																					__eflags = _t219;
																					if(_t219 == 0) {
																						L88:
																						asm("adc ecx, [ebp-0x24]");
																						_t376 =  *_t413;
																						_t377 =  *((intOrPtr*)(_t376 + 0x44));
																						 *((intOrPtr*)( *((intOrPtr*)(_t376 + 0x44))))(_t405, 0, _v56,  *((intOrPtr*)(_t413 + 0x50)) + _v44,  *((intOrPtr*)(_t413 + 0x54)));
																						__eflags = _v32;
																						if(_v32 == 0) {
																							L90:
																							E00130CB2(_v28);
																							E00031170( &_v24, _t377);
																							 *[fs:0x0] = _v16;
																							return 1;
																						} else {
																							_t228 =  *_t413;
																							_t377 =  *((intOrPtr*)(_t228 + 0x3c));
																							_t229 =  *((intOrPtr*)( *((intOrPtr*)(_t228 + 0x3c))))();
																							__eflags = _t229;
																							if(_t229 == 0) {
																								continue;
																							} else {
																								goto L90;
																							}
																						}
																					} else {
																						_t231 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x48))))(_v28, _t219);
																						__eflags = _t231;
																						if(_t231 == 0) {
																							_t375 = _v28;
																							_push(_v28);
																							goto L68;
																						} else {
																							asm("fldz");
																							_t405 = _t405 + _v32;
																							asm("fcomp qword [esi+0x48]");
																							asm("adc ebx, 0x0");
																							_v72 = _t405;
																							_v68 = 0;
																							asm("fnstsw ax");
																							__eflags = _t231 & 0x00000005;
																							if((_t231 & 0x00000005) == 0) {
																								_t233 = GetTickCount() - _v60;
																								__eflags = _t233;
																								_a4 = _t233;
																								asm("fild dword [ebp+0x8]");
																								if(_t233 < 0) {
																									_t431 = _t431 +  *0x181b58;
																								}
																								asm("fild qword [ebp-0x44]");
																								_t431 = _t431 / st1;
																								asm("fcom qword [esi+0x48]");
																								asm("fnstsw ax");
																								__eflags = _t233 & 0x00000041;
																								if((_t233 & 0x00000041) != 0) {
																									st1 = _t431;
																									st0 = _t431;
																								} else {
																									asm("fnstcw word [ebp+0xa]");
																									_t431 = _t431 * st1 /  *(_t413 + 0x48);
																									_v48 = _a6 & 0x0000ffff | 0x00000c00;
																									asm("fsubrp st1, st0");
																									asm("fldcw word [ebp-0x2c]");
																									asm("fistp qword [ebp-0x30]");
																									asm("fldcw word [ebp+0xa]");
																									Sleep(_v52);
																								}
																							}
																							goto L88;
																						}
																					}
																					goto L93;
																				}
																				_push(GetLastError());
																				_push(0x72);
																				goto L67;
																			} else {
																				_push(0xe);
																				_push(0x6e);
																				L67:
																				_t375 =  *_t413;
																				 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x1c))))();
																				_push(_v28);
																				L68:
																				E00130CB2();
																				E00031170( &_v24, _t375);
																				__eflags = 0;
																				 *[fs:0x0] = _v16;
																				return 0;
																			}
																		} else {
																			__eflags = _t194 - 0xce;
																			if(_t194 != 0xce) {
																				_t369 =  *_t413;
																				_push(_t194);
																				_t190 =  *((intOrPtr*)( *_t413 + 0x20));
																				_push(0x71);
																				goto L71;
																			} else {
																				goto L63;
																			}
																		}
																	} else {
																		_t334 =  *((intOrPtr*)(_t413 + 0x1c));
																		__eflags =  *((intOrPtr*)(_t334 - 0xc)) - _t289;
																		if( *((intOrPtr*)(_t334 - 0xc)) == _t289) {
																			L57:
																			__eflags =  *((intOrPtr*)(_t413 + 0x40)) - _t289;
																			if( *((intOrPtr*)(_t413 + 0x40)) == _t289) {
																				_t369 =  *_t413;
																				_t190 =  *((intOrPtr*)( *_t413 + 0x20));
																				_push(0x191);
																				_push(0x71);
																				goto L71;
																			} else {
																				goto L58;
																			}
																		} else {
																			__eflags = _v40 - _t289;
																			if(_v40 != _t289) {
																				goto L57;
																			} else {
																				_t369 =  *_t413;
																				_t247 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0xc))))();
																				_t309 =  &_v24;
																				__eflags = _t247;
																				if(_t247 == 0) {
																					goto L73;
																				} else {
																					_v40 = 1;
																					_v8 = _t400;
																					E00031170( &_v24, _t369);
																					continue;
																				}
																			}
																		}
																	}
																} else {
																	_t339 =  *((intOrPtr*)(_t413 + 0x14));
																	__eflags =  *((intOrPtr*)(_t339 - 0xc)) - _t289;
																	if( *((intOrPtr*)(_t339 - 0xc)) == _t289) {
																		L50:
																		__eflags =  *((intOrPtr*)(_t413 + 0x3c)) - _t289;
																		if( *((intOrPtr*)(_t413 + 0x3c)) != _t289) {
																			L58:
																			_t382 =  *_t413;
																			_t369 =  *((intOrPtr*)(_t382 + 0x2c));
																			_v56 = _t289;
																			_t240 =  *((intOrPtr*)( *((intOrPtr*)(_t382 + 0x2c))))( &_v56);
																			__eflags = _t240;
																			if(_t240 != 0) {
																				goto L32;
																			} else {
																				_t245 = _v56;
																				__eflags = _t245 - _t289;
																				if(_t245 != _t289) {
																					_push(_t245);
																					_push(0x84);
																					goto L70;
																				}
																				goto L72;
																			}
																		} else {
																			 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x20))))(0x71, 0x197);
																			E00031170( &_v24,  *_t413);
																			__eflags = 0;
																			 *[fs:0x0] = _v16;
																			return 0;
																		}
																	} else {
																		__eflags = _v28 - _t289;
																		if(_v28 != _t289) {
																			goto L50;
																		} else {
																			_t369 =  *_t413;
																			_t254 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x10))))();
																			_t309 =  &_v24;
																			__eflags = _t254;
																			if(_t254 == 0) {
																				goto L73;
																			} else {
																				_v28 = 1;
																				_v8 = _t400;
																				E00031170( &_v24, _t369);
																				continue;
																			}
																		}
																	}
																}
															} else {
																goto L38;
															}
														}
													}
													goto L93;
												}
											}
										}
									} else {
										_t262 =  *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x10))))();
										__eflags = _t262;
										if(_t262 == 0) {
											goto L4;
										} else {
											_v28 = 1;
											goto L22;
										}
									}
								}
							}
						}
					} else {
						_t263 = GetFileAttributesW(_t172); // executed
						_t263 - _t400 = (_t263 != _t400) - _t289;
						if(_t263 != _t400 == _t289) {
							L12:
							_t350 = 0x1021;
						} else {
							__eflags =  *((intOrPtr*)(_t413 + 0x54)) - _t289;
							if( *((intOrPtr*)(_t413 + 0x54)) > _t289) {
								L11:
								_t350 = 0x3021;
							} else {
								__eflags =  *((intOrPtr*)(_t413 + 0x50)) - _t289;
								if( *((intOrPtr*)(_t413 + 0x50)) <= _t289) {
									goto L12;
								} else {
									goto L11;
								}
							}
						}
						_t266 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t413 + 0x8c)) + 0x24))))( *(_t413 + 0xc), _t350, _t289); // executed
						__eflags = _t266;
						if(_t266 != 0) {
							_v8 = 1;
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t413 + 0x8c)) + 0x2c))))( *((intOrPtr*)(_t413 + 0x50)),  *((intOrPtr*)(_t413 + 0x54)), _t289);
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t413 + 0x8c)) + 0x30))))( *((intOrPtr*)(_t413 + 0x50)),  *((intOrPtr*)(_t413 + 0x54)));
							_t400 = _t400 | 0xffffffff;
							__eflags = _t400;
							goto L16;
						} else {
							 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 0x1c))))(0x83, GetLastError()); // executed
							__eflags = 0;
							 *[fs:0x0] = _v16;
							return 0;
						}
					}
				} else {
					_t277 = E00034060( &_v48, L"http://", _t399);
					_t422 = _t422 + 0xc;
					_v8 = 0;
					E00034260(_t399, _t277);
					_v8 = 0xffffffff;
					_t280 = _v48 + 0xfffffff0;
					asm("lock xadd [ecx], edx");
					if((_t362 | 0xffffffff) - 1 <= 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t280)) + 4))))(_t280);
					}
					_t411 =  *_t399;
					if(E00049513(_t411, _t411, _t413 + 0x6c, _t413 + 0x7c, _t413 + 0x80, _t288) != 0) {
						_t400 = _t411 | 0xffffffff;
						_t289 = 0;
						__eflags = 0;
						goto L7;
					} else {
						L4:
						 *[fs:0x0] = _v16;
						return 0;
					}
				}
				L93:
			}

0x000352f0
0x000352f3
0x000352f5
0x00035300
0x00035301
0x00035307
0x0003530e
0x00035312
0x00035318
0x0003531b
0x0003531e
0x00035326
0x00035338
0x0003533b
0x00035347
0x000353c2
0x000353c4
0x000353ce
0x000353ce
0x000353d1
0x000353d4
0x00035485
0x00035485
0x0003548e
0x00035490
0x00035492
0x00000000
0x00035498
0x0003549f
0x000354a1
0x000354a3
0x00000000
0x000354a9
0x000354b0
0x000354b2
0x000354b4
0x00000000
0x000354ba
0x000354ba
0x000354bd
0x000354c0
0x000354c3
0x000354c6
0x000354e0
0x000354e0
0x000354e3
0x00000000
0x000354e5
0x000354ec
0x000354ee
0x000354f0
0x00000000
0x000354f6
0x000354f6
0x000354fd
0x000354fd
0x00035508
0x0003550a
0x00035511
0x00035514
0x0003551d
0x00035527
0x0003552d
0x0003552f
0x0003552f
0x00035535
0x0003553b
0x0003553d
0x00035543
0x000357eb
0x000357eb
0x000357ec
0x000357ee
0x000357ee
0x000357f0
0x000357f3
0x000357f5
0x000357f7
0x000357f7
0x000357fa
0x000357fa
0x000357ff
0x00035804
0x00035812
0x00035549
0x00035549
0x0003554c
0x00000000
0x00035552
0x00035552
0x00035554
0x00035557
0x000355bf
0x00035559
0x0003555e
0x0003555e
0x00035560
0x00035562
0x00000000
0x00035568
0x00035568
0x0003556f
0x0003556f
0x00035572
0x00035572
0x00035578
0x00035580
0x00035585
0x00035587
0x00035595
0x00035595
0x000354fd
0x000354fd
0x00035508
0x0003550a
0x00035511
0x00035514
0x0003551d
0x00035527
0x0003552d
0x0003552f
0x0003552f
0x00000000
0x0003552f
0x00000000
0x000354fd
0x00035562
0x0003554c
0x00000000
0x000355c6
0x000355c6
0x000355cc
0x000355cf
0x000355d4
0x000355d6
0x0003581b
0x0003581c
0x00000000
0x000355dc
0x000355dc
0x000355df
0x000355e4
0x000355ed
0x000355ed
0x000355f2
0x000355f6
0x000355f9
0x000355fb
0x00035820
0x00035820
0x0003582b
0x0003582e
0x00000000
0x00035601
0x00035601
0x0003560b
0x00035611
0x00035613
0x00035616
0x00035619
0x0003561b
0x00000000
0x00035621
0x00035621
0x00035624
0x00035631
0x00035637
0x00035637
0x0003563d
0x00035641
0x00035646
0x00035649
0x0003564c
0x0003564c
0x00000000
0x0003564c
0x00035603
0x00035603
0x00035605
0x00000000
0x00000000
0x00000000
0x00000000
0x00035605
0x00035601
0x000355e6
0x000355e6
0x000355eb
0x0003564f
0x0003564f
0x00035654
0x000356be
0x000356c3
0x00035731
0x00035736
0x00035743
0x0003574c
0x00035755
0x00035758
0x0003575b
0x0003575e
0x00035766
0x00035768
0x00035779
0x00035780
0x00035780
0x0003578b
0x00035793
0x00035796
0x00035799
0x0003579f
0x000357a7
0x000357ac
0x000357ae
0x00035850
0x00035852
0x00035854
0x00035864
0x0003586a
0x0003586c
0x00000000
0x00000000
0x00035872
0x00035875
0x00035877
0x00035900
0x00035909
0x0003590c
0x0003590e
0x0003591b
0x0003591d
0x00035921
0x00035934
0x00035938
0x00035943
0x00035950
0x0003595e
0x00035923
0x00035923
0x00035925
0x0003592a
0x0003592c
0x0003592e
0x00000000
0x00000000
0x00000000
0x00000000
0x0003592e
0x0003587d
0x00035889
0x0003588b
0x0003588d
0x0003596f
0x00035972
0x00000000
0x00035893
0x00035893
0x00035895
0x00035898
0x0003589b
0x0003589e
0x000358a1
0x000358a4
0x000358a6
0x000358a9
0x000358b1
0x000358b1
0x000358b4
0x000358b7
0x000358ba
0x000358bc
0x000358bc
0x000358c2
0x000358c5
0x000358c7
0x000358ca
0x000358cc
0x000358cf
0x000358fc
0x000358fe
0x000358d1
0x000358d3
0x000358d6
0x000358e2
0x000358e5
0x000358e7
0x000358ea
0x000358f1
0x000358f4
0x000358f4
0x000358cf
0x00000000
0x000358a9
0x0003588d
0x00000000
0x00035877
0x00035967
0x00035968
0x00000000
0x000357b4
0x000357b4
0x000357b6
0x000357b8
0x000357b8
0x000357bf
0x000357c4
0x000357c5
0x000357c5
0x000357d0
0x000357d5
0x000357da
0x000357e8
0x000357e8
0x00035738
0x00035738
0x0003573d
0x00035846
0x00035848
0x00035849
0x0003584c
0x00000000
0x00000000
0x00000000
0x00000000
0x0003573d
0x000356c5
0x000356c5
0x000356c8
0x000356cb
0x000356fa
0x000356fa
0x000356fd
0x00035838
0x0003583a
0x0003583d
0x00035842
0x00000000
0x00000000
0x00000000
0x00000000
0x000356cd
0x000356cd
0x000356d0
0x00000000
0x000356d2
0x000356d2
0x000356d9
0x000356db
0x000356de
0x000356e0
0x00000000
0x000356e6
0x000356e6
0x000356ed
0x000356f0
0x00000000
0x000356f0
0x000356e0
0x000356d0
0x000356cb
0x00035656
0x00035656
0x00035659
0x0003565c
0x0003568b
0x0003568b
0x0003568e
0x00035703
0x00035703
0x00035705
0x0003570e
0x00035711
0x00035713
0x00035715
0x00000000
0x0003571b
0x0003571b
0x0003571e
0x00035720
0x00035726
0x00035727
0x00000000
0x00035727
0x00000000
0x00035720
0x00035690
0x0003569e
0x000356a3
0x000356a8
0x000356ad
0x000356bb
0x000356bb
0x0003565e
0x0003565e
0x00035661
0x00000000
0x00035663
0x00035663
0x0003566a
0x0003566c
0x0003566f
0x00035671
0x00000000
0x00035677
0x00035677
0x0003567e
0x00035681
0x00000000
0x00035681
0x00035671
0x00035661
0x0003565c
0x00000000
0x00000000
0x00000000
0x000355eb
0x000355e4
0x00000000
0x000355d6
0x000354fd
0x000354f0
0x000354c8
0x000354cf
0x000354d1
0x000354d3
0x00000000
0x000354d9
0x000354d9
0x00000000
0x000354d9
0x000354d3
0x000354c6
0x000354b4
0x000354a3
0x000353da
0x000353db
0x000353e8
0x000353ea
0x000353fd
0x000353fd
0x000353ec
0x000353ec
0x000353ef
0x000353f6
0x000353f6
0x000353f1
0x000353f1
0x000353f4
0x00000000
0x00000000
0x00000000
0x00000000
0x000353f4
0x000353ef
0x00035417
0x00035419
0x0003541b
0x00035448
0x00035467
0x00035480
0x00035482
0x00035482
0x00000000
0x0003541d
0x00035430
0x00035432
0x00035437
0x00035445
0x00035445
0x0003541b
0x00035349
0x00035353
0x00035358
0x0003535e
0x00035365
0x0003536a
0x00035374
0x0003537d
0x00035384
0x0003538e
0x0003538e
0x00035390
0x000353aa
0x000353c9
0x000353cc
0x000353cc
0x00000000
0x000353ac
0x000353ac
0x000353b1
0x000353bf
0x000353bf
0x000353aa
0x00000000

APIs

Part of subcall function 000349A0: InternetCloseHandle.WININET(?), ref: 000349C6
Part of subcall function 000349A0: InternetCloseHandle.WININET(?), ref: 000349D7
Part of subcall function 000349A0: InternetCloseHandle.WININET(?), ref: 000349E8

GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,960AF5FB,00000000,?,?,?,?,?,?,?,00154490), ref: 000353DB
GetLastError.KERNEL32(?,?,?,?,?,?,00154490,000000FF,?,00034A90,?,960AF5FB), ref: 0003541D
HttpSendRequestW.WININET(?,?,?,00000000,00000000), ref: 00035527
GetLastError.KERNEL32(?,?,?,?,?,?,?,00154490,000000FF,?,00034A90,?,960AF5FB), ref: 00035535

Strings

http://, xrefs: 0003534D

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CloseHandleInternet$ErrorLast$AttributesFileHttpRequestSend
String ID: http://
API String ID: 2297146605-1121587658
Opcode ID: f397f248da96d4d97335b1e7cd53df394f14cdadb8af3bac00ce88cf3a326e89
Instruction ID: cf7ceab0b113836d95c8230b86d0906d656c15fe4e0f4a8d7c3ef89a90ba7b2e
Opcode Fuzzy Hash: f397f248da96d4d97335b1e7cd53df394f14cdadb8af3bac00ce88cf3a326e89
Instruction Fuzzy Hash: CD229E71A00A05DFDB15DFA8D881AAEB7F9FF88311F20852DE556972A0DB31ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0003A210 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 259
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0003A210(signed int __ecx, void* __fp0, intOrPtr _a4, char _a8, intOrPtr _a12) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v2068;
				char _v4116;
				short _v6164;
				char _v8212;
				short _v10260;
				char _v10261;
				int _v10268;
				void* _v10272;
				int* _v10276;
				char _v10280;
				int _v10284;
				signed int _v10288;
				intOrPtr _v10292;
				intOrPtr _v10296;
				intOrPtr _v10300;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t83;
				signed int _t84;
				long _t87;
				long** _t89;
				intOrPtr _t90;
				long** _t98;
				void* _t112;
				char _t114;
				long _t116;
				intOrPtr* _t119;
				long _t125;
				long _t128;
				void**** _t130;
				void* _t135;
				void* _t144;
				void* _t150;
				void* _t158;
				signed int _t167;
				void** _t171;
				void* _t187;
				int _t188;
				void* _t191;
				long _t192;
				signed int _t195;
				intOrPtr _t196;
				void* _t206;

				_t206 = __fp0;
				_push(0xffffffff);
				_push(0x154ade);
				_push( *[fs:0x0]);
				E00133C00(0x282c);
				_t83 =  *0x1a0454; // 0x960af5fb
				_t84 = _t83 ^ _t195;
				_v20 = _t84;
				_push(_t84);
				 *[fs:0x0] =  &_v16;
				_v10292 = _a12;
				_v10288 = __ecx;
				_t171 =  &_v10276;
				_v8 = 0;
				_v10276 = 0;
				_v10272 = 0;
				_v10284 = 0xf003f;
				_v10268 = 0;
				_v10261 = 0;
				_t87 = RegOpenKeyExW(0x80000001, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019, _t171); // executed
				if(_t87 != 0) {
					L13:
					_v8 = 0xffffffff;
					_t89 = _a8 + 0xfffffff0;
					asm("lock xadd [ecx], edx");
					_t173 = (_t171 | 0xffffffff) - 1;
					__eflags = (_t171 | 0xffffffff) - 1;
					goto L14;
				} else {
					_t188 = 0;
					do {
						_v10268 = 0x800;
						_t192 = RegEnumKeyExW(_v10276, _t188,  &_v6164,  &_v10268, 0, 0, 0, 0);
						if(_t192 != 0) {
							goto L7;
						}
						wsprintfW( &_v10260, L"%s\\%s", L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",  &_v6164);
						_t196 = _t196 + 0x10;
						if(RegOpenKeyExW(0x80000001,  &_v10260, 0, 0x20019,  &_v10272) != 0) {
							RegCloseKey(_v10272);
							_t150 = _v10276;
							RegCloseKey(_t150);
							_v8 = 0xffffffff;
							_t89 = _a8 + 0xfffffff0;
							_t173 =  &(_t89[3]);
							asm("lock xadd [edx], ecx");
							__eflags = (_t150 | 0xffffffff) - 1;
							L14:
							if(__eflags <= 0) {
								_t173 =  *( *_t89);
								 *((intOrPtr*)( *((intOrPtr*)( *( *_t89) + 4))))(_t89);
							}
							_t90 = 0;
							L27:
							 *[fs:0x0] = _v16;
							_pop(_t187);
							_pop(_t191);
							_pop(_t135);
							return E00130836(_t90, _t135, _v20 ^ _t195, _t173, _t187, _t191);
						}
						_v10268 = 0x800;
						if(RegQueryValueExW(_v10272, L"DisplayName", 0,  &_v10284,  &_v8212,  &_v10268) != 0) {
							L6:
							RegCloseKey(_v10272);
							goto L7;
						}
						_t112 = E0003B790( &_v8212,  &_a8);
						_t196 = _t196 + 8;
						if(_t112 != 0) {
							E0003A810(_t206, _a4,  &_v10280);
							_v8 = 1;
							_t114 = _v10280;
							__eflags =  *(_t114 - 0xc);
							if( *(_t114 - 0xc) != 0) {
								_t157 = _v10272;
								_v10268 = 0x800;
								_t116 = RegQueryValueExW(_v10272, L"DisplayVersion", 0,  &_v10284,  &_v4116,  &_v10268);
								__eflags = _t116;
								if(_t116 == 0) {
									_v10300 = _t196;
									E00036620(0,  &_v4116);
									_v10296 = _t196;
									_v8 = 2;
									E00033FD0(_t196,  &_v10280);
									_v8 = 1;
									_t125 = E0003A6E0(0, _t196, 0x800, RegQueryValueExW, __eflags, _t196, _t157);
									__eflags = _t125;
									if(_t125 != 0) {
										 *_v10288 = 1;
									} else {
										_v10268 = 0x800;
										_t128 = RegQueryValueExW(_v10272, L"InstallLocation", 0,  &_v10284,  &_v2068,  &_v10268);
										__eflags = _t128;
										if(_t128 == 0) {
											E000365D0(_v10292, RegQueryValueExW,  &_v2068);
											_v10261 = 1;
										}
									}
								}
								_t158 = _v10272;
								RegCloseKey(_t158);
								_v8 = 0;
								_t119 = _v10280 + 0xfffffff0;
								asm("lock xadd [edx], ecx");
								__eflags = (_t158 | 0xffffffff) - 1;
								if((_t158 | 0xffffffff) - 1 <= 0) {
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t119)) + 4))))(_t119);
								}
								break;
							}
							_t167 = _v10288;
							_t130 = _t114 + 0xfffffff0;
							 *_t167 = 1;
							_v8 = 0;
							_t171 =  &(_t130[3]);
							asm("lock xadd [edx], ecx");
							__eflags = (_t167 | 0xffffffff) - 1;
							if((_t167 | 0xffffffff) - 1 <= 0) {
								_t171 =  *( *_t130);
								 *(_t171[1])(_t130);
							}
							goto L13;
						}
						goto L6;
						L7:
						_t188 = _t188 + 1;
					} while (_t192 == 0);
					_t144 = _v10276;
					RegCloseKey(_t144);
					_v8 = 0xffffffff;
					_t98 = _a8 + 0xfffffff0;
					_t173 =  &(_t98[3]);
					asm("lock xadd [edx], ecx");
					if((_t144 | 0xffffffff) - 1 <= 0) {
						_t173 =  *( *_t98);
						 *((intOrPtr*)( *((intOrPtr*)( *( *_t98) + 4))))(_t98);
					}
					_t90 = _v10261;
					goto L27;
				}
			}

0x0003a210
0x0003a213
0x0003a215
0x0003a220
0x0003a226
0x0003a22b
0x0003a230
0x0003a232
0x0003a238
0x0003a23c
0x0003a245
0x0003a24b
0x0003a253
0x0003a260
0x0003a26d
0x0003a273
0x0003a279
0x0003a283
0x0003a289
0x0003a28f
0x0003a297
0x0003a3fe
0x0003a3fe
0x0003a408
0x0003a411
0x0003a415
0x0003a416
0x00000000
0x0003a29d
0x0003a29d
0x0003a2a0
0x0003a2ba
0x0003a2ca
0x0003a2ce
0x00000000
0x00000000
0x0003a2ec
0x0003a2f2
0x0003a316
0x0003a38d
0x0003a38f
0x0003a396
0x0003a398
0x0003a3a2
0x0003a3a5
0x0003a3ab
0x0003a3b0
0x0003a418
0x0003a418
0x0003a41c
0x0003a422
0x0003a422
0x0003a424
0x0003a563
0x0003a566
0x0003a56e
0x0003a56f
0x0003a570
0x0003a57e
0x0003a57e
0x0003a33a
0x0003a34c
0x0003a365
0x0003a36c
0x00000000
0x0003a36c
0x0003a359
0x0003a35e
0x0003a363
0x0003a3bf
0x0003a3c4
0x0003a3c8
0x0003a3ce
0x0003a3d1
0x0003a438
0x0003a458
0x0003a45e
0x0003a460
0x0003a462
0x0003a471
0x0003a478
0x0003a484
0x0003a48d
0x0003a491
0x0003a496
0x0003a49a
0x0003a49f
0x0003a4a1
0x0003a4f2
0x0003a4a3
0x0003a4c5
0x0003a4cb
0x0003a4cd
0x0003a4cf
0x0003a4de
0x0003a4e3
0x0003a4e3
0x0003a4cf
0x0003a4a1
0x0003a4f8
0x0003a4ff
0x0003a505
0x0003a50e
0x0003a517
0x0003a51c
0x0003a51e
0x0003a528
0x0003a528
0x00000000
0x0003a51e
0x0003a3d3
0x0003a3d9
0x0003a3dc
0x0003a3e2
0x0003a3e5
0x0003a3eb
0x0003a3f0
0x0003a3f2
0x0003a3f6
0x0003a3fc
0x0003a3fc
0x00000000
0x0003a3f2
0x00000000
0x0003a372
0x0003a372
0x0003a373
0x0003a52a
0x0003a531
0x0003a537
0x0003a541
0x0003a544
0x0003a54a
0x0003a551
0x0003a555
0x0003a55b
0x0003a55b
0x0003a55d
0x00000000
0x0003a55d

APIs

RegOpenKeyExW.KERNEL32 ref: 0003A28F
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0003A2C4
wsprintfW.USER32 ref: 0003A2EC
RegOpenKeyExW.ADVAPI32 ref: 0003A30E
RegQueryValueExW.ADVAPI32 ref: 0003A344
RegCloseKey.ADVAPI32(?), ref: 0003A36C
RegCloseKey.ADVAPI32(?), ref: 0003A38D
RegCloseKey.ADVAPI32(?), ref: 0003A396
RegQueryValueExW.ADVAPI32(?,DisplayVersion,00000000,?,?,?), ref: 0003A45E
RegQueryValueExW.ADVAPI32(?,InstallLocation,00000000,?,?,?), ref: 0003A4CB
RegCloseKey.ADVAPI32(?), ref: 0003A4FF
RegCloseKey.ADVAPI32(?), ref: 0003A531

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0003A263, 0003A2DB
DisplayName, xrefs: 0003A334
%s\%s, xrefs: 0003A2E6
DisplayVersion, xrefs: 0003A44D
InstallLocation, xrefs: 0003A4BF

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Close$QueryValue$Open$Enumwsprintf
String ID: %s\%s$DisplayName$DisplayVersion$InstallLocation$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 1752170364-2283258325
Opcode ID: f900ae2e33e27241c69dc25ec0342de23939938726bf63ec8b94135819e79651
Instruction ID: 3c02c374ce5c6be72c317e99542183e155a933e68e2475e27e0286e1bd59b162
Opcode Fuzzy Hash: f900ae2e33e27241c69dc25ec0342de23939938726bf63ec8b94135819e79651
Instruction Fuzzy Hash: 54A17175A01218DFDB25DF58CC89AAAB7FCEB49320F14C299E419972C1DB705E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00049F68 Relevance: 21.1, APIs: 14, Instructions: 99
synchronizationthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00049F68(intOrPtr __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				void* _v12;
				void* _v16;
				signed int _v24;
				intOrPtr _v28;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t43;
				void* _t59;
				void* _t60;
				intOrPtr _t64;

				_t59 = __edx;
				_t64 = __ecx;
				_t69 =  *((intOrPtr*)(__ecx + 0x2c));
				if( *((intOrPtr*)(__ecx + 0x2c)) != 0) {
					E000455E0(__ecx);
				}
				E00131B30( &_v32, 0, 0x1c);
				_v32 = E0004B059(0, _t60, _t64, _t69);
				_v28 = _t64;
				_v16 = CreateEventW(0, 1, 0, 0);
				_v12 = CreateEventW(0, 1, 0, 0);
				_t37 = _a4;
				_v24 = _a4;
				if(_v16 == 0) {
					L12:
					__eflags = _v12;
					if(_v12 == 0) {
						goto L14;
					}
					goto L13;
				} else {
					if(_v12 == 0) {
						CloseHandle(_v16);
						goto L12;
					}
					_t11 = _t64 + 0x30; // 0x30
					_t43 = E00133D34(_t59, _a12, _a8, 0x49e37,  &_v32, _t37 | 0x00000004, _t11); // executed
					 *(_t64 + 0x2c) = _t43;
					if(_t43 != 0) {
						ResumeThread(_t43); // executed
						WaitForSingleObject(_v16, 0xffffffff);
						CloseHandle(_v16); // executed
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							SuspendThread( *(_t64 + 0x2c)); // executed
						}
						__eflags = _v8;
						if(_v8 == 0) {
							SetEvent(_v12);
							return 1;
						} else {
							WaitForSingleObject( *(_t64 + 0x2c), 0xffffffff);
							CloseHandle( *(_t64 + 0x2c));
							 *(_t64 + 0x2c) = 0;
							L13:
							CloseHandle(_v12);
							L14:
							return 0;
						}
					}
					CloseHandle(_v16);
					CloseHandle(_v12);
					goto L14;
				}
			}

0x00049f68
0x00049f72
0x00049f77
0x00049f7a
0x00049f7c
0x00049f7c
0x00049f88
0x00049fa0
0x00049fa3
0x00049fad
0x00049fb8
0x00049fbb
0x00049fbe
0x00049fc4
0x0004a060
0x0004a060
0x0004a063
0x00000000
0x00000000
0x00000000
0x00049fca
0x00049fcd
0x0004a05e
0x00000000
0x0004a05e
0x00049fd3
0x00049fea
0x00049ff2
0x00049ff7
0x0004a008
0x0004a013
0x0004a022
0x0004a024
0x0004a028
0x0004a02d
0x0004a02d
0x0004a033
0x0004a036
0x0004a050
0x00000000
0x0004a038
0x0004a03d
0x0004a046
0x0004a048
0x0004a065
0x0004a068
0x0004a06a
0x00000000
0x0004a06a
0x0004a036
0x00049ffe
0x0004a003
0x00000000
0x0004a003

APIs

_memset.LIBCMT ref: 00049F88
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000004,00000000,?,?,00000066,?,?), ref: 00049FA6
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00049FB0
CloseHandle.KERNEL32(?), ref: 00049FFE
CloseHandle.KERNEL32(?), ref: 0004A003

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

ResumeThread.KERNELBASE(00000000), ref: 0004A008
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0004A013
CloseHandle.KERNELBASE(?), ref: 0004A022
SuspendThread.KERNELBASE(?), ref: 0004A02D
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0004A03D
CloseHandle.KERNEL32(?), ref: 0004A046
SetEvent.KERNEL32(00000004), ref: 0004A050
CloseHandle.KERNEL32(?), ref: 0004A068

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CloseHandle$Event$CreateObjectSingleThreadWait$Exception@8ResumeSuspendThrow_memset
String ID:
API String ID: 1858493391-0
Opcode ID: 87003e1d6c26a9a24473ebe6a1a2ab9dd97ff5b803cec692378d7214cf67acec
Instruction ID: a979ce64b492970a9500c2f71f08c8731289ae8eab1a94e49f35103f5dcd31ff
Opcode Fuzzy Hash: 87003e1d6c26a9a24473ebe6a1a2ab9dd97ff5b803cec692378d7214cf67acec
Instruction Fuzzy Hash: 253188B2D00208FFCB21AFA0EC859AEBBB9FF08315F10853AF511A21A0D7319A519F55

Uniqueness

Uniqueness Score: -1.00%

Function 00044645 Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00044645(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed int _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E00131A4C(0x148a4c, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x80);
				 *(_t101 - 0x18) =  *(__ecx + 0x7c);
				_t54 = E0004B628(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x78);
				if( *(_t100 + 0x78) != 0) {
					_t96 =  *(E0004B628(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceW(_t96,  *(_t100 + 0x78), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E0004418A(_t84, _t100, __eflags);
					E0003F8E9(_t84, _t96, __eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = E0003C4D8();
								 *(_t101 - 0x24) = _t84;
								__eflags = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x14c))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E000435A9(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E000435C4(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E00041E0F(_t84, __eflags, _t100);
					_t58 = E0003F82E(_t84, _t86, _t94,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E00044481(_t84, _t100, _t94, _t96, _t100, __eflags); // executed
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x58) & 0x00000010;
						if(( *(_t100 + 0x58) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E0004342B(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E0003F2C7(_t100, _t94, _t98); // executed
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E00043614(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E000435C4(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E000441CC(_t84, _t100, _t94, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x78) - _t97;
					if( *(_t100 + 0x78) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x60);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E00131AF1(_t63);
				}
			}

0x00044645
0x00044645
0x00044645
0x0004464c
0x00044651
0x00044653
0x0004465c
0x00044662
0x00044665
0x0004466a
0x0004466d
0x0004466f
0x00044672
0x00044679
0x0004468a
0x00044690
0x00044690
0x00044696
0x0004469b
0x000446a1
0x000446a1
0x000446a7
0x000446b1
0x000446b8
0x000446bb
0x000446c0
0x000446c3
0x000446c6
0x000446c9
0x000446cc
0x000446d4
0x000446d7
0x000446e2
0x000446e4
0x000446eb
0x000446f1
0x000446fd
0x000446ff
0x00044702
0x00044704
0x00044708
0x00044710
0x00044712
0x00044714
0x0004471b
0x0004471d
0x00044721
0x00044723
0x00044728
0x00044728
0x0004471d
0x00044712
0x00044704
0x000446e4
0x000446d7
0x0004472f
0x00044734
0x0004473c
0x00044741
0x00044742
0x00044743
0x00044748
0x0004474d
0x0004474f
0x00044751
0x00044753
0x00044757
0x0004475b
0x0004475e
0x00044763
0x00044768
0x0004476c
0x0004476c
0x00044770
0x00044775
0x00044775
0x00044775
0x00044777
0x0004477a
0x00044788
0x00044788
0x0004477a
0x0004478d
0x000447b8
0x000447bb
0x000447c1
0x000447c1
0x000447c6
0x000447c9
0x000447d0
0x000447d0
0x000447d6
0x000447d9
0x000447e1
0x000447e4
0x000447e9
0x000447e9
0x000447e4
0x000447f3
0x000447f8
0x000447fd
0x00044800
0x00044805
0x00044805
0x0004480b
0x00000000
0x000446a9
0x000446a9
0x0004480e
0x00044813
0x00044813

APIs

__EH_prolog3_catch.LIBCMT ref: 0004464C
FindResourceW.KERNEL32(?,?,00000005,00000024,0003AEF3,ExamShield Version,000000C8,?,?,?,?,?,0000012C), ref: 00044682
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,0000012C), ref: 0004468A

Part of subcall function 0003F8E9: UnhookWindowsHookEx.USER32 ref: 0003F919

LockResource.KERNEL32(00154A94,00000024,0003AEF3,ExamShield Version,000000C8,?,?,?,?,?,0000012C), ref: 0004469B
GetDesktopWindow.USER32 ref: 000446CE
IsWindowEnabled.USER32(000000FF), ref: 000446DC
EnableWindow.USER32(000000FF,00000000), ref: 000446EB

Part of subcall function 000435A9: IsWindowEnabled.USER32(?), ref: 000435B2

Part of subcall function 000435C4: EnableWindow.USER32(?,?), ref: 000435D5

EnableWindow.USER32(000000FF,00000001), ref: 000447D0
GetActiveWindow.USER32 ref: 000447DB
SetActiveWindow.USER32(000000FF), ref: 000447E9
FreeResource.KERNEL32(00154A94,?,00000024,0003AEF3,ExamShield Version,000000C8,?,?,?,?,?,0000012C), ref: 00044805

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: b19cdee35db0aae742dec6c83d9891530a65fbd3d13d3c586c5f32da2d639180
Instruction ID: 038dad4855b13110283e926de6266c2f8c76347e24ed4cf32faf73efe72fccbf
Opcode Fuzzy Hash: b19cdee35db0aae742dec6c83d9891530a65fbd3d13d3c586c5f32da2d639180
Instruction Fuzzy Hash: 0B51A1B0E00B05DFDB21AFA4C88A7BEBAF5BF45702F240039E501B65E2CB744981CB59

Uniqueness

Uniqueness Score: -1.00%

Function 000517D6 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E000517D6(void* __ecx) {
				struct _CRITICAL_SECTION* _v8;
				void* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t34;
				void* _t35;
				void* _t36;
				long _t38;
				void* _t39;
				long _t51;
				signed char* _t53;
				signed int _t56;
				signed int _t57;
				void* _t61;
				signed int _t68;
				void* _t72;

				_t59 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t72 = __ecx;
				_t1 = _t72 + 0x1c; // 0x1c
				_t34 = _t1;
				_v8 = _t34;
				EnterCriticalSection(_t34);
				_t56 =  *(_t72 + 4);
				_t68 =  *(_t72 + 8);
				if(_t68 >= _t56 || ( *( *(_t72 + 0x10) + _t68 * 8) & 0x00000001) != 0) {
					_t68 = 1;
					if(_t56 <= 1) {
						L7:
						_t35 =  *(_t72 + 0x10);
						_t57 = _t56 + 0x20;
						_t83 = _t35;
						if(_t35 != 0) {
							_t36 = GlobalHandle(_t35);
							_v12 = _t36;
							GlobalUnlock(_t36);
							_t38 = E000457F3(_t57, _t59, _t68, _t72, __eflags, _t57, 8);
							_t61 = 0x2002;
							_t39 = GlobalReAlloc(_v12, _t38, ??);
						} else {
							_t51 = E000457F3(_t57, _t59, _t68, _t72, _t83, _t57, 8);
							_pop(_t61);
							_t39 = GlobalAlloc(2, _t51); // executed
						}
						if(_t39 == 0) {
							_t72 =  *(_t72 + 0x10);
							if(_t72 != 0) {
								GlobalLock(GlobalHandle(_t72));
							}
							LeaveCriticalSection(_v8);
							_t39 = E000455A8(_t61);
						}
						_v12 = GlobalLock(_t39);
						E00131B30(_t40 +  *(_t72 + 4) * 8, 0, _t57 -  *(_t72 + 4) << 3);
						 *(_t72 + 4) = _t57;
						 *(_t72 + 0x10) = _v12;
					} else {
						_t53 =  *(_t72 + 0x10) + 8;
						while(( *_t53 & 0x00000001) != 0) {
							_t68 = _t68 + 1;
							_t53 =  &(_t53[8]);
							if(_t68 < _t56) {
								continue;
							}
							break;
						}
						if(_t68 >= _t56) {
							goto L7;
						}
					}
				}
				if(_t68 >=  *((intOrPtr*)(_t72 + 0xc))) {
					 *((intOrPtr*)(_t72 + 0xc)) = _t68 + 1;
				}
				 *( *(_t72 + 0x10) + _t68 * 8) =  *( *(_t72 + 0x10) + _t68 * 8) | 0x00000001;
				 *(_t72 + 8) = _t68 + 1;
				LeaveCriticalSection(_v8);
				return _t68;
			}

0x000517d6
0x000517db
0x000517dc
0x000517df
0x000517e1
0x000517e1
0x000517e6
0x000517e9
0x000517ef
0x000517f2
0x000517f7
0x00051808
0x0005180b
0x00051828
0x00051828
0x0005182b
0x0005182e
0x00051830
0x00051848
0x0005184f
0x00051852
0x00051860
0x00051866
0x0005186b
0x00051832
0x00051835
0x0005183b
0x0005183f
0x0005183f
0x00051873
0x00051875
0x0005187a
0x00051884
0x00051884
0x0005188d
0x00051893
0x00051893
0x000518aa
0x000518b3
0x000518be
0x000518c1
0x0005180d
0x00051810
0x00051813
0x00051818
0x00051819
0x0005181e
0x00000000
0x00000000
0x00000000
0x0005181e
0x00051822
0x00000000
0x00000000
0x00051822
0x0005180b
0x000518c7
0x000518cc
0x000518cc
0x000518d8
0x000518de
0x000518e1
0x000518ed

APIs

EnterCriticalSection.KERNEL32(0000001C,?,?,00000002,00000000,00000000,?,00051C2C,00000004,0004B637,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 000517E9
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,00000002,00000000,00000000,?,00051C2C,00000004,0004B637,0003E58B,0004A15B,0004918A,?,00000000), ref: 0005183F
GlobalHandle.KERNEL32(?), ref: 00051848
GlobalUnlock.KERNEL32(00000000,?,?,00000002,00000000,00000000,?,00051C2C,00000004,0004B637,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 00051852
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 0005186B
GlobalHandle.KERNEL32(?), ref: 0005187D
GlobalLock.KERNEL32 ref: 00051884
LeaveCriticalSection.KERNEL32(00000000,?,?,00000002,00000000,00000000,?,00051C2C,00000004,0004B637,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 0005188D
GlobalLock.KERNEL32 ref: 00051899
_memset.LIBCMT ref: 000518B3
LeaveCriticalSection.KERNEL32(00000000), ref: 000518E1

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 843fd86f7bba41c0766536d2b4c86d2b38775822865847221a0fdfaeb65c9a95
Instruction ID: db911517f9a23500f3790bd52f4f6f2f48df108a7ec06e074779e41a5108a403
Opcode Fuzzy Hash: 843fd86f7bba41c0766536d2b4c86d2b38775822865847221a0fdfaeb65c9a95
Instruction Fuzzy Hash: D7319071504704AFD7319F64DC8ABAABBF9FF44312B004929E852D7691DB30E8848B60

Uniqueness

Uniqueness Score: -1.00%

Function 00044A48 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00044A48(void* __ecx, void* __edx, void* __eflags, signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				short _v10;
				char _v528;
				struct HWND__* _v532;
				signed int _v536;
				long _v540;
				struct HWND__* _v544;
				intOrPtr _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t36;
				void* _t47;
				signed int _t55;
				intOrPtr _t58;
				long _t61;
				struct HWND__* _t64;
				WCHAR* _t65;
				void* _t66;
				void* _t68;
				void* _t72;
				void* _t73;
				signed int _t74;
				void* _t76;
				void* _t77;
				signed int _t79;
				void* _t80;
				signed int _t84;

				_t72 = __edx;
				_t82 = _t84;
				_t36 =  *0x1a0454; // 0x960af5fb
				_v8 = _t36 ^ _t84;
				_t74 = _a4;
				_t79 = 0;
				_v548 = _a8;
				E0004495B(0);
				_t68 = _t73;
				_t64 = E00044996(0,  &_v532);
				_v544 = _t64;
				if(_t64 != _v532) {
					EnableWindow(_t64, 1);
				}
				_v540 = _v540 & _t79;
				GetWindowThreadProcessId(_t64,  &_v540);
				if(_t64 == 0 || _v540 != GetCurrentProcessId()) {
					L7:
					__eflags = _t74;
					if(__eflags != 0) {
						_t79 = _t74 + 0x7c;
					}
					goto L9;
				} else {
					_t61 = SendMessageW(_t64, 0x376, 0, 0);
					if(_t61 == 0) {
						goto L7;
					} else {
						_t79 = _t61;
						L9:
						_v536 = _v536 & 0x00000000;
						if(_t79 != 0) {
							_v536 =  *_t79;
							_t58 = _a16;
							if(_t58 != 0) {
								 *_t79 = _t58 + 0x30000;
							}
						}
						if((_a12 & 0x000000f0) == 0) {
							_t55 = _a12 & 0x0000000f;
							if(_t55 <= 1) {
								_t23 =  &_a12;
								 *_t23 = _a12 | 0x00000030;
								__eflags =  *_t23;
							} else {
								if(_t55 + 0xfffffffd <= 1) {
									_a12 = _a12 | 0x00000020;
								}
							}
						}
						_v528 = 0;
						_t99 = _t74;
						if(_t74 == 0) {
							_t65 =  &_v528;
							__eflags = GetModuleFileNameW(0, _t65, 0x104) - 0x104;
							if(__eflags == 0) {
								__eflags = 0;
								_v10 = 0;
							}
						} else {
							_t65 =  *(_t74 + 0x50);
						}
						_push(_a12);
						_push(_t65);
						_push(_v548);
						_push(_v544);
						_t47 = E0003E804(_t68, _t79, _t99); // executed
						_t76 = _t47;
						if(_t79 != 0) {
							 *_t79 = _v536;
						}
						if(_v532 != 0) {
							EnableWindow(_v532, 1);
						}
						E0004495B(1);
						_pop(_t77);
						_pop(_t80);
						_pop(_t66);
						return E00130836(_t76, _t66, _v8 ^ _t82, _t72, _t77, _t80);
					}
				}
			}

0x00044a48
0x00044a4b
0x00044a53
0x00044a5a
0x00044a63
0x00044a66
0x00044a69
0x00044a6f
0x00044a74
0x00044a82
0x00044a84
0x00044a90
0x00044a95
0x00044a95
0x00044a9b
0x00044aa9
0x00044ab1
0x00044ad9
0x00044ad9
0x00044adb
0x00044add
0x00044add
0x00000000
0x00044ac1
0x00044acb
0x00044ad3
0x00000000
0x00044ad5
0x00044ad5
0x00044ae0
0x00044ae0
0x00044ae9
0x00044aed
0x00044af3
0x00044af8
0x00044aff
0x00044aff
0x00044af8
0x00044b05
0x00044b0a
0x00044b10
0x00044b20
0x00044b20
0x00044b20
0x00044b12
0x00044b18
0x00044b1a
0x00044b1a
0x00044b18
0x00044b10
0x00044b26
0x00044b2d
0x00044b2f
0x00044b36
0x00044b4d
0x00044b4f
0x00044b51
0x00044b53
0x00044b53
0x00044b31
0x00044b31
0x00044b31
0x00044b57
0x00044b5a
0x00044b5b
0x00044b61
0x00044b67
0x00044b6f
0x00044b73
0x00044b7b
0x00044b7b
0x00044b84
0x00044b8e
0x00044b8e
0x00044b96
0x00044ba1
0x00044ba2
0x00044ba5
0x00044bac
0x00044bac
0x00044ad3

APIs

Part of subcall function 00044996: GetParent.USER32(?), ref: 000449EA
Part of subcall function 00044996: GetLastActivePopup.USER32(?), ref: 000449FB
Part of subcall function 00044996: IsWindowEnabled.USER32(?), ref: 00044A0F
Part of subcall function 00044996: EnableWindow.USER32(?,00000000), ref: 00044A22

EnableWindow.USER32(?,00000001), ref: 00044A95
GetWindowThreadProcessId.USER32(?,?), ref: 00044AA9
GetCurrentProcessId.KERNEL32(?,00000000), ref: 00044AB3
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 00044ACB
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 00044B47
EnableWindow.USER32(00000000,00000001), ref: 00044B8E

Strings

0, xrefs: 00044B20

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: cd56328cb5cb4017d8ff5a9953196433e94ae5487d04be88f37a5d2b42186125
Instruction ID: 88e0a4d9924b0617ef7120aa0bf8a9934b506342f9e4756af0ef3388bf7f4b43
Opcode Fuzzy Hash: cd56328cb5cb4017d8ff5a9953196433e94ae5487d04be88f37a5d2b42186125
Instruction Fuzzy Hash: 1341E2B1A40318ABDB61DF64DC897DAB7F8FF14701F1005A8F919D6181D770DE908B98

Uniqueness

Uniqueness Score: -1.00%

Function 00133D34 Relevance: 12.1, APIs: 8, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00133D34(void* __edx, struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t16;
				DWORD* _t21;
				char _t34;
				void* _t36;

				_t34 = _a12;
				_t26 = 0;
				_t38 = _t34;
				if(_t34 != 0) {
					E00137D4D();
					_t36 = E0013A751(1, 0x214);
					__eflags = _t36;
					if(__eflags == 0) {
						L7:
						E00130CB2(_t36);
						__eflags = _t26;
						if(_t26 != 0) {
							E00131F45(_t26);
						}
						_t16 = 0;
						__eflags = 0;
						L10:
						return _t16;
					}
					_push( *((intOrPtr*)(E00137F08(0, __edx, __eflags) + 0x6c)));
					_push(_t36);
					E00137DDB(0, _t34, _t36, __eflags);
					 *(_t36 + 4) =  *(_t36 + 4) | 0xffffffff;
					 *((intOrPtr*)(_t36 + 0x58)) = _a16;
					_t21 = _a24;
					 *((intOrPtr*)(_t36 + 0x54)) = _t34;
					__eflags = _t21;
					if(_t21 == 0) {
						_t21 =  &_a12;
					}
					_t16 = CreateThread(_a4, _a8, E00133CCF, _t36, _a20, _t21); // executed
					__eflags = _t16;
					if(_t16 != 0) {
						goto L10;
					} else {
						_t26 = GetLastError();
						goto L7;
					}
				}
				 *((intOrPtr*)(E00131F1F(_t38))) = 0x16;
				E00139345();
				return 0;
			}

0x00133d3b
0x00133d3e
0x00133d40
0x00133d42
0x00133d59
0x00133d6a
0x00133d6e
0x00133d70
0x00133dbb
0x00133dbc
0x00133dc2
0x00133dc4
0x00133dc7
0x00133dcc
0x00133dcd
0x00133dcd
0x00133dcf
0x00000000
0x00133dcf
0x00133d77
0x00133d7a
0x00133d7b
0x00133d83
0x00133d87
0x00133d8a
0x00133d8f
0x00133d92
0x00133d94
0x00133d96
0x00133d96
0x00133da9
0x00133daf
0x00133db1
0x00000000
0x00133db3
0x00133db9
0x00000000
0x00133db9
0x00133db1
0x00133d49
0x00133d4f
0x00000000

APIs

___set_flsgetvalue.LIBCMT ref: 00133D59
__calloc_crt.LIBCMT ref: 00133D65
__getptd.LIBCMT ref: 00133D72
__initptd.LIBCMT ref: 00133D7B
CreateThread.KERNELBASE(?,?,00133CCF,00000000,?,?), ref: 00133DA9
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00133DB3
_free.LIBCMT ref: 00133DBC
__dosmaperr.LIBCMT ref: 00133DC7

Part of subcall function 00131F1F: __getptd_noexit.LIBCMT ref: 00131F1F

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit__initptd_free
String ID:
API String ID: 73303432-0
Opcode ID: ef7c4d5f58e4073461118caf5367190aaac117169b72ddf6929bfcc94cee0009
Instruction ID: a9fc40f949aa5f0867c05b1de8e8bf0f917ab93ed8688bfe96e08eddac28f587
Opcode Fuzzy Hash: ef7c4d5f58e4073461118caf5367190aaac117169b72ddf6929bfcc94cee0009
Instruction Fuzzy Hash: AA110432208746AFEB21BFE4AC4299B37A8EF54370F100129F9259A1D1DB71D90187A4

Uniqueness

Uniqueness Score: -1.00%

Function 00031A80 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 432
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00031A80(void* __ecx, intOrPtr __edx, void* __eflags, void* __fp0) {
				signed int _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				char _v576;
				signed int _v580;
				char _v584;
				char _v588;
				char _v592;
				char _v596;
				char _v600;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t133;
				signed int _t134;
				intOrPtr* _t137;
				void* _t139;
				intOrPtr* _t140;
				intOrPtr* _t144;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				void* _t153;
				signed int _t154;
				signed int _t161;
				signed int** _t164;
				signed int** _t166;
				signed int** _t168;
				void* _t185;
				intOrPtr* _t188;
				void* _t193;
				intOrPtr* _t196;
				signed int _t198;
				intOrPtr* _t202;
				intOrPtr* _t210;
				signed int _t217;
				intOrPtr* _t221;
				intOrPtr* _t229;
				void* _t232;
				void* _t233;
				void* _t235;
				signed int _t237;
				void* _t255;
				signed int _t270;
				char _t306;
				intOrPtr _t307;
				signed int _t309;
				signed int _t310;
				signed int _t312;
				signed int _t316;
				signed int _t320;
				signed int _t331;
				void* _t333;
				signed int _t334;
				signed int _t335;
				void* _t339;
				void* _t343;
				void* _t345;
				signed int _t346;
				void* _t347;
				void* _t348;
				intOrPtr* _t353;
				void* _t362;
				void* _t365;

				_t302 = __edx;
				_push(0xffffffff);
				_push(0x1543fd);
				_push( *[fs:0x0]);
				_t348 = _t347 - 0x248;
				_t133 =  *0x1a0454; // 0x960af5fb
				_t134 = _t133 ^ _t346;
				_v20 = _t134;
				_push(_t232);
				_push(_t333);
				_push(_t134);
				 *[fs:0x0] =  &_v16;
				_t343 = __ecx;
				E00044332(_t232, __ecx, __edx, _t333, __fp0);
				if( *((char*)(_t343 + 0x5a0)) == 0) {
					_t233 = 0;
					__eflags = 0;
				} else {
					_t221 = E00045761();
					_t233 = 0;
					_t353 = _t221;
					_t294 = 0 | _t353 == 0x00000000;
					if(_t353 == 0) {
						_push(0x80004005);
						_t221 = E00031330(0, _t294, _t333, _t343);
					}
					_v580 =  *((intOrPtr*)( *((intOrPtr*)( *_t221 + 0xc))))() + 0x10;
					_v8 = _t233;
					E000414A8(_t233, _t343 + 0x52c, _t333,  &_v580);
					E00033780(_t233,  &_v580, _t333, _t343, L"ExamShield Program", L"ExamShield (Compatibility Check) Program");
					_t331 = _v580;
					E000434B7(_t343 + 0x52c, _t331);
					_v8 = 0xffffffff;
					_t229 = _v580 + 0xfffffff0;
					asm("lock xadd [ecx], edx");
					_t302 = (_t331 | 0xffffffff) - 1;
					if((_t331 | 0xffffffff) - 1 <= 0) {
						_t302 =  *((intOrPtr*)( *_t229));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t229)) + 4))))(_t229);
					}
				}
				_t237 =  *(_t343 + 0x420);
				_t334 =  *(_t237 - 0x10);
				_t137 = _t237 - 0x10;
				if( *((intOrPtr*)(_t237 - 0xc)) != _t233) {
					if( *((intOrPtr*)(_t137 + 0xc)) >= _t233) {
						asm("lock xadd [edx], ecx");
						__eflags = (_t237 | 0xffffffff) - 1;
						if((_t237 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t137)) + 4))))(_t137);
						}
						_t302 =  *_t334;
						_t217 =  *((intOrPtr*)( *((intOrPtr*)( *_t334 + 0xc))))() + 0x10;
						__eflags = _t217;
						 *(_t343 + 0x420) = _t217;
					} else {
						if( *((intOrPtr*)(_t237 - 8)) < _t233) {
							_push(0x80070057);
							E00031330(_t233, _t237, _t334, _t343);
						}
						 *((intOrPtr*)(_t237 - 0xc)) = _t233;
						_t302 = 0;
						 *( *(_t343 + 0x420)) = 0;
					}
				}
				_t335 = _t334 | 0xffffffff;
				 *(_t343 + 0x438) = _t335;
				 *((intOrPtr*)(_t343 + 0x430)) = _t233;
				 *((intOrPtr*)(_t343 + 0x434)) = _t233;
				_v576 = _t233;
				_v572 = _t233;
				_v568 = _t233;
				_v564 = _t233;
				_v560 = _t233;
				_v556 = _t233;
				_t139 = E00048B7D(_t233, _t302,  *((intOrPtr*)(_t343 + 0xa4)),  &_v576, _t233); // executed
				if(_t139 == _t233 || ( *(_t343 + 0xe8) |  *(_t343 + 0xec)) != 0 ||  *((intOrPtr*)(_t343 + 0xd0)) == _t233) {
					L23:
					_t140 = E00045761();
					__eflags = _t140 - _t233;
					_t240 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t140 = E00031330(_t233, _t240, _t335, _t343);
					}
					_v584 =  *((intOrPtr*)( *((intOrPtr*)( *_t140 + 0xc))))() + 0x10;
					_v8 = 2;
					_t144 = E00045761();
					__eflags = _t144 - _t233;
					_t243 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_push(0x80004005);
						_t144 = E00031330(_t233, _t243, _t335, _t343);
					}
					_v588 =  *((intOrPtr*)( *((intOrPtr*)( *_t144 + 0xc))))() + 0x10;
					_v8 = 3;
					_t336 = _t343 + 0xa0;
					_t234 = _t343 + 0x104;
					_t149 = E00049513(_t343 + 0xa0,  *((intOrPtr*)(_t343 + 0xa0)), _t343 + 0x104,  &_v588,  &_v584,  &_v596); // executed
					__eflags = _t149;
					if(_t149 != 0) {
						L32:
						_t150 = E00130DBA(_v584, 0x2f);
						_t306 = _v584;
						__eflags = _t150;
						if(_t150 == 0) {
							L34:
							_t151 = E00130DBA(_t306, 0x5c);
							__eflags = _t151;
							if(_t151 == 0) {
								L39:
								_t337 = _t343 + 0x41c;
								E00034260(_t343 + 0x41c,  &_v584);
								L40:
								_t307 =  *((intOrPtr*)(_t343 + 0x418));
								__eflags =  *(_t307 - 0xc);
								_t153 = _t343 + 0x418;
								if( *(_t307 - 0xc) > 0) {
									E00034260(_t337, _t153);
								}
								_t154 = E00045761();
								__eflags = _t154;
								_t251 = 0 | __eflags != 0x00000000;
								if(__eflags == 0) {
									_push(0x80004005);
									_t154 = E00031330(_t234, _t251, _t337, _t343);
								}
								_v592 =  *((intOrPtr*)( *((intOrPtr*)( *_t154 + 0xc))))() + 0x10;
								_v8 = 6;
								_t309 =  &_v592;
								E000491E2(_v588, _t309, 0x66,  *_t337, _v588);
								E000434B7(_t343 + 0x330, _v592); // executed
								_push(0);
								_push(4);
								_push(0);
								_push(0);
								_push(_t343);
								_push(E00032000); // executed
								_t161 = E0004A073(_t234, _t309,  *_t337, _t343, __eflags); // executed
								 *(_t343 + 0x428) = _t161;
								__eflags = _t161;
								if(_t161 != 0) {
									 *((intOrPtr*)(_t161 + 0x28)) = 0;
									_t255 =  *( *(_t343 + 0x428) + 0x2c);
									ResumeThread(_t255); // executed
									_v8 = 3;
									_t164 = _v592 + 0xfffffff0;
									_t310 =  &(_t164[3]);
									asm("lock xadd [edx], ecx");
									__eflags = (_t255 | 0xffffffff) - 1;
								} else {
									E00043F8D(_t343, 2);
									_v8 = 3;
									_t164 = _v592 + 0xfffffff0;
									asm("lock xadd [ecx], edx");
									_t310 = (_t309 | 0xffffffff) - 1;
									__eflags = _t310;
								}
								if(__eflags <= 0) {
									_t310 =  *( *_t164);
									 *((intOrPtr*)( *((intOrPtr*)(_t310 + 4))))(_t164);
								}
								goto L49;
							}
							_t306 = _v584;
							_t270 = _t151 - _t306 >> 1;
							__eflags = _t270 - 0xffffffff;
							if(_t270 == 0xffffffff) {
								goto L39;
							}
							L36:
							__eflags =  *((intOrPtr*)(_t306 - 0xc)) - 1;
							if( *((intOrPtr*)(_t306 - 0xc)) <= 1) {
								goto L39;
							}
							_t316 =  &_v600;
							_t185 = E00033AD0( &_v584, _t316,  *((intOrPtr*)(_t306 - 0xc)) - _t270 - 1);
							_t337 = _t343 + 0x41c;
							_v8 = 5;
							E00034260(_t343 + 0x41c, _t185);
							_v8 = 3;
							_t188 = _v600 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							__eflags = (_t316 | 0xffffffff) - 1;
							if((_t316 | 0xffffffff) - 1 <= 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t188)) + 4))))(_t188);
							}
							goto L40;
						}
						_t270 = _t150 - _t306 >> 1;
						__eflags = _t270 - 0xffffffff;
						if(_t270 != 0xffffffff) {
							goto L36;
						}
						goto L34;
					} else {
						_t320 =  &_v580;
						_t193 = E00034060(_t320, L"http://", _t336);
						_t348 = _t348 + 0xc;
						_v8 = 4;
						E00034260(_t336, _t193);
						_v8 = 3;
						_t196 = _v580 + 0xfffffff0;
						asm("lock xadd [ecx], edx");
						__eflags = (_t320 | 0xffffffff) - 1;
						if((_t320 | 0xffffffff) - 1 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t196)) + 4))))(_t196);
						}
						_t310 =  &_v584;
						_t198 = E00049513( *_t336,  *_t336, _t234,  &_v588, _t310,  &_v596);
						__eflags = _t198;
						if(_t198 != 0) {
							goto L32;
						} else {
							E00043F8D(_t343, 2);
							L49:
							_v8 = 2;
							_t166 = _v588 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							_t312 = (_t310 | 0xffffffff) - 1;
							__eflags = _t312;
							if(_t312 <= 0) {
								_t312 =  *( *_t166);
								 *((intOrPtr*)( *((intOrPtr*)(_t312 + 4))))(_t166);
							}
							_v8 = 0xffffffff;
							_t168 = _v584 + 0xfffffff0;
							asm("lock xadd [ecx], edx");
							_t314 = (_t312 | 0xffffffff) - 1;
							__eflags = (_t312 | 0xffffffff) - 1;
							goto L52;
						}
					}
				} else {
					_t202 = E00045761();
					_t362 = _t202 - _t233;
					_t281 = 0 | _t362 != 0x00000000;
					_t363 = (_t362 != 0) - _t233;
					if(_t362 != 0 == _t233) {
						_push(0x80004005);
						_t202 = E00031330(_t233, _t281, _t335, _t343);
					}
					_v580 =  *((intOrPtr*)( *((intOrPtr*)( *_t202 + 0xc))))() + 0x10;
					_v8 = 1;
					E000491C8( &_v580, 0x82,  *((intOrPtr*)(_t343 + 0xa4)));
					_t314 = _v580;
					if(E00044BAD(_t233, _t335, _t343, _t363, _v580, 4, _t233) == 6) {
						_v8 = _t335;
						_t210 = _v580 + 0xfffffff0;
						asm("lock xadd [ecx], edi");
						_t335 = _t335 - 1;
						__eflags = _t335;
						if(_t335 <= 0) {
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t210)) + 4))))(_t210);
						}
						goto L23;
					} else {
						E00043F8D(_t343, 2);
						_v8 = _t335;
						_t168 = _v580 + 0xfffffff0;
						asm("lock xadd [ecx], edi");
						_t365 = _t335 - 1;
						L52:
						if(_t365 <= 0) {
							_t314 =  *( *_t168);
							 *((intOrPtr*)( *((intOrPtr*)( *( *_t168) + 4))))(_t168);
						}
						 *[fs:0x0] = _v16;
						_pop(_t339);
						_pop(_t345);
						_pop(_t235);
						return E00130836(1, _t235, _v20 ^ _t346, _t314, _t339, _t345);
					}
				}
			}

0x00031a80
0x00031a83
0x00031a85
0x00031a90
0x00031a91
0x00031a97
0x00031a9c
0x00031a9e
0x00031aa1
0x00031aa3
0x00031aa4
0x00031aa8
0x00031aae
0x00031ab0
0x00031abc
0x00031b57
0x00031b57
0x00031ac2
0x00031ac2
0x00031ac9
0x00031acb
0x00031acd
0x00031ad2
0x00031ad4
0x00031ad9
0x00031ad9
0x00031aea
0x00031afd
0x00031b00
0x00031b15
0x00031b1a
0x00031b27
0x00031b2c
0x00031b39
0x00031b42
0x00031b46
0x00031b49
0x00031b4d
0x00031b53
0x00031b53
0x00031b49
0x00031b59
0x00031b5f
0x00031b65
0x00031b68
0x00031b70
0x00031b94
0x00031b99
0x00031b9b
0x00031ba5
0x00031ba5
0x00031ba7
0x00031bb0
0x00031bb0
0x00031bb3
0x00031b72
0x00031b75
0x00031b77
0x00031b7c
0x00031b7c
0x00031b81
0x00031b8a
0x00031b8c
0x00031b8c
0x00031b70
0x00031bc7
0x00031bcb
0x00031bd1
0x00031bd7
0x00031bdd
0x00031be3
0x00031be9
0x00031bef
0x00031bf5
0x00031bfb
0x00031c01
0x00031c08
0x00031cd1
0x00031cd1
0x00031cd8
0x00031cda
0x00031cdf
0x00031ce1
0x00031ce6
0x00031ce6
0x00031cf7
0x00031cfd
0x00031d04
0x00031d0b
0x00031d0d
0x00031d12
0x00031d14
0x00031d19
0x00031d19
0x00031d2a
0x00031d45
0x00031d4f
0x00031d55
0x00031d5d
0x00031d62
0x00031d64
0x00031ddd
0x00031de6
0x00031deb
0x00031df4
0x00031df6
0x00031e03
0x00031e06
0x00031e0e
0x00031e10
0x00031e7c
0x00031e82
0x00031e8b
0x00031e90
0x00031e90
0x00031e96
0x00031e9a
0x00031ea0
0x00031ea5
0x00031ea5
0x00031eaa
0x00031eb1
0x00031eb3
0x00031eb8
0x00031eba
0x00031ebf
0x00031ebf
0x00031ed0
0x00031ed6
0x00031ee6
0x00031eed
0x00031eff
0x00031f04
0x00031f06
0x00031f08
0x00031f0a
0x00031f0c
0x00031f0d
0x00031f12
0x00031f17
0x00031f1d
0x00031f1f
0x00031f46
0x00031f53
0x00031f57
0x00031f5d
0x00031f67
0x00031f6a
0x00031f70
0x00031f75
0x00031f21
0x00031f25
0x00031f2a
0x00031f34
0x00031f3d
0x00031f41
0x00031f42
0x00031f42
0x00031f77
0x00031f7b
0x00031f81
0x00031f81
0x00000000
0x00031f77
0x00031e12
0x00031e1c
0x00031e1e
0x00031e21
0x00000000
0x00000000
0x00031e23
0x00031e23
0x00031e27
0x00000000
0x00000000
0x00031e30
0x00031e3d
0x00031e42
0x00031e4b
0x00031e4f
0x00031e54
0x00031e5e
0x00031e67
0x00031e6c
0x00031e6e
0x00031e78
0x00031e78
0x00000000
0x00031e6e
0x00031dfc
0x00031dfe
0x00031e01
0x00000000
0x00000000
0x00000000
0x00031d66
0x00031d67
0x00031d73
0x00031d78
0x00031d7e
0x00031d82
0x00031d87
0x00031d91
0x00031d9a
0x00031d9f
0x00031da1
0x00031dab
0x00031dab
0x00031db6
0x00031dc6
0x00031dcb
0x00031dcd
0x00000000
0x00031dcf
0x00031dd3
0x00031f83
0x00031f83
0x00031f8d
0x00031f96
0x00031f9a
0x00031f9b
0x00031f9d
0x00031fa1
0x00031fa7
0x00031fa7
0x00031fa9
0x00031fb6
0x00031fbf
0x00031fc3
0x00031fc4
0x00000000
0x00031fc4
0x00031dcd
0x00031c2c
0x00031c2c
0x00031c33
0x00031c35
0x00031c38
0x00031c3a
0x00031c3c
0x00031c41
0x00031c41
0x00031c52
0x00031c58
0x00031c72
0x00031c77
0x00031c89
0x00031caf
0x00031cb8
0x00031cbe
0x00031cc2
0x00031cc3
0x00031cc5
0x00031ccf
0x00031ccf
0x00000000
0x00031c8b
0x00031c8f
0x00031c94
0x00031c9d
0x00031ca3
0x00031ca8
0x00031fc6
0x00031fc6
0x00031fca
0x00031fd0
0x00031fd0
0x00031fda
0x00031fe2
0x00031fe3
0x00031fe4
0x00031ff2
0x00031ff2
0x00031c89

APIs

_wcsrchr.LIBCMT ref: 00031DE6
_wcsrchr.LIBCMT ref: 00031E06

Part of subcall function 00043F8D: EndDialog.USER32 ref: 00043FAC

Strings

http://, xrefs: 00031D6D
ExamShield Program, xrefs: 00031B0A
ExamShield (Compatibility Check) Program, xrefs: 00031B05

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: _wcsrchr$Dialog
String ID: ExamShield (Compatibility Check) Program$ExamShield Program$http://
API String ID: 1059084337-1264212893
Opcode ID: 6deaf07e8d7ece23c464a0ab0f19fbed9ad0b0b30cb5768620a76a5c2adee0bd
Instruction ID: a36a46aa0f5f80b8252eb904042e05a70ec4588e4881978e543ab042f0f714b2
Opcode Fuzzy Hash: 6deaf07e8d7ece23c464a0ab0f19fbed9ad0b0b30cb5768620a76a5c2adee0bd
Instruction Fuzzy Hash: D8F1A0716006059FD755DB68CC85BDEB3A9FF88324F1483ACE12A9B2D2DB30AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0004920A Relevance: 10.7, APIs: 7, Instructions: 161
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0004920A(WCHAR* _a4, struct _SYSTEMTIME _a8, short* _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				short _v4176;
				short* _v4180;
				short _v4184;
				struct _SYSTEMTIME _v4200;
				WCHAR* _v4204;
				signed int _v4208;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t57;
				int _t67;
				void* _t69;
				long _t71;
				long _t73;
				WCHAR* _t76;
				struct _SYSTEMTIME _t78;
				WCHAR* _t80;
				short* _t84;
				signed int _t95;
				WCHAR* _t96;
				long _t97;
				signed int _t99;

				E00133C00(0x106c);
				_t57 =  *0x1a0454; // 0x960af5fb
				_v8 = _t57 ^ _t99;
				_t80 = _a4;
				_v4180 = _a12;
				_t78 = _a8;
				_v4208 = _a16;
				_v4200.wHour = _t80;
				if(_t78 == 0 || _t80 == 0) {
					L13:
					_t62 = 0;
					goto L14;
				} else {
					_t97 = _a20 & 0x2e000000;
					_v4200.wSecond = 0x824;
					_v4184 = 0;
					_v4200.wDayOfWeek = 0;
					_v4200.wYear = 0;
					if((_a20 & 0x90000000) != 0 &&  *((intOrPtr*)(_t78 + 0x30)) != 0) {
						if((_a20 & 0x02000000) == 0) {
							_v4200.wDayOfWeek = 0x80000000;
						} else {
							_v4200.wYear = 1;
						}
					}
					_t96 = InternetCanonicalizeUrlW;
					if(InternetCanonicalizeUrlW(_t80,  &_v4176,  &(_v4200.wSecond), _t97) != 0) {
						_t96 =  &_v4176;
						goto L17;
					} else {
						_t73 = GetLastError();
						_t106 = _t73 - 0x7a;
						if(_t73 != 0x7a) {
							goto L13;
						}
						_t95 = 2;
						_t94 = _v4200.wSecond * _t95 >> 0x20;
						_t76 = E0003C37C(_t106,  ~(0 | _t106 > 0x00000000) | _v4200.wSecond * _t95);
						_v4204 = _t76;
						if(_t76 == 0) {
							goto L13;
						}
						_v4184 = 1;
						if(InternetCanonicalizeUrlW(_v4200.wHour, _t76,  &(_v4200.wSecond), _t97) != 0) {
							_t96 = _v4204;
							L17:
							_t97 = 0;
							_t67 = InternetCrackUrlW(_t96, 0, _v4200.wDayOfWeek, _t78); // executed
							_v4200.wHour = _t67;
							__eflags = _v4200.wYear;
							if(_v4200.wYear == 0) {
								L21:
								__eflags = _v4184 - _t97;
								if(_v4184 != _t97) {
									_push(_t96);
									E0003C3AB();
								}
								_t62 = _v4200.wHour;
								__eflags = _v4200.wHour - _t97;
								if(_v4200.wHour != _t97) {
									_t94 = _v4208;
									 *_v4208 =  *((intOrPtr*)(_t78 + 0x18));
									_t78 =  *((intOrPtr*)(_t78 + 0xc)) - 1;
									__eflags = _t78;
									_t84 = _v4180;
									if(_t78 == 0) {
										 *_t84 = 1;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 == 0) {
										 *_t84 = 2;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 == 0) {
										 *_t84 = 3;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 == 0) {
										 *_t84 = 0x100b;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 == 0) {
										 *_t84 = 0x1001;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 == 0) {
										 *_t84 = 0x1006;
										goto L14;
									}
									_t78 = _t78 - 1;
									__eflags = _t78;
									if(_t78 != 0) {
										goto L25;
									}
									 *_t84 = 0x1002;
									goto L14;
								} else {
									_t84 = _v4180;
									L25:
									 *_t84 = 0x1000;
									L14:
									return E00130836(_t62, _t78, _v8 ^ _t99, _t94, _t96, _t97);
								}
							}
							_t69 = E0013161A( *(_t78 + 0x2c));
							__eflags = _t69 - 0x824;
							if(_t69 >= 0x824) {
								L26:
								__eflags = _v4184 - _t97;
								if(_v4184 == _t97) {
									goto L13;
								}
								_push(_t96);
								L12:
								E0003C3AB();
								goto L13;
							}
							_t71 = UrlUnescapeW( *(_t78 + 0x2c), 0, 0, 0x2100000);
							__eflags = _t71;
							if(_t71 < 0) {
								goto L26;
							}
							 *((intOrPtr*)(_t78 + 0x30)) = lstrlenW( *(_t78 + 0x2c));
							goto L21;
						}
						_push(_v4204);
						goto L12;
					}
				}
			}

0x00049214
0x00049219
0x00049220
0x00049226
0x00049229
0x00049233
0x00049236
0x00049240
0x00049248
0x0004931f
0x0004931f
0x00000000
0x00049256
0x00049259
0x00049266
0x00049270
0x00049276
0x0004927c
0x00049282
0x00049290
0x0004929e
0x00049292
0x00049292
0x00049292
0x00049290
0x000492a8
0x000492c2
0x00049332
0x00000000
0x000492c4
0x000492c4
0x000492ca
0x000492cd
0x00000000
0x00000000
0x000492d9
0x000492da
0x000492e4
0x000492ea
0x000492f2
0x00000000
0x00000000
0x00049303
0x00049311
0x0004933a
0x00049340
0x00049347
0x0004934b
0x00049351
0x00049357
0x0004935d
0x0004938f
0x0004938f
0x00049395
0x00049397
0x00049398
0x0004939d
0x0004939e
0x000493a4
0x000493a6
0x000493cf
0x000493d5
0x000493db
0x000493db
0x000493dc
0x000493e2
0x00049438
0x00000000
0x00049438
0x000493e4
0x000493e4
0x000493e5
0x0004942d
0x00000000
0x0004942d
0x000493e7
0x000493e7
0x000493e8
0x00049422
0x00000000
0x00049422
0x000493ea
0x000493ea
0x000493eb
0x00049417
0x00000000
0x00049417
0x000493ed
0x000493ed
0x000493ee
0x0004940c
0x00000000
0x0004940c
0x000493f0
0x000493f0
0x000493f1
0x00049401
0x00000000
0x00049401
0x000493f3
0x000493f3
0x000493f4
0x00000000
0x00000000
0x000493f6
0x00000000
0x000493a8
0x000493a8
0x000493ae
0x000493ae
0x00049321
0x0004932f
0x0004932f
0x000493a6
0x00049362
0x00049368
0x0004936d
0x000493b9
0x000493b9
0x000493bf
0x00000000
0x00000000
0x000493c5
0x00049319
0x00049319
0x00000000
0x0004931e
0x00049379
0x0004937f
0x00049381
0x00000000
0x00000000
0x0004938c
0x00000000
0x0004938c
0x00049313
0x00000000
0x00049313
0x000492c2

APIs

InternetCanonicalizeUrlW.WININET(00000825,?,00000824,?), ref: 000492BE
GetLastError.KERNEL32 ref: 000492C4
InternetCanonicalizeUrlW.WININET(?,00000000,00000824,?), ref: 0004930D
InternetCrackUrlW.WININET(?,00000000,?,02000000), ref: 0004934B
_wcslen.LIBCMT ref: 00049362
UrlUnescapeW.SHLWAPI(?,00000000,00000000,02100000), ref: 00049379
lstrlenW.KERNEL32(?), ref: 00049386

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Internet$Canonicalize$CrackErrorLastUnescape_wcslenlstrlen
String ID:
API String ID: 2764552472-0
Opcode ID: 981a627edcafbc2da60b1f4fe8582e4669514d1a500ce7f1656e42a793d73c9a
Instruction ID: 545099cfa6946934bddf25aac0f3cba1f7e0126f1a5cf278fe7f07d2d729cb82
Opcode Fuzzy Hash: 981a627edcafbc2da60b1f4fe8582e4669514d1a500ce7f1656e42a793d73c9a
Instruction Fuzzy Hash: F751ADB1504298DBDB218F60DD85AEFB7B5FB45301F1041FAE9499A190D7B08EC0CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0004ADC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E0004ADC0(void* __ecx) {
				signed int _v8;
				short _v10;
				short _v12;
				short _v532;
				struct HINSTANCE__* _v536;
				intOrPtr _v544;
				WCHAR* _v556;
				intOrPtr _v560;
				char _v564;
				void* __edi;
				void* __esi;
				signed int _t25;
				void* _t35;
				void* _t39;
				struct HINSTANCE__* _t41;
				void* _t42;
				intOrPtr* _t43;
				void* _t45;
				void* _t46;
				signed int _t50;

				_t48 = _t50;
				_t25 =  *0x1a0454; // 0x960af5fb
				_v8 = _t25 ^ _t50;
				_v10 = 0;
				_v12 = 0;
				_t45 = __ecx;
				_t41 =  *(__ecx + 8);
				if(GetModuleFileNameW(_t41,  &_v532, 0x105) != 0) {
					if(_v12 == 0) {
						_v556 =  &_v532;
						_v536 = _t41;
						_t43 = __imp__CreateActCtxW;
						_v564 = 0x20;
						_v560 = 0x88;
						_v544 = 2;
						_t29 =  *_t43( &_v564); // executed
						 *(_t45 + 0x80) = _t29;
						if(_t29 == 0xffffffff) {
							_v544 = 3;
							_t29 =  *_t43( &_v564); // executed
							 *(_t45 + 0x80) = _t29;
						}
						if( *(_t45 + 0x80) == 0xffffffff) {
							_v544 = 1;
							_t29 =  *_t43( &_v564); // executed
							 *(_t45 + 0x80) = _t29;
							if(_t29 == 0xffffffff) {
								 *(_t45 + 0x80) =  *(_t45 + 0x80) & 0x00000000;
							}
						}
					} else {
						SetLastError(0x6f);
					}
				}
				_pop(_t42);
				_pop(_t46);
				return E00130836(_t29, _t35, _v8 ^ _t48, _t39, _t42, _t46);
			}

0x0004adc3
0x0004adcb
0x0004add2
0x0004add9
0x0004addd
0x0004ade6
0x0004ade8
0x0004adfb
0x0004ae06
0x0004ae1b
0x0004ae27
0x0004ae2d
0x0004ae34
0x0004ae3e
0x0004ae48
0x0004ae52
0x0004ae54
0x0004ae5d
0x0004ae66
0x0004ae70
0x0004ae72
0x0004ae72
0x0004ae7f
0x0004ae88
0x0004ae92
0x0004ae94
0x0004ae9d
0x0004ae9f
0x0004ae9f
0x0004ae9d
0x0004ae08
0x0004ae0a
0x0004ae0a
0x0004ae06
0x0004aea9
0x0004aeac
0x0004aeb3

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0004ADF3
SetLastError.KERNEL32(0000006F), ref: 0004AE0A
CreateActCtxW.KERNEL32(?), ref: 0004AE52
CreateActCtxW.KERNEL32(00000020), ref: 0004AE70
CreateActCtxW.KERNEL32(00000020), ref: 0004AE92

Strings

, xrefs: 0004AE34

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Create$ErrorFileLastModuleName
String ID:
API String ID: 1315026305-3916222277
Opcode ID: fa06848600dc1c8bbe06cf6ecec7cb5f38ee54da5a70c5c2d5b042aac2378dc7
Instruction ID: bc4da663d81e1fed6bf689ff2596b0d432ca322811fbde4dc93ffff60c591e29
Opcode Fuzzy Hash: fa06848600dc1c8bbe06cf6ecec7cb5f38ee54da5a70c5c2d5b042aac2378dc7
Instruction Fuzzy Hash: 5021A9B0940218DEDB60DF65DC48BEAB7F8BF59324F1042AED069E2190DB745A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 000BF163 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E000BF163(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t18;
				int _t19;
				WCHAR* _t21;
				intOrPtr _t27;
				void* _t28;
				void* _t29;
				intOrPtr _t30;

				_t29 = __eflags;
				_push(4);
				E00131A19(0x148841, __ebx, __edi, __esi);
				_t27 = __ecx;
				 *((intOrPtr*)(_t28 - 0x10)) = __ecx;
				E00043AEA(__ecx, _t29);
				 *((intOrPtr*)(__ecx)) = 0x167ae4;
				 *((intOrPtr*)(__ecx + 0x20)) = 0x167a90;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(_t28 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
				E00052399(3);
				_t30 =  *0x1a5a4c; // 0x1
				if(_t30 == 0) {
					_t21 = L"windows";
					_t18 = GetProfileIntW(_t21, L"DragMinDist", 2); // executed
					 *0x1a5a44 = _t18; // executed
					_t19 = GetProfileIntW(_t21, L"DragDelay", 0xc8); // executed
					 *0x1a5a48 = _t19;
					 *0x1a5a4c = 1;
				}
				E0005240B(3);
				return E00131AF1(_t27);
			}

0x000bf163
0x000bf163
0x000bf16a
0x000bf16f
0x000bf171
0x000bf174
0x000bf17b
0x000bf181
0x000bf188
0x000bf18b
0x000bf18e
0x000bf191
0x000bf196
0x000bf199
0x000bf19c
0x000bf19f
0x000bf1a2
0x000bf1a7
0x000bf1ad
0x000bf1bc
0x000bf1c2
0x000bf1cf
0x000bf1d4
0x000bf1d6
0x000bf1db
0x000bf1db
0x000bf1e7
0x000bf1f3

APIs

__EH_prolog3.LIBCMT ref: 000BF16A

Part of subcall function 00052399: EnterCriticalSection.KERNEL32(001A3DE0,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 000523D3
Part of subcall function 00052399: InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 000523E5
Part of subcall function 00052399: LeaveCriticalSection.KERNEL32(001A3DE0,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 000523F2
Part of subcall function 00052399: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 00052402

GetProfileIntW.KERNEL32 ref: 000BF1C2
GetProfileIntW.KERNEL32 ref: 000BF1D4

Strings

DragMinDist, xrefs: 000BF1B7
windows, xrefs: 000BF1BC, 000BF1C1, 000BF1CE
DragDelay, xrefs: 000BF1C9

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: 72fa3810ebab9a6a767aee61c0d3d22fa964b049e38589191e62f79309bda55f
Instruction ID: 41d7770cc1e246d6b62be264a7e2e8ad4b2b87e392ab6da10bdf7fea560e0e85
Opcode Fuzzy Hash: 72fa3810ebab9a6a767aee61c0d3d22fa964b049e38589191e62f79309bda55f
Instruction Fuzzy Hash: B40144B0A44B01DBD720DF9A9D8261EFAF8BF94704F44191FE145ABAA2C7F05541CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00044481 Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00044481(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t62;
				signed int _t68;
				signed int _t70;
				struct HWND__* _t71;
				struct HWND__* _t72;
				signed int _t74;
				signed int _t104;
				void* _t115;
				signed int _t118;
				DLGTEMPLATE* _t119;
				struct HWND__* _t120;
				intOrPtr* _t122;
				void* _t123;

				_t117 = __edi;
				_t115 = __edx;
				_t98 = __ecx;
				_push(0x3c);
				E00131A4C(0x148a31, __ebx, __edi, __esi);
				_t122 = __ecx;
				 *((intOrPtr*)(_t123 - 0x20)) = __ecx;
				_t127 =  *(_t123 + 0x10);
				if( *(_t123 + 0x10) == 0) {
					 *(_t123 + 0x10) =  *(E0004B628(0, __edi, __ecx, _t127) + 0xc);
				}
				_t118 =  *(E0004B628(0, _t117, _t122, _t127) + 0x3c);
				 *(_t123 - 0x28) = _t118;
				 *(_t123 - 0x14) = 0;
				 *(_t123 - 4) = 0;
				E00042F94(0, _t98, _t118, _t122, _t127, 0x10);
				E00042F94(0, _t98, _t118, _t122, _t127, 0xfc000); // executed
				E0004035B(0, _t98, _t115, _t118, _t127); // executed
				E000530E9();
				if(_t118 == 0) {
					_t119 =  *(_t123 + 8);
					L7:
					__eflags = _t119;
					if(_t119 == 0) {
						L4:
						_t62 = 0;
						L26:
						return E00131AF1(_t62);
					}
					E00031110(_t123 - 0x1c, E00045761());
					 *(_t123 - 4) = 1;
					 *((intOrPtr*)(_t123 - 0x18)) = 0;
					_t68 = E00053D1A(_t119, __eflags, _t119, _t123 - 0x1c, _t123 - 0x18);
					__eflags = _t68;
					__eflags = 0 | _t68 == 0x00000000;
					if(__eflags != 0) {
						_push(_t119);
						E00053CDE(_t123 - 0x38, _t119);
						 *(_t123 - 4) = 2;
						E00053C3A(_t123 - 0x38,  *((intOrPtr*)(_t123 - 0x18)));
						 *(_t123 - 0x14) = E0005398D(_t123 - 0x38);
						 *(_t123 - 4) = 1;
						E0005397F(_t123 - 0x38);
						__eflags =  *(_t123 - 0x14);
						if(__eflags != 0) {
							_t119 = GlobalLock( *(_t123 - 0x14));
						}
					}
					 *(_t122 + 0x60) =  *(_t122 + 0x60) | 0xffffffff;
					 *(_t122 + 0x58) =  *(_t122 + 0x58) | 0x00000010;
					E00041E0F(0, __eflags, _t122);
					_t70 =  *(_t123 + 0xc);
					__eflags = _t70;
					if(_t70 != 0) {
						_t71 =  *(_t70 + 0x20);
					} else {
						_t71 = 0;
					}
					_t72 = CreateDialogIndirectParamW( *(_t123 + 0x10), _t119, _t71, E00043E59, 0); // executed
					_t120 = _t72;
					E00031190( *((intOrPtr*)(_t123 - 0x1c)) + 0xfffffff0, _t115);
					 *(_t123 - 4) =  *(_t123 - 4) | 0xffffffff;
					_t104 =  *(_t123 - 0x28);
					__eflags = _t104;
					if(__eflags != 0) {
						__eflags = _t120;
						if(__eflags != 0) {
							 *((intOrPtr*)( *_t104 + 0x18))(_t123 - 0x48);
							 *((intOrPtr*)( *_t122 + 0x158))(0);
						}
					}
					_t74 = E0003F8E9(0, _t120, __eflags);
					__eflags = _t74;
					if(_t74 == 0) {
						 *((intOrPtr*)( *_t122 + 0x120))();
					}
					__eflags = _t120;
					if(_t120 != 0) {
						__eflags =  *(_t122 + 0x58) & 0x00000010;
						if(( *(_t122 + 0x58) & 0x00000010) == 0) {
							DestroyWindow(_t120);
							_t120 = 0;
							__eflags = 0;
						}
					}
					__eflags =  *(_t123 - 0x14);
					if( *(_t123 - 0x14) != 0) {
						GlobalUnlock( *(_t123 - 0x14));
						GlobalFree( *(_t123 - 0x14));
					}
					__eflags = _t120;
					_t54 = _t120 != 0;
					__eflags = _t54;
					_t62 = 0 | _t54;
					goto L26;
				}
				_push(_t123 - 0x48);
				if( *((intOrPtr*)( *_t122 + 0x158))() != 0) {
					_t119 =  *((intOrPtr*)( *_t118 + 0x14))(_t123 - 0x48,  *(_t123 + 8));
					goto L7;
				}
				goto L4;
			}

0x00044481
0x00044481
0x00044481
0x00044481
0x00044488
0x0004448d
0x0004448f
0x00044494
0x00044497
0x000444a1
0x000444a1
0x000444a9
0x000444ae
0x000444b1
0x000444b4
0x000444b7
0x000444c1
0x000444c6
0x000444cb
0x000444d2
0x000444ff
0x00044502
0x00044502
0x00044504
0x000444e6
0x000444e6
0x0004463d
0x00044642
0x00044642
0x0004450f
0x0004451d
0x00044521
0x00044524
0x0004452e
0x00044533
0x00044535
0x00044537
0x0004453b
0x00044546
0x0004454a
0x0004455a
0x0004455d
0x00044561
0x00044566
0x00044569
0x00044574
0x00044574
0x00044569
0x00044576
0x0004457a
0x0004457f
0x00044584
0x00044587
0x00044589
0x0004458f
0x0004458b
0x0004458b
0x0004458b
0x0004459d
0x000445a9
0x000445ab
0x000445b0
0x000445da
0x000445dd
0x000445df
0x000445e1
0x000445e3
0x000445eb
0x000445f3
0x000445f3
0x000445e3
0x000445f9
0x000445fe
0x00044600
0x00044606
0x00044606
0x0004460c
0x0004460e
0x00044610
0x00044614
0x00044617
0x0004461d
0x0004461d
0x0004461d
0x00044614
0x0004461f
0x00044622
0x00044627
0x00044630
0x00044630
0x00044638
0x0004463a
0x0004463a
0x0004463a
0x00000000
0x0004463a
0x000444d9
0x000444e4
0x000444fb
0x00000000
0x000444fb
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 00044488
GlobalLock.KERNEL32 ref: 0004456E
CreateDialogIndirectParamW.USER32(?,?,?,00043E59,00000000), ref: 0004459D
DestroyWindow.USER32 ref: 00044617
GlobalUnlock.KERNEL32(?), ref: 00044627
GlobalFree.KERNEL32(?), ref: 00044630

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 2d46926d4605f037d1f151eaa0ddecdbb08d12d02aa02365be05936b35b2f324
Instruction ID: 736cce82ab845f39bd3937c086bc655aca196f180688dbde4c6fe43f82350cd4
Opcode Fuzzy Hash: 2d46926d4605f037d1f151eaa0ddecdbb08d12d02aa02365be05936b35b2f324
Instruction Fuzzy Hash: 5151BEB1900249DFCF14EFA4C885AEEBBB5AF44315F25043DF502A7292CB708A45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00035EA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00035EA0(intOrPtr* __ebx, void* __esi, signed int* _a4, void* _a8) {
				DWORD* _v8;
				char _v16;
				short _v20;
				DWORD* _v24;
				struct HINSTANCE__* _v28;
				long _v36;
				void* __edi;
				void* __ebp;
				signed int _t34;
				intOrPtr* _t38;
				signed int _t41;
				long _t46;
				void* _t47;
				signed int _t50;
				void* _t54;
				void* _t59;
				void* _t93;
				intOrPtr* _t99;
				signed int _t107;
				void* _t115;
				void* _t117;
				signed int _t118;
				void* _t119;
				signed int* _t123;
				void* _t128;
				void* _t129;
				intOrPtr* _t130;

				_t99 = __ebx;
				_push(0xffffffff);
				_push(0x154049);
				_push( *[fs:0x0]);
				_t129 = _t128 - 0xc;
				_push(__esi);
				_push(_t117);
				_t34 =  *0x1a0454; // 0x960af5fb
				_push(_t34 ^ _t126);
				 *[fs:0x0] =  &_v16;
				_t123 = _a4;
				_v8 = 0;
				_v24 = 0;
				_v28 = GetModuleHandleW(L"WININET.DLL");
				_t38 = E00045761();
				_t130 = _t38;
				_t101 = 0 | _t130 == 0x00000000;
				if(_t130 == 0) {
					_push(0x80004005);
					_t38 = E00031330(__ebx, _t101, _t117, _t123);
				}
				_t41 =  *((intOrPtr*)( *((intOrPtr*)( *_t38 + 0xc))))() + 0x10;
				 *_t123 = _t41;
				_v8 = 0;
				_v24 = 1;
				if(( *((intOrPtr*)(_t41 - 8)) - 0x00001000 | 0x00000001 -  *((intOrPtr*)(_t41 - 4))) < 0) {
					E00031290(_t123, 0x1000); // executed
				}
				_t115 = _a8;
				_t118 =  *_t123;
				_t105 =  &_v20;
				_t46 = FormatMessageW(0x1b00, _v28, _t115, 0x800,  &_v20, 0, 0); // executed
				if(_t46 != 0) {
					_t115 = _v20;
					_t47 = E00130EEF(_t118, 0x1000, _t115, 0xffffffff);
					_t129 = _t129 + 0x10;
					if(_t47 > 0x50) {
						L9:
						E000455E0(_t105);
					} else {
						_t17 = _t47 + 0x35ff8; // 0x3030300
						switch( *((intOrPtr*)(( *_t17 & 0x000000ff) * 4 +  &M00035FE8))) {
							case 0:
								goto L10;
							case 1:
								E000455A8( &_v20);
								goto L9;
							case 2:
								goto L9;
						}
					}
					L10:
					LocalFree(_v20);
				} else {
					 *_t118 = 0;
				}
				_t50 =  *_t123;
				_t107 =  *(_t50 - 8);
				if(_t50 == 0) {
					L13:
					_t107 =  *_t123;
					if(_t50 >  *((intOrPtr*)(_t107 - 8))) {
						goto L15;
					} else {
						 *(_t107 - 0xc) = _t50;
						 *((short*)( *_t123 + _t50 * 2)) = 0;
						 *[fs:0x0] = _v16;
						return _t123;
					}
				} else {
					_t50 = E00130FBC(_t50, _t107);
					_t129 = _t129 + 8;
					if(_t50 < 0) {
						L15:
						E00031330(_t99, _t107, _t118, _t123);
						_t119 = 0x80070057;
						 *((intOrPtr*)(_t119 + 3)) = ds;
						 *((intOrPtr*)(_t107 - 0x6efffca1)) =  *((intOrPtr*)(_t107 - 0x6efffca1)) + _t115;
						_t54 = _t123 +  *_t123 +  *((intOrPtr*)(_t123 +  *_t123));
						 *_t99 =  *_t99 + _t54;
						_t59 = _t54 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99;
						 *_t99 =  *_t99 + _t59;
						_t93 = _t59 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 +  *_t99 + _t107;
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t107);
						 *_t93 = 0;
						_v36 = 4;
						return HttpQueryInfoW(_t115, 0x20000013, _t93,  &_v36, 0);
					} else {
						goto L13;
					}
				}
			}

0x00035ea0
0x00035ea3
0x00035ea5
0x00035eb0
0x00035eb1
0x00035eb4
0x00035eb5
0x00035eb6
0x00035ebd
0x00035ec1
0x00035ec7
0x00035eca
0x00035ed6
0x00035ee3
0x00035ee6
0x00035eed
0x00035eef
0x00035ef4
0x00035ef6
0x00035efb
0x00035efb
0x00035f09
0x00035f0c
0x00035f0e
0x00035f1a
0x00035f2a
0x00035f33
0x00035f33
0x00035f38
0x00035f3e
0x00035f44
0x00035f54
0x00035f5c
0x00035f65
0x00035f71
0x00035f76
0x00035f7c
0x00035f91
0x00035f91
0x00035f7e
0x00035f7e
0x00035f85
0x00000000
0x00000000
0x00000000
0x00035f8c
0x00000000
0x00000000
0x00000000
0x00000000
0x00035f85
0x00035f96
0x00035f9a
0x00035f5e
0x00035f60
0x00035f60
0x00035fa0
0x00035fa2
0x00035fa7
0x00035fb7
0x00035fb7
0x00035fbc
0x00000000
0x00035fbe
0x00035fbe
0x00035fc5
0x00035fce
0x00035fdb
0x00035fdb
0x00035fa9
0x00035fab
0x00035fb0
0x00035fb5
0x00035fdc
0x00035fe1
0x00035fe9
0x00035fec
0x00035fef
0x00035ff6
0x00035ff8
0x00036002
0x00036004
0x00036048
0x0003604a
0x0003604b
0x0003604c
0x0003604d
0x0003604e
0x0003604f
0x00036053
0x00036061
0x00036067
0x00036077
0x00000000
0x00000000
0x00000000
0x00035fb5

APIs

GetModuleHandleW.KERNEL32(WININET.DLL,960AF5FB), ref: 00035EDD
FormatMessageW.KERNELBASE(00001B00,?,?,00000800,?,00000000,00000000), ref: 00035F54
LocalFree.KERNEL32(?), ref: 00035F9A
_wcsnlen.LIBCMT ref: 00035FAB

Strings

WININET.DLL, xrefs: 00035ED1

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: FormatFreeHandleLocalMessageModule_wcsnlen
String ID: WININET.DLL
API String ID: 3920911148-3938801697
Opcode ID: 605dc6a872391cd67e717544201186e9259ebe0c13ae95bbcc16726be08668d9
Instruction ID: 038b4f4c1ba9ca1215930e06431eb31ba24fe7d51c899290f5dbcfa9099f1ed6
Opcode Fuzzy Hash: 605dc6a872391cd67e717544201186e9259ebe0c13ae95bbcc16726be08668d9
Instruction Fuzzy Hash: 8131CB70604605EFEB15EF68DC06BAEB7F8EB48712F20452DF945DB2A1DB34A9408B94

Uniqueness

Uniqueness Score: -1.00%

Function 00134859 Relevance: 7.6, APIs: 5, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00134859(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t27;
				signed int _t34;
				signed int _t36;
				signed char _t42;
				intOrPtr* _t46;
				void* _t49;
				signed int _t56;
				void* _t57;

				_t55 = __esi;
				_t49 = __edx;
				_push(0xc);
				_push(0x196b40);
				E00131BC0(__ebx, __edi, __esi);
				 *(_t57 - 0x1c) = 0;
				_t42 = 0;
				if(( *(_t57 + 0xc) & 0x00000008) != 0) {
					_t42 = 0x20;
				}
				if(( *(_t57 + 0xc) & 0x00004000) != 0) {
					_t42 = _t42 | 0x00000080;
				}
				if(( *(_t57 + 0xc) & 0x00000080) != 0) {
					_t42 = _t42 | 0x00000010;
				}
				_t27 = GetFileType( *(_t57 + 8)); // executed
				if(_t27 != 0) {
					__eflags = _t27 - 2;
					if(__eflags != 0) {
						__eflags = _t27 - 3;
						if(__eflags == 0) {
							_t42 = _t42 | 0x00000008;
							__eflags = _t42;
						}
					} else {
						_t42 = _t42 | 0x00000040;
					}
					_t56 = E001346C0(_t42, _t49, 0, _t55, __eflags);
					 *(_t57 + 0xc) = _t56;
					__eflags = _t56 - 0xffffffff;
					if(__eflags != 0) {
						 *((intOrPtr*)(_t57 - 4)) = 0;
						E0013448A(_t42, _t56,  *(_t57 + 8));
						_t46 = 0x1a92c0 + (_t56 >> 5) * 4;
						_t34 = (_t56 & 0x0000001f) << 6;
						 *( *_t46 + _t34 + 4) = _t42 | 0x00000001;
						 *( *_t46 + _t34 + 0x24) =  *( *_t46 + _t34 + 0x24) & 0x00000080;
						 *( *_t46 + _t34 + 0x24) =  *( *_t46 + _t34 + 0x24) & 0x0000007f;
						 *(_t57 - 0x1c) = 1;
						 *((intOrPtr*)(_t57 - 4)) = 0xfffffffe;
						_t36 = E00134947(0, _t56);
						__eflags =  *(_t57 - 0x1c);
						if( *(_t57 - 0x1c) == 0) {
							goto L8;
						}
						_t37 = _t56;
						goto L9;
					} else {
						 *((intOrPtr*)(E00131F1F(__eflags))) = 0x18;
						_t36 = E00131F32(__eflags);
						 *_t36 = 0;
						goto L8;
					}
				} else {
					_t36 = E00131F45(GetLastError());
					L8:
					_t37 = _t36 | 0xffffffff;
					L9:
					return E00131C05(_t37);
				}
			}

0x00134859
0x00134859
0x00134859
0x0013485b
0x00134860
0x00134867
0x0013486a
0x00134870
0x00134872
0x00134872
0x0013487c
0x0013487e
0x0013487e
0x00134885
0x00134887
0x00134887
0x0013488d
0x00134895
0x001348ad
0x001348b0
0x001348b7
0x001348ba
0x001348bc
0x001348bc
0x001348bc
0x001348b2
0x001348b2
0x001348b2
0x001348c4
0x001348c6
0x001348c9
0x001348cc
0x001348e2
0x001348e9
0x001348f8
0x00134904
0x00134909
0x00134913
0x0013491c
0x0013491f
0x00134926
0x0013492d
0x00134932
0x00134935
0x00000000
0x00000000
0x0013493b
0x00000000
0x001348ce
0x001348d3
0x001348d9
0x001348de
0x00000000
0x001348de
0x00134897
0x0013489e
0x001348a4
0x001348a4
0x001348a7
0x001348ac
0x001348ac

APIs

GetFileType.KERNELBASE(00000000), ref: 0013488D
GetLastError.KERNEL32(?,0003AF92,?,00004000), ref: 00134897
__dosmaperr.LIBCMT ref: 0013489E
__alloc_osfhnd.LIBCMT ref: 001348BF
__set_osfhnd.LIBCMT ref: 001348E9

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
String ID:
API String ID: 43408053-0
Opcode ID: 5fb2d29d12eed7ec2631a866707f0fcfb62cbd294bc9497d1c28c6940becd357
Instruction ID: c4ed42eb90eb20fadebba06ce6266bc69f4fe80b0326769ee0d69ff7e114e0df
Opcode Fuzzy Hash: 5fb2d29d12eed7ec2631a866707f0fcfb62cbd294bc9497d1c28c6940becd357
Instruction Fuzzy Hash: 7821F631941285AFEF119FB4D8027D97FA0AF56324F288784E5648F1E3CB75A981DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0003B1C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0003B1C0() {
				void* _v8;
				int _v12;
				char _v16;
				int _v20;
				long _t13;
				long _t15;

				_v8 = 0;
				_v20 = 4;
				_v12 = 0;
				_v16 = 0;
				_t13 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v3.5", 0, 0x20019,  &_v8); // executed
				if(_t13 == 0) {
					_v12 = 4;
					_t15 = RegQueryValueExW(_v8, 0x181790, 0,  &_v20,  &_v16,  &_v12); // executed
					if(_t15 != 0) {
						goto L1;
					} else {
						RegCloseKey(_v8); // executed
						return 1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x0003b1db
0x0003b1e2
0x0003b1e9
0x0003b1f0
0x0003b1f7
0x0003b1ff
0x0003b21e
0x0003b225
0x0003b22d
0x00000000
0x0003b22f
0x0003b233
0x0003b23e
0x0003b23e
0x0003b201
0x0003b201
0x0003b206
0x0003b206

APIs

RegOpenKeyExW.KERNEL32 ref: 0003B1F7
RegQueryValueExW.KERNEL32(00000000,00181790,00000000,00000004,00000000,00000000), ref: 0003B225
RegCloseKey.KERNEL32(00000000), ref: 0003B233

Strings

SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5, xrefs: 0003B1D1

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5
API String ID: 3677997916-3540158507
Opcode ID: dc2c9c1233312b7c9a65810cd7567d89b550fde7b40913531959c83dbd467dff
Instruction ID: 2353b644717e8900f717d7608ad2c172c430706d2e00234465006ef4a7cae4e0
Opcode Fuzzy Hash: dc2c9c1233312b7c9a65810cd7567d89b550fde7b40913531959c83dbd467dff
Instruction Fuzzy Hash: 3E01FBB5A04208FBEB10DFD0EC4ABAEB7BCEB45709F104188FA18AA180D7B566049B54

Uniqueness

Uniqueness Score: -1.00%

Function 0004CADE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0004CADE(void* __ecx, char _a4, char _a5, signed int _a8, signed int _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t37;
				signed int _t38;
				signed int _t41;
				void* _t42;
				signed int _t52;
				void* _t55;
				void* _t62;
				signed int _t64;
				void* _t66;
				void* _t67;

				_t66 = __ecx;
				if(_a4 != 0) {
					 *(__ecx + 0x14) =  *(__ecx + 0x14) & 0x00000000;
					_t52 = _a8;
					_t64 = _a12;
					_t37 = E0004AA93(__ecx, __eflags, _a4, _t52 & 0xffffbfff, _t64); // executed
					__eflags = _t37;
					if(_t37 == 0) {
						L21:
						_t38 = 0;
						L23:
						return _t38;
					}
					__eflags = _t52 & 0x00001000;
					if((_t52 & 0x00001000) == 0) {
						__eflags = _t52 & 0x00000001;
						if((_t52 & 0x00000001) != 0) {
							L5:
							_a4 = 0x61;
							L6:
							__eflags = _t52 & 0x00000001;
							if((_t52 & 0x00000001) != 0) {
								L8:
								_t55 = 0x4000;
								__eflags = _t52 & 0x00008000;
								if(__eflags == 0) {
									 *((char*)(_t67 + 9)) = 0x74;
									_t41 = 2;
									__eflags = 2;
								} else {
									 *((char*)(_t67 + 9)) = 0x62;
									_t41 = 2;
									_t55 = 0;
								}
								_push(_t55);
								_push( *((intOrPtr*)(_t66 + 4)));
								 *((char*)(_t67 + _t41 + 8)) = 0;
								_t42 = E00134859(_t52, _t62, _t64, _t66, __eflags); // executed
								__eflags = _t42 - 0xffffffff;
								if(__eflags != 0) {
									_push( &_a4);
									_push(_t42);
									 *(_t66 + 0x14) = E00134995(_t52, _t64, _t66, __eflags);
								}
								__eflags =  *(_t66 + 0x14);
								if( *(_t66 + 0x14) != 0) {
									_t38 = 1;
									__eflags = 1;
									goto L23;
								} else {
									__eflags = _t64;
									if(__eflags != 0) {
										 *((intOrPtr*)(_t64 + 0xc)) =  *((intOrPtr*)(E00131F32(__eflags)));
										 *((intOrPtr*)(_t64 + 8)) = E00067313( *((intOrPtr*)(E00131F32(__eflags))));
									}
									E0004A502(_t66);
									goto L21;
								}
							}
							L7:
							_push(2);
							_a5 = 0x2b;
							_pop(1);
							goto L8;
						}
						_a4 = 0x72;
						__eflags = _t52 & 0x00000002;
						if((_t52 & 0x00000002) != 0) {
							goto L7;
						}
						goto L8;
					}
					__eflags = _t52 & 0x00002000;
					if((_t52 & 0x00002000) == 0) {
						_a4 = 0x77;
						goto L6;
					}
					goto L5;
				}
				return 0;
			}

0x0004cae8
0x0004caea
0x0004caf3
0x0004caf8
0x0004cafc
0x0004cb0b
0x0004cb10
0x0004cb12
0x0004cbbc
0x0004cbbc
0x0004cbc3
0x00000000
0x0004cbc4
0x0004cb1b
0x0004cb21
0x0004cb58
0x0004cb5b
0x0004cb2b
0x0004cb2b
0x0004cb2f
0x0004cb2f
0x0004cb32
0x0004cb3b
0x0004cb3b
0x0004cb40
0x0004cb46
0x0004cb68
0x0004cb6d
0x0004cb6d
0x0004cb48
0x0004cb48
0x0004cb4d
0x0004cb4e
0x0004cb4e
0x0004cb6e
0x0004cb6f
0x0004cb72
0x0004cb77
0x0004cb7e
0x0004cb81
0x0004cb86
0x0004cb87
0x0004cb8f
0x0004cb8f
0x0004cb92
0x0004cb96
0x0004cbc2
0x0004cbc2
0x00000000
0x0004cb98
0x0004cb98
0x0004cb9a
0x0004cba3
0x0004cbb2
0x0004cbb2
0x0004cbb7
0x00000000
0x0004cbb7
0x0004cb96
0x0004cb34
0x0004cb34
0x0004cb36
0x0004cb3a
0x00000000
0x0004cb3a
0x0004cb5d
0x0004cb61
0x0004cb64
0x00000000
0x00000000
0x00000000
0x0004cb66
0x0004cb23
0x0004cb29
0x0004cb52
0x00000000
0x0004cb52
0x00000000
0x0004cb29
0x00000000

APIs

__fdopen.LIBCMT ref: 0004CB88

Strings

t, xrefs: 0004CB68
+, xrefs: 0004CB36

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: __fdopen
String ID: +$t
API String ID: 194168367-1842947216
Opcode ID: 5e31c0d55c5204d745f323724012d1d1f6548057f18d4a2a8f074207e1eb0124
Instruction ID: b12845404efdac6cd37dad1cf45e06c26f1457d9e20b3a6ef5e34b426bee7dcf
Opcode Fuzzy Hash: 5e31c0d55c5204d745f323724012d1d1f6548057f18d4a2a8f074207e1eb0124
Instruction Fuzzy Hash: 232137B110A740ADF7A09E28D48BFAA7BD8DF10314F24843DE95AC61D2DB74D84587E9

Uniqueness

Uniqueness Score: -1.00%

Function 0004EF88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0004EF88(intOrPtr __ebx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				short _v532;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t12;
				signed int _t17;
				intOrPtr _t20;
				void* _t24;
				intOrPtr _t25;
				void* _t26;
				intOrPtr _t30;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t38;
				signed int _t40;
				void* _t41;

				_t30 = __edx;
				_t25 = __ebx;
				_t38 = _t40;
				_t41 = _t40 - 0x210;
				_t12 =  *0x1a0454; // 0x960af5fb
				_v8 = _t12 ^ _t38;
				_t32 = _a4;
				if(GetSystemDirectoryW( &_v532, 0x105) != 0) {
					_t17 = E0013161A( &_v532);
					__eflags =  *((short*)(_t38 + _t17 * 2 - 0x212)) - 0x5c;
					_pop(_t26);
					if( *((short*)(_t38 + _t17 * 2 - 0x212)) == 0x5c) {
						L5:
						__eflags = E001342DE( &_v532, 0x105, _t32);
						if(__eflags != 0) {
							goto L2;
						} else {
							_push( &_v532); // executed
							_t20 = E0003E893(_t26, 0x105, __eflags); // executed
						}
					} else {
						_t24 = E001342DE( &_v532, 0x105, 0x1818bc);
						_t41 = _t41 + 0xc;
						__eflags = _t24;
						if(_t24 != 0) {
							goto L2;
						} else {
							goto L5;
						}
					}
				} else {
					L2:
					_t20 = 0;
				}
				_pop(_t33);
				_pop(_t36);
				return E00130836(_t20, _t25, _v8 ^ _t38, _t30, _t33, _t36);
			}

0x0004ef88
0x0004ef88
0x0004ef8b
0x0004ef8d
0x0004ef93
0x0004ef9a
0x0004ef9f
0x0004efb7
0x0004efc4
0x0004efc9
0x0004efd2
0x0004efd3
0x0004efee
0x0004efff
0x0004f001
0x00000000
0x0004f003
0x0004f009
0x0004f00a
0x0004f00f
0x0004efd5
0x0004efe2
0x0004efe7
0x0004efea
0x0004efec
0x00000000
0x00000000
0x00000000
0x00000000
0x0004efec
0x0004efb9
0x0004efb9
0x0004efb9
0x0004efb9
0x0004f013
0x0004f016
0x0004f01d

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 0004EFAF
_wcslen.LIBCMT ref: 0004EFC4

Strings

\, xrefs: 0004EFC9

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: DirectorySystem_wcslen
String ID: \
API String ID: 2940219301-2967466578
Opcode ID: 9cdd6aa7f8eaaf4b73ea580163e2e64a4bfa15576544c728bb43c132ecc31f1b
Instruction ID: 324d01bd211214d9d573e13ae398e1640bac11c39d422ce009a0e473b8d85f97
Opcode Fuzzy Hash: 9cdd6aa7f8eaaf4b73ea580163e2e64a4bfa15576544c728bb43c132ecc31f1b
Instruction Fuzzy Hash: EF017971D0021CA6DB20DBA5EC49EEB77FCBF65310F0408B9F815D3141E770EA888A94

Uniqueness

Uniqueness Score: -1.00%

Function 0004BC2B Relevance: 4.6, APIs: 3, Instructions: 70
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0004BC2B(intOrPtr __ecx) {
				void* _v8;
				char _v12;
				int _v16;
				intOrPtr _v20;
				int _v24;
				long _t29;
				short* _t30;
				long _t31;
				intOrPtr _t32;
				short** _t34;
				signed int _t39;
				short** _t43;
				short* _t45;

				 *((intOrPtr*)(__ecx + 0xa8)) = 0;
				_v20 = __ecx;
				_v8 = 0;
				_v12 = 0;
				_v24 = 4;
				_v16 = 0;
				_t34 = 0x19ccb0;
				_t45 =  *0x19ccb0; // 0x15b230
				if(_t45 == 0) {
					L14:
					return 1;
				}
				do {
					_t29 = RegOpenKeyExW(0x80000001,  *_t34, 0, 1,  &_v8); // executed
					if(_t29 != 0) {
						goto L12;
					}
					_t8 =  &(_t34[1]); // 0x19ccd0
					_t43 =  *_t8;
					while(1) {
						_t30 =  *_t43;
						if(_t30 == 0) {
							break;
						}
						_t31 = RegQueryValueExW(_v8, _t30, 0,  &_v16,  &_v12,  &_v24); // executed
						if(_t31 == 0 && _v16 == 4) {
							_t14 =  &(_t43[1]); // 0x1
							_t39 =  *_t14;
							_t32 = _v20;
							if(_v12 == 0) {
								 *(_t32 + 0xa8) =  *(_t32 + 0xa8) &  !_t39;
							} else {
								 *(_t32 + 0xa8) =  *(_t32 + 0xa8) | _t39;
							}
						}
						_v12 = 0;
						_v24 = 4;
						_v16 = 0;
						_t43 =  &(_t43[2]);
					}
					RegCloseKey(_v8); // executed
					_v8 = 0;
					L12:
					_t34 =  &(_t34[2]);
				} while ( *_t34 != 0);
				goto L14;
			}

0x0004bc37
0x0004bc3d
0x0004bc40
0x0004bc43
0x0004bc46
0x0004bc4d
0x0004bc50
0x0004bc55
0x0004bc5b
0x0004bce9
0x0004bcef
0x0004bcef
0x0004bc62
0x0004bc70
0x0004bc78
0x00000000
0x00000000
0x0004bc7a
0x0004bc7a
0x0004bccb
0x0004bccb
0x0004bccf
0x00000000
0x00000000
0x0004bc90
0x0004bc98
0x0004bca0
0x0004bca0
0x0004bca3
0x0004bca9
0x0004bcb5
0x0004bcab
0x0004bcab
0x0004bcab
0x0004bca9
0x0004bcbb
0x0004bcbe
0x0004bcc5
0x0004bcc8
0x0004bcc8
0x0004bcd4
0x0004bcda
0x0004bcdd
0x0004bcdd
0x0004bce0
0x00000000

APIs

RegOpenKeyExW.KERNEL32 ref: 0004BC70
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?,00000004), ref: 0004BC90
RegCloseKey.KERNEL32(?), ref: 0004BCD4

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 8736aa37f59366874ab0b0ace563cacc967e9fcf970c54f77057b98ae5757be0
Instruction ID: b201d38cf04a711ac0821d1390cd0987ab54cbb236541534130d0cbf0cbf2902
Opcode Fuzzy Hash: 8736aa37f59366874ab0b0ace563cacc967e9fcf970c54f77057b98ae5757be0
Instruction Fuzzy Hash: 632138B1D04208EFDF21CF85D9C5AAEBBF8EF91311F2080AAE456A6250DB719A40DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0004A073 Relevance: 4.5, APIs: 3, Instructions: 41
threadCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0004A073(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t22;
				intOrPtr* _t24;
				intOrPtr _t32;
				void* _t35;
				void* _t39;
				void* _t40;

				_t40 = __eflags;
				_t35 = __edx;
				_push(4);
				E00131A19(0x14a0a2, __ebx, __edi, __esi);
				_t32 = E0003C37C(_t40, 0x44);
				 *((intOrPtr*)(_t39 - 0x10)) = _t32;
				_t38 = 0;
				 *(_t39 - 4) = 0;
				_t41 = _t32;
				if(_t32 != 0) {
					_push( *((intOrPtr*)(_t39 + 0xc)));
					_push( *((intOrPtr*)(_t39 + 8)));
					_t38 = E00049A2A(__ebx, _t32, __edi, 0, _t41);
				}
				 *(_t39 - 4) =  *(_t39 - 4) | 0xffffffff;
				_t22 = E00049F68(_t38, _t35,  *(_t39 + 0x18) | 0x00000004,  *((intOrPtr*)(_t39 + 0x14)),  *((intOrPtr*)(_t39 + 0x1c))); // executed
				if(_t22 != 0) {
					SetThreadPriority( *(_t38 + 0x2c),  *(_t39 + 0x10)); // executed
					__eflags =  *(_t39 + 0x18) & 0x00000004;
					if(( *(_t39 + 0x18) & 0x00000004) == 0) {
						ResumeThread( *(_t38 + 0x2c));
					}
					_t24 = _t38;
				} else {
					 *((intOrPtr*)( *_t38 + 0x78))();
					_t24 = 0;
				}
				return E00131AF1(_t24);
			}

0x0004a073
0x0004a073
0x0004a073
0x0004a07a
0x0004a087
0x0004a089
0x0004a08c
0x0004a08e
0x0004a091
0x0004a093
0x0004a095
0x0004a098
0x0004a0a0
0x0004a0a0
0x0004a0ab
0x0004a0b5
0x0004a0bc
0x0004a0cf
0x0004a0d5
0x0004a0d9
0x0004a0de
0x0004a0de
0x0004a0e4
0x0004a0be
0x0004a0c2
0x0004a0c5
0x0004a0c5
0x0004a0eb

APIs

__EH_prolog3.LIBCMT ref: 0004A07A

Part of subcall function 0003C37C: _malloc.LIBCMT ref: 0003C39A

Part of subcall function 00049A2A: __EH_prolog3.LIBCMT ref: 00049A31

SetThreadPriority.KERNELBASE(?,?,?,?,?,00000004,00031F17,00032000,?,00000000,00000000,00000004,00000000,?,?,00000066), ref: 0004A0CF
ResumeThread.KERNEL32(?,?,00000000,00000000,00000004,00000000,?,?,00000066,?,?), ref: 0004A0DE

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: H_prolog3Thread$PriorityResume_malloc
String ID:
API String ID: 3956167790-0
Opcode ID: 92f9b4ab56eafd61532b17fa73e4846e5060d3f23bfb1ddee89aeeebb062a30c
Instruction ID: 9b0ff80e8fde6cc69e1fdda3fb5530e37f9fd63a9ba021f58d6f1ba8543e8f0c
Opcode Fuzzy Hash: 92f9b4ab56eafd61532b17fa73e4846e5060d3f23bfb1ddee89aeeebb062a30c
Instruction Fuzzy Hash: 2A01A2B1700205EFDF11AF64DC01AAE7AE1AF18710F108538F942E72B1C7318D22DB85

Uniqueness

Uniqueness Score: -1.00%

Function 00049B57 Relevance: 4.5, APIs: 3, Instructions: 37
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00049B57(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				int _t8;
				void* _t13;
				void* _t17;
				MSG* _t19;
				void* _t22;

				_t17 = __edx;
				_t5 = E0004B65B(_t13, __ecx, __edi, __esi, __eflags);
				_t15 =  *((intOrPtr*)(_t5 + 4));
				_t25 =  *((intOrPtr*)(_t5 + 4));
				if( *((intOrPtr*)(_t5 + 4)) != 0) {
					goto ( *((intOrPtr*)( *__ecx + 0x5c)));
				}
				_push(__esi);
				_push(__edi);
				_t22 = E0004B059(_t13, __edi, __esi, _t25);
				_t2 = _t22 + 0x30; // 0x30
				_t19 = _t2;
				_t8 = GetMessageW(_t19, 0, 0, 0);
				if(_t8 != 0) {
					_t27 =  *((intOrPtr*)(_t22 + 0x34)) - 0x36a;
					if( *((intOrPtr*)(_t22 + 0x34)) != 0x36a) {
						_push(_t19);
						if(E0004992F(_t13, _t15, _t17, _t19, _t22, _t27) == 0) {
							TranslateMessage(_t19);
							DispatchMessageW(_t19); // executed
						}
					}
					_t8 = 1;
				}
				return _t8;
			}

0x00049b57
0x00049b57
0x00049b5c
0x00049b5f
0x00049b61
0x00049b65
0x00049b65
0x00049b13
0x00049b14
0x00049b1a
0x00049b21
0x00049b21
0x00049b25
0x00049b2d
0x00049b2f
0x00049b36
0x00049b38
0x00049b41
0x00049b44
0x00049b4b
0x00049b4b
0x00049b41
0x00049b53
0x00049b53
0x00049b56

APIs

GetMessageW.USER32 ref: 00049B25
TranslateMessage.USER32(00000030), ref: 00049B44
DispatchMessageW.USER32(00000030), ref: 00049B4B

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Message$DispatchTranslate
String ID:
API String ID: 1706434739-0
Opcode ID: 763c487b544f0ff8976ccd6455765331aa0aa5d3b908265a326711fa58ecc198
Instruction ID: ff48862e25a401f7cdc65d411168f54b4e30865688c3097e3683d1a44562bc51
Opcode Fuzzy Hash: 763c487b544f0ff8976ccd6455765331aa0aa5d3b908265a326711fa58ecc198
Instruction Fuzzy Hash: E2F0E2B2300600FB97606B24BE8AC7F37EDEF81726306107CF002DA441DB24DC428AA5

Uniqueness

Uniqueness Score: -1.00%

Function 00133C6F Relevance: 4.5, APIs: 3, Instructions: 11
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00133C6F(long _a4) {
				void* _t4;

				if(E00137E8F(_t4) != 0) {
					E00138051(_t2); // executed
				}
				ExitThread(_a4);
			}

0x00133c7b
0x00133c7e
0x00133c83
0x00133c87

APIs

__getptd_noexit.LIBCMT ref: 00133C74

Part of subcall function 00137E8F: GetLastError.KERNEL32(00000001,00000000,00131F24,0013109C,00000000,?,0013A71D,?,00000001,?,?,0013EDB7,00000018,00197030,0000000C,0013EE47), ref: 00137E93
Part of subcall function 00137E8F: ___set_flsgetvalue.LIBCMT ref: 00137EA1
Part of subcall function 00137E8F: __calloc_crt.LIBCMT ref: 00137EB5
Part of subcall function 00137E8F: DecodePointer.KERNEL32(00000000,?,0013A71D,?,00000001,?,?,0013EDB7,00000018,00197030,0000000C,0013EE47,?,?,?,00137FB3), ref: 00137ECF
Part of subcall function 00137E8F: __initptd.LIBCMT ref: 00137EDE
Part of subcall function 00137E8F: GetCurrentThreadId.KERNEL32(?,0013A71D,?,00000001,?,?,0013EDB7,00000018,00197030,0000000C,0013EE47,?,?,?,00137FB3,0000000D), ref: 00137EE5
Part of subcall function 00137E8F: SetLastError.KERNEL32(00000000,?,0013A71D,?,00000001,?,?,0013EDB7,00000018,00197030,0000000C,0013EE47,?,?,?,00137FB3), ref: 00137EFD

__freeptd.LIBCMT ref: 00133C7E

Part of subcall function 00138051: TlsGetValue.KERNEL32 ref: 00138072
Part of subcall function 00138051: TlsGetValue.KERNEL32 ref: 00138084
Part of subcall function 00138051: RtlDecodePointer.NTDLL(00000000,?,00133C83,00000000,?,00133CAF,00000000), ref: 0013809A
Part of subcall function 00138051: __freefls@4.LIBCMT ref: 001380A5
Part of subcall function 00138051: TlsSetValue.KERNEL32(0000001F,00000000,?,00133C83,00000000,?,00133CAF,00000000), ref: 001380B7

ExitThread.KERNEL32 ref: 00133C87

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit__initptd
String ID:
API String ID: 779801232-0
Opcode ID: 14102e8bdf394330516b169b9bd7d92b474ab1fc8cbc6dc5c79ea89cf22fa830
Instruction ID: 4ae31c486173c689240a06fe4b6b65f0846c8642ee201abdf9ff5b291ae053cb
Opcode Fuzzy Hash: 14102e8bdf394330516b169b9bd7d92b474ab1fc8cbc6dc5c79ea89cf22fa830
Instruction Fuzzy Hash: 14C08C20008308AACB203B21DC0E81A3E1C8A40390F080420780C890A1EF20DDC18060

Uniqueness

Uniqueness Score: -1.00%

Function 00048B7D Relevance: 3.1, APIs: 2, Instructions: 136
stringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00048B7D(intOrPtr __ebx, signed int __edx, WCHAR* _a4, signed int* _a8, intOrPtr* _a12) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v24;
				char _v32;
				char _v40;
				signed int _v44;
				intOrPtr* _v48;
				char _v52;
				void* __edi;
				void* __esi;
				signed int _t52;
				intOrPtr _t56;
				signed int _t58;
				int _t60;
				signed int* _t84;
				signed int* _t87;
				signed int* _t90;
				signed int* _t93;
				WCHAR* _t108;
				signed int* _t109;
				signed int _t110;

				_t107 = __edx;
				_t92 = __ebx;
				_t52 =  *0x1a0454; // 0x960af5fb
				_v8 = _t52 ^ _t110;
				_t109 = _a8;
				_t108 = _a4;
				_v48 = _a12;
				if(_t108 != 0) {
					if(lstrlenW(_t108) >= 0x104) {
						goto L1;
					} else {
						_push(__ebx);
						_t93 =  &(_t109[8]);
						_t58 = E0004A9BB(_t93, _t108); // executed
						if(_t58 != 0) {
							_t97 = _v48;
							_push( &_v44);
							_push(0);
							_push(_t108);
							if(_v48 == 0) {
								_t60 = GetFileAttributesExW();
							} else {
								_t60 = E00048918(_t97);
							}
							if(_t60 != 0) {
								_t109[8] = _v44 & 0x0000007f;
								_t107 = 0;
								_t109[6] = E00133BE0(_v16, 0x20, 0);
								_t109[6] = _t109[6] | _v12;
								_t109[7] = 0;
								if(E00048968( &_v40) == 0) {
									 *_t109 = 0;
									_t109[1] = 0;
								} else {
									_t90 = E00048AB1(0,  &_v52, _t108,  &_v40, 0xffffffff); // executed
									 *_t109 =  *_t90;
									_t109[1] = _t90[1];
								}
								if(E00048968( &_v32) == 0) {
									_t109[4] = 0;
									_t109[5] = 0;
								} else {
									_t87 = E00048AB1(0,  &_v52, _t108,  &_v32, 0xffffffff);
									_t109[4] =  *_t87;
									_t109[5] = _t87[1];
								}
								if(E00048968( &_v24) == 0) {
									_t109[2] = 0;
									_t109[3] = 0;
								} else {
									_t84 = E00048AB1(0,  &_v52, _t108,  &_v24, 0xffffffff);
									_t109[2] =  *_t84;
									_t109[3] = _t84[1];
								}
								if(( *_t109 | _t109[1]) == 0) {
									 *_t109 = _t109[2];
									_t109[1] = _t109[3];
								}
								if((_t109[4] | _t109[5]) == 0) {
									_t109[4] = _t109[2];
									_t109[5] = _t109[3];
								}
								_t56 = 1;
							} else {
								goto L9;
							}
						} else {
							 *_t93 = _t58;
							L9:
							_t56 = 0;
						}
						_pop(_t92);
					}
				} else {
					L1:
					_t56 = 0;
				}
				return E00130836(_t56, _t92, _v8 ^ _t110, _t107, _t108, _t109);
			}

0x00048b7d
0x00048b7d
0x00048b85
0x00048b8c
0x00048b93
0x00048b97
0x00048b9a
0x00048b9f
0x00048bb4
0x00000000
0x00048bb6
0x00048bb6
0x00048bb8
0x00048bbc
0x00048bc3
0x00048bca
0x00048bd2
0x00048bd3
0x00048bd4
0x00048bd7
0x00048be0
0x00048bd9
0x00048bd9
0x00048bd9
0x00048be8
0x00048bf6
0x00048bfc
0x00048c05
0x00048c0b
0x00048c11
0x00048c1f
0x00048c3b
0x00048c3d
0x00048c21
0x00048c2a
0x00048c31
0x00048c36
0x00048c36
0x00048c4b
0x00048c6c
0x00048c6f
0x00048c4d
0x00048c56
0x00048c5d
0x00048c63
0x00048c63
0x00048c7d
0x00048c9e
0x00048ca1
0x00048c7f
0x00048c88
0x00048c8f
0x00048c95
0x00048c95
0x00048ca9
0x00048cae
0x00048cb3
0x00048cb3
0x00048cbc
0x00048cc1
0x00048cc7
0x00048cc7
0x00048ccc
0x00000000
0x00000000
0x00000000
0x00048bc5
0x00048bc5
0x00048bea
0x00048bea
0x00048bea
0x00048ccd
0x00048ccd
0x00048ba1
0x00048ba1
0x00048ba1
0x00048ba1
0x00048cdb

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,960AF5FB), ref: 00048BA9

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 3b5f8115562f154ca635df1a0bb1b10e41380c988bde3f379581dab66a8061e3
Instruction ID: a676075fa3463d1d97501eb7d59ff9dadaa8d2712ab646ae1e19ecc99ca4723a
Opcode Fuzzy Hash: 3b5f8115562f154ca635df1a0bb1b10e41380c988bde3f379581dab66a8061e3
Instruction Fuzzy Hash: BE5103B19047059FCB24DF69C9818AEB7F8EF183107108D2EE4A6E7651EB30E904CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00034140 Relevance: 3.1, APIs: 2, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 000341BA

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: _memmove_s
String ID:
API String ID: 800865076-0
Opcode ID: 57ac8d7570ef90a08de0bdbc226ed930f8988691f9c772728623dcae53b81b27
Instruction ID: def71622735afedae6f08eefcfa845f2624d2cd09a194830a62abfedcf16d7bc
Opcode Fuzzy Hash: 57ac8d7570ef90a08de0bdbc226ed930f8988691f9c772728623dcae53b81b27
Instruction Fuzzy Hash: 13219036600904AFDB12DF68C899CAEF3EDEFA5310F108699F8149F312DA31BD518B94

Uniqueness

Uniqueness Score: -1.00%

Function 00034A30 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00034A30(void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __esi;
				signed int _t21;
				WCHAR* _t24;
				intOrPtr _t25;
				long _t34;
				intOrPtr _t36;
				signed int _t47;
				intOrPtr _t50;
				signed int _t52;
				void* _t53;
				void* _t63;

				_t63 = __fp0;
				_push(0xffffffff);
				_push(0x1544b0);
				_push( *[fs:0x0]);
				_t21 =  *0x1a0454; // 0x960af5fb
				_push(_t21 ^ _t52);
				 *[fs:0x0] =  &_v16;
				_v20 = _t53 - 0x10;
				_t50 = _a4;
				_t24 =  *(_t50 + 0xc);
				_t38 =  *(_t24 - 0xc);
				_v24 = 0;
				_t47 = 0 |  *(_t24 - 0xc) != 0x00000000;
				if(_t47 != 0) {
					_t34 = GetFileAttributesW(_t24); // executed
					_t10 = _t34 != 0xffffffff;
					_t38 = 0 | _t10;
					_v24 = _t10;
				}
				_t25 = E000352F0(_t38, _t63, _t50); // executed
				_t36 = _t25;
				_v28 = _t36;
				E000349A0(_t50);
				if(_t47 != 0) {
					_v8 = 0;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x8c)) + 0x50))))();
					if(_t36 == 0 && _v24 == _t36 && GetFileAttributesW( *(_t50 + 0xc)) != 0) {
						E00034A20(_t50);
					}
				}
				 *[fs:0x0] = _v16;
				return _t36;
			}

0x00034a30
0x00034a33
0x00034a35
0x00034a40
0x00034a47
0x00034a4e
0x00034a52
0x00034a58
0x00034a5b
0x00034a5e
0x00034a61
0x00034a6b
0x00034a72
0x00034a76
0x00034a79
0x00034a84
0x00034a84
0x00034a87
0x00034a87
0x00034a8b
0x00034a90
0x00034a92
0x00034a95
0x00034a9c
0x00034a9e
0x00034ab4
0x00034ace
0x00034ae5
0x00034ae5
0x00034ace
0x00034aef
0x00034afd

APIs

GetFileAttributesW.KERNELBASE(?,960AF5FB), ref: 00034A79
GetFileAttributesW.KERNEL32(?), ref: 00034AD9

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9dc5617779f3f8f4e153d8f45de2ea8adf35fd1f277361c3504b49ca53dca730
Instruction ID: 52a0cb5d83748fb0c173ca17077e0213df137a9d844a89ec270356c6cc886881
Opcode Fuzzy Hash: 9dc5617779f3f8f4e153d8f45de2ea8adf35fd1f277361c3504b49ca53dca730
Instruction Fuzzy Hash: 8121A275A00A059FC715DF68D891BAFF7FCEF44710F10852AE826DB681DB35B9408BA1

Uniqueness

Uniqueness Score: -1.00%

Function 000409C5 Relevance: 3.1, APIs: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E000409C5(intOrPtr __ebx, intOrPtr __edx, intOrPtr* _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				struct tagRECT _v24;
				void* __edi;
				void* __esi;
				signed int _t21;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr* _t40;
				signed int _t41;

				_t37 = __edx;
				_t29 = __ebx;
				_t21 =  *0x1a0454; // 0x960af5fb
				_t22 = _t21 ^ _t41;
				_v8 = _t21 ^ _t41;
				_t40 = _a4;
				if((_a12 & 0x10000000) == 0 && (E0004342B(_t40) & 0x50000000) == 0) {
					_push(_t38);
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetWindowRect( *(_t40 + 0x20),  &_v24);
					_t22 = _a8;
					_t33 =  *_t22;
					if( *_t22 == _v24.left && _t22 == _v24.top && (E0003F82E(__ebx, _t33, _t37, GetWindow( *(_t40 + 0x20), 4)) == 0 || E000435A9(_t27) == 0) &&  *((intOrPtr*)( *_t40 + 0x148))() != 0) {
						_t22 = E0003F0CF(_t40, _t37, 0); // executed
					}
					_pop(_t38);
				}
				return E00130836(_t22, _t29, _v8 ^ _t41, _t37, _t38, _t40);
			}

0x000409c5
0x000409c5
0x000409cd
0x000409d2
0x000409d4
0x000409df
0x000409e2
0x000409f2
0x000409fc
0x000409ff
0x00040a02
0x00040a05
0x00040a08
0x00040a0e
0x00040a11
0x00040a16
0x00040a51
0x00040a51
0x00040a56
0x00040a56
0x00040a63

APIs

Part of subcall function 0004342B: GetWindowLongW.USER32(?,000000F0), ref: 00043436

GetWindowRect.USER32(?,00031AB5), ref: 00040A08
GetWindow.USER32(?,00000004), ref: 00040A25

Part of subcall function 000435A9: IsWindowEnabled.USER32(?), ref: 000435B2

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Window$EnabledLongRect
String ID:
API String ID: 3170195891-0
Opcode ID: b4eeec7bc8c58894d9d7c7634085cce79cc5f260b2f9d4eda7aefa1498fff7cc
Instruction ID: 1b505449ffbf7e3eb612b4345da4fc13fb1f938aa51b0a4c429411fee485b5b1
Opcode Fuzzy Hash: b4eeec7bc8c58894d9d7c7634085cce79cc5f260b2f9d4eda7aefa1498fff7cc
Instruction Fuzzy Hash: 11118FB0A00209EBCB22EF69C945AAFB7F9BF98300F140069E505A7251DB74EE10CA59

Uniqueness

Uniqueness Score: -1.00%

Function 00033F50 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00033F50(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t22;
				intOrPtr _t26;
				intOrPtr* _t27;
				intOrPtr* _t28;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				void* _t40;

				_t28 = __ecx;
				_t38 = _a12;
				_t37 = _t38 + _a20;
				if(_t37 < 0) {
					L1:
					_push(0x80070057);
					E00031330(_t26, _t28, _t37, _t38);
				}
				_t27 = _a4;
				if((0x00000001 -  *((intOrPtr*)( *_t27 - 4)) |  *((intOrPtr*)( *_t27 - 8)) - _t37) < 0) {
					E00031290(_t27, _t37); // executed
				}
				_t26 =  *_t27;
				_t39 = _t38 + _t38;
				E00130B32(_t26, _t39, _a8, _t39);
				_t38 = _t39 + _t26;
				E00130B32(_t38, _a20 + _a20, _a16, _a20 + _a20);
				_t28 = _a4;
				_t22 =  *_t28;
				_t40 = _t40 + 0x20;
				if(_t37 >  *((intOrPtr*)(_t22 - 8))) {
					goto L1;
				}
				 *(_t22 - 0xc) = _t37;
				 *((short*)( *_t28 + _t37 * 2)) = 0;
				return 0;
			}

0x00033f50
0x00033f58
0x00033f5c
0x00033f61
0x00033f63
0x00033f63
0x00033f68
0x00033f68
0x00033f6d
0x00033f81
0x00033f86
0x00033f86
0x00033f8e
0x00033f90
0x00033f96
0x00033fa6
0x00033fa9
0x00033fae
0x00033fb1
0x00033fb3
0x00033fb9
0x00000000
0x00000000
0x00033fbb
0x00033fc2
0x00033fca

APIs

_memcpy_s.LIBCMT ref: 00033F96
_memcpy_s.LIBCMT ref: 00033FA9

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: 37b95a03f149fd1146df6a20643b4bd9df9151ec542bfe999d99809280abbc12
Instruction ID: fe00e5267e35be535b1d23d6ac7459475ca71c166ff3ecbd8fb53d40db99311c
Opcode Fuzzy Hash: 37b95a03f149fd1146df6a20643b4bd9df9151ec542bfe999d99809280abbc12
Instruction Fuzzy Hash: CE018736600214AFDB11CF28CC85CABB7ADEF88360B004169FC099B316C631AD51CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00048AB1 Relevance: 3.0, APIs: 2, Instructions: 43
timeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00048AB1(intOrPtr __ebx, signed int* __ecx, intOrPtr __edi, FILETIME* _a4, intOrPtr _a8) {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				signed int _v28;
				signed int _v32;
				struct _FILETIME _v40;
				void* __esi;
				signed int _t15;
				intOrPtr _t29;
				intOrPtr _t35;
				intOrPtr _t36;
				signed int* _t37;
				signed int _t38;

				_t36 = __edi;
				_t29 = __ebx;
				_t15 =  *0x1a0454; // 0x960af5fb
				_v8 = _t15 ^ _t38;
				_t37 = __ecx;
				_t31 =  &_v40;
				if(FileTimeToLocalFileTime(_a4,  &_v40) == 0) {
					L1:
					 *_t37 =  *_t37 & 0x00000000;
					_t37[1] = _t37[1] & 0x00000000;
					_push(0x80070057);
					E00031330(_t29, _t31, _t36, _t37);
				}
				if(FileTimeToSystemTime( &_v40,  &_v24) == 0) {
					goto L1;
				}
				E00048A57( &_v32,  &_v24, _a8); // executed
				 *_t37 = _v32;
				_t37[1] = _v28;
				return E00130836(_t37, _t29, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x00048ab1
0x00048ab1
0x00048ab9
0x00048ac0
0x00048ac7
0x00048ac9
0x00048ad6
0x00048ad8
0x00048ad8
0x00048adb
0x00048adf
0x00048ae4
0x00048ae4
0x00048af9
0x00000000
0x00000000
0x00048b05
0x00048b10
0x00048b15
0x00048b23

APIs

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,00048C8D,?,000000FF,?,?,?), ref: 00048ACE
FileTimeToSystemTime.KERNEL32(?,000000FF,?,?,00048C8D,?,000000FF,?,?,?), ref: 00048AF1

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID:
API String ID: 1748579591-0
Opcode ID: ce6881a46218ee8a1e097909c5de500b7e99bb5913fe7e8b1b5d705328a9da0f
Instruction ID: d88da304a70400f93c984a28a9f42f6ff3d5cd86615db1b6090ef43a9c3efc68
Opcode Fuzzy Hash: ce6881a46218ee8a1e097909c5de500b7e99bb5913fe7e8b1b5d705328a9da0f
Instruction Fuzzy Hash: EA015AB1A00209EBCB10DFA4D945AEFB7F8AB18315F10882AE445E7640EB74EA54CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0004035B Relevance: 3.0, APIs: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0004035B(intOrPtr __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, void* __eflags) {
				signed int _v8;
				struct _OSVERSIONINFOW _v284;
				void* __esi;
				void* __ebp;
				signed int _t13;
				intOrPtr _t25;
				void* _t27;
				intOrPtr _t31;
				void* _t33;
				void* _t34;
				intOrPtr _t35;
				signed int _t39;
				void* _t40;

				_t32 = __edi;
				_t31 = __edx;
				_t27 = __ecx;
				_t26 = __ebx;
				_t37 = _t39;
				_t40 = _t39 - 0x118;
				_t13 =  *0x1a0454; // 0x960af5fb
				_v8 = _t13 ^ _t39;
				_push(_t33);
				_t34 = E0004B628(__ebx, __edi, _t33, __eflags);
				if(_t34 == 0) {
					L2:
					E000455E0(_t27);
				}
				if( *((intOrPtr*)(_t34 + 0x88)) == 0) {
					E00131B30( &_v284, 0, 0x114);
					_t40 = _t40 + 0xc;
					_v284.dwOSVersionInfoSize = 0x114;
					if(GetVersionExW( &_v284) == 0) {
						goto L2;
					} else {
						_t46 = _v284.dwMajorVersion - 6;
						if(_v284.dwMajorVersion >= 6) {
							_t25 = E0003F6A6(_t26,  *((intOrPtr*)( *((intOrPtr*)(E0004B628(_t26, _t32, _t34, _t46) + 0x78)) + 8)), _t32, _t34, _t46); // executed
							 *((intOrPtr*)(_t34 + 0x84)) = _t25;
						}
						 *((intOrPtr*)(_t34 + 0x88)) = 1;
					}
				}
				_pop(_t35);
				return E00130836( *((intOrPtr*)(_t34 + 0x84)), _t26, _v8 ^ _t37, _t31, _t32, _t35);
			}

0x0004035b
0x0004035b
0x0004035b
0x0004035b
0x0004035e
0x00040360
0x00040366
0x0004036d
0x00040370
0x00040376
0x0004037a
0x0004037c
0x0004037c
0x0004037c
0x00040388
0x00040398
0x0004039d
0x000403a7
0x000403b9
0x00000000
0x000403bb
0x000403bb
0x000403c2
0x000403cf
0x000403d4
0x000403d4
0x000403da
0x000403da
0x000403b9
0x000403ef
0x000403f6

APIs

_memset.LIBCMT ref: 00040398
GetVersionExW.KERNEL32(?), ref: 000403B1

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Exception@8ThrowVersion_memset
String ID:
API String ID: 2306329403-0
Opcode ID: db155e229cd13b9d801b51c89b31e20a9f6834f13145b02d58691a92cd0e48cd
Instruction ID: 2996bf016ce8a1b312edc05139925b7f512e7951e759e3e66bcc1dda17a0c48c
Opcode Fuzzy Hash: db155e229cd13b9d801b51c89b31e20a9f6834f13145b02d58691a92cd0e48cd
Instruction Fuzzy Hash: 4B01B1B09006088FDB64EF74DC46BD977E8AF44705F4080A8E648E7292DF74AE88CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00067909 Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00067909(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t14;
				intOrPtr _t17;
				void* _t18;
				void* _t29;
				intOrPtr _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t30 = __edi;
				_t29 = __edx;
				_t23 = __ebx;
				_t11 = SetErrorMode(0); // executed
				SetErrorMode(_t11 | 0x00008001); // executed
				_t14 = E0004B628(__ebx, __edi, SetErrorMode, _t35);
				_t33 = _a4;
				 *((intOrPtr*)(_t14 + 8)) = _t33;
				 *((intOrPtr*)(_t14 + 0xc)) = _t33;
				E0004ADC0(_t14); // executed
				_t17 =  *((intOrPtr*)(E0004B628(__ebx, __edi, _t33, _t35) + 4));
				_t36 = _t17;
				if(_t17 != 0) {
					 *((intOrPtr*)(_t17 + 0x48)) = _a12;
					 *((intOrPtr*)(_t17 + 0x4c)) = _a16;
					 *((intOrPtr*)(_t17 + 0x44)) = _t33;
					E0006772D(_t17, _t29, _t36);
				}
				_t18 = E0004B628(_t23, _t30, _t33, _t36);
				_t37 =  *((char*)(_t18 + 0x14));
				_pop(_t34);
				if( *((char*)(_t18 + 0x14)) == 0) {
					E00049D08(_t34, _t37);
				}
				return 1;
			}

0x00067909
0x00067909
0x00067909
0x00067909
0x00067917
0x0006791f
0x00067921
0x00067926
0x0006792b
0x0006792e
0x00067931
0x0006793b
0x0006793e
0x00067940
0x00067945
0x0006794b
0x00067950
0x00067953
0x00067953
0x00067958
0x0006795d
0x00067961
0x00067962
0x00067964
0x00067964
0x0006796d

APIs

SetErrorMode.KERNELBASE(00000000), ref: 00067917
SetErrorMode.KERNELBASE(00000000), ref: 0006791F

Part of subcall function 0004ADC0: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0004ADF3
Part of subcall function 0004ADC0: SetLastError.KERNEL32(0000006F), ref: 0004AE0A

Part of subcall function 0006772D: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 0006776A
Part of subcall function 0006772D: PathFindExtensionW.SHLWAPI(?), ref: 00067784
Part of subcall function 0006772D: __wcsdup.LIBCMT ref: 000677CE
Part of subcall function 0006772D: __wcsdup.LIBCMT ref: 0006780C
Part of subcall function 0006772D: __wcsdup.LIBCMT ref: 00067840

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Error__wcsdup$FileModeModuleName$ExtensionFindLastPath
String ID:
API String ID: 972848482-0
Opcode ID: 13f0b0b0c6af6d15f660abe8c541b00b89691ed938c9202ee9d53f7ef4ca3ee0
Instruction ID: c380cf299e694fb84d802087099ae8c07139c0867fcf889ab3da43277f5cfc3e
Opcode Fuzzy Hash: 13f0b0b0c6af6d15f660abe8c541b00b89691ed938c9202ee9d53f7ef4ca3ee0
Instruction Fuzzy Hash: C6F06DB1E142144FEB55FF64D805AAD3BD9AF45320F0644AAF84C9B393DB34D900CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0003F6A6 Relevance: 3.0, APIs: 2, Instructions: 35
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0003F6A6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t15;
				intOrPtr* _t18;
				intOrPtr _t19;
				intOrPtr _t21;
				void* _t31;
				void* _t32;
				void* _t33;

				_t33 = __eflags;
				E00131BC0(__ebx, __edi, __esi);
				_t31 = __ecx;
				 *((intOrPtr*)(_t32 - 0x20)) = 0;
				_t15 = E0004B628(__ebx, 0, __ecx, _t33);
				__imp__ActivateActCtx( *((intOrPtr*)(_t15 + 0x80)), _t32 - 0x20, 0x18a848, 0x14);
				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
				if(_t15 != 0) {
					 *((intOrPtr*)(_t32 - 4)) = 0;
					E0003F677(_t31, _t32 - 0x24);
					_t18 =  *((intOrPtr*)(_t31 + 0x10));
					__eflags = _t18;
					_t27 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						_t18 = E000455E0(_t27); // executed
					}
					_t19 =  *_t18(); // executed
					 *((intOrPtr*)(_t32 - 0x1c)) = _t19;
					 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
					E0003F714();
					_t21 =  *((intOrPtr*)(_t32 - 0x1c));
				} else {
					_t21 = 0;
				}
				return E00131C05(_t21);
			}

0x0003f6a6
0x0003f6ad
0x0003f6b2
0x0003f6b6
0x0003f6bd
0x0003f6c8
0x0003f6ce
0x0003f6d3
0x0003f6d9
0x0003f6e2
0x0003f6e7
0x0003f6ec
0x0003f6ee
0x0003f6f3
0x0003f6f5
0x0003f6f5
0x0003f6fa
0x0003f6fc
0x0003f6ff
0x0003f706
0x0003f70b
0x0003f6d5
0x0003f6d5
0x0003f6d5
0x0003f713

APIs

ActivateActCtx.KERNEL32(?,?), ref: 0003F6C8
InitNetworkAddressControl.SHELL32(?), ref: 0003F6FA

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ActivateAddressControlInitNetwork
String ID:
API String ID: 3189851245-0
Opcode ID: 08baed73182b0ad53498ef3776f2d83697e40d1c083d2c921e0876cebb425a96
Instruction ID: 27f87df365553b52e05f419903195791723c27dea00affab7f8729f504d495bd
Opcode Fuzzy Hash: 08baed73182b0ad53498ef3776f2d83697e40d1c083d2c921e0876cebb425a96
Instruction Fuzzy Hash: 55F062B1D002069FCF51EFB49C429FDB2F9BF88301F104569E012E7162DB348A019B20

Uniqueness

Uniqueness Score: -1.00%

Function 00134B78 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00134B78(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t20;
				signed int _t22;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t34;

				_push(0xc);
				_push(0x196b80);
				E00131BC0(__ebx, __edi, __esi);
				 *(_t32 - 0x1c) =  *(_t32 - 0x1c) | 0xffffffff;
				_t31 =  *((intOrPtr*)(_t32 + 8));
				_t34 = _t31;
				_t35 = _t34 != 0;
				if(_t34 != 0) {
					__eflags =  *(_t31 + 0xc) & 0x00000040;
					if(( *(_t31 + 0xc) & 0x00000040) == 0) {
						E0013F4E8(_t31);
						 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
						_t20 = E00134B0B(__ebx, _t31); // executed
						 *(_t32 - 0x1c) = _t20;
						 *(_t32 - 4) = 0xfffffffe;
						E00134BE4(_t31);
					} else {
						_t9 = _t31 + 0xc;
						 *_t9 =  *(_t31 + 0xc) & 0x00000000;
						__eflags =  *_t9;
					}
					_t22 =  *(_t32 - 0x1c);
				} else {
					 *((intOrPtr*)(E00131F1F(_t35))) = 0x16;
					_t22 = E00139345() | 0xffffffff;
				}
				return E00131C05(_t22);
			}

0x00134b78
0x00134b7a
0x00134b7f
0x00134b84
0x00134b8a
0x00134b8d
0x00134b92
0x00134b94
0x00134bab
0x00134baf
0x00134bbf
0x00134bc5
0x00134bca
0x00134bd0
0x00134bd3
0x00134bda
0x00134bb1
0x00134bb1
0x00134bb1
0x00134bb1
0x00134bb1
0x00134bb5
0x00134b96
0x00134b9b
0x00134ba6
0x00134ba6
0x00134bbd

APIs

Part of subcall function 00131F1F: __getptd_noexit.LIBCMT ref: 00131F1F

__lock_file.LIBCMT ref: 00134BBF

Part of subcall function 0013F4E8: __lock.LIBCMT ref: 0013F50D

__fclose_nolock.LIBCMT ref: 00134BCA

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 502fa6475039158bdeac9c98c8f2a547d54474de5918311d22af81261a79de26
Instruction ID: 4c2e5f982dbe119e16f914098ee1fdef0628a153393c27a7aea7550a4f85491d
Opcode Fuzzy Hash: 502fa6475039158bdeac9c98c8f2a547d54474de5918311d22af81261a79de26
Instruction Fuzzy Hash: 78F0E930D057059BDB24BB74880279EBBE06F11335F218348E435AB0D6CB7CE9019F55

Uniqueness

Uniqueness Score: -1.00%

Function 00041E0F Relevance: 3.0, APIs: 2, Instructions: 32
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00041E0F(void* __ebx, void* __eflags, intOrPtr _a4) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HHOOK__* _t6;
				void* _t10;
				intOrPtr _t11;
				void* _t12;
				struct HHOOK__* _t13;

				_push(0x3e58b);
				_t6 = E00051BD8(__ebx, 0x1a3910, _t10, _t12, __eflags);
				_t13 = _t6;
				if(_t13 == 0) {
					_t6 = E000455E0(0x1a3910);
				}
				_t11 = _a4;
				if( *((intOrPtr*)(_t13 + 0x14)) == _t11) {
					return _t6;
				} else {
					if( *(_t13 + 0x28) == 0) {
						_t6 = SetWindowsHookExW(5, 0x41bfe, 0, GetCurrentThreadId()); // executed
						 *(_t13 + 0x28) = _t6;
						if(_t6 == 0) {
							_t6 = E000455A8(0x1a3910);
						}
					}
					 *((intOrPtr*)(_t13 + 0x14)) = _t11;
					return _t6;
				}
			}

0x00041e16
0x00041e20
0x00041e25
0x00041e29
0x00041e2b
0x00041e2b
0x00041e30
0x00041e36
0x00041e66
0x00041e38
0x00041e3c
0x00041e4e
0x00041e54
0x00041e59
0x00041e5b
0x00041e5b
0x00041e59
0x00041e60
0x00000000
0x00041e60

APIs

Part of subcall function 00051BD8: __EH_prolog3.LIBCMT ref: 00051BDF

GetCurrentThreadId.KERNEL32(0003E58B,?,?,?,00044584), ref: 00041E3E
SetWindowsHookExW.USER32(00000005,00041BFE,00000000,00000000), ref: 00041E4E

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CurrentException@8H_prolog3HookThreadThrowWindows
String ID:
API String ID: 1226552664-0
Opcode ID: e6584ad91c5b6efccdf9ba7414f3a22a69dbeb7a3ec5af5eb8de3c03a054faba
Instruction ID: 09f0ef3ad4b3710b29aad07f6f919d44f7f5c780f2bc549a8ba071862f543d79
Opcode Fuzzy Hash: e6584ad91c5b6efccdf9ba7414f3a22a69dbeb7a3ec5af5eb8de3c03a054faba
Instruction Fuzzy Hash: 44F027B5600F04A7D3311B53AC06BA776D9DBD07A2F800139FE059A581DB30EC8087A9

Uniqueness

Uniqueness Score: -1.00%

Function 0003D4D4 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0003D4D4(intOrPtr* __ecx, int _a4, int _a8, long _a12) {
				_Unknown_base(*)()* _t11;
				long _t12;
				intOrPtr* _t17;

				_t17 = __ecx;
				_t11 =  *(__ecx + 0x5c);
				if(_t11 != 0) {
					L3:
					_t12 = CallWindowProcW(_t11,  *(_t17 + 0x20), _a4, _a8, _a12); // executed
					return _t12;
				}
				_t11 =  *( *((intOrPtr*)( *__ecx + 0xfc))());
				if(_t11 != 0) {
					goto L3;
				}
				return DefWindowProcW( *(__ecx + 0x20), _a4, _a8, _a12);
			}

0x0003d4da
0x0003d4dc
0x0003d4e1
0x0003d505
0x0003d512
0x00000000
0x0003d512
0x0003d4eb
0x0003d4ef
0x00000000
0x00000000
0x00000000

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0003D4FD
CallWindowProcW.USER32(?,?,?,?,?), ref: 0003D512

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: acda163b965197bd68f7d8e8cd08e8fa1907d4d693aa6ce355dfe67176c3e4bc
Instruction ID: 3de436f1d142bc0bc6666f4c354eccc6b1448d98d2d171b85907e24c4db83dbe
Opcode Fuzzy Hash: acda163b965197bd68f7d8e8cd08e8fa1907d4d693aa6ce355dfe67176c3e4bc
Instruction Fuzzy Hash: CFF01C36100609FFCF225FA5EC08D9A7FF9FF08355B054469F94986520E732D920EB90

Uniqueness

Uniqueness Score: -1.00%

Function 000434B7 Relevance: 3.0, APIs: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E000434B7(void* __ecx, WCHAR* _a4) {
				void* __ebp;
				int _t8;
				int _t10;
				void* _t14;

				_t12 = __ecx;
				_t14 = __ecx;
				if(__ecx == 0) {
					L1:
					E000455E0(_t12);
				}
				_t8 = IsWindow( *(_t14 + 0x20));
				if(_t8 == 0) {
					if( *((intOrPtr*)(_t14 + 0x6c)) == _t8) {
						goto L1;
					} else {
						L4:
						_pop(_t14);
						goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t14 + 0x6c)))) + 0x88)));
					}
				}
				if( *((intOrPtr*)(_t14 + 0x6c)) != 0) {
					goto L4;
				}
				_t10 = SetWindowTextW( *(_t14 + 0x20), _a4); // executed
				return _t10;
			}

0x000434b7
0x000434bd
0x000434c1
0x000434c3
0x000434c3
0x000434c3
0x000434cb
0x000434d3
0x000434d8
0x00000000
0x000434da
0x000434da
0x000434df
0x000434e1
0x000434e1
0x000434d8
0x000434eb
0x00000000
0x00000000
0x000434f3
0x000434fb

APIs

IsWindow.USER32(?), ref: 000434CB

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

SetWindowTextW.USER32 ref: 000434F3

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Window$Exception@8TextThrow
String ID:
API String ID: 735465941-0
Opcode ID: 8b8e48a1ea0738f918a7da465da8343c7ac88476e5e98ca459e7e4078329f197
Instruction ID: a2c43cfe31b3bae465b6d22ef5fb10d6d9b6db106bf09008cf8a2185e02f43de
Opcode Fuzzy Hash: 8b8e48a1ea0738f918a7da465da8343c7ac88476e5e98ca459e7e4078329f197
Instruction Fuzzy Hash: 14F0E573500B00DFCB325B54E805AE2BBE5FF94362F00943AE48686920DB31BD40CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0003E804 Relevance: 3.0, APIs: 2, Instructions: 27
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0003E804(void* __ecx, void* __esi, void* __eflags) {
				void* _t15;
				int _t16;
				int _t18;
				void* _t20;
				void* _t22;
				void* _t25;
				void* _t26;

				_t26 = __eflags;
				E00131BC0(_t20, _t22, __esi);
				 *((intOrPtr*)(_t25 - 0x20)) = 0;
				_t15 = E0004B628(_t20, _t22, 0, _t26);
				__imp__ActivateActCtx( *((intOrPtr*)(_t15 + 0x80)), _t25 - 0x20, 0x18a708, 0x10);
				 *(_t25 - 0x1c) = 0;
				if(_t15 != 0) {
					 *((intOrPtr*)(_t25 - 4)) = 0;
					_t16 = MessageBoxW( *(_t25 + 8),  *(_t25 + 0xc),  *(_t25 + 0x10),  *(_t25 + 0x14)); // executed
					 *(_t25 - 0x1c) = _t16;
					 *((intOrPtr*)(_t25 - 4)) = 0xfffffffe;
					E0003E862();
					_t18 =  *(_t25 - 0x1c);
				} else {
					_t18 = 0;
				}
				return E00131C05(_t18);
			}

0x0003e804
0x0003e80b
0x0003e812
0x0003e819
0x0003e824
0x0003e82a
0x0003e82f
0x0003e835
0x0003e844
0x0003e84a
0x0003e84d
0x0003e854
0x0003e859
0x0003e831
0x0003e831
0x0003e831
0x0003e861

APIs

ActivateActCtx.KERNEL32(?,?), ref: 0003E824
MessageBoxW.USER32 ref: 0003E844

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ActivateMessage
String ID:
API String ID: 1648579694-0
Opcode ID: 08b6cbeb1a88e69ca65463888669471bf18c5de3a813d1024a3231ef02b56a5f
Instruction ID: ae7074e79128bc28bfc6009007452fd2bdea5bd5bd923334db0fdb17d781e3e8
Opcode Fuzzy Hash: 08b6cbeb1a88e69ca65463888669471bf18c5de3a813d1024a3231ef02b56a5f
Instruction Fuzzy Hash: 90F05875C00219EFCF12AFA0DC059DEBBB8FF08B11F008566F819A61A1CB358650EF94

Uniqueness

Uniqueness Score: -1.00%

Function 0003E893 Relevance: 3.0, APIs: 2, Instructions: 24
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E0003E893(void* __ecx, void* __esi, void* __eflags) {
				void* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t15;
				void* _t17;
				void* _t19;
				void* _t22;
				void* _t23;

				_t23 = __eflags;
				E00131BC0(_t17, _t19, __esi);
				 *((intOrPtr*)(_t22 - 0x20)) = 0;
				_t12 = E0004B628(_t17, _t19, 0, _t23);
				__imp__ActivateActCtx( *((intOrPtr*)(_t12 + 0x80)), _t22 - 0x20, 0x18a728, 0x10); // executed
				 *(_t22 - 0x1c) = 0;
				if(_t12 != 0) {
					 *((intOrPtr*)(_t22 - 4)) = 0;
					_t13 = LoadLibraryW( *(_t22 + 8)); // executed
					 *(_t22 - 0x1c) = _t13;
					 *((intOrPtr*)(_t22 - 4)) = 0xfffffffe;
					E0003E8E8();
					_t15 =  *(_t22 - 0x1c);
				} else {
					_t15 = 0;
				}
				return E00131C05(_t15);
			}

0x0003e893
0x0003e89a
0x0003e8a1
0x0003e8a8
0x0003e8b3
0x0003e8b9
0x0003e8be
0x0003e8c4
0x0003e8ca
0x0003e8d0
0x0003e8d3
0x0003e8da
0x0003e8df
0x0003e8c0
0x0003e8c0
0x0003e8c0
0x0003e8e7

APIs

ActivateActCtx.KERNEL32(?,00044351), ref: 0003E8B3
LoadLibraryW.KERNEL32(?,?,00075C4A,00000004,00054747,00000000,00000004,00097B6F,?,?,?), ref: 0003E8CA

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ActivateLibraryLoad
String ID:
API String ID: 389599620-0
Opcode ID: b5fa0173d293eb5056f3c97ac756b27b165301f3f5358e75850ae6b718313621
Instruction ID: f0d93ee5eb7c79fbc9953258275cf72e32eb8d2504dda3501c4c2f84767379df
Opcode Fuzzy Hash: b5fa0173d293eb5056f3c97ac756b27b165301f3f5358e75850ae6b718313621
Instruction Fuzzy Hash: 7BF01C70C00218EFCF51AFA0DC455DDBAB8FF48751F104566F815A62A1CB348641EF94

Uniqueness

Uniqueness Score: -1.00%

Function 000496EE Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 93%

			E000496EE(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t12;
				void* _t13;
				intOrPtr _t22;
				void* _t23;

				_t20 = __edi;
				_t18 = __ecx;
				_t17 = __ebx;
				_push(4);
				E00131A19(0x148841, __ebx, __edi, __esi);
				_t22 = __ecx;
				 *((intOrPtr*)(_t23 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x15ae4c;
				_t12 =  *(__ecx + 0x2c);
				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
				_t25 = _t12;
				if(_t12 != 0) {
					CloseHandle(_t12); // executed
				}
				_t13 = E0004B65B(_t17, _t18, _t20, _t22, _t25);
				if( *(_t13 + 4) == _t22) {
					 *(_t13 + 4) =  *(_t13 + 4) & 0x00000000;
				}
				 *(_t23 - 4) =  *(_t23 - 4) | 0xffffffff;
				return E00131AF1(E00043B12(_t22));
			}

0x000496ee
0x000496ee
0x000496ee
0x000496ee
0x000496f5
0x000496fa
0x000496fc
0x000496ff
0x00049705
0x00049708
0x0004970c
0x0004970e
0x00049711
0x00049711
0x00049717
0x0004971f
0x00049721
0x00049721
0x00049725
0x00049735

APIs

__EH_prolog3.LIBCMT ref: 000496F5
CloseHandle.KERNELBASE(?), ref: 00049711

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CloseH_prolog3Handle
String ID:
API String ID: 2454561918-0
Opcode ID: d4ef616b3e3e83d90b8a3b1de14caded63a3e48bdf52afcd7287869d8d1d9751
Instruction ID: 53065d62fe06f7e81fdf314065e5fbe42c9c42c2d826d7f2242080e9c3829c4f
Opcode Fuzzy Hash: d4ef616b3e3e83d90b8a3b1de14caded63a3e48bdf52afcd7287869d8d1d9751
Instruction Fuzzy Hash: E7E092B0511310DBDF21AF64CA0A36D76E8AF00752F048279F154AB1D2DB748D00CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00133C8E Relevance: 3.0, APIs: 2, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00133C8E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t20;
				void* _t21;

				_t21 = __eflags;
				_t12 = __ebx;
				E00131BC0(__ebx, __edi, __esi);
				_t8 = E00137F08(__ebx, __edx, _t21);
				_t1 = _t20 - 4;
				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
				E00133C6F( *((intOrPtr*)(_t8 + 0x54))( *((intOrPtr*)(_t8 + 0x58)), 0x196ab8, 0xc));
				_t10 =  *((intOrPtr*)(_t20 - 0x14));
				_t14 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14))))));
				 *((intOrPtr*)(_t20 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14))))));
				return E001375C2(_t12,  *_t1, _t14, _t10);
			}

0x00133c8e
0x00133c8e
0x00133c95
0x00133c9a
0x00133c9f
0x00133c9f
0x00133caa
0x00133caf
0x00133cb4
0x00133cb6
0x00133cc2

APIs

__getptd.LIBCMT ref: 00133C9A

Part of subcall function 00137F08: __getptd_noexit.LIBCMT ref: 00137F0B
Part of subcall function 00137F08: __amsg_exit.LIBCMT ref: 00137F18

Part of subcall function 00133C6F: __getptd_noexit.LIBCMT ref: 00133C74
Part of subcall function 00133C6F: __freeptd.LIBCMT ref: 00133C7E
Part of subcall function 00133C6F: ExitThread.KERNEL32 ref: 00133C87

__XcptFilter.LIBCMT ref: 00133CBB

Part of subcall function 001375C2: __getptd_noexit.LIBCMT ref: 001375C8

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: 1447ea8c730a5e053ad81e0c0f59d59aede44d23f06c99544753527b59a7a253
Instruction ID: 68e8c7183f59452edd02bd461d77dd191338e57781fbd4fe2f375b42cc144ed7
Opcode Fuzzy Hash: 1447ea8c730a5e053ad81e0c0f59d59aede44d23f06c99544753527b59a7a253
Instruction Fuzzy Hash: 0DE0ECB5904600AFDB18BBA4C846E6D7779AF54711F204149F1026B2E2CB75AA40AB20

Uniqueness

Uniqueness Score: -1.00%

Function 0013EB6C Relevance: 3.0, APIs: 2, Instructions: 18
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E0013EB6C(void* __edx, void* __esi, void* __eflags) {
				void* _t3;
				void* _t7;
				void* _t10;
				void* _t13;
				intOrPtr _t15;
				intOrPtr _t16;

				_push(8);
				_push(0x196ff0);
				_t3 = E00131BC0(_t7, _t10, __esi);
				_t15 =  *0x1a7f44; // 0x1
				if(_t15 == 0) {
					E0013EE2C(_t7, _t10, 6);
					 *((intOrPtr*)(_t13 - 4)) = 0;
					_t16 =  *0x1a7f44; // 0x1
					if(_t16 == 0) {
						E0013E48B(_t7, __edx, _t10, 0, _t16); // executed
						 *0x1a7f44 =  *0x1a7f44 + 1;
					}
					 *((intOrPtr*)(_t13 - 4)) = 0xfffffffe;
					_t3 = E0013EBB2();
				}
				return E00131C05(_t3);
			}

0x0013eb6c
0x0013eb6e
0x0013eb73
0x0013eb7a
0x0013eb80
0x0013eb84
0x0013eb8a
0x0013eb8d
0x0013eb93
0x0013eb95
0x0013eb9a
0x0013eb9a
0x0013eba0
0x0013eba7
0x0013eba7
0x0013ebb1

APIs

__lock.LIBCMT ref: 0013EB84

Part of subcall function 0013EE2C: __mtinitlocknum.LIBCMT ref: 0013EE42
Part of subcall function 0013EE2C: __amsg_exit.LIBCMT ref: 0013EE4E
Part of subcall function 0013EE2C: EnterCriticalSection.KERNEL32(?,?,?,00137FB3,0000000D,00196D70,00000008,00133D2E,?,00000000), ref: 0013EE56

__tzset_nolock.LIBCMT ref: 0013EB95

Part of subcall function 0013E48B: __lock.LIBCMT ref: 0013E4AD
Part of subcall function 0013E48B: ____lc_codepage_func.LIBCMT ref: 0013E4F4
Part of subcall function 0013E48B: __getenv_helper_nolock.LIBCMT ref: 0013E516
Part of subcall function 0013E48B: _free.LIBCMT ref: 0013E54D
Part of subcall function 0013E48B: _strlen.LIBCMT ref: 0013E554
Part of subcall function 0013E48B: __malloc_crt.LIBCMT ref: 0013E55B
Part of subcall function 0013E48B: _strlen.LIBCMT ref: 0013E571
Part of subcall function 0013E48B: _strcpy_s.LIBCMT ref: 0013E57F
Part of subcall function 0013E48B: __invoke_watson.LIBCMT ref: 0013E594
Part of subcall function 0013E48B: _free.LIBCMT ref: 0013E5A3

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: 1c099dcd1b0f7e6f99952048f8a91c345bea5197f4b6aa842b01b739e8429cbc
Instruction ID: 757b1c717250adc04f477f730895f3ade2b93e99d9f6d685d43704067bf8a9b2
Opcode Fuzzy Hash: 1c099dcd1b0f7e6f99952048f8a91c345bea5197f4b6aa842b01b739e8429cbc
Instruction Fuzzy Hash: 33E01275485720EFDE32BFA09D1262DF5E0AB29B62F6011D5F066254D7CF700781CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00049D08 Relevance: 3.0, APIs: 2, Instructions: 15
threadCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00049D08(void* __esi, void* __eflags) {
				void* _t3;
				void* _t4;
				struct HHOOK__* _t6;
				void* _t7;
				void* _t8;

				_t3 = E0004B628(_t7, _t8, __esi, __eflags);
				_t13 =  *((char*)(_t3 + 0x14));
				if( *((char*)(_t3 + 0x14)) == 0) {
					_push(__esi);
					_t4 = E0004B059(_t7, _t8, __esi, _t13);
					_t6 = SetWindowsHookExW(0xffffffff, E00049B6D, 0, GetCurrentThreadId()); // executed
					 *(_t4 + 0x2c) = _t6;
					return _t6;
				}
				return _t3;
			}

0x00049d08
0x00049d0d
0x00049d11
0x00049d13
0x00049d14
0x00049d2b
0x00049d31
0x00000000
0x00049d34
0x00049d35

APIs

GetCurrentThreadId.KERNEL32(?,00067969), ref: 00049D1B
SetWindowsHookExW.USER32(000000FF,Function_00019B6D,00000000,00000000), ref: 00049D2B

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 2691b85624c6978bb0452983bc4ab8e4886f59400be5508d11e152cc54cb72a3
Instruction ID: e1dd3c2d368ed563890760467b9b674e6dd63ed1dd9ba570b6ee059b7e406927
Opcode Fuzzy Hash: 2691b85624c6978bb0452983bc4ab8e4886f59400be5508d11e152cc54cb72a3
Instruction Fuzzy Hash: 83D0A7B1C08310AEE7616BB07C0EF563AC49F05332F0103B1F524594D2C72488804F5E

Uniqueness

Uniqueness Score: -1.00%

Function 00133E26 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00133E26(int _a4) {

				E00133DFB(_a4);
				ExitProcess(_a4);
			}

0x00133e2e
0x00133e37

APIs

___crtCorExitProcess.LIBCMT ref: 00133E2E

Part of subcall function 00133DFB: GetModuleHandleW.KERNEL32(mscoree.dll,?,00133E33,?,?,00131042,000000FF,0000001E,00000001,00000000,00000000,?,0013A71D,?,00000001,?), ref: 00133E05
Part of subcall function 00133DFB: GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00133E33,?,?,00131042,000000FF,0000001E,00000001,00000000,00000000,?,0013A71D,?,00000001), ref: 00133E15

ExitProcess.KERNEL32 ref: 00133E37

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 923349d99d662b1ae2bde84704441794ee6a73730c94a94b7cc5066e74294106
Instruction ID: 292b7ccce28be9d3f2d7dc2da840a135fefb7f4d0cc7f000e736619d9cb059bd
Opcode Fuzzy Hash: 923349d99d662b1ae2bde84704441794ee6a73730c94a94b7cc5066e74294106
Instruction Fuzzy Hash: FFB09231004208BBCF012F6AEC0B8597F2AEB807A1F504024F85809072DF72AE939A84

Uniqueness

Uniqueness Score: -1.00%

Function 0004AA93 Relevance: 1.6, APIs: 1, Instructions: 146
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0004AA93(void* __ecx, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				char _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				char _v552;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t51;
				intOrPtr _t55;
				void* _t59;
				void* _t61;
				signed int _t66;
				signed int _t68;
				void* _t73;
				void* _t75;
				void* _t82;
				void* _t84;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t94;
				intOrPtr _t98;
				intOrPtr _t99;
				void* _t102;
				intOrPtr _t103;
				signed int _t107;

				_t105 = _t107;
				_t51 =  *0x1a0454; // 0x960af5fb
				_v8 = _t51 ^ _t107;
				_a8 = _a8 & 0xffff7fff;
				_push(_t84);
				_t102 = __ecx;
				 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
				 *(__ecx + 4) =  *(__ecx + 4) | 0xffffffff;
				_t98 = _a12;
				_v532 = _a4;
				_v540 = _t98;
				E000342D0(__ecx + 0xc);
				if(_v532 == 0) {
					L38:
					__eflags = _t98;
					if(_t98 != 0) {
						 *((intOrPtr*)(_t98 + 8)) = 3;
						E00036590(_t98, _v532);
					}
					goto L40;
				} else {
					_t96 = 0x104;
					_t59 = E0004A1DF(_v532, 0x104, 0);
					_t112 = _t59;
					if(_t59 < 0) {
						_t98 = _v540;
						goto L38;
					}
					_t61 = E0004A7E8(_t84, 0x104, 0, _t102, _t112,  &_v528, _v532, _v540); // executed
					if(_t61 == 0) {
						L40:
						_t55 = 0;
						L41:
						_pop(_t99);
						_pop(_t103);
						_pop(_t85);
						return E00130836(_t55, _t85, _v8 ^ _t105, _t96, _t99, _t103);
					}
					E00036590(0,  &_v528);
					_t94 = _a8;
					_t66 = _t94 & 0x00000003;
					_v536 = 0;
					if(_t66 == 0) {
						_v536 = 0x80000000;
					} else {
						_t82 = _t66 - 1;
						if(_t82 == 0) {
							_v536 = 0x40000000;
						} else {
							if(_t82 == 1) {
								_v536 = 0xc0000000;
							}
						}
					}
					_t68 = _t94 & 0x00000070;
					if(_t68 == 0 || _t68 == 0x10) {
						L19:
						_t86 = 0;
						__eflags = 0;
						goto L20;
					} else {
						if(_t68 == 0x20) {
							_t86 = 1;
							L20:
							_v552 = 0xc;
							_v548 = 0;
							_v544 =  !(_t94 >> 7) & 0x00000001;
							if((_t94 & 0x00001000) == 0) {
								_t73 = 3;
							} else {
								asm("sbb eax, eax");
								_t73 = ( ~(_t94 & 0x00002000) & 0x00000002) + 2;
							}
							_t96 = 0x80;
							if((_t94 & 0x00010000) != 0) {
								_t96 = 0x20000080;
							}
							if((_t94 & 0x00020000) != 0) {
								_t96 = _t96 | 0x80000000;
							}
							if((_t94 & 0x00040000) != 0) {
								_t96 = _t96 | 0x10000000;
							}
							if((_t94 & 0x00080000) != 0) {
								_t96 = _t96 | 0x08000000;
							}
							_t95 =  *((intOrPtr*)(_t102 + 0x10));
							_push(0);
							_push(_t96);
							_push(_t73);
							_push( &_v552);
							_push(_t86);
							_push(_v536);
							_push(_v532);
							if( *((intOrPtr*)(_t102 + 0x10)) == 0) {
								_t75 = CreateFileW(); // executed
							} else {
								_t75 = E000488A4(_t95);
							}
							if(_t75 != 0xffffffff) {
								 *(_t102 + 4) = _t75;
								_t55 = 1;
								 *((intOrPtr*)(_t102 + 8)) = 1;
								goto L41;
							} else {
								E0004A7B9(0, _v540, _v532);
								goto L40;
							}
						}
						if(_t68 == 0x30) {
							_push(2);
							L17:
							_pop(_t86);
							goto L20;
						}
						if(_t68 != 0x40) {
							goto L19;
						}
						_push(3);
						goto L17;
					}
				}
			}

0x0004aa96
0x0004aa9e
0x0004aaa5
0x0004aaab
0x0004aab2
0x0004aab4
0x0004aab6
0x0004aaba
0x0004aabf
0x0004aac5
0x0004aacb
0x0004aad1
0x0004aadd
0x0004ac5f
0x0004ac5f
0x0004ac61
0x0004ac6c
0x0004ac73
0x0004ac73
0x00000000
0x0004aae3
0x0004aaeb
0x0004aaf0
0x0004aaf5
0x0004aaf7
0x0004ac59
0x00000000
0x0004ac59
0x0004ab10
0x0004ab17
0x0004ac78
0x0004ac78
0x0004ac7a
0x0004ac7d
0x0004ac7e
0x0004ac81
0x0004ac88
0x0004ac88
0x0004ab27
0x0004ab2c
0x0004ab34
0x0004ab36
0x0004ab3c
0x0004ab5c
0x0004ab3e
0x0004ab3e
0x0004ab3f
0x0004ab50
0x0004ab41
0x0004ab42
0x0004ab44
0x0004ab44
0x0004ab42
0x0004ab3f
0x0004ab68
0x0004ab6b
0x0004ab8f
0x0004ab8f
0x0004ab8f
0x00000000
0x0004ab72
0x0004ab75
0x0004ab8c
0x0004ab91
0x0004ab9b
0x0004aba5
0x0004abab
0x0004abb7
0x0004abce
0x0004abb9
0x0004abc2
0x0004abc7
0x0004abc7
0x0004abcf
0x0004abda
0x0004abdc
0x0004abdc
0x0004abe7
0x0004abe9
0x0004abe9
0x0004abf5
0x0004abf7
0x0004abf7
0x0004ac03
0x0004ac05
0x0004ac05
0x0004ac0b
0x0004ac0e
0x0004ac0f
0x0004ac10
0x0004ac17
0x0004ac18
0x0004ac19
0x0004ac1f
0x0004ac27
0x0004ac30
0x0004ac29
0x0004ac29
0x0004ac29
0x0004ac39
0x0004ac4e
0x0004ac53
0x0004ac54
0x00000000
0x0004ac3b
0x0004ac47
0x00000000
0x0004ac47
0x0004ac39
0x0004ab7a
0x0004ab85
0x0004ab87
0x0004ab87
0x00000000
0x0004ab87
0x0004ab7f
0x00000000
0x00000000
0x0004ab81
0x00000000
0x0004ab81
0x0004ab6b

APIs

Part of subcall function 0004A7E8: __EH_prolog3_GS.LIBCMT ref: 0004A7F2
Part of subcall function 0004A7E8: GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,0004A9CD,00000000,?,00000000,?,00048BC1,?,?,00000000), ref: 0004A830

CreateFileW.KERNELBASE(00000000,80000000,00000000,0000000C,00000003,00000080,00000000), ref: 0004AC30

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CreateFileFullH_prolog3_NamePath
String ID:
API String ID: 2133410154-0
Opcode ID: 6caec26135a99dea97067f7d19f35b30dac3e8dcc0067097c1939c968656ef36
Instruction ID: 02330653c70ef34281cdbe2e92deeb47d8a73a887dea809152e41c883fba817b
Opcode Fuzzy Hash: 6caec26135a99dea97067f7d19f35b30dac3e8dcc0067097c1939c968656ef36
Instruction Fuzzy Hash: 355138B16802099BEBB4DF18CC89BEAB3F6EB12304F1045BDE515D2191D7789E80CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00040A66 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00040A66(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t46;
				intOrPtr _t62;
				signed int _t64;
				signed int _t68;
				intOrPtr _t71;
				intOrPtr _t76;
				intOrPtr* _t82;
				void* _t84;
				void* _t88;

				_t88 = __eflags;
				_push(0x44);
				E00131AB8(0x148814, __ebx, __edi, __esi);
				_push(0x3e58b);
				 *((intOrPtr*)(_t84 - 0x28)) =  *((intOrPtr*)(_t84 + 8));
				_t62 = E00051BD8(__ebx, 0x1a3910, __edi, __esi, _t88);
				_t71 = 0;
				 *((intOrPtr*)(_t84 - 0x2c)) = _t62;
				if((0 | _t62 != 0x00000000) == 0) {
					E000455E0(0x1a3910);
				}
				_t64 = 7;
				_t7 = _t62 + 0x58; // 0x58
				_t46 = memcpy(_t84 - 0x50, _t7, _t64 << 2);
				_t76 =  *((intOrPtr*)(_t84 + 0x10));
				_t82 =  *((intOrPtr*)(_t84 - 0x28));
				 *(_t62 + 0x60) = _t46;
				 *(_t62 + 0x58) =  *(_t84 + 0xc);
				 *((intOrPtr*)(_t62 + 0x5c)) = _t76;
				 *((intOrPtr*)(_t62 + 0x64)) =  *((intOrPtr*)(_t84 + 0x18));
				 *((intOrPtr*)(_t84 - 4)) = _t71;
				if(_t76 == 2 &&  *((intOrPtr*)(_t82 + 0x68)) != _t71) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x68)))) + 0x60))(_t71);
					_t71 = 0;
				}
				 *((intOrPtr*)(_t84 - 0x24)) = _t71;
				 *((intOrPtr*)(_t84 - 0x20)) = _t71;
				 *((intOrPtr*)(_t84 - 0x1c)) = _t71;
				 *((intOrPtr*)(_t84 - 0x18)) = _t71;
				 *((intOrPtr*)(_t84 - 0x28)) = _t71;
				if(_t76 == 0x110) {
					E0003E9EC(_t82, _t84 - 0x24, _t84 - 0x28);
				}
				 *((intOrPtr*)(_t84 - 0x34)) =  *((intOrPtr*)( *_t82 + 0x114))(_t76,  *((intOrPtr*)(_t84 + 0x14)),  *((intOrPtr*)(_t84 + 0x18)));
				if(_t76 == 0x110) {
					E000409C5(_t62, _t71, _t82, _t84 - 0x24,  *((intOrPtr*)(_t84 - 0x28))); // executed
				}
				_t36 = _t62 + 0x58; // 0x58
				_t68 = 7;
				_t83 = _t84 - 0x50;
				memcpy(_t36, _t84 - 0x50, _t68 << 2);
				return E00131B14(_t62, _t84 - 0x50 + _t68 + _t68, _t83);
			}

0x00040a66
0x00040a66
0x00040a6d
0x00040a75
0x00040a7f
0x00040a87
0x00040a8b
0x00040a92
0x00040a97
0x00040a99
0x00040a99
0x00040aa3
0x00040aa4
0x00040aaa
0x00040aac
0x00040ab2
0x00040ab5
0x00040abb
0x00040abe
0x00040ac1
0x00040ac4
0x00040aca
0x00040ad7
0x00040ada
0x00040ada
0x00040adc
0x00040adf
0x00040ae2
0x00040ae5
0x00040ae8
0x00040af1
0x00040afc
0x00040afc
0x00040b12
0x00040b1b
0x00040b25
0x00040b25
0x00040b5a
0x00040b5d
0x00040b5e
0x00040b61
0x00040b68

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00040A6D

Part of subcall function 00051BD8: __EH_prolog3.LIBCMT ref: 00051BDF

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Exception@8H_prolog3H_prolog3_catch_Throw
String ID:
API String ID: 2399685165-0
Opcode ID: 11e8580586f8b1274072ee870c27931d7b99eb2998a0baf5962c93c072dc1b55
Instruction ID: d842cf0a748cf8ea856e5ab4f51223a0ddd45ffdf0517c91c57a115269a0275b
Opcode Fuzzy Hash: 11e8580586f8b1274072ee870c27931d7b99eb2998a0baf5962c93c072dc1b55
Instruction Fuzzy Hash: 9731FAB1E006099FCF05DFA5C8819DEBBF6FF88310F11846AEA05BB251D770A941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 000311B0 Relevance: 1.6, APIs: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 54%

			E000311B0(signed int* __ecx, signed int _a4) {
				signed int* _v8;
				void* __edi;
				intOrPtr* _t17;
				void* _t18;
				void* _t22;
				void* _t25;
				intOrPtr _t26;
				intOrPtr* _t31;
				signed int _t32;
				void* _t43;
				void* _t44;
				void* _t46;
				signed int _t47;
				intOrPtr* _t48;

				_t47 =  *__ecx;
				_t26 =  *((intOrPtr*)(_t47 - 0xc));
				_t48 = _t47 - 0x10;
				_v8 = __ecx;
				_t17 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t48)) + 0x10))))(_t43, _t46, _t25, __ecx);
				_t31 = _t17; // executed
				_t18 =  *((intOrPtr*)( *((intOrPtr*)( *_t17))))(_a4, 2); // executed
				_t44 = _t18;
				_t52 = _t44;
				if(_t44 == 0) {
					E00031240(_t31, _t44, _t52);
				}
				_t19 = _a4;
				if(_t26 < _a4) {
					_t19 = _t26;
				}
				_t8 = _t48 + 0x10; // 0x0
				_t9 = _t44 + 0x10; // 0x10
				_t32 = _t9;
				_a4 = _t32;
				E00130B32(_t32, _t19 + _t19 + 2, _t8, _t19 + _t19 + 2);
				 *((intOrPtr*)(_t44 + 4)) = _t26;
				_t12 = _t48 + 0xc; // -4
				_t22 = _t12;
				asm("lock xadd [eax], ecx");
				if((_t32 | 0xffffffff) - 1 <= 0) {
					_t22 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t48)) + 4))))(_t48);
				}
				 *_v8 = _a4;
				return _t22;
			}

0x000311b6
0x000311b8
0x000311bb
0x000311be
0x000311c9
0x000311d5
0x000311d7
0x000311d9
0x000311db
0x000311dd
0x000311df
0x000311df
0x000311e4
0x000311e9
0x000311eb
0x000311eb
0x000311f2
0x000311f6
0x000311f6
0x000311fb
0x000311fe
0x00031206
0x00031209
0x00031209
0x0003120f
0x00031216
0x00031220
0x00031220
0x0003122a
0x00031230

APIs

_memcpy_s.LIBCMT ref: 000311FE

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: c19cdbb899385b3a08b2b0100a88ddeedf1a44e1d66fda4f2f5ae6d72dc4d584
Instruction ID: 104526f7da73a33de345a0ce87687b1da0d1bde56e465abb6bff2d1d466a1740
Opcode Fuzzy Hash: c19cdbb899385b3a08b2b0100a88ddeedf1a44e1d66fda4f2f5ae6d72dc4d584
Instruction Fuzzy Hash: 14113D76600605AFC719DF98C881CAAB3E9FF8D350715869DE9598B351EB31ED01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A381 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0013A381(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x1a7b24, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x1a7e5c;
					if( *0x1a7e5c == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E0013A6E4(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00131F1F(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x0013a386
0x0013a38b
0x0013a3a8
0x0013a3ad
0x0013a3af
0x0013a3b1
0x0013a3b3
0x0013a3b3
0x0013a3b3
0x00000000
0x0013a3bb
0x0013a3c4
0x0013a3ca
0x0013a3cc
0x00000000
0x00000000
0x0013a400
0x0013a402
0x00000000
0x0013a3ce
0x0013a3ce
0x0013a3d5
0x0013a3f3
0x0013a3f6
0x0013a3f8
0x0013a3fa
0x0013a3fa
0x0013a3d7
0x0013a3d8
0x0013a3de
0x0013a3e0
0x0013a3b4
0x0013a3b4
0x0013a3b6
0x0013a3b9
0x00000000
0x00000000
0x00000000
0x00000000
0x0013a3e2
0x0013a3e2
0x0013a3e5
0x0013a3e7
0x0013a3e9
0x0013a3e9
0x0013a3ef
0x0013a3ef
0x0013a3e0
0x00000000
0x0013a38d
0x0013a391
0x0013a394
0x0013a397
0x00000000
0x0013a399
0x0013a39e
0x0013a3a7
0x0013a3a7
0x0013a397
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0013A767,?,?,00000000,00000000,00000000,?,00137EBA,00000001,00000214,?,0013A71D), ref: 0013A3C4

Part of subcall function 00131F1F: __getptd_noexit.LIBCMT ref: 00131F1F

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: fe0d908cf09134a8ca52a6e6b9c4bd5549099eb51f9e9d70575a2503dd518ed8
Instruction ID: 027242e567d7ce8efeed75eddafb28b8acfc9e56b9f1643561739617f9f32dc4
Opcode Fuzzy Hash: fe0d908cf09134a8ca52a6e6b9c4bd5549099eb51f9e9d70575a2503dd518ed8
Instruction Fuzzy Hash: 6001F2322012169BEB289F35DC18B6B3399FF91761F454529F89ACB5D0DB74CC40C792

Uniqueness

Uniqueness Score: -1.00%

Function 00049513 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00049513(void* __edi, WCHAR* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20) {
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v64;
				void* __ebx;
				void* __ebp;
				intOrPtr _t19;
				void* _t21;
				char _t33;

				_t26 = _a8;
				 *_a8 = 0x1000;
				if(_a4 != 0) {
					_t33 = 0x3c;
					E00131B30( &_v64, 0, _t33);
					_v64 = _t33;
					_v44 = 0x824;
					_v48 = E000312F0(_a12, 0x825);
					_v16 = 0x824;
					_t19 = E000312F0(_a16, 0x825); // executed
					_v20 = _t19;
					_t21 = E0004920A(_a4,  &_v64, _t26, _a20, 0x2000000); // executed
					E000361B0(_t26, _a12, __edi, 0xffffffff);
					E000361B0(_t26, _a16, __edi, 0xffffffff);
					return _t21;
				}
				return 0;
			}

0x00049520
0x00049523
0x00049529
0x00049532
0x0004953a
0x00049542
0x0004954e
0x0004955e
0x00049561
0x00049568
0x00049575
0x00049580
0x0004958c
0x00049596
0x00000000
0x0004959d
0x00000000

APIs

_memset.LIBCMT ref: 0004953A

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 9f4adbe1f1f32ee072fb789f5b20271134544534737cac84b4666eea62e312e1
Instruction ID: 4be5721588a6f2a57cb02fff64203f42829bb3e23359bf61e0110c139a1a009a
Opcode Fuzzy Hash: 9f4adbe1f1f32ee072fb789f5b20271134544534737cac84b4666eea62e312e1
Instruction Fuzzy Hash: AA016DB1900218BBDB11AF98DC85FDF7BB9EF08360F108125F925A7292DB709910CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00051BD8 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00051BD8(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				long* _t24;
				intOrPtr _t25;
				intOrPtr* _t30;
				void* _t31;

				_t23 = __ecx;
				_t22 = __ebx;
				_push(4);
				E00131A19(0x149849, __ebx, __edi, __esi);
				_t30 = __ecx;
				if((0 |  *((intOrPtr*)(_t31 + 8)) != 0x00000000) == 0) {
					L1:
					E000455E0(_t23);
				}
				if( *_t30 == 0) {
					_t23 =  *0x1a3c08; // 0x0
					if(_t23 != 0) {
						L5:
						_t19 = E000517D6(_t23); // executed
						 *_t30 = _t19;
						if(_t19 == 0) {
							goto L1;
						}
					} else {
						 *((intOrPtr*)(_t31 - 0x10)) = 0x1a3c0c;
						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
						_t21 = E000518EE(0x1a3c0c);
						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
						_t23 = _t21;
						 *0x1a3c08 = _t21;
						if(_t21 == 0) {
							goto L1;
						} else {
							goto L5;
						}
					}
				}
				_t24 =  *0x1a3c08; // 0x0
				_t28 = E00051678(_t24,  *_t30);
				_t39 = _t28;
				if(_t28 == 0) {
					_t17 =  *((intOrPtr*)(_t31 + 8))();
					_t25 =  *0x1a3c08; // 0x0
					_t28 = _t17;
					E00051995(_t22, _t25, _t17, _t30, _t39,  *_t30, _t17);
				}
				return E00131AF1(_t28);
			}

0x00051bd8
0x00051bd8
0x00051bd8
0x00051bdf
0x00051be4
0x00051bf0
0x00051bf2
0x00051bf2
0x00051bf2
0x00051bfa
0x00051bfc
0x00051c04
0x00051c27
0x00051c27
0x00051c2c
0x00051c30
0x00000000
0x00000000
0x00051c06
0x00051c0b
0x00051c0e
0x00051c12
0x00051c17
0x00051c1b
0x00051c1d
0x00051c25
0x00000000
0x00000000
0x00000000
0x00000000
0x00051c25
0x00051c04
0x00051c34
0x00051c3f
0x00051c41
0x00051c43
0x00051c45
0x00051c48
0x00051c4e
0x00051c53
0x00051c53
0x00051c5f

APIs

__EH_prolog3.LIBCMT ref: 00051BDF

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID:
API String ID: 3670251406-0
Opcode ID: ddc32ea5a16f85842497c314fc95912ffad8df104df242fbee96a8ea565198aa
Instruction ID: 13bb8189d5bd934e360417ab1ef03c4d043861a83d3cade0b54aaa2b425b4df9
Opcode Fuzzy Hash: ddc32ea5a16f85842497c314fc95912ffad8df104df242fbee96a8ea565198aa
Instruction Fuzzy Hash: 690121342002469BDB24AF69CC127AA7AA6AF92372F14842DF89197691EF31CE85D710

Uniqueness

Uniqueness Score: -1.00%

Function 0003FA5D Relevance: 1.5, APIs: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0003FA5D(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				void* _t11;
				struct HWND__* _t13;
				int _t15;
				void* _t18;
				void* _t22;
				int _t23;
				void* _t24;

				_t22 = __edx;
				_t19 = __ecx;
				_t18 = __ebx;
				_t24 = __ecx;
				_t10 =  *((intOrPtr*)(__ecx + 0x20));
				_t23 = 0;
				if(_t10 != 0) {
					L4:
					_t11 = E0003F7BA(_t18, _t19, _t23, _t24, __eflags, _t23);
					__eflags = _t11 - _t23;
					if(_t11 == _t23) {
						_t11 = E000455E0(_t19);
					}
					_t4 = _t11 + 0x1c; // 0x1c
					E00052579(_t4, _t22,  *(_t24 + 0x20));
					L7:
					_t13 =  *(_t24 + 0x20);
					__eflags = _t13 - _t23;
					if(_t13 != _t23) {
						L9:
						__eflags =  *((intOrPtr*)(_t24 + 0x6c)) - _t23;
						if( *((intOrPtr*)(_t24 + 0x6c)) != _t23) {
							_t15 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t24 + 0x6c)))) + 0x58))();
						} else {
							_t15 = DestroyWindow(_t13); // executed
						}
						_t23 = _t15;
						L13:
						return _t23;
					}
					__eflags =  *((intOrPtr*)(_t24 + 0x6c)) - _t23;
					if( *((intOrPtr*)(_t24 + 0x6c)) == _t23) {
						goto L13;
					}
					goto L9;
				}
				if( *((intOrPtr*)(__ecx + 0x6c)) != 0) {
					__eflags = _t10;
					if(__eflags == 0) {
						goto L7;
					}
					goto L4;
				}
				return 0;
			}

0x0003fa5d
0x0003fa5d
0x0003fa5d
0x0003fa60
0x0003fa62
0x0003fa66
0x0003fa6a
0x0003fa79
0x0003fa7a
0x0003fa7f
0x0003fa81
0x0003fa83
0x0003fa83
0x0003fa8b
0x0003fa8e
0x0003fa93
0x0003fa93
0x0003fa96
0x0003fa98
0x0003fa9f
0x0003fa9f
0x0003faa2
0x0003fab2
0x0003faa4
0x0003faa5
0x0003faa5
0x0003fab5
0x0003fab7
0x00000000
0x0003fab7
0x0003fa9a
0x0003fa9d
0x00000000
0x00000000
0x00000000
0x0003fa9d
0x0003fa6f
0x0003fa75
0x0003fa77
0x00000000
0x00000000
0x00000000
0x0003fa77
0x00000000

APIs

DestroyWindow.USER32 ref: 0003FAA5

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 9c5653df2d66b751215b584bd443f25a1e772c1c0207349b66c68b6c6c9866cc
Instruction ID: 1af88ec204863956d2f40adb5898c297c5be810c10b635462212cfce4fb07b57
Opcode Fuzzy Hash: 9c5653df2d66b751215b584bd443f25a1e772c1c0207349b66c68b6c6c9866cc
Instruction Fuzzy Hash: 85F0F972A04E02DF4B73DA65D84487A77E9FBD93517250D3AE4CAC3611E670DC85CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00040B6B Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00040B6B(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				void* __esi;
				void* __ebp;
				void* _t10;
				long _t11;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t17;
				struct HWND__* _t19;

				if(_a8 != 0x360) {
					_t19 = _a4;
					_t10 = E0003F85A(_t14, _t15, _t16, _t17, _t19, __eflags, _t19);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						_t11 = DefWindowProcW(_t19, _a8, _a12, _a16);
						L6:
						return _t11;
					}
					__eflags =  *((intOrPtr*)(_t10 + 0x20)) - _t19;
					if(__eflags != 0) {
						goto L5;
					}
					_t11 = E00040A66(_t14, _t17, _t19, __eflags, _t10, _t19, _a8, _a12, _a16); // executed
					goto L6;
				}
				return 1;
			}

0x00040b77
0x00040b7f
0x00040b83
0x00040b88
0x00040b8a
0x00040ba3
0x00040bad
0x00040bb3
0x00000000
0x00040bb3
0x00040b8c
0x00040b8f
0x00000000
0x00000000
0x00040b9c
0x00000000
0x00040b9c
0x00000000

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75969d3b1f4d6a4958ac68bbc57f1e94ee5b6ce5fbda6a717233cfb7fa8188d6
Instruction ID: 72677fd7c03c4a248f57500c65dc27d3325c3ad8510e1fcacea3809927b5ccec
Opcode Fuzzy Hash: 75969d3b1f4d6a4958ac68bbc57f1e94ee5b6ce5fbda6a717233cfb7fa8188d6
Instruction Fuzzy Hash: B2F0F872401219BBCF125E909D04CEB3BA9EF49365B048461BB5965021C732DA20EBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0005021F Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0005021F(void* __ebx, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16) {
				void* __ebp;
				void* _t14;
				void* _t15;
				void* _t21;
				void* _t22;
				signed int _t23;

				_t21 = __edx;
				_t15 = __ecx;
				_t14 = __ebx;
				_t7 = _a4;
				if(_a4 == 0) {
					L1:
					_t7 = E000455E0(_t15);
				}
				if(_a16 == 0) {
					goto L1;
				}
				_push(_t23);
				E00036620(_t14, _t7 + 0x1c); // executed
				E001359F6(_t22, _a4, _a16);
				asm("sbb esi, esi");
				E00031190(_a4 + 0xfffffff0, _t21);
				return  ~_t23;
			}

0x0005021f
0x0005021f
0x0005021f
0x00050224
0x00050229
0x0005022b
0x0005022b
0x0005022b
0x00050234
0x00000000
0x00000000
0x00050236
0x0005023e
0x00050249
0x00050255
0x0005025c
0x00050265

APIs

__wcsicoll.LIBCMT ref: 00050249

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Exception@8Throw__wcsicoll
String ID:
API String ID: 558878061-0
Opcode ID: 93d59e15ed567e7377cbae3142e2f12b27c662fc3e10bb400167b3fd6d004638
Instruction ID: ff704e6ee87f0898545a7be64338e04e18c855bfbd4a31047f466c256f4a8741
Opcode Fuzzy Hash: 93d59e15ed567e7377cbae3142e2f12b27c662fc3e10bb400167b3fd6d004638
Instruction Fuzzy Hash: 98E0923220051867CB15AE6CEC62EEF3B99DF047A5F004215FD15962D3DF30D954C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 00045767 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00045767(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
				void* __edi;
				void* __esi;
				intOrPtr* _t11;
				void* _t15;
				intOrPtr _t16;
				intOrPtr _t17;

				_t17 = _a4;
				_t16 = __ecx;
				if(_t17 >= 0) {
					_t11 = E00131013(_t15, __ecx, _t17, (_t17 + 1) * _a8 + 0x10); // executed
					if(_t11 == 0) {
						goto L1;
					}
					 *(_t11 + 4) =  *(_t11 + 4) & 0x00000000;
					 *_t11 = _t16;
					 *((intOrPtr*)(_t11 + 0xc)) = 1;
					 *((intOrPtr*)(_t11 + 8)) = _t17;
					return _t11;
				}
				L1:
				return 0;
			}

0x0004576d
0x00045771
0x00045775
0x00045786
0x0004578e
0x00000000
0x00000000
0x00045790
0x00045794
0x00045796
0x0004579d
0x00000000
0x0004579d
0x00045777
0x00000000

APIs

_malloc.LIBCMT ref: 00045786

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 062e5892acbd697f7c7abb38d8b5d7e60ce32ceaf36c8a7e351176ca61e31b0b
Instruction ID: 24aedcd9c054a34371957ebae6d32bc40c00f0e10c5734aa5ca6e5f4ee61f43e
Opcode Fuzzy Hash: 062e5892acbd697f7c7abb38d8b5d7e60ce32ceaf36c8a7e351176ca61e31b0b
Instruction Fuzzy Hash: F2E09273504616ABC7108F59E804B4AFBDCEFA5371F16C436E408CF262CB71E8448BA4

Uniqueness

Uniqueness Score: -1.00%

Function 000516E4 Relevance: 1.5, APIs: 1, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E000516E4(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t19;
				void* _t20;

				_push(8);
				E00131A4C(0x149803, __ebx, __edi, __esi);
				_t19 = __ecx;
				if( *__ecx == 0) {
					E00052399(0x10);
					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
					if( *__ecx == 0) {
						 *__ecx =  *((intOrPtr*)(_t20 + 8))();
					}
					 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
					E0005240B(0x10);
				}
				return E00131AF1( *_t19);
			}

0x000516e4
0x000516eb
0x000516f0
0x000516f6
0x000516fa
0x00051701
0x00051707
0x0005170c
0x0005170c
0x0005170e
0x00051714
0x00051714
0x00051720

APIs

__EH_prolog3_catch.LIBCMT ref: 000516EB

Part of subcall function 00052399: EnterCriticalSection.KERNEL32(001A3DE0,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 000523D3
Part of subcall function 00052399: InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 000523E5
Part of subcall function 00052399: LeaveCriticalSection.KERNEL32(001A3DE0,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 000523F2
Part of subcall function 00052399: EnterCriticalSection.KERNEL32(?,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 00052402

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 3edfd44b851a8688328ff04dfcd876974384d73a7b57e6e359c05fe6c23acc6f
Instruction ID: cd396fcde33a00e48fd4c64cb00a0d6dd4de7585f12bf3f19c810cd09251ca21
Opcode Fuzzy Hash: 3edfd44b851a8688328ff04dfcd876974384d73a7b57e6e359c05fe6c23acc6f
Instruction Fuzzy Hash: 35E04F34240209ABE760EFB8C44678EB7F0AF25312F104529F9D0EB2C2DBB089859B10

Uniqueness

Uniqueness Score: -1.00%

Function 0003F40B Relevance: 1.5, APIs: 1, Instructions: 18
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0003F40B(void* __ecx, intOrPtr _a4) {
				signed int _t9;
				int _t12;

				 *((intOrPtr*)(__ecx + 0x60)) = _a4;
				_t9 =  *(__ecx + 0x58);
				if((_t9 & 0x00000010) != 0) {
					 *(__ecx + 0x58) = _t9 & 0xffffffef;
					_t12 = PostMessageW( *(__ecx + 0x20), 0, 0, 0); // executed
					return _t12;
				}
				return _t9;
			}

0x0003f413
0x0003f416
0x0003f41b
0x0003f420
0x0003f42b
0x00000000
0x0003f42b
0x0003f432

APIs

PostMessageW.USER32 ref: 0003F42B

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3b13db1fc252d61e7c36782cb155bb8164207995121c4aee4141d15537510723
Instruction ID: fcee831672b156033e303d9459ef7c15b4d89891c62ca8f173fab3ce70a3f931
Opcode Fuzzy Hash: 3b13db1fc252d61e7c36782cb155bb8164207995121c4aee4141d15537510723
Instruction Fuzzy Hash: 13D017B2510244AFA300DF28DC45D7B3BAEEB94324324016AB858CA2A2D332EC53CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00043F8D Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00043F8D(intOrPtr* __ecx, int _a4) {
				int _t8;
				intOrPtr* _t12;

				_t12 = __ecx;
				if(( *(__ecx + 0x58) & 0x00000018) != 0) {
					_push(_a4);
					 *((intOrPtr*)( *__ecx + 0x8c))();
				}
				_t8 = EndDialog( *(_t12 + 0x20), _a4); // executed
				return _t8;
			}

0x00043f93
0x00043f99
0x00043f9b
0x00043fa0
0x00043fa0
0x00043fac
0x00043fb4

APIs

EndDialog.USER32 ref: 00043FAC

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Dialog
String ID:
API String ID: 1120787796-0
Opcode ID: c4cf6533a69afaf610daae3d96652220fee8d0cffc7d717bf47c5237f7579a01
Instruction ID: b51d0db4c32404d51e8fa1de241ad267cb38ef1e87fc8742c956b211dea4da90
Opcode Fuzzy Hash: c4cf6533a69afaf610daae3d96652220fee8d0cffc7d717bf47c5237f7579a01
Instruction Fuzzy Hash: B5D01236004648EBDB215F59D808E857FE5EF453A1B044075F98946530CA7199509790

Uniqueness

Uniqueness Score: -1.00%

Function 0013118E Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0013118E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t9;
				void* _t17;

				_push(0xc);
				_push(0x196a98);
				E00131BC0(__ebx, __edi, __esi);
				E00133E3E();
				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
				_t9 = E001310A7( *((intOrPtr*)(_t17 + 8))); // executed
				 *((intOrPtr*)(_t17 - 0x1c)) = _t9;
				 *(_t17 - 4) = 0xfffffffe;
				E001311C4();
				return E00131C05( *((intOrPtr*)(_t17 - 0x1c)));
			}

0x0013118e
0x00131190
0x00131195
0x0013119a
0x0013119f
0x001311a6
0x001311ac
0x001311af
0x001311b6
0x001311c3

APIs

Part of subcall function 00133E3E: __lock.LIBCMT ref: 00133E40

__onexit_nolock.LIBCMT ref: 001311A6

Part of subcall function 001310A7: RtlDecodePointer.NTDLL(?,?,?,?,?,001311AB,00054106,00196A98,0000000C,001311D7,00054106,?,000541FF,00054106), ref: 001310BC
Part of subcall function 001310A7: DecodePointer.KERNEL32(?,?,?,?,?,001311AB,00054106,00196A98,0000000C,001311D7,00054106,?,000541FF,00054106), ref: 001310C9
Part of subcall function 001310A7: __realloc_crt.LIBCMT ref: 00131106
Part of subcall function 001310A7: __realloc_crt.LIBCMT ref: 0013111C
Part of subcall function 001310A7: EncodePointer.KERNEL32(00000000,?,?,?,?,?,001311AB,00054106,00196A98,0000000C,001311D7,00054106,?,000541FF,00054106), ref: 0013112E
Part of subcall function 001310A7: EncodePointer.KERNEL32(00054106,?,?,?,?,?,001311AB,00054106,00196A98,0000000C,001311D7,00054106,?,000541FF,00054106), ref: 00131142
Part of subcall function 001310A7: EncodePointer.KERNEL32(-00000004,?,?,?,?,?,001311AB,00054106,00196A98,0000000C,001311D7,00054106,?,000541FF,00054106), ref: 0013114A

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 24499373f886c5db0fd60c686a890e1ae19f5a865919a8b925dc9cdeec50a34d
Instruction ID: a95591bce77f68b62bb5ef3aff46c7081f4543d8f8b638f586594bde8d629e1b
Opcode Fuzzy Hash: 24499373f886c5db0fd60c686a890e1ae19f5a865919a8b925dc9cdeec50a34d
Instruction Fuzzy Hash: 80D05276C01249BADF20FBB8C802B8CBAB0AFA1321F208214B021A60E2CB744A419B14

Uniqueness

Uniqueness Score: -1.00%

Function 0013393B Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0013393B(intOrPtr _a4) {
				void* _t2;
				void* _t5;
				void* _t6;

				_t2 = E0013368C(_a4, _t5, _t6, 1); // executed
				return _t2;
			}

0x00133945
0x0013394c

APIs

__make__time64_t.LIBCMT ref: 00133945

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: __make__time64_t
String ID:
API String ID: 1242165881-0
Opcode ID: a81d299a8d2b6a8bd27d5cbc4a530ae41cc274191c0b77a2a0f5e0db34c7229e
Instruction ID: 0cb4a26f78ebd844c3b6094f7872f29b3d9df9c09359bc0c67f6db4655f6f15e
Opcode Fuzzy Hash: a81d299a8d2b6a8bd27d5cbc4a530ae41cc274191c0b77a2a0f5e0db34c7229e
Instruction Fuzzy Hash: 16B012B314834C3FD70465C5A403E967BCD87C8B20F110009B61C0F2C25DA2FA80C1DD

Uniqueness

Uniqueness Score: -1.00%

Function 00137D1B Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,0014301E,001A72E0,00000314,00000000,?,?,?,?,?,00137517,001A72E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00137D1D

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 36368b43f12c264defe6f2f9856b8b9e59db433f9b669340c26fc7b52a032076
Instruction ID: d622b5f96f70243c301b24399a69cf846624a193dfb0934b585c365fdf179893
Opcode Fuzzy Hash: 36368b43f12c264defe6f2f9856b8b9e59db433f9b669340c26fc7b52a032076
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00035AB0 Relevance: 1.4, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00035AB0(void* __edi, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				char _v20;
				char _v24;
				void* __ebx;
				void* __esi;
				signed int _t35;
				intOrPtr* _t38;
				char _t42;
				void* _t44;
				intOrPtr* _t47;
				intOrPtr* _t48;
				signed int** _t54;
				intOrPtr* _t55;
				signed int _t68;
				signed int _t86;
				signed int _t88;
				void* _t94;
				intOrPtr _t95;
				signed int _t97;
				intOrPtr* _t102;
				intOrPtr* _t106;

				_t93 = __edi;
				_push(0xffffffff);
				_push(0x154450);
				_push( *[fs:0x0]);
				_push(_t94);
				_t35 =  *0x1a0454; // 0x960af5fb
				_push(_t35 ^ _t97);
				 *[fs:0x0] =  &_v16;
				_t38 = E00045761();
				_t102 = _t38;
				_t65 = 0 | _t102 == 0x00000000;
				if(_t102 == 0) {
					_push(0x80004005);
					_t38 = E00031330(0, _t65, __edi, _t94);
				}
				_v20 =  *((intOrPtr*)( *((intOrPtr*)( *_t38 + 0xc))))() + 0x10;
				_v8 = 0;
				_t42 = _a8;
				if(_t42 == 0) {
					_push(GetLastError());
					_t44 = E00035EA0(0, _t94,  &_a8);
					_v8 = 2;
				} else {
					_push(_t42);
					_t44 = E00035EA0(0, _t94,  &_a8); // executed
					_v8 = 1;
				}
				_t68 =  &_v20;
				E00034260(_t68, _t44);
				_v8 = 0;
				_t47 = _a8 + 0xfffffff0;
				asm("lock xadd [edx], ecx");
				if((_t68 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t47)) + 4))))(_t47);
				}
				_t48 = E00045761();
				_t106 = _t48;
				_t72 = 0 | _t106 == 0x00000000;
				if(_t106 == 0) {
					_push(0x80004005);
					_t48 = E00031330(0, _t72, _t93, _t94);
				}
				_v24 =  *((intOrPtr*)( *((intOrPtr*)( *_t48 + 0xc))))() + 0x10;
				_v8 = 3;
				_t95 = _v20;
				_t86 =  &_v24;
				E000491C8(_t86, _a4, _t95);
				_v8 = 0;
				_t54 = _v24 + 0xfffffff0;
				asm("lock xadd [ecx], edx");
				_t88 = (_t86 | 0xffffffff) - 1;
				if(_t88 <= 0) {
					_t88 =  *( *_t54);
					 *((intOrPtr*)( *((intOrPtr*)(_t88 + 4))))(_t54);
				}
				_t55 = _t95 - 0x10;
				_v8 = 0xffffffff;
				asm("lock xadd [ecx], edx");
				if((_t88 | 0xffffffff) - 1 <= 0) {
					_t55 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t55)) + 4))))(_t55);
				}
				 *[fs:0x0] = _v16;
				return _t55;
			}

0x00035ab0
0x00035ab3
0x00035ab5
0x00035ac0
0x00035ac5
0x00035ac6
0x00035acd
0x00035ad1
0x00035ad7
0x00035ae0
0x00035ae2
0x00035ae7
0x00035ae9
0x00035aee
0x00035aee
0x00035aff
0x00035b02
0x00035b05
0x00035b0a
0x00035b25
0x00035b2a
0x00035b32
0x00035b0c
0x00035b0c
0x00035b11
0x00035b19
0x00035b19
0x00035b37
0x00035b3a
0x00035b3f
0x00035b45
0x00035b4e
0x00035b55
0x00035b5f
0x00035b5f
0x00035b61
0x00035b68
0x00035b6a
0x00035b6f
0x00035b71
0x00035b76
0x00035b76
0x00035b87
0x00035b8d
0x00035b91
0x00035b96
0x00035b9a
0x00035b9f
0x00035ba5
0x00035bae
0x00035bb2
0x00035bb5
0x00035bb9
0x00035bbf
0x00035bbf
0x00035bc1
0x00035bc4
0x00035bd1
0x00035bd8
0x00035be2
0x00035be2
0x00035be7
0x00035bf4

APIs

GetLastError.KERNEL32 ref: 00035B1F

Part of subcall function 00035EA0: GetModuleHandleW.KERNEL32(WININET.DLL,960AF5FB), ref: 00035EDD
Part of subcall function 00035EA0: FormatMessageW.KERNELBASE(00001B00,?,?,00000800,?,00000000,00000000), ref: 00035F54
Part of subcall function 00035EA0: _wcsnlen.LIBCMT ref: 00035FAB

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ErrorFormatHandleLastMessageModule_wcsnlen
String ID:
API String ID: 2348028928-0
Opcode ID: 7e25bd56875abf0c54637f9e1cdde7c0ff6a0a13e18e6b6f085d3d5f36b68477
Instruction ID: 6bc1b95b9a7431c1e11e514fda9887e256e3eaaeea7ce30362aac3cb4096e4a1
Opcode Fuzzy Hash: 7e25bd56875abf0c54637f9e1cdde7c0ff6a0a13e18e6b6f085d3d5f36b68477
Instruction Fuzzy Hash: 3F41A471600A05DFD745DFA8CC91A9EB7A8FF45331F24876DE5259B2A2DB309A04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00032B20 Relevance: 1.3, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00032B20(intOrPtr* __ebx, signed int _a4, char _a8) {
				char _v8;
				char _v16;
				char _v20;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t26;
				intOrPtr* _t31;
				void* _t36;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t46;
				signed int _t51;
				signed int _t54;
				char _t72;
				intOrPtr _t73;
				signed int _t75;
				intOrPtr* _t79;

				_t45 = __ebx;
				_push(0xffffffff);
				_push(0x154598);
				_push( *[fs:0x0]);
				_push(_t46);
				_t26 =  *0x1a0454; // 0x960af5fb
				_push(_t26 ^ _t75);
				 *[fs:0x0] =  &_v16;
				_t68 = _t46;
				_t72 = _a8;
				E00035AB0(_t46, _a4, _t72); // executed
				_t31 = E00045761();
				_t79 = _t31;
				_t48 = 0 | _t79 == 0x00000000;
				if(_t79 == 0) {
					_push(0x80004005);
					_t31 = E00031330(__ebx, _t48, _t68, _t72);
				}
				_a8 =  *((intOrPtr*)( *((intOrPtr*)( *_t31 + 0xc))))() + 0x10;
				_v8 = 0;
				if(_t72 == 0) {
					_push(GetLastError());
					_t36 = E00035EA0(_t45, _t72,  &_v20);
					_v8 = 2;
				} else {
					_push(_t72);
					_t36 = E00035EA0(_t45, _t72,  &_v20);
					_v8 = 1;
				}
				_t51 =  &_a8;
				E00034260(_t51, _t36);
				_v8 = 0;
				_t39 = _v20 + 0xfffffff0;
				asm("lock xadd [edx], ecx");
				if((_t51 | 0xffffffff) - 1 <= 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t39)) + 4))))(_t39);
				}
				_t73 = _a8;
				_t54 = _a4;
				E000491C8(_t68 + 0x388, _t54, _t73);
				_t20 = _t73 - 0x10; // -16
				_t41 = _t20;
				_v8 = 0xffffffff;
				asm("lock xadd [edx], ecx");
				if((_t54 | 0xffffffff) - 1 <= 0) {
					_t41 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t41)) + 4))))(_t41);
				}
				 *[fs:0x0] = _v16;
				return _t41;
			}

0x00032b20
0x00032b23
0x00032b25
0x00032b30
0x00032b31
0x00032b34
0x00032b3b
0x00032b3f
0x00032b45
0x00032b47
0x00032b4f
0x00032b54
0x00032b5b
0x00032b5d
0x00032b62
0x00032b64
0x00032b69
0x00032b69
0x00032b7a
0x00032b7d
0x00032b86
0x00032ba1
0x00032ba6
0x00032bae
0x00032b88
0x00032b8b
0x00032b8d
0x00032b95
0x00032b95
0x00032bb3
0x00032bb6
0x00032bbb
0x00032bc2
0x00032bcb
0x00032bd2
0x00032bdc
0x00032bdc
0x00032bde
0x00032be1
0x00032bed
0x00032bf2
0x00032bf2
0x00032bf5
0x00032c02
0x00032c09
0x00032c13
0x00032c13
0x00032c18
0x00032c25

APIs

GetLastError.KERNEL32(?,?,?,?,00154598,000000FF), ref: 00032B9B

Part of subcall function 00035EA0: GetModuleHandleW.KERNEL32(WININET.DLL,960AF5FB), ref: 00035EDD
Part of subcall function 00035EA0: FormatMessageW.KERNELBASE(00001B00,?,?,00000800,?,00000000,00000000), ref: 00035F54
Part of subcall function 00035EA0: _wcsnlen.LIBCMT ref: 00035FAB

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ErrorFormatHandleLastMessageModule_wcsnlen
String ID:
API String ID: 2348028928-0
Opcode ID: c26eeebc3f835f6706f0808022a9acdc05fce3f2e783a9b4abaa3596b29a538d
Instruction ID: 3a5b8900d18e11034ac63b932b01329c4501d8b34fde98cc0e267d1b39465ca4
Opcode Fuzzy Hash: c26eeebc3f835f6706f0808022a9acdc05fce3f2e783a9b4abaa3596b29a538d
Instruction Fuzzy Hash: FC318E71501605AFD715DF68CC41BAEB7A8EF4A331F14836DF8269B292DB74AA00CB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000343D0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 45%

			E000343D0(long long __fp0, intOrPtr* _a4) {
				char _v8;
				char _v16;
				intOrPtr* _v20;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t96;
				intOrPtr* _t99;
				intOrPtr* _t103;
				intOrPtr* _t107;
				intOrPtr* _t111;
				intOrPtr* _t115;
				intOrPtr* _t119;
				intOrPtr* _t123;
				intOrPtr* _t127;
				intOrPtr* _t131;
				intOrPtr* _t135;
				intOrPtr* _t139;
				intOrPtr* _t144;
				intOrPtr* _t148;
				signed int _t156;
				void* _t159;
				intOrPtr* _t161;
				intOrPtr* _t227;
				signed int _t229;
				intOrPtr* _t230;
				intOrPtr* _t232;
				intOrPtr* _t234;
				intOrPtr* _t236;
				intOrPtr* _t238;
				intOrPtr* _t240;
				intOrPtr* _t242;
				intOrPtr* _t244;
				intOrPtr* _t246;
				intOrPtr* _t248;
				intOrPtr* _t250;
				intOrPtr* _t252;
				intOrPtr* _t254;
				signed int _t258;
				long long _t259;

				_t259 = __fp0;
				_push(0xffffffff);
				_push(0x154823);
				_push( *[fs:0x0]);
				_push(_t159);
				_t96 =  *0x1a0454; // 0x960af5fb
				_push(_t96 ^ _t229);
				 *[fs:0x0] =  &_v16;
				_t227 = _a4;
				 *_t227 = 0x180f9c;
				_t99 = E00045761();
				_t230 = _t99;
				_t166 = 0 | _t230 == 0x00000000;
				if(_t230 == 0) {
					_push(0x80004005);
					_t99 = E00031330(_t159, _t166, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 8)) =  *((intOrPtr*)( *((intOrPtr*)( *_t99 + 0xc))))() + 0x10;
				_v8 = 0;
				_t103 = E00045761();
				_t232 = _t103;
				_t169 = 0 | _t232 == 0x00000000;
				if(_t232 == 0) {
					_push(0x80004005);
					_t103 = E00031330(_t159, _t169, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)( *_t103 + 0xc))))() + 0x10;
				_v8 = 1;
				_t107 = E00045761();
				_t234 = _t107;
				_t172 = 0 | _t234 == 0x00000000;
				if(_t234 == 0) {
					_push(0x80004005);
					_t107 = E00031330(1, _t172, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)( *_t107 + 0xc))))() + 0x10;
				_v8 = 2;
				_t111 = E00045761();
				_t236 = _t111;
				_t175 = 0 | _t236 == 0x00000000;
				if(_t236 == 0) {
					_push(0x80004005);
					_t111 = E00031330(1, _t175, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)( *_t111 + 0xc))))() + 0x10;
				_v8 = 3;
				_t115 = E00045761();
				_t238 = _t115;
				_t178 = 0 | _t238 == 0x00000000;
				if(_t238 == 0) {
					_push(0x80004005);
					_t115 = E00031330(1, _t178, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)( *_t115 + 0xc))))() + 0x10;
				_v8 = 4;
				_t119 = E00045761();
				_t240 = _t119;
				_t181 = 0 | _t240 == 0x00000000;
				if(_t240 == 0) {
					_push(0x80004005);
					_t119 = E00031330(1, _t181, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *_t119 + 0xc))))() + 0x10;
				_v8 = 5;
				_t123 = E00045761();
				_t242 = _t123;
				_t184 = 0 | _t242 == 0x00000000;
				if(_t242 == 0) {
					_push(0x80004005);
					_t123 = E00031330(1, _t184, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *_t123 + 0xc))))() + 0x10;
				_v8 = 6;
				_t127 = E00045761();
				_t244 = _t127;
				_t187 = 0 | _t244 == 0x00000000;
				if(_t244 == 0) {
					_push(0x80004005);
					_t127 = E00031330(1, _t187, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)( *_t127 + 0xc))))() + 0x10;
				_v8 = 7;
				_t131 = E00045761();
				_t246 = _t131;
				_t190 = 0 | _t246 == 0x00000000;
				if(_t246 == 0) {
					_push(0x80004005);
					_t131 = E00031330(1, _t190, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x28)) =  *((intOrPtr*)( *((intOrPtr*)( *_t131 + 0xc))))() + 0x10;
				_v8 = 8;
				_t135 = E00045761();
				_t248 = _t135;
				_t193 = 0 | _t248 == 0x00000000;
				if(_t248 == 0) {
					_push(0x80004005);
					_t135 = E00031330(1, _t193, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x2c)) =  *((intOrPtr*)( *((intOrPtr*)( *_t135 + 0xc))))() + 0x10;
				_v8 = 9;
				_t139 = E00045761();
				_t250 = _t139;
				_t196 = 0 | _t250 == 0x00000000;
				if(_t250 == 0) {
					_push(0x80004005);
					_t139 = E00031330(1, _t196, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)( *_t139 + 0xc))))() + 0x10;
				_v8 = 0xa;
				asm("fldz");
				 *((long long*)(_t227 + 0x48)) = _t259;
				 *((intOrPtr*)(_t227 + 0x34)) = 0;
				 *((intOrPtr*)(_t227 + 0x38)) = 1;
				 *((intOrPtr*)(_t227 + 0x3c)) = 1;
				 *((intOrPtr*)(_t227 + 0x40)) = 1;
				 *((intOrPtr*)(_t227 + 0x44)) = 1;
				 *((intOrPtr*)(_t227 + 0x50)) = 0;
				 *((intOrPtr*)(_t227 + 0x54)) = 0;
				 *((intOrPtr*)(_t227 + 0x58)) = 0;
				 *((intOrPtr*)(_t227 + 0x5c)) = 0x400;
				 *((intOrPtr*)(_t227 + 0x60)) = 1;
				 *((intOrPtr*)(_t227 + 0x64)) = 1;
				E00036620(1, "*/*");
				_v8 = 0xb;
				 *((intOrPtr*)(_t227 + 0x6c)) = 0;
				 *((intOrPtr*)(_t227 + 0x70)) = 0;
				 *((intOrPtr*)(_t227 + 0x74)) = 0;
				 *((intOrPtr*)(_t227 + 0x78)) = 0;
				_t144 = E00045761();
				_t252 = _t144;
				_t200 = 0 | _t252 == 0x00000000;
				if(_t252 == 0) {
					_push(0x80004005);
					_t144 = E00031330(1, _t200, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)( *_t144 + 0xc))))() + 0x10;
				_v8 = 0xc;
				_t148 = E00045761();
				_t254 = _t148;
				_t203 = 0 | _t254 == 0x00000000;
				_t255 = _t254 == 0;
				if(_t254 == 0) {
					_push(0x80004005);
					_t148 = E00031330(1, _t203, 0, _t227);
				}
				 *((intOrPtr*)(_t227 + 0x80)) =  *((intOrPtr*)( *((intOrPtr*)( *_t148 + 0xc))))() + 0x10;
				_v8 = 0xd;
				 *((short*)(_t227 + 0x84)) = 0;
				 *((intOrPtr*)(_t227 + 0x88)) = 0;
				E0004A523(_t227 + 0x8c, _t255);
				_t161 = _t227 + 0xa0;
				_v8 = 0xe;
				_t207 = _t161;
				_v20 = _t161;
				E0004AD00(_t161, 0);
				_v8 = 0xf;
				 *_t161 = 0x158f6c;
				_t162 = _t161 + 8;
				if(InitializeCriticalSectionAndSpinCount(_t161 + 8, 0) == 0) {
					_t156 = GetLastError();
					if(_t156 > 0) {
						_t156 = _t156 & 0x0000ffff | 0x80070000;
						_t258 = _t156;
					}
					if(_t258 < 0) {
						_push(_t156);
						E00031330(_t162, _t207, 0, _t227);
					}
				}
				 *((intOrPtr*)(_t227 + 0xc0)) = 0;
				 *[fs:0x0] = _v16;
				return _t227;
			}

0x000343d0
0x000343d3
0x000343d5
0x000343e0
0x000343e2
0x000343e5
0x000343ec
0x000343f0
0x000343f6
0x000343f9
0x000343ff
0x00034408
0x0003440a
0x0003440f
0x00034411
0x00034416
0x00034416
0x00034427
0x0003442a
0x0003442d
0x00034434
0x00034436
0x0003443b
0x0003443d
0x00034442
0x00034442
0x00034453
0x0003445b
0x0003445e
0x00034465
0x00034467
0x0003446c
0x0003446e
0x00034473
0x00034473
0x00034484
0x00034487
0x0003448b
0x00034492
0x00034494
0x00034499
0x0003449b
0x000344a0
0x000344a0
0x000344b1
0x000344b4
0x000344b8
0x000344bf
0x000344c1
0x000344c6
0x000344c8
0x000344cd
0x000344cd
0x000344de
0x000344e1
0x000344e5
0x000344ec
0x000344ee
0x000344f3
0x000344f5
0x000344fa
0x000344fa
0x0003450b
0x0003450e
0x00034512
0x00034519
0x0003451b
0x00034520
0x00034522
0x00034527
0x00034527
0x00034538
0x0003453b
0x0003453f
0x00034546
0x00034548
0x0003454d
0x0003454f
0x00034554
0x00034554
0x00034565
0x00034568
0x0003456c
0x00034573
0x00034575
0x0003457a
0x0003457c
0x00034581
0x00034581
0x00034592
0x00034595
0x00034599
0x000345a0
0x000345a2
0x000345a7
0x000345a9
0x000345ae
0x000345ae
0x000345bf
0x000345c2
0x000345c6
0x000345cd
0x000345cf
0x000345d4
0x000345d6
0x000345db
0x000345db
0x000345ec
0x000345ef
0x000345f3
0x000345fa
0x00034600
0x00034603
0x00034606
0x00034609
0x0003460c
0x0003460f
0x00034612
0x00034615
0x00034618
0x0003461f
0x00034622
0x00034625
0x0003462a
0x0003462e
0x00034631
0x00034634
0x00034637
0x0003463a
0x00034641
0x00034643
0x00034648
0x0003464a
0x0003464f
0x0003464f
0x00034660
0x00034663
0x00034667
0x0003466e
0x00034670
0x00034673
0x00034675
0x00034677
0x0003467c
0x0003467c
0x0003468d
0x00034695
0x00034699
0x000346a6
0x000346ac
0x000346b1
0x000346b7
0x000346bc
0x000346be
0x000346c1
0x000346c6
0x000346ca
0x000346d1
0x000346dd
0x000346df
0x000346e7
0x000346ee
0x000346f3
0x000346f3
0x000346f5
0x000346f7
0x000346f8
0x000346f8
0x000346f5
0x000346fd
0x00034708
0x00034716

APIs

Part of subcall function 00031330: _vwprintf.LIBCMT ref: 0003139E
Part of subcall function 00031330: _vswprintf_s.LIBCMT ref: 000313DD

InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,*/*,?,00000000,00154823,000000FF,?,00031603), ref: 000346D5
GetLastError.KERNEL32(?,?,?,?,?,?,*/*,?,00000000,00154823,000000FF,?,00031603,?,0000007C,00000000), ref: 000346DF

Strings

*/*, xrefs: 000345F5

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin_vswprintf_s_vwprintf
String ID: */*
API String ID: 1724895703-54324127
Opcode ID: e47f06e8156e5e6a6c4e96c0ad175840e6e08dbe3ebf29018030b6a574bd3b00
Instruction ID: 778cb555ac030192fe02f1659fe14c0c4d690277276433ce21a4f2f0379d3b28
Opcode Fuzzy Hash: e47f06e8156e5e6a6c4e96c0ad175840e6e08dbe3ebf29018030b6a574bd3b00
Instruction Fuzzy Hash: EBA1C070600A40CFD752DB78C88279EB7E9EF88710F288A6DD19ADB753DB34A9419B40

Uniqueness

Uniqueness Score: -1.00%

Function 0009B48F Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 323
fileCOMMON

Download Yara Rule

C-Code - Quality: 99%

			E0009B48F(void* __ebx, intOrPtr* __ecx, void* __edx, void** __edi, void* __esi, void* __eflags) {
				int _t125;
				void* _t128;
				void* _t132;
				int _t136;
				signed char _t139;
				signed int _t140;
				int _t152;
				void* _t153;
				int _t155;
				int _t156;
				int _t160;
				long _t168;
				long _t169;
				void* _t178;
				void* _t182;
				void* _t183;
				int _t185;
				int _t221;
				void* _t229;
				intOrPtr* _t232;
				void* _t233;
				void* _t235;

				_t230 = __edi;
				_t229 = __edx;
				_push(0xa90);
				E00131A82(0x14ce62, __ebx, __edi, __esi);
				_t125 =  *(_t235 + 8);
				_t232 = __ecx;
				 *((intOrPtr*)(_t235 - 0xa40)) = __ecx;
				 *(_t235 - 0xa30) = _t125;
				if( *((intOrPtr*)(__ecx + 0x24)) == 0) {
					__eflags = _t125;
					_t208 = 0 | __eflags != 0x00000000;
					if(__eflags == 0) {
						E000455E0(_t208);
					}
					_t230 = _t232 + 0x88;
					E00051DB5(_t230);
					E00036620(0,  *(_t235 - 0xa30));
					 *((intOrPtr*)(_t235 - 4)) = 0;
					_t128 = E0004C4BC(_t235 - 0xa2c, 0x1818bc, 0);
					__eflags = _t128 - 0xffffffff;
					if(_t128 == 0xffffffff) {
						_t182 = E0004C4BC(_t235 - 0xa2c, 0x1609dc, 0);
						__eflags = _t182 - 0xffffffff;
						if(_t182 == 0xffffffff) {
							_t227 = _t235 - 0xa2c;
							_t183 = E0004C4BC(_t235 - 0xa2c, 0x15b6fc, 0);
							__eflags = _t183 - 0xffffffff;
							if(_t183 == 0xffffffff) {
								_t185 = GetModuleFileNameW(0, _t235 - 0x828, 0x104);
								__eflags = _t185;
								if(_t185 != 0) {
									E001362F9(_t227, _t235 - 0x828, _t235 - 0x18, 3, _t235 - 0x620, 0x100, 0, 0, 0, 0);
									E001362F9(_t227,  *(_t235 - 0xa30), 0, 0, 0, 0, _t235 - 0x420, 0x100, _t235 - 0xa28, 0x100);
									E0013650B(_t235 - 0x220, 0x104, _t235 - 0x18, _t235 - 0x620, _t235 - 0x420, _t235 - 0xa28);
									E00034140(_t235 - 0xa2c, _t235 - 0x220, E0013161A(_t235 - 0x220));
									_t232 =  *((intOrPtr*)(_t235 - 0xa40));
								}
							}
						}
					}
					__eflags =  *(_t235 + 0xc);
					if( *(_t235 + 0xc) <= 0) {
						L13:
						 *(_t235 - 0xa34) = 0x2010;
						__eflags =  *(_t232 + 0x30);
						if(__eflags != 0) {
							 *(_t235 - 0xa34) = 0x3010;
						}
						 *(_t235 - 0xa38) =  *(_t235 - 0xa2c);
						_t132 = LoadImageW( *(E0004B628(0, _t230, _t232, __eflags) + 8),  *(_t235 - 0xa38), 0, 0, 0,  *(_t235 - 0xa34));
						 *_t230 = _t132;
						__eflags = _t132;
						if(_t132 != 0) {
							_t136 = GetObjectW(_t132, 0x18, _t235 - 0xa9c);
							__eflags = _t136;
							if(_t136 != 0) {
								 *(_t232 + 0x14) = 1;
								E00034260(_t232 + 0x94, _t235 - 0xa2c);
								_t139 = GetFileAttributesW( *(_t235 - 0xa2c));
								__eflags = _t139 & 0x00000001;
								if((_t139 & 0x00000001) != 0) {
									 *(_t232 + 0x20) = 1;
								}
								_t140 =  *(_t235 - 0xa8a) & 0x0000ffff;
								 *(_t232 + 8) = _t140;
								__eflags = _t140 - 8;
								if(_t140 <= 8) {
									L46:
									__eflags =  *(_t235 - 0xa8a) - 0x20;
									if( *(_t235 - 0xa8a) >= 0x20) {
										E00096EC7(0, _t229, _t230, _t232,  *_t230,  *((intOrPtr*)(_t232 + 0x38)));
									}
									E00096CE5(_t232);
									_t230 = _t232 + 0x8c;
									E00051DB5(_t230);
									_t232 = _t232 + 0x90;
									 *_t230 = 0;
									E00051DB5(_t232);
									 *_t232 = 0;
									E00031190( &(( *(_t235 - 0xa2c))[0xfffffffffffffff8]), _t229);
									__eflags = 1;
									L49:
									return E00131B05(0, _t230, _t232);
								} else {
									__eflags = _t140 - 0x20;
									if(_t140 >= 0x20) {
										goto L46;
									}
									__eflags =  *_t230;
									if( *_t230 == 0) {
										goto L46;
									}
									E00045EC1(_t235 - 0xa58);
									 *((char*)(_t235 - 4)) = 1;
									E000464F6(0, _t235 - 0xa58, _t229, _t230, CreateCompatibleDC(0));
									_t152 = GetObjectW( *_t230, 0x18, _t235 - 0xa84);
									__eflags = _t152;
									if(_t152 != 0) {
										_t153 =  *_t230;
										_t233 = SelectObject;
										__eflags = _t153;
										if(_t153 == 0) {
											 *(_t235 - 0xa30) = 0;
										} else {
											 *(_t235 - 0xa30) = SelectObject( *(_t235 - 0xa54), _t153);
										}
										__eflags =  *(_t235 - 0xa30);
										if( *(_t235 - 0xa30) == 0) {
											L45:
											 *((char*)(_t235 - 4)) = 0;
											E00046577(_t235 - 0xa58);
											_t232 =  *((intOrPtr*)(_t235 - 0xa40));
											goto L46;
										} else {
											_t221 =  *(_t235 - 0xa7c);
											_t155 =  *(_t235 - 0xa80);
											 *(_t235 - 0xa38) = _t155;
											 *(_t235 - 0xa48) = _t221;
											_t156 = CreateCompatibleBitmap( *(_t235 - 0xa54), _t155, _t221);
											 *(_t235 - 0xa34) = _t156;
											__eflags = _t156;
											if(_t156 != 0) {
												E00045EC1(_t235 - 0xa68);
												 *((char*)(_t235 - 4)) = 2;
												E000464F6(0, _t235 - 0xa68, _t229, _t230, CreateCompatibleDC( *(_t235 - 0xa54)));
												_t160 = SelectObject( *(_t235 - 0xa64),  *(_t235 - 0xa34));
												 *(_t235 - 0x18) = _t160;
												__eflags = _t160;
												if(_t160 != 0) {
													BitBlt( *(_t235 - 0xa64), 0, 0,  *(_t235 - 0xa38),  *(_t235 - 0xa48),  *(_t235 - 0xa54), 0, 0, 0xcc0020);
													 *(_t235 - 0xa3c) = 0;
													__eflags =  *(_t235 - 0xa38);
													if( *(_t235 - 0xa38) <= 0) {
														L43:
														SelectObject( *(_t235 - 0xa64),  *(_t235 - 0x18));
														SelectObject( *(_t235 - 0xa54),  *(_t235 - 0xa30));
														DeleteObject( *_t230);
														 *_t230 =  *(_t235 - 0xa34);
														L44:
														 *((char*)(_t235 - 4)) = 1;
														E00046577(_t235 - 0xa68);
														goto L45;
													} else {
														goto L34;
													}
													do {
														L34:
														 *(_t235 - 0xa44) = 0;
														__eflags =  *(_t235 - 0xa48);
														if( *(_t235 - 0xa48) <= 0) {
															goto L42;
														} else {
															goto L35;
														}
														do {
															L35:
															_t168 = GetPixel( *(_t235 - 0xa64),  *(_t235 - 0xa3c),  *(_t235 - 0xa44));
															__eflags =  *((short*)(_t235 - 0xa72)) - 0x18;
															 *(_t235 - 0xa6c) = _t168;
															if( *((short*)(_t235 - 0xa72)) != 0x18) {
																L38:
																_t169 = E00096D1E(0, _t230, _t233, _t168, 0);
																goto L39;
															}
															__eflags =  *0x19dc80; // 0x1
															if(__eflags != 0) {
																goto L38;
															}
															_t169 = E00096DA0(_t229, __eflags, _t168);
															L39:
															__eflags =  *(_t235 - 0xa6c) - _t169;
															if( *(_t235 - 0xa6c) != _t169) {
																SetPixel( *(_t235 - 0xa64),  *(_t235 - 0xa3c),  *(_t235 - 0xa44), _t169);
															}
															 *(_t235 - 0xa44) =  *(_t235 - 0xa44) + 1;
															__eflags =  *(_t235 - 0xa44) -  *(_t235 - 0xa48);
														} while ( *(_t235 - 0xa44) <  *(_t235 - 0xa48));
														L42:
														 *(_t235 - 0xa3c) =  *(_t235 - 0xa3c) + 1;
														__eflags =  *(_t235 - 0xa3c) -  *(_t235 - 0xa38);
													} while ( *(_t235 - 0xa3c) <  *(_t235 - 0xa38));
													goto L43;
												}
												SelectObject( *(_t235 - 0xa54),  *(_t235 - 0xa30));
												DeleteObject( *(_t235 - 0xa34));
												goto L44;
											}
											SelectObject( *(_t235 - 0xa54),  *(_t235 - 0xa30));
											goto L45;
										}
									}
									 *((char*)(_t235 - 4)) = 0;
									E00046577(_t235 - 0xa58);
									goto L46;
								}
							}
							DeleteObject( *_t230);
							 *_t230 = 0;
						}
						goto L12;
					} else {
						_t178 = CreateFileW( *(_t235 - 0xa30), 0x80000000, 1, 0, 3, 0, 0);
						 *(_t235 - 0xa34) = _t178;
						__eflags = _t178 - 0xffffffff;
						if(_t178 == 0xffffffff) {
							goto L13;
						}
						 *(_t235 - 0xa38) = GetFileSize(_t178, 0);
						CloseHandle( *(_t235 - 0xa34));
						__eflags =  *(_t235 - 0xa38) -  *(_t235 + 0xc);
						if( *(_t235 - 0xa38) <=  *(_t235 + 0xc)) {
							goto L13;
						}
						L12:
						E00031190( &(( *(_t235 - 0xa2c))[0xfffffffffffffff8]), _t229);
						goto L1;
					}
				}
				L1:
				goto L49;
			}

0x0009b48f
0x0009b48f
0x0009b48f
0x0009b499
0x0009b49e
0x0009b4a1
0x0009b4a5
0x0009b4ab
0x0009b4b4
0x0009b4bf
0x0009b4c1
0x0009b4c6
0x0009b4c8
0x0009b4c8
0x0009b4cd
0x0009b4d4
0x0009b4e5
0x0009b4f6
0x0009b4f9
0x0009b4fe
0x0009b501
0x0009b513
0x0009b518
0x0009b51b
0x0009b527
0x0009b52d
0x0009b532
0x0009b535
0x0009b548
0x0009b54e
0x0009b550
0x0009b574
0x0009b593
0x0009b5c0
0x0009b5e2
0x0009b5e7
0x0009b5e7
0x0009b550
0x0009b535
0x0009b51b
0x0009b5ed
0x0009b5f0
0x0009b64d
0x0009b64d
0x0009b657
0x0009b65a
0x0009b65c
0x0009b65c
0x0009b66c
0x0009b68a
0x0009b690
0x0009b692
0x0009b694
0x0009b6a0
0x0009b6a6
0x0009b6a8
0x0009b6c3
0x0009b6ca
0x0009b6d5
0x0009b6db
0x0009b6dd
0x0009b6df
0x0009b6df
0x0009b6e6
0x0009b6ed
0x0009b6f0
0x0009b6f3
0x0009b940
0x0009b940
0x0009b948
0x0009b94f
0x0009b94f
0x0009b956
0x0009b95b
0x0009b962
0x0009b967
0x0009b96e
0x0009b970
0x0009b97e
0x0009b980
0x0009b987
0x0009b988
0x0009b98d
0x0009b6f9
0x0009b6f9
0x0009b6fc
0x00000000
0x00000000
0x0009b702
0x0009b704
0x00000000
0x00000000
0x0009b710
0x0009b716
0x0009b727
0x0009b737
0x0009b73d
0x0009b73f
0x0009b754
0x0009b756
0x0009b75c
0x0009b75e
0x0009b771
0x0009b760
0x0009b769
0x0009b769
0x0009b777
0x0009b77d
0x0009b92c
0x0009b932
0x0009b935
0x0009b93a
0x00000000
0x0009b783
0x0009b783
0x0009b789
0x0009b797
0x0009b79d
0x0009b7a3
0x0009b7a9
0x0009b7af
0x0009b7b1
0x0009b7cc
0x0009b7d7
0x0009b7e8
0x0009b7f9
0x0009b7fb
0x0009b7fe
0x0009b800
0x0009b842
0x0009b848
0x0009b84e
0x0009b854
0x0009b8f4
0x0009b8fd
0x0009b90b
0x0009b90f
0x0009b91b
0x0009b91d
0x0009b923
0x0009b927
0x00000000
0x00000000
0x00000000
0x00000000
0x0009b85a
0x0009b85a
0x0009b85a
0x0009b860
0x0009b866
0x00000000
0x00000000
0x00000000
0x00000000
0x0009b868
0x0009b868
0x0009b87a
0x0009b880
0x0009b888
0x0009b88e
0x0009b8a0
0x0009b8a2
0x00000000
0x0009b8a2
0x0009b890
0x0009b896
0x00000000
0x00000000
0x0009b899
0x0009b8a7
0x0009b8a7
0x0009b8ad
0x0009b8c2
0x0009b8c2
0x0009b8c8
0x0009b8d4
0x0009b8d4
0x0009b8dc
0x0009b8dc
0x0009b8e8
0x0009b8e8
0x00000000
0x0009b85a
0x0009b80e
0x0009b816
0x00000000
0x0009b816
0x0009b7bf
0x00000000
0x0009b7bf
0x0009b77d
0x0009b747
0x0009b74a
0x00000000
0x0009b74a
0x0009b6f3
0x0009b6ac
0x0009b6b2
0x0009b6b2
0x00000000
0x0009b5f2
0x0009b604
0x0009b60a
0x0009b610
0x0009b613
0x00000000
0x00000000
0x0009b623
0x0009b629
0x0009b632
0x0009b638
0x00000000
0x00000000
0x0009b63a
0x0009b643
0x00000000
0x0009b643
0x0009b5f0
0x0009b4b6
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 0009B499
GetModuleFileNameW.KERNEL32(00000000,?,00000104,0015B6FC,00000000,001609DC,00000000,001818BC,00000000,?,?,00000A90,0009BA4D,?,00000000,00000084), ref: 0009B548
__wsplitpath_s.LIBCMT ref: 0009B574
__wsplitpath_s.LIBCMT ref: 0009B593
__wmakepath_s.LIBCMT ref: 0009B5C0
_wcslen.LIBCMT ref: 0009B5CC
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0009B604

Strings

, xrefs: 0009B940

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: File__wsplitpath_s$CreateH_prolog3_ModuleName__wmakepath_s_wcslen
String ID:
API String ID: 1221639053-3916222277
Opcode ID: 547b028800845c4285b4f313ddd6cfe11dcb2adab72f623f09013cf83d7b0cad
Instruction ID: dae7d03dff55e909c85df3c6a49a03590973714bd423e9d03e648fc14607b4c0
Opcode Fuzzy Hash: 547b028800845c4285b4f313ddd6cfe11dcb2adab72f623f09013cf83d7b0cad
Instruction Fuzzy Hash: 4ED14C71A00328AFDF21AF60DD85AEDBBB8AF09315F0000E9F509A2951DB355F84DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00059574 Relevance: 41.0, APIs: 27, Instructions: 457
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00059574(void* __ebx, RECT* __ecx, signed int __edi, void* __esi, void* __eflags) {
				RECT* _t162;
				signed int _t174;
				signed int _t179;
				signed int _t184;
				struct HWND__* _t186;
				RECT* _t188;
				signed int _t189;
				signed int _t193;
				signed int _t195;
				signed int _t207;
				signed int _t212;
				RECT* _t218;
				RECT* _t221;
				signed int _t222;
				void* _t231;
				signed int _t239;
				void* _t250;
				signed int _t252;
				signed int _t261;
				signed short _t262;
				void* _t274;
				signed int _t280;
				signed int _t304;
				signed int _t305;
				void* _t323;
				signed int _t327;
				struct HWND__* _t328;
				RECT* _t331;
				void* _t333;
				void* _t336;
				void* _t339;
				void* _t342;

				_t327 = __edi;
				_t281 = __ecx;
				_push(0x58);
				E00131A82(0x149bd1, __ebx, __edi, __esi);
				_push( *(_t333 + 0x10));
				_t280 = __ecx;
				_push( *(_t333 + 0xc));
				 *(_t333 - 0x24) =  *((intOrPtr*)( *__ecx + 0x390))();
				_t162 =  *0x1a3f34; // 0x0
				_t331 = 0;
				if(_t162 == __ecx) {
					L4:
					_t339 =  *0x1a3f04 - _t331; // 0x0
					if(_t339 != 0) {
						L7:
						if( *(_t333 - 0x24) >= _t331) {
							_t328 = E00054F8E(_t280, __eflags,  *(_t333 - 0x24));
							__eflags = _t328 - _t331;
							if(_t328 == _t331) {
								goto L76;
							}
							 *((intOrPtr*)( *_t280 + 0x258))( *(_t333 - 0x24));
							 *0x1a3f08 = _t331;
							__eflags =  *0x1a3f30 - _t331; // 0x0
							if(__eflags == 0) {
								L22:
								__eflags =  *0x1a3f04 - _t331; // 0x0
								if(__eflags != 0) {
									L24:
									__eflags =  *((intOrPtr*)(_t280 + 0xb04)) - _t331;
									if( *((intOrPtr*)(_t280 + 0xb04)) != _t331) {
										L66:
										 *(_t280 + 0xb78) =  *(_t333 - 0x24);
										E000550EE(_t280, _t328,  *(_t333 - 0x24));
										__eflags =  *(_t328 + 0x24) & 0x00040000;
										if(( *(_t328 + 0x24) & 0x00040000) == 0) {
											L69:
											 *(_t328 + 0x24) =  *(_t328 + 0x24) | 0x00020000;
											E00056CF9(_t280, _t325,  *(_t333 - 0x24));
											UpdateWindow( *(_t280 + 0x20));
											 *((intOrPtr*)( *_t280 + 0x414))( *((intOrPtr*)(_t328 + 0x20)));
											_t287 = _t328;
											_t174 =  *((intOrPtr*)(_t328->i + 0x20))(_t280, _t331);
											__eflags = _t174;
											if(_t174 == 0) {
												 *((intOrPtr*)(_t280 + 0xc90)) = E0003F82E(_t280, _t287, _t325, SetCapture( *(_t280 + 0x20)));
											} else {
												_t179 = E00084CFE(_t280 + 0xbc8, _t328, _t331);
												__eflags = _t179;
												if(_t179 != 0) {
													_t146 = _t328 + 0x24;
													 *_t146 =  *(_t328 + 0x24) & 0xfffdffff;
													__eflags =  *_t146;
												}
												 *(_t280 + 0xb78) =  *(_t280 + 0xb78) | 0xffffffff;
												 *(_t280 + 0xb7c) =  *(_t280 + 0xb7c) | 0xffffffff;
												 *((intOrPtr*)( *_t280 + 0x3b0))(0xffffffff);
												_t287 = _t280;
												E00056CF9(_t280, _t325,  *(_t333 - 0x24));
												UpdateWindow( *(_t280 + 0x20));
											}
											L74:
											__eflags =  *0x1a3f08 - _t331; // 0x0
											if(__eflags != 0) {
												 *0x1a3f08 = _t331;
												 *0x1a3f34 = _t331;
												E00057484(_t287, _t325, _t331);
												RedrawWindow( *(_t280 + 0x20), _t331, _t331, 0x505);
											}
											goto L76;
										}
										_t184 = E0004EA07(_t328, 0x19de9c);
										__eflags = _t184;
										if(_t184 != 0) {
											goto L69;
										}
										 *(_t280 + 0xb78) =  *(_t280 + 0xb78) | 0xffffffff;
										goto L76;
									}
									__eflags =  *((intOrPtr*)(_t280 + 0xb44)) - _t331;
									if( *((intOrPtr*)(_t280 + 0xb44)) != _t331) {
										goto L66;
									}
									_t326 =  *_t280;
									 *(_t333 - 0x28) =  *(_t280 + 0xb80);
									_t186 =  *(_t333 - 0x24);
									 *(_t280 + 0xb80) = _t186;
									 *(_t333 - 0x20) = _t331;
									 *(_t333 - 0x1c) = _t331;
									 *(_t333 - 0x18) = _t331;
									 *(_t333 - 0x14) = _t331;
									 *((intOrPtr*)( *_t280 + 0x36c))(_t186, _t333 - 0x20);
									__eflags =  *(_t333 - 0x28) - 0xffffffff;
									if(__eflags != 0) {
										E00056CF9(_t280, _t326,  *(_t333 - 0x28));
									}
									_t188 = E00054F8E(_t280, __eflags,  *(_t280 + 0xb80));
									__eflags = _t188 - _t331;
									_t295 = 0 | __eflags != 0x00000000;
									 *(_t280 + 0xc98) = _t188;
									if(__eflags == 0) {
										_t188 = E000455E0(_t295);
									}
									 *(_t280 + 0xb2c) =  *(_t333 + 8) & 0x00000008;
									_t325 = _t188->left;
									_t189 =  *((intOrPtr*)(_t188->left + 0x60))();
									__eflags = _t189;
									if(_t189 != 0) {
										E00056CF9(_t280, _t325,  *(_t333 - 0x24));
										UpdateWindow( *(_t280 + 0x20));
										_t193 =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x3c))();
										__eflags = _t193;
										if(_t193 == 0) {
											L39:
											_t287 =  *(_t280 + 0xc98);
											_t195 =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x50))();
											__eflags = _t195;
											if(_t195 == 0) {
												L65:
												 *(_t280 + 0xc98) = _t331;
												goto L74;
											}
											_t287 =  *(_t280 + 0xc98);
											__eflags =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x74))();
											if(__eflags == 0) {
												goto L65;
											}
											E000BEEB6(_t333 - 0x64, __eflags);
											_t325 = _t333 - 0x64;
											 *(_t333 - 4) = _t331;
											 *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0xc))(_t333 - 0x64);
											 *((intOrPtr*)( *_t280 + 0x414))( *((intOrPtr*)(_t328 + 0x20)));
											 *0x1a3fd0 = _t331;
											_t328 =  *(_t280 + 0x20);
											 *(_t280 + 0xc80) =  *(_t333 + 0xc);
											 *(_t280 + 0xc84) =  *(_t333 + 0x10);
											__eflags =  *0x1a3f08 - _t331; // 0x0
											if(__eflags != 0) {
												 *0x1a3f04 = 1;
											}
											_push(0x1a3f88);
											_push(_t333 - 0x20);
											_push(3);
											_t304 = _t333 - 0x64;
											 *(_t333 - 0x28) = E000BF215(_t280, _t304, _t328, _t331, __eflags);
											_t207 = IsWindow(_t328);
											__eflags = _t207;
											if(_t207 != 0) {
												 *(_t333 - 0x30) = _t331;
												 *(_t333 - 0x2c) = _t331;
												GetCursorPos(_t333 - 0x30);
												ScreenToClient( *(_t280 + 0x20), _t333 - 0x30);
												__eflags =  *0x1a3fd0 - _t331; // 0x0
												if(__eflags == 0) {
													L63:
													_t212 =  *(_t333 - 0x24);
													_t325 =  *_t280;
													_t304 = _t280;
													 *(_t280 + 0xb7c) = _t212;
													 *((intOrPtr*)( *_t280 + 0x3b0))(_t212);
													L64:
													_t305 = _t304 | 0xffffffff;
													 *(_t280 + 0xc84) = _t305;
													 *(_t333 - 4) = _t305;
													_t287 = _t333 - 0x64;
													 *(_t280 + 0xc98) = _t331;
													 *(_t280 + 0xc80) = _t305;
													E000BEEE3(_t280, _t333 - 0x64, _t328, _t331, __eflags);
													goto L74;
												}
												_push( *(_t333 - 0x2c));
												__eflags = PtInRect(_t333 - 0x20,  *(_t333 - 0x30));
												if(__eflags != 0) {
													goto L63;
												}
												__eflags =  *(_t333 - 0x28) - 1;
												if( *(_t333 - 0x28) == 1) {
													L61:
													_t218 =  *(_t280 + 0xc98);
													__eflags = _t218 - _t331;
													if(__eflags != 0) {
														InvalidateRect( *(_t280 + 0x20), _t218 + 0x54, 1);
													}
													goto L64;
												}
												_t221 =  *(_t280 + 0xc98);
												__eflags = _t221 - _t331;
												if(_t221 == _t331) {
													goto L61;
												}
												__eflags =  *0x1a3fcc - _t331; // 0x0
												if(__eflags != 0) {
													goto L61;
												}
												_t325 =  *_t280;
												_t304 = _t280;
												_t222 =  *((intOrPtr*)( *_t280 + 0x37c))(_t221,  *(_t333 - 0x28));
												__eflags = _t222;
												if(_t222 == 0) {
													goto L61;
												}
												 *((intOrPtr*)( *_t280 + 0x34c))(E00054E38(_t280,  *(_t280 + 0xc98)));
												 *((intOrPtr*)( *_t280 + 0x3e0))();
												RedrawWindow( *(_t280 + 0x20), _t331, _t331, 0x505);
												_t309 = _t280;
												 *((intOrPtr*)( *_t280 + 0x2d4))(1);
												_t328 = GetParent;
												_t231 = E0003F82E(_t280, _t280, _t325, GetParent( *(_t280 + 0x20)));
												__eflags = _t231 - _t331;
												if(_t231 != _t331) {
													__eflags =  *((intOrPtr*)(_t231 + 0x20)) - _t331;
													if( *((intOrPtr*)(_t231 + 0x20)) != _t331) {
														RedrawWindow( *(E0003F82E(_t280, _t309, _t325, GetParent( *(_t280 + 0x20))) + 0x20), _t331, _t331, 0x505);
													}
												}
												__eflags =  *0x1a3f08 - _t331; // 0x0
												if(__eflags == 0) {
													_t309 = _t280;
													 *((intOrPtr*)( *_t280 + 0x208))();
													RedrawWindow( *(_t280 + 0x20), _t331, _t331, 0x505);
												}
												_t304 = E0003F82E(_t280, _t309, _t325, GetParent( *(_t280 + 0x20)));
												__eflags = E0004EA07(_t304, 0x1660b8);
												if(__eflags != 0) {
													_t239 = E0004EA25(0x19ced8, E0003F82E(_t280, _t304, _t325, GetParent( *(E0003F82E(_t280, _t304, _t325, GetParent( *(_t280 + 0x20))) + 0x20))));
													_pop(_t304);
													__eflags = _t239 - _t331;
													if(__eflags != 0) {
														_t325 =  *_t239;
														_t304 = _t239;
														 *((intOrPtr*)( *_t239 + 0x20c))();
													}
												}
												goto L64;
											} else {
												__eflags =  *0x1a3f08 - _t331; // 0x0
												if(__eflags != 0) {
													 *0x1a3f04 = _t331;
													 *0x1a3f08 = _t331;
													 *0x1a3f34 = _t331;
												}
												 *(_t333 - 4) =  *(_t333 - 4) | 0xffffffff;
												E000BEEE3(_t280, _t333 - 0x64, _t328, _t331, __eflags);
												goto L76;
											}
										}
										_t250 = E00135F20(_t325,  *(_t333 + 0xc) -  *(_t333 - 0x18));
										__eflags = _t250 - 6;
										if(_t250 > 6) {
											goto L39;
										}
										__eflags =  *0x1a3f08 - _t331; // 0x0
										if(__eflags != 0) {
											goto L39;
										}
										_t287 =  *(_t280 + 0xc98);
										 *(_t280 + 0xb30) = 1;
										_t328 = _t280 + 0xc68;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t252 =  *((intOrPtr*)( *( *(_t280 + 0xc98)) + 0x38))();
										__eflags = _t252;
										if(_t252 != 0) {
											InflateRect(_t280 + 0xc68, 2, 2);
										}
										 *((intOrPtr*)(_t280 + 0xc90)) = E0003F82E(_t280, _t287, _t325, SetCapture( *(_t280 + 0x20)));
										SetCursor( *0x1a3a80);
										_t331 = 0;
										goto L74;
									} else {
										 *(_t280 + 0xb80) =  *(_t280 + 0xb80) | 0xffffffff;
										__eflags =  *(_t333 - 0x28) - 0xffffffff;
										 *(_t280 + 0xc98) = _t331;
										if( *(_t333 - 0x28) != 0xffffffff) {
											E00056CF9(_t280, _t325,  *(_t333 - 0x28));
										}
										goto L76;
									}
								}
								__eflags =  *0x1a3f08 - _t331; // 0x0
								if(__eflags == 0) {
									goto L66;
								}
								goto L24;
							}
							_t261 =  *((intOrPtr*)( *_t280 + 0x41c))();
							__eflags = _t261;
							if(_t261 == 0) {
								goto L22;
							}
							__eflags =  *0x1a3f04 - _t331; // 0x0
							if(__eflags != 0) {
								goto L24;
							}
							_t262 = GetAsyncKeyState(0x12);
							__eflags = 0x00008000 & _t262;
							if((0x00008000 & _t262) != 0) {
								 *0x1a3f08 = 1;
								_t28 = _t280 + 0xb7c;
								 *_t28 =  *(_t280 + 0xb7c) | 0xffffffff;
								__eflags =  *_t28;
								 *(_t280 + 0xb80) =  *(_t333 - 0x24);
								 *0x1a3f34 = _t280;
							}
							goto L22;
						} else {
							_t328 = _t327 | 0xffffffff;
							 *(_t280 + 0xb78) = _t328;
							_t342 =  *0x1a3f04 - _t331; // 0x0
							if(_t342 != 0 &&  *((intOrPtr*)(_t280 + 0xb04)) == _t331) {
								_t319 =  *(_t280 + 0xb80);
								 *(_t280 + 0xb80) = _t328;
								if( *(_t280 + 0xb80) != _t328) {
									E00056CF9(_t280, _t325, _t319);
									UpdateWindow( *(_t280 + 0x20));
								}
								 *((intOrPtr*)( *_t280 + 0x3b0))(_t328);
							}
							if( *((intOrPtr*)( *_t280 + 0x1c8))() != 0) {
								SetCursor( *0x1a3a8c);
							}
							E0009F36D(_t280,  *(_t333 + 8),  *(_t333 + 0xc),  *(_t333 + 0x10));
							L76:
							return E00131B05(_t280, _t328, _t331);
						}
					}
					L5:
					_t327 = GetParent;
					_t274 = E0004EA25(0x1645c0, E0003F82E(_t280, _t281, _t325, GetParent( *(_t280 + 0x20))));
					_pop(_t323);
					if(_t274 != 0) {
						E00043652(_t280, E0003F82E(_t280, _t323, _t325, GetParent( *(_t280 + 0x20))), _t325);
					}
					goto L7;
				}
				_t336 =  *0x1a3f04 - _t331; // 0x0
				if(_t336 == 0) {
					goto L5;
				} else {
					_t281 = _t162;
					 *0x1a3f34 = __ecx;
					if(_t281 != 0) {
						_t325 =  *(_t281 + 0xb80);
						 *(_t281 + 0xb80) =  *(_t281 + 0xb80) | 0xffffffff;
						E00056CF9(_t281,  *(_t281 + 0xb80),  *(_t281 + 0xb80));
					}
					goto L4;
				}
			}

0x00059574
0x00059574
0x00059574
0x0005957b
0x00059580
0x00059583
0x00059585
0x00059590
0x00059593
0x00059598
0x0005959c
0x000595c5
0x000595c5
0x000595cb
0x00059601
0x00059604
0x00059684
0x00059686
0x00059688
0x00000000
0x00000000
0x00059695
0x0005969b
0x000596a1
0x000596a7
0x000596f1
0x000596f1
0x000596f7
0x00059705
0x00059705
0x0005970b
0x00059ada
0x00059ae0
0x00059ae6
0x00059aeb
0x00059af2
0x00059b10
0x00059b13
0x00059b1c
0x00059b24
0x00059b31
0x00059b3b
0x00059b3d
0x00059b40
0x00059b42
0x00059b9a
0x00059b44
0x00059b4c
0x00059b51
0x00059b53
0x00059b55
0x00059b55
0x00059b55
0x00059b55
0x00059b5e
0x00059b65
0x00059b70
0x00059b79
0x00059b7b
0x00059b83
0x00059b83
0x00059ba0
0x00059ba0
0x00059ba6
0x00059ba9
0x00059baf
0x00059bb5
0x00059bc4
0x00059bc4
0x00000000
0x00059ba6
0x00059afb
0x00059b00
0x00059b02
0x00000000
0x00000000
0x00059b04
0x00000000
0x00059b04
0x00059711
0x00059717
0x00000000
0x00000000
0x00059723
0x00059728
0x0005972b
0x00059732
0x00059738
0x0005973b
0x0005973e
0x00059741
0x00059744
0x0005974a
0x0005974e
0x00059755
0x00059755
0x00059762
0x00059769
0x0005976b
0x0005976e
0x00059776
0x00059778
0x00059778
0x00059783
0x00059789
0x0005978d
0x00059790
0x00059792
0x000597bf
0x000597c7
0x000597d5
0x000597d8
0x000597da
0x00059855
0x00059855
0x0005985d
0x00059860
0x00059862
0x00059acf
0x00059acf
0x00000000
0x00059acf
0x00059868
0x00059873
0x00059875
0x00000000
0x00000000
0x0005987e
0x0005988b
0x0005988f
0x00059892
0x0005989c
0x000598a5
0x000598ab
0x000598ae
0x000598b7
0x000598bd
0x000598c3
0x000598c5
0x000598c5
0x000598cf
0x000598d7
0x000598d8
0x000598da
0x000598e3
0x000598e6
0x000598ec
0x000598ee
0x0005991f
0x00059922
0x00059925
0x00059932
0x00059938
0x0005993e
0x00059a94
0x00059a94
0x00059a97
0x00059a9a
0x00059a9c
0x00059aa2
0x00059aa8
0x00059aa8
0x00059aad
0x00059ab3
0x00059ab6
0x00059ab9
0x00059abf
0x00059ac5
0x00000000
0x00059ac5
0x00059944
0x00059954
0x00059956
0x00000000
0x00000000
0x0005995c
0x00059960
0x00059a79
0x00059a79
0x00059a7f
0x00059a81
0x00059a8c
0x00059a8c
0x00000000
0x00059a81
0x00059966
0x0005996c
0x0005996e
0x00000000
0x00000000
0x00059974
0x0005997a
0x00000000
0x00000000
0x00059983
0x00059986
0x00059988
0x0005998e
0x00059990
0x00000000
0x00000000
0x000599a8
0x000599b2
0x000599c2
0x000599cc
0x000599ce
0x000599d7
0x000599e0
0x000599e5
0x000599e7
0x000599e9
0x000599ec
0x00059a03
0x00059a03
0x000599ec
0x00059a09
0x00059a0f
0x00059a13
0x00059a15
0x00059a25
0x00059a25
0x00059a3b
0x00059a42
0x00059a44
0x00059a62
0x00059a68
0x00059a69
0x00059a6b
0x00059a6d
0x00059a6f
0x00059a71
0x00059a71
0x00059a6b
0x00000000
0x000598f0
0x000598f0
0x000598f6
0x000598f8
0x000598fe
0x00059904
0x00059904
0x0005990a
0x00059911
0x00000000
0x00059911
0x000598ee
0x000597e3
0x000597e9
0x000597ec
0x00000000
0x00000000
0x000597ee
0x000597f4
0x00000000
0x00000000
0x000597f6
0x000597fc
0x00059809
0x0005980f
0x00059810
0x00059811
0x00059812
0x00059815
0x00059818
0x0005981a
0x00059827
0x00059827
0x0005983c
0x00059848
0x0005984e
0x00000000
0x00059794
0x00059794
0x0005979b
0x0005979f
0x000597a5
0x000597b0
0x000597b0
0x00000000
0x000597a5
0x00059792
0x000596f9
0x000596ff
0x00000000
0x00000000
0x00000000
0x000596ff
0x000596ad
0x000596b3
0x000596b5
0x00000000
0x00000000
0x000596b7
0x000596bd
0x00000000
0x00000000
0x000596c1
0x000596cc
0x000596cf
0x000596d4
0x000596de
0x000596de
0x000596de
0x000596e5
0x000596eb
0x000596eb
0x00000000
0x00059606
0x00059606
0x00059609
0x0005960f
0x00059615
0x0005961f
0x00059625
0x0005962d
0x00059632
0x0005963a
0x0005963a
0x00059645
0x00059645
0x00059657
0x0005965f
0x0005965f
0x00059670
0x00059bca
0x00059bcf
0x00059bcf
0x00059604
0x000595cd
0x000595d0
0x000595e4
0x000595ea
0x000595ed
0x000595fc
0x000595fc
0x00000000
0x000595ed
0x0005959e
0x000595a4
0x00000000
0x000595a6
0x000595a6
0x000595a8
0x000595b0
0x000595b2
0x000595b8
0x000595c0
0x000595c0
0x00000000
0x000595b0

APIs

__EH_prolog3_GS.LIBCMT ref: 0005957B
GetParent.USER32(?), ref: 000595D6
GetParent.USER32(?), ref: 000595F2
UpdateWindow.USER32 ref: 0005963A
SetCursor.USER32 ref: 0005965F
GetAsyncKeyState.USER32 ref: 000596C1
UpdateWindow.USER32 ref: 000597C7
InflateRect.USER32 ref: 00059827
SetCapture.USER32(?), ref: 00059830
SetCursor.USER32(00000000), ref: 00059848
IsWindow.USER32(?), ref: 000598E6
GetCursorPos.USER32(?), ref: 00059925
ScreenToClient.USER32(?,?), ref: 00059932
PtInRect.USER32(?,?,?), ref: 0005994E
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 000599C2
GetParent.USER32(?), ref: 000599DD
GetParent.USER32(?), ref: 000599F1
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00059A03
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00059A25
GetParent.USER32(?), ref: 00059A2E
GetParent.USER32(?), ref: 00059A49
GetParent.USER32(?), ref: 00059A54
InvalidateRect.USER32(?,?,00000001), ref: 00059A8C
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00059BC4

Part of subcall function 00056CF9: InvalidateRect.USER32(?,?,00000001), ref: 00056D6E
Part of subcall function 00056CF9: InflateRect.USER32 ref: 00056DB4
Part of subcall function 00056CF9: RedrawWindow.USER32(?,?,00000000,00000401), ref: 00056DC7

UpdateWindow.USER32 ref: 00059B24
UpdateWindow.USER32 ref: 00059B83
SetCapture.USER32(?), ref: 00059B8E

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Window$Parent$RectRedraw$Update$Cursor$CaptureInflateInvalidate$AsyncClientH_prolog3_ScreenState
String ID:
API String ID: 991125134-0
Opcode ID: b274a273a080204c362ac0ed36bb239d474e4b3b2dfa1abd050673b39ecf66b8
Instruction ID: 884772098f655531d80dd2e5ec8b41f9944857888ef37ff4ca12c75ac2df17c3
Opcode Fuzzy Hash: b274a273a080204c362ac0ed36bb239d474e4b3b2dfa1abd050673b39ecf66b8
Instruction Fuzzy Hash: A5027C70A10200DFDF55AF64D889AAE7BB5FF09312F140279FC1A9B2A6DB318948CF51

Uniqueness

Uniqueness Score: -1.00%

Function 000844FC Relevance: 28.9, APIs: 19, Instructions: 446
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E000844FC(void* __ebx, int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t158;
				void* _t159;
				WCHAR* _t163;
				struct HWND__* _t166;
				struct HWND__* _t168;
				intOrPtr* _t179;
				struct HWND__* _t205;
				struct HWND__* _t208;
				void* _t213;
				struct HWND__* _t215;
				intOrPtr _t218;
				struct HWND__* _t219;
				struct HWND__* _t227;
				void* _t233;
				int _t235;
				void* _t248;
				void* _t250;
				int _t262;
				struct HWND__* _t263;
				void* _t332;
				intOrPtr _t334;
				void* _t337;
				void* _t338;
				void* _t350;

				_t332 = __edx;
				_push(0xa8);
				E00131A82(0x14b9ff, __ebx, __edi, __esi);
				_t334 =  *((intOrPtr*)(_t338 + 8));
				_t262 = __ecx;
				 *(_t338 - 0x80) = __ecx;
				E000B0797(__ecx + 0x1bc, _t334);
				E00084D27(_t338 - 0xb4, 0xa);
				_t267 = _t262;
				 *(_t338 - 4) = 0;
				E000801D5(_t262, _t262, _t334, 0, _t338 - 0xb4, 1, 0, 0);
				 *(_t338 - 0x84) = 0;
				_t337 = AppendMenuW;
				while( *(_t338 - 0x84) != 1 ||  *((intOrPtr*)(_t338 + 0xc)) == 0) {
					 *(_t338 - 0x7c) = 1;
					_t158 =  *((intOrPtr*)(_t338 - 0xb0));
					if(_t158 == 0) {
						L51:
						 *(_t338 - 0x84) =  &( *(_t338 - 0x84)->i);
						if( *(_t338 - 0x84) < 2) {
							continue;
						}
						break;
					} else {
						while(_t158 != 0) {
							 *((intOrPtr*)(_t338 - 0x90)) =  *_t158;
							_t262 = E0004EA25(0x1645c0,  *((intOrPtr*)(_t158 + 8)));
							_pop(_t267);
							if(_t262 == 0 || IsWindow( *(_t262 + 0x20)) == 0) {
								L49:
								if( *((intOrPtr*)(_t338 - 0x90)) != 0) {
									_t158 =  *((intOrPtr*)(_t338 - 0x90));
									continue;
								}
								_t262 =  *(_t338 - 0x80);
								goto L51;
							} else {
								_t267 = _t262;
								if( *((intOrPtr*)( *_t262 + 0x288))() == 0) {
									goto L49;
								}
								_t267 = _t262;
								if( *((intOrPtr*)( *_t262 + 0x1c4))() == 0) {
									goto L49;
								}
								_t267 = _t262;
								if(E0004EA07(_t262, 0x19ced8) == 0) {
									__eflags =  *(_t338 - 0x84);
								} else {
									_t350 =  *(_t338 - 0x84) - 1;
								}
								if(_t350 == 0) {
									goto L49;
								} else {
									E00031110(_t338 - 0x8c, E00045761());
									 *(_t338 - 4) = 1;
									 *((intOrPtr*)( *_t262 + 0x28c))(_t338 - 0x8c);
									if(E0004EA07(_t262, 0x171814) == 0 || E0004EA07(_t262, 0x19f448) != 0) {
										_t205 = E0004EA07(_t262, 0x1676d0);
										__eflags = _t205;
										if(_t205 == 0) {
											_t208 = E00087D8E( *(_t338 - 0x80) + 0x1bc, __eflags, E000434FE(_t262), _t338 - 0x88);
											__eflags = _t208;
											if(_t208 == 0) {
												__eflags =  *(_t338 - 0x7c) - _t208;
												if( *(_t338 - 0x7c) != _t208) {
													__eflags =  *(_t338 - 0x84) - 1;
													if( *(_t338 - 0x84) == 1) {
														_t215 = GetMenuItemCount( *(_t334 + 4));
														__eflags = _t215;
														if(_t215 > 0) {
															AppendMenuW( *(_t334 + 4), 0x800, 0, 0);
														}
													}
												}
												 *(_t338 - 0x88) =  *(_t338 - 0x8c);
												AppendMenuW( *(_t334 + 4), 0, E000434FE(_t262),  *(_t338 - 0x88));
												 *(_t338 - 0x7c) =  *(_t338 - 0x7c) & 0x00000000;
												_t213 = E000434FE(_t262);
												__eflags =  *(_t338 - 0x80) + 0x1bc;
												 *(E000EA1D7( *(_t338 - 0x80) + 0x1bc, _t332,  *(_t338 - 0x80) + 0x1bc, _t213)) = _t262;
											}
											goto L48;
										}
										_t262 = E0004EA25(0x1676d0, _t262);
										_t218 = E000BC9F8(_t262);
										 *((intOrPtr*)(_t338 - 0x98)) = _t218;
										_t219 = SendMessageW( *(_t218 + 0x20), 0x40c, 0, 0);
										_t309 =  *(_t262 + 0x2ac);
										 *(_t338 - 0x78) =  *(_t338 - 0x78) & 0x00000000;
										 *(_t338 - 0x88) = _t219;
										 *(_t338 - 0x74) =  *(_t262 + 0x2ac);
										 *((intOrPtr*)(_t338 - 0x70)) = 0x230;
										__eflags = _t219;
										if(__eflags == 0) {
											goto L48;
										} else {
											goto L33;
										}
										do {
											L33:
											SendMessageW( *( *((intOrPtr*)(_t338 - 0x98)) + 0x20), 0x41c,  *(_t338 - 0x78), _t338 - 0x74);
											_t262 = E0004EA25(0x1645c0, E0003F85A(_t262, _t309, _t332, _t334, _t337, __eflags,  *((intOrPtr*)(_t338 - 0x54))));
											_pop(_t309);
											__eflags = _t262;
											if(_t262 != 0) {
												_t309 = _t262;
												_t227 =  *((intOrPtr*)( *_t262 + 0x288))();
												__eflags = _t227;
												if(_t227 != 0) {
													 *((intOrPtr*)( *_t262 + 0x28c))(_t338 - 0x8c);
													__eflags =  *(_t338 - 0x7c);
													if( *(_t338 - 0x7c) != 0) {
														__eflags =  *(_t338 - 0x84) - 1;
														if( *(_t338 - 0x84) == 1) {
															_t235 = GetMenuItemCount( *(_t334 + 4));
															__eflags = _t235;
															if(_t235 > 0) {
																AppendMenuW( *(_t334 + 4), 0x800, 0, 0);
															}
														}
													}
													 *(_t338 - 0x94) =  *(_t338 - 0x8c);
													AppendMenuW( *(_t334 + 4), 0, E000434FE(_t262),  *(_t338 - 0x94));
													 *(_t338 - 0x7c) =  *(_t338 - 0x7c) & 0x00000000;
													_t233 = E000434FE(_t262);
													_t309 =  *(_t338 - 0x80) + 0x1bc;
													__eflags =  *(_t338 - 0x80) + 0x1bc;
													 *(E000EA1D7( *(_t338 - 0x80) + 0x1bc, _t332,  *(_t338 - 0x80) + 0x1bc, _t233)) = _t262;
												}
											}
											 *(_t338 - 0x78) =  *(_t338 - 0x78) + 1;
											__eflags =  *(_t338 - 0x78) -  *(_t338 - 0x88);
										} while (__eflags < 0);
									} else {
										_t262 =  *((intOrPtr*)( *_t262 + 0x3a4))();
										 *(_t338 - 0x94) = _t262;
										if(_t262 == 0) {
											L48:
											_t267 =  *(_t338 - 0x8c) + 0xfffffff0;
											 *(_t338 - 4) = 0;
											E00031190( *(_t338 - 0x8c) + 0xfffffff0, _t332);
											goto L49;
										}
										 *(_t338 - 0x78) =  *(_t338 - 0x78) & 0x00000000;
										if( *((intOrPtr*)( *_t262 + 0x1a8))() > 0) {
											goto L21;
											L22:
											_t248 =  *((intOrPtr*)( *_t262 + 0x288))();
											_t356 = _t248;
											if(_t248 == 0) {
												goto L29;
											}
											_t250 = E000434FE(_t262);
											 *((intOrPtr*)(_t338 - 0x98)) =  *(_t338 - 0x80) + 0x1bc;
											if(E00087D8E( *(_t338 - 0x80) + 0x1bc, _t356, _t250, _t338 - 0x88) != 0) {
												goto L29;
											}
											 *((intOrPtr*)( *_t262 + 0x28c))(_t338 - 0x8c);
											if( *(_t338 - 0x7c) != 0 &&  *(_t338 - 0x84) == 1 && GetMenuItemCount( *(_t334 + 4)) > 0) {
												AppendMenuW( *(_t334 + 4), 0x800, 0, 0);
											}
											 *(_t338 - 0x7c) =  *(_t338 - 0x8c);
											AppendMenuW( *(_t334 + 4), 0, E000434FE(_t262),  *(_t338 - 0x7c));
											 *(_t338 - 0x7c) =  *(_t338 - 0x7c) & 0x00000000;
											 *(E000EA1D7( *((intOrPtr*)(_t338 - 0x98)), _t332,  *(_t338 - 0x7c), E000434FE(_t262))) = _t262;
											L29:
											 *(_t338 - 0x78) =  *(_t338 - 0x78) + 1;
											if( *(_t338 - 0x78) <  *((intOrPtr*)( *( *(_t338 - 0x94)) + 0x1a8))()) {
												_t262 =  *(_t338 - 0x94);
												L21:
												_t262 = E0004EA25(0x1645c0,  *((intOrPtr*)( *_t262 + 0x1ac))( *(_t338 - 0x78)));
												if(_t262 == 0) {
													goto L29;
												}
												goto L22;
											}
										}
									}
									goto L48;
								}
							}
						}
						E000455E0(_t267);
						L56:
						_t168 = E0004EA25(0x15da3c, E0003F82E(_t262, _t267, _t332,  *(_t338 - 0x7c)));
						_pop(_t267);
						__eflags = _t168;
						if(__eflags != 0) {
							_t263 =  *(_t168 + 0x434);
							__eflags = _t263;
							if(__eflags != 0) {
								E00031110(_t338 - 0x78, E00045761());
								 *(_t338 - 4) = 2;
								 *((intOrPtr*)(_t263->i + 0x28c))(_t338 - 0x78);
								 *(_t338 - 0x88) =  *(_t338 - 0x78);
								AppendMenuW( *(_t334 + 4), 0, E000434FE(_t263),  *(_t338 - 0x88));
								 *(E000EA1D7( *(_t338 - 0x80) + 0x1bc, _t332, __eflags, E000434FE(_t263))) = _t263;
								_t267 =  *(_t338 - 0x78) + 0xfffffff0;
								__eflags =  *(_t338 - 0x78) + 0xfffffff0;
								 *(_t338 - 4) = 0;
								E00031190( *(_t338 - 0x78) + 0xfffffff0, _t332);
							}
							_t262 =  *(_t338 - 0x80);
						}
						_t166 = GetWindow( *(_t338 - 0x7c), 2);
						L61:
						 *(_t338 - 0x7c) = _t166;
						if(_t166 != 0) {
							goto L56;
						}
						_t179 =  *((intOrPtr*)(_t262 + 0x1a0));
						_t369 = _t179;
						if(_t179 == 0) {
							L69:
							if( *((intOrPtr*)(_t262 + 0x1e8)) != 0) {
								if(GetMenuItemCount( *(_t334 + 4)) > 0) {
									AppendMenuW( *(_t334 + 4), 0x800, 0, 0);
								}
								_t163 =  *(_t262 + 0x1ec);
								AppendMenuW( *(_t334 + 4), 0, _t262, _t163);
							}
							 *(_t338 - 4) =  *(_t338 - 4) | 0xffffffff;
							E00084D4F(_t338 - 0xb4);
							return E00131B05(_t262, _t334, _t337);
						}
						while(1) {
							 *((intOrPtr*)(_t338 - 0x90)) =  *_t179;
							_t262 = E0004EA25(0x19ec6c, E0003F85A(_t262,  *_t179, _t332, _t334, _t337, _t369,  *((intOrPtr*)(_t179 + 8))));
							_t370 = _t262;
							if(_t262 != 0) {
								E00031110(_t338 - 0x78, E00045761());
								 *(_t338 - 4) = 3;
								 *((intOrPtr*)( *_t262 + 0x28c))(_t338 - 0x78);
								 *(_t338 - 0x88) =  *(_t338 - 0x78);
								AppendMenuW( *(_t334 + 4), 0, E000434FE(_t262),  *(_t338 - 0x88));
								 *(E000EA1D7( *(_t338 - 0x80) + 0x1bc, _t332, _t370, E000434FE(_t262))) = _t262;
								 *(_t338 - 4) = 0;
								E00031190( *(_t338 - 0x78) + 0xfffffff0, _t332);
							}
							if( *((intOrPtr*)(_t338 - 0x90)) == 0) {
								break;
							}
							_t179 =  *((intOrPtr*)(_t338 - 0x90));
						}
						_t262 =  *(_t338 - 0x80);
						goto L69;
					}
				}
				_t159 = E0004EA25(0x15e958,  *((intOrPtr*)(_t262 + 0xe4)));
				_pop(_t267);
				if(_t159 == 0 ||  *((intOrPtr*)(_t338 + 0xc)) != 0) {
					goto L69;
				} else {
					_t166 = GetWindow( *(_t159 + 0x110), 5);
					goto L61;
				}
			}

0x000844fc
0x000844fc
0x00084506
0x0008450b
0x0008450e
0x00084516
0x00084519
0x00084526
0x00084538
0x0008453a
0x0008453d
0x00084542
0x00084548
0x0008454e
0x00084563
0x00084566
0x0008456e
0x00084955
0x00084955
0x00084962
0x00000000
0x00000000
0x00000000
0x00084574
0x0008457c
0x0008458e
0x00084599
0x0008459c
0x0008459f
0x00084945
0x0008494c
0x00084576
0x00000000
0x00084576
0x00084952
0x00000000
0x000845b6
0x000845b8
0x000845c2
0x00000000
0x00000000
0x000845ca
0x000845d4
0x00000000
0x00000000
0x000845df
0x000845e8
0x000845f3
0x000845ea
0x000845ea
0x000845ea
0x000845fa
0x00000000
0x00084600
0x0008460c
0x0008461c
0x00084620
0x00084634
0x00084778
0x0008477d
0x0008477f
0x000848c4
0x000848c9
0x000848cb
0x000848cd
0x000848d0
0x000848d2
0x000848d9
0x000848de
0x000848e4
0x000848e6
0x000848f4
0x000848f4
0x000848e6
0x000848d9
0x000848fe
0x00084915
0x00084917
0x0008491d
0x00084926
0x00084931
0x00084931
0x00000000
0x000848cb
0x00084791
0x00084796
0x000847a7
0x000847ad
0x000847b3
0x000847b9
0x000847bd
0x000847c3
0x000847c6
0x000847cd
0x000847cf
0x00000000
0x00000000
0x00000000
0x00000000
0x000847d5
0x000847d5
0x000847ea
0x00084803
0x00084806
0x00084807
0x00084809
0x00084811
0x00084813
0x00084819
0x0008481b
0x00084828
0x0008482e
0x00084832
0x00084834
0x0008483b
0x00084840
0x00084846
0x00084848
0x00084856
0x00084856
0x00084848
0x0008483b
0x00084860
0x00084877
0x00084879
0x0008487f
0x00084888
0x00084888
0x00084893
0x00084893
0x0008481b
0x00084895
0x0008489b
0x0008489b
0x0008464e
0x00084658
0x0008465a
0x00084662
0x00084933
0x00084939
0x0008493c
0x00084940
0x00000000
0x00084940
0x0008466a
0x00084678
0x0008467e
0x000846aa
0x000846ae
0x000846b4
0x000846b6
0x00000000
0x00000000
0x000846c5
0x000846d4
0x000846e1
0x00000000
0x00000000
0x000846ee
0x000846f8
0x0008471c
0x0008471c
0x00084726
0x00084737
0x00084739
0x00084750
0x00084752
0x0008475a
0x00084766
0x00084680
0x00084686
0x0008469e
0x000846a4
0x00000000
0x00000000
0x00000000
0x000846a4
0x0008476c
0x00084678
0x00000000
0x00084634
0x000845fa
0x0008459f
0x00084999
0x0008499e
0x000849ac
0x000849b2
0x000849b3
0x000849b5
0x000849b7
0x000849bd
0x000849bf
0x000849ca
0x000849d7
0x000849db
0x000849e6
0x000849fd
0x00084a15
0x00084a1a
0x00084a1a
0x00084a1d
0x00084a21
0x00084a21
0x00084a26
0x00084a26
0x00084a2e
0x00084a2e
0x00084a34
0x00084a39
0x00000000
0x00000000
0x00084a3f
0x00084a45
0x00084a47
0x00084aed
0x00084af4
0x00084b01
0x00084b0f
0x00084b0f
0x00084b11
0x00084b24
0x00084b24
0x00084b26
0x00084b30
0x00084b3a
0x00084b3a
0x00084a55
0x00084a5a
0x00084a70
0x00084a74
0x00084a76
0x00084a81
0x00084a8e
0x00084a92
0x00084a9d
0x00084ab4
0x00084acc
0x00084ad4
0x00084ad8
0x00084ad8
0x00084ae4
0x00000000
0x00000000
0x00084a4f
0x00084a4f
0x00084aea
0x00000000
0x00084aea
0x0008456e
0x00084973
0x00084979
0x0008497c
0x00000000
0x0008498c
0x00084a2e
0x00000000
0x00084a2e

APIs

__EH_prolog3_GS.LIBCMT ref: 00084506
IsWindow.USER32(?), ref: 000845A8
GetMenuItemCount.USER32(00000001), ref: 00084706
AppendMenuW.USER32 ref: 0008471C
AppendMenuW.USER32 ref: 00084737
SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 000847AD
SendMessageW.USER32(?,0000041C,00000000,?), ref: 000847EA
GetMenuItemCount.USER32(00000001), ref: 00084840
AppendMenuW.USER32 ref: 00084856
AppendMenuW.USER32 ref: 00084877
GetMenuItemCount.USER32(00000001), ref: 000848DE
AppendMenuW.USER32 ref: 000848F4
AppendMenuW.USER32 ref: 00084915
AppendMenuW.USER32 ref: 000849FD
GetWindow.USER32(?,00000005), ref: 00084A2E
AppendMenuW.USER32 ref: 00084AB4
GetMenuItemCount.USER32(00000000), ref: 00084AF9
AppendMenuW.USER32 ref: 00084B0F
AppendMenuW.USER32 ref: 00084B24

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Menu$Append$CountItem$MessageSendWindow$H_prolog3_
String ID:
API String ID: 2495817426-0
Opcode ID: 0d280259426c41aa4b89fd1f7bd2565e8cceb12f685287dd90a84df331708420
Instruction ID: 9bda2f07ee61150cd5dddafa9f18fbd9ec37a222e644f11bff9664c0cad1f58d
Opcode Fuzzy Hash: 0d280259426c41aa4b89fd1f7bd2565e8cceb12f685287dd90a84df331708420
Instruction Fuzzy Hash: B1022970A0021AABDF64AFA4CC96BEDB7B5BF05301F1440BDE549AB292DF709984CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0003B2E0 Relevance: 27.2, APIs: 18, Instructions: 171
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0003B2E0() {
				void* _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				short _v36;
				struct _SID_IDENTIFIER_AUTHORITY _v40;
				struct _GENERIC_MAPPING _v56;
				struct _PRIVILEGE_SET _v76;
				void* _v80;
				void* _v84;
				int _v88;
				void* _v92;
				struct _SECURITY_DESCRIPTOR* _v96;
				struct _ACL* _v100;
				long _v104;
				long _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t44;
				signed int _t45;
				int _t70;
				struct _ACL* _t75;
				void* _t76;
				long _t89;
				void* _t90;
				long _t91;
				struct _SECURITY_DESCRIPTOR* _t93;
				void* _t94;
				signed int _t95;

				_push(0xfffffffe);
				_push(0x197200);
				_push(E00131C20);
				_push( *[fs:0x0]);
				_t44 =  *0x1a0454; // 0x960af5fb
				_v12 = _v12 ^ _t44;
				_t45 = _t44 ^ _t95;
				_v32 = _t45;
				_push(_t45);
				 *[fs:0x0] =  &_v20;
				_t89 = 0;
				_v88 = 0;
				_v104 = 0x14;
				_t75 = 0;
				_v100 = 0;
				_v80 = 0;
				_v84 = 0;
				_v92 = 0;
				_t93 = 0;
				_v96 = 0;
				_v40.Value = 0;
				_v36 = 0x500;
				_v8 = 0;
				if(OpenThreadToken(GetCurrentThread(), 0xa, 1,  &_v84) != 0 || GetLastError() == 0x3f0 && OpenProcessToken(GetCurrentProcess(), 0xa,  &_v84) != 0) {
					_t86 =  &_v92;
					if(DuplicateToken(_v84, 2,  &_v92) == 0) {
						goto L15;
					}
					_t86 =  &_v40;
					if(AllocateAndInitializeSid( &_v40, 2, 0x20, 0x220, _t89, _t89, _t89, _t89, _t89, _t89,  &_v80) == 0) {
						goto L15;
					}
					_t93 = LocalAlloc(0x40, 0x14);
					_v96 = _t93;
					if(_t93 != _t89 && InitializeSecurityDescriptor(_t93, 1) != 0) {
						_t23 = GetLengthSid(_v80) + 0x10; // 0x10
						_t91 = _t23;
						_t75 = LocalAlloc(0x40, _t91);
						_v100 = _t75;
						if(_t75 != 0 && InitializeAcl(_t75, _t91, 2) != 0 && AddAccessAllowedAce(_t75, 2, 3, _v80) != 0 && SetSecurityDescriptorDacl(_t93, 1, _t75, 0) != 0) {
							_t86 = _v80;
							SetSecurityDescriptorGroup(_t93, _v80, 0);
							SetSecurityDescriptorOwner(_t93, _v80, 0);
							if(IsValidSecurityDescriptor(_t93) != 0) {
								_v56.GenericRead = 1;
								_v56.GenericWrite = 2;
								_v56.GenericExecute = 0;
								_v56.GenericAll = 3;
								_t86 =  &_v56;
								_t70 = AccessCheck(_t93, _v92, 1,  &_v56,  &_v76,  &_v104,  &_v108,  &_v88);
								if(_t70 == 0) {
									_v88 = _t70;
								}
							}
						}
						_t89 = 0;
					}
					goto L15;
				} else {
					L15:
					_v8 = 0xfffffffe;
					E0003B4DE(_t75, _t89, _t93);
					 *[fs:0x0] = _v20;
					_pop(_t90);
					_pop(_t94);
					_pop(_t76);
					return E00130836(_v88, _t76, _v32 ^ _t95, _t86, _t90, _t94);
				}
			}

0x0003b2e3
0x0003b2e5
0x0003b2ea
0x0003b2f5
0x0003b2f9
0x0003b2fe
0x0003b301
0x0003b303
0x0003b309
0x0003b30d
0x0003b313
0x0003b315
0x0003b318
0x0003b31f
0x0003b321
0x0003b324
0x0003b327
0x0003b32a
0x0003b32d
0x0003b32f
0x0003b332
0x0003b335
0x0003b33b
0x0003b355
0x0003b383
0x0003b395
0x00000000
0x00000000
0x0003b3ae
0x0003b3ba
0x00000000
0x00000000
0x0003b3ca
0x0003b3cc
0x0003b3d1
0x0003b3f2
0x0003b3f2
0x0003b3fe
0x0003b400
0x0003b405
0x0003b442
0x0003b447
0x0003b454
0x0003b463
0x0003b465
0x0003b46c
0x0003b473
0x0003b47a
0x0003b491
0x0003b49c
0x0003b4a4
0x0003b4a6
0x0003b4a6
0x0003b4a4
0x0003b463
0x0003b4a9
0x0003b4a9
0x00000000
0x0003b4ab
0x0003b4ab
0x0003b4ab
0x0003b4b2
0x0003b4bd
0x0003b4c5
0x0003b4c6
0x0003b4c7
0x0003b4d5
0x0003b4d5

APIs

GetCurrentThread.KERNEL32(0000000A,00000001,?,960AF5FB), ref: 0003B346
OpenThreadToken.ADVAPI32(00000000), ref: 0003B34D
GetLastError.KERNEL32 ref: 0003B357
GetCurrentProcess.KERNEL32(0000000A,?), ref: 0003B36E
OpenProcessToken.ADVAPI32(00000000), ref: 0003B375
DuplicateToken.ADVAPI32(?,00000002,?), ref: 0003B38D
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0003B3B2
LocalAlloc.KERNEL32(00000040,00000014), ref: 0003B3C4
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0003B3DA
GetLengthSid.ADVAPI32(?), ref: 0003B3EC
LocalAlloc.KERNEL32(00000040,00000010), ref: 0003B3F8
InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 0003B40F
AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,?), ref: 0003B426
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 0003B436
SetSecurityDescriptorGroup.ADVAPI32(00000000,?,00000000), ref: 0003B447
SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 0003B454
IsValidSecurityDescriptor.ADVAPI32(00000000), ref: 0003B45B
AccessCheck.ADVAPI32(00000000,?,00000001,00000001,?,00000014,?,?), ref: 0003B49C

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: DescriptorSecurity$InitializeToken$AccessAllocCurrentLocalOpenProcessThread$AllocateAllowedCheckDaclDuplicateErrorGroupLastLengthOwnerValid
String ID:
API String ID: 1293491508-0
Opcode ID: 370e4aba76aecaf5a878656eb419a362cbc0f8aa7dca921ffa89bc0daa70e9cd
Instruction ID: 093b12919194c29b859bbd5ea1f8041817fed41fcc9703ee3a368fe89d5e0be0
Opcode Fuzzy Hash: 370e4aba76aecaf5a878656eb419a362cbc0f8aa7dca921ffa89bc0daa70e9cd
Instruction Fuzzy Hash: B3513671A40308EBEB11CFE5EC4AFAEBBBCAB48B15F004119F601AA5D1D7B49945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0010048A Relevance: 24.4, APIs: 16, Instructions: 368
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0010048A(void* __ebx, void* __ecx, int __edx, void* __edi, struct tagRECT* __esi, void* __eflags) {
				intOrPtr _t137;
				int _t138;
				struct tagRECT* _t155;
				int _t163;
				struct tagRECT* _t164;
				int _t166;
				int _t172;
				int _t179;
				void* _t190;
				intOrPtr _t198;
				int _t200;
				int _t205;
				int _t206;
				struct tagRECT* _t207;
				int* _t215;
				intOrPtr _t216;
				void* _t220;
				intOrPtr _t224;
				int _t250;
				int _t256;
				intOrPtr _t259;
				struct tagPOINT _t265;
				RECT* _t269;
				struct tagRECT* _t273;
				int _t274;
				intOrPtr* _t278;
				int* _t280;
				void* _t282;

				_t270 = __esi;
				_t262 = __edx;
				_push(0x68);
				E00131A82(0x150f35, __ebx, __edi, __esi);
				_t220 = __ecx;
				_t265 = 0;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				if( *((intOrPtr*)(__ecx + 0x44)) == 0 ||  *((intOrPtr*)(__ecx + 0x48)) == 0) {
					L60:
					return E00131B05(_t220, _t265, _t270);
				} else {
					_t286 =  *((intOrPtr*)(__ecx + 0x50));
					if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
						_t280 = E0003C37C(_t286, 0x350);
						 *(_t282 - 0x68) = _t280;
						 *(_t282 - 4) = 0;
						_t287 = _t280;
						if(_t280 == 0) {
							_t215 = 0;
							__eflags = 0;
						} else {
							E000DF1C8(_t220, _t280, __edx, 0, _t280, _t287);
							 *_t280 = 0x171444;
							_t215 = _t280;
						}
						 *(_t282 - 4) =  *(_t282 - 4) | 0xffffffff;
						_t259 =  *((intOrPtr*)(_t220 + 0x44));
						 *(_t220 + 0x50) = _t215;
						_t216 =  *0x1a564c; // 0x0
						 *(_t282 - 0x40) = _t265;
						 *(_t282 - 0x3c) = _t265;
						 *(_t282 - 0x38) = _t265;
						 *(_t282 - 0x34) = _t265;
						if(_t216 == _t265) {
							_t216 = E00040DD3(_t259);
						}
						_t262 =  *( *(_t220 + 0x50));
						 *((intOrPtr*)(_t262 + 0x328))(_t265, 0x1818c0, _t216, _t282 - 0x40, _t265,  *0x19f300, 0x40000000, 0x20, 0xf, _t265);
					}
					_t137 =  *0x1a6034; // 0x4
					 *((intOrPtr*)(_t282 - 0x6c)) = _t137;
					_t138 =  *0x1a6038; // 0x4
					 *(_t282 - 0x68) = _t138;
					 *(_t282 - 0x5c) = _t265;
					 *(_t282 - 0x58) = _t265;
					GetCursorPos(_t282 - 0x5c);
					_t270 =  *(_t282 - 0x58) -  *(_t220 + 8);
					 *(_t282 - 0x74) =  *(_t282 - 0x5c) -  *(_t220 + 4);
					 *(_t282 - 0x70) =  *(_t282 - 0x58) -  *(_t220 + 8);
					if(E00135F20(_t262,  *(_t282 - 0x5c) -  *(_t220 + 4)) >=  *((intOrPtr*)(_t282 - 0x6c)) || E00135F20(_t262, _t270) >=  *(_t282 - 0x68) || IsRectEmpty(_t220 + 0xc) == 0 ||  *((intOrPtr*)(_t282 + 8)) != _t265) {
						 *((intOrPtr*)(_t220 + 0x30)) = 1;
						E00082233(1);
						if(IsRectEmpty(_t220 + 0x1c) != 0) {
						}
						 *(_t282 - 0x60) =  *(_t282 - 0x60) & 0x00000000;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t273 = _t220 + 0xc;
						if(IsRectEmpty(_t273) != 0) {
							if(E0004EA07( *((intOrPtr*)(_t220 + 0x44)), 0x19d608) == 0) {
								_t200 = E0004EA07( *((intOrPtr*)(_t220 + 0x44)), 0x1645c0);
								__eflags = _t200;
								if(_t200 != 0) {
									_t278 = E0004EA25(0x1645c0,  *((intOrPtr*)(_t220 + 0x44)));
									_t269 = _t220 + 0xc;
									GetWindowRect( *( *((intOrPtr*)(_t220 + 0x44)) + 0x20), _t269);
									_t205 =  *((intOrPtr*)( *_t278 + 0x224))(0);
									__eflags = _t205;
									if(_t205 == 0) {
										 *((intOrPtr*)(_t220 + 0x14)) =  *((intOrPtr*)(_t278 + 0x1e0)) -  *((intOrPtr*)(_t278 + 0x1d8)) + _t269->left;
										_t256 =  *((intOrPtr*)(_t278 + 0x1e4)) -  *((intOrPtr*)(_t278 + 0x1dc)) +  *((intOrPtr*)(_t220 + 0x10));
										__eflags = _t256;
										 *(_t220 + 0x18) = _t256;
									}
									_push( *(_t220 + 8));
									_t206 = PtInRect(_t269,  *(_t220 + 4));
									__eflags = _t206;
									if(_t206 == 0) {
										_t207 = _t220 + 0xc;
										_t250 =  *(_t220 + 4) - _t207->left - 5;
										__eflags = _t250;
										OffsetRect(_t207, _t250, _t206);
									}
								}
							} else {
								GetWindowRect( *( *((intOrPtr*)(_t220 + 0x44)) + 0x20), _t273);
							}
							 *(_t282 - 0x60) = 1;
						}
						 *(_t282 - 0x64) =  *(_t282 - 0x64) & 0x00000000;
						_t265 = _t220 + 0x4c;
						 *(_t282 - 0x54) =  *_t265;
						_t274 = 0;
						 *(_t282 - 0x20) = 0;
						 *((intOrPtr*)(_t282 - 0x1c)) = 0;
						 *((intOrPtr*)(_t282 - 0x18)) = 0;
						 *((intOrPtr*)(_t282 - 0x14)) = 0;
						SetRectEmpty(_t282 - 0x20);
						_t224 =  *((intOrPtr*)(_t220 + 0x48));
						 *(_t282 - 0x68) = 0;
						if(_t224 != 0) {
							_t198 =  *((intOrPtr*)(_t224 + 0x1b8));
							if(_t198 != 0 &&  *((intOrPtr*)(_t198 + 8)) != 0 &&  *((intOrPtr*)(_t198 + 4)) != 0) {
								 *(_t282 - 0x68) = 1;
							}
						}
						E00080C76(_t224,  *((intOrPtr*)(_t220 + 0x44)),  *(_t282 - 0x5c),  *(_t282 - 0x58), _t282 - 0x20, _t282 - 0x64, _t265);
						_t155 =  *(_t282 - 0x54);
						if(_t155 != _t274 &&  *(_t220 + 0x34) != 0xffffffff && (_t155 !=  *_t265 ||  *(_t282 - 0x64) == _t274)) {
							E0010007F(_t220, _t265, _t155);
							 *(_t282 - 0x60) = 1;
						}
						 *(_t282 - 0x54) = 1;
						if(E0004EA07( *((intOrPtr*)(_t220 + 0x44)), 0x19d608) == 0) {
							if(E0004EA07( *((intOrPtr*)(_t220 + 0x44)), 0x1645c0) != 0) {
								_t262 =  *(E0004EA25(0x1645c0,  *((intOrPtr*)(_t220 + 0x44))));
								 *(_t282 - 0x54) =  *((intOrPtr*)(_t262 + 0x188))();
							}
							_t274 = 0;
						}
						_t157 =  *_t265;
						if( *_t265 == _t274 ||  *(_t282 - 0x54) == _t274) {
							L52:
							OffsetRect(_t220 + 0xc,  *(_t282 - 0x74),  *(_t282 - 0x70));
							 *(_t220 + 4) =  *(_t282 - 0x5c);
							 *(_t220 + 8) =  *(_t282 - 0x58);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t163 = IsRectEmpty(_t220 + 0x1c);
							__eflags = _t163;
							_t164 =  *0x1a3b48; // 0x4
							if(_t163 == 0) {
								_t164 =  *0x1a3b4c; // 0x3
							}
							 *(_t282 - 0x54) = _t164;
							_t270 = _t220 + 0x1c;
							 *(_t282 - 0x30) = 0;
							 *((intOrPtr*)(_t282 - 0x2c)) = 0;
							 *((intOrPtr*)(_t282 - 0x28)) = 0;
							 *((intOrPtr*)(_t282 - 0x24)) = 0;
							_t166 = IsRectEmpty(_t220 + 0x1c);
							__eflags = _t166;
							if(_t166 != 0) {
								_push( *(_t282 - 0x58));
								_t270 = _t220 + 0xc;
								_t172 = PtInRect(_t270,  *(_t282 - 0x5c));
								__eflags = _t172;
								if(_t172 == 0) {
									asm("cdq");
									_t262 =  *(_t282 - 0x5c) - (_t270->right - _t270->left - _t262 >> 1) + _t270->left;
									_t179 =  *(_t282 - 0x58) -  *((intOrPtr*)(_t220 + 0x10)) + 5;
									__eflags = _t179;
									OffsetRect(_t270, _t262, _t179);
								}
							}
							__eflags =  *(_t282 - 0x68);
							_t265 = _t282 - 0x30;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if(__eflags == 0) {
								L59:
								_push( *(_t220 + 0x40));
								_t270 =  *(_t282 - 0x54);
								_push(_t270);
								_push( *(_t282 - 0x60));
								_push(_t282 - 0x30);
								_push(_t282 - 0x50);
								E000FFE57(_t220, _t220, _t262, _t265, _t270, __eflags);
								 *(_t220 + 0x40) = _t270;
								goto L60;
							} else {
								__eflags = IsRectEmpty(_t220 + 0x1c);
								if(__eflags != 0) {
									goto L60;
								}
								goto L59;
							}
						} else {
							_t270 = E0004EA25(0x171814, _t157);
							if(_t270 == 0) {
								L47:
								__eflags =  *(_t282 - 0x64);
								if( *(_t282 - 0x64) == 0) {
									goto L52;
								}
								__eflags =  *(_t220 + 0x34) - 0xffffffff;
								if( *(_t220 + 0x34) == 0xffffffff) {
									__eflags =  *(_t282 - 0x60);
									if( *(_t282 - 0x60) == 0) {
										E00100185(_t220, _t262, 0);
									}
									E000FFEEB(_t220,  *_t265, 0);
									 *(_t220 + 0x34) = 1;
								}
								goto L60;
							}
							if( *(_t282 - 0x64) == 0) {
								goto L52;
							}
							if( *((intOrPtr*)(_t270->left + 0x3ac))() <= 1 ||  *((intOrPtr*)(_t270->left + 0x3b0))() == 0) {
								if( *((intOrPtr*)(_t270->left + 0x3ac))() <= 0) {
									goto L47;
								}
								_t190 =  *((intOrPtr*)(_t270->left + 0x3b0))();
								_t314 = _t190;
								if(_t190 != 0) {
									goto L47;
								}
								goto L46;
							} else {
								L46:
								_push( *(_t282 - 0x60));
								_push(_t270);
								E0010027A(_t220, _t220, _t262, _t265, _t270, _t314);
								goto L60;
							}
						}
					} else {
						goto L60;
					}
				}
			}

0x0010048a
0x0010048a
0x0010048a
0x00100491
0x00100496
0x00100498
0x0010049a
0x001004a0
0x001008b5
0x001008ba
0x001004af
0x001004af
0x001004b2
0x001004be
0x001004c1
0x001004c4
0x001004c7
0x001004c9
0x001004dc
0x001004dc
0x001004cb
0x001004cd
0x001004d2
0x001004d8
0x001004d8
0x001004de
0x001004e2
0x001004e5
0x001004e8
0x001004ed
0x001004f0
0x001004f3
0x001004f6
0x001004fb
0x001004fd
0x001004fd
0x00100505
0x00100523
0x00100523
0x00100529
0x0010052e
0x00100531
0x00100536
0x0010053d
0x00100540
0x00100543
0x00100552
0x00100556
0x00100559
0x00100565
0x00100591
0x00100594
0x001005a5
0x001005a5
0x001005aa
0x001005b1
0x001005b2
0x001005b3
0x001005b4
0x001005b5
0x001005c1
0x001005d6
0x001005f3
0x001005f8
0x001005fa
0x00100607
0x0010060c
0x00100613
0x0010061f
0x00100625
0x00100627
0x00100637
0x00100646
0x00100646
0x00100649
0x00100649
0x0010064c
0x00100653
0x00100659
0x0010065b
0x00100661
0x00100666
0x00100666
0x0010066b
0x0010066b
0x0010065b
0x001005d8
0x001005df
0x001005df
0x00100671
0x00100671
0x00100678
0x0010067c
0x00100681
0x00100684
0x0010068a
0x0010068d
0x00100690
0x00100693
0x00100696
0x0010069c
0x0010069f
0x001006a4
0x001006a6
0x001006ae
0x001006ba
0x001006ba
0x001006ae
0x001006d3
0x001006d8
0x001006dd
0x001006f1
0x001006f6
0x001006f6
0x00100705
0x00100713
0x00100725
0x00100730
0x0010073c
0x0010073c
0x0010073f
0x0010073f
0x00100741
0x00100745
0x001007eb
0x001007f5
0x001007fe
0x00100804
0x0010080f
0x00100810
0x00100811
0x00100812
0x0010081a
0x0010081c
0x0010081e
0x00100823
0x00100825
0x00100825
0x0010082a
0x0010082f
0x00100833
0x00100836
0x00100839
0x0010083c
0x0010083f
0x00100841
0x00100843
0x00100845
0x00100848
0x0010084f
0x00100855
0x00100857
0x00100861
0x0010086e
0x00100873
0x00100873
0x00100878
0x00100878
0x00100857
0x0010087e
0x00100882
0x00100885
0x00100886
0x00100887
0x00100888
0x00100889
0x00100899
0x00100899
0x0010089c
0x0010089f
0x001008a0
0x001008a6
0x001008aa
0x001008ad
0x001008b2
0x00000000
0x0010088b
0x00100895
0x00100897
0x00000000
0x00000000
0x00000000
0x00100897
0x00100754
0x0010075f
0x00100765
0x001007b6
0x001007b8
0x001007bb
0x00000000
0x00000000
0x001007bd
0x001007c1
0x001007c7
0x001007ca
0x001007cf
0x001007cf
0x001007da
0x001007df
0x001007df
0x00000000
0x001007c1
0x0010076b
0x00000000
0x00000000
0x0010077a
0x00100796
0x00000000
0x00000000
0x0010079c
0x001007a2
0x001007a4
0x00000000
0x00000000
0x00000000
0x001007a6
0x001007a6
0x001007a6
0x001007ab
0x001007ac
0x00000000
0x001007ac
0x0010077a
0x00000000
0x00000000
0x00000000
0x00100565

APIs

__EH_prolog3_GS.LIBCMT ref: 00100491
GetCursorPos.USER32(?), ref: 00100543
IsRectEmpty.USER32 ref: 00100577
IsRectEmpty.USER32 ref: 0010059D
IsRectEmpty.USER32 ref: 001005B9
GetWindowRect.USER32(?,00000000), ref: 001005DF
SetRectEmpty.USER32 ref: 00100696

Part of subcall function 0003C37C: _malloc.LIBCMT ref: 0003C39A

GetWindowRect.USER32(?,00000000), ref: 00100613
PtInRect.USER32(00000000,?,00000000), ref: 00100653
OffsetRect.USER32 ref: 0010066B

Part of subcall function 000DF1C8: __EH_prolog3.LIBCMT ref: 000DF1CF
Part of subcall function 000DF1C8: SetRectEmpty.USER32 ref: 000DF2D6
Part of subcall function 000DF1C8: SetRectEmpty.USER32 ref: 000DF2DF

OffsetRect.USER32 ref: 001007F5
IsRectEmpty.USER32 ref: 0010081A
IsRectEmpty.USER32 ref: 0010083F
PtInRect.USER32(00000000,?,?), ref: 0010084F
OffsetRect.USER32 ref: 00100878
IsRectEmpty.USER32 ref: 0010088F

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3__malloc
String ID:
API String ID: 1330315114-0
Opcode ID: 48be2c4dd602267d34bcd4b6c2c0649fa48f46fb637a0d8194aeb7e02db10aa5
Instruction ID: 891500962e0557c7152c2ca8fe079754fbae4ee4ab5bca72fea6f64eb4eb33c9
Opcode Fuzzy Hash: 48be2c4dd602267d34bcd4b6c2c0649fa48f46fb637a0d8194aeb7e02db10aa5
Instruction Fuzzy Hash: CCE18C71900614DFCF16DFA8C884AAEBBB9FF48700F14416AE945EB296E771E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00054321 Relevance: 24.2, APIs: 16, Instructions: 245
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00054321(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				RECT* _t114;
				void* _t140;
				void* _t144;
				void* _t160;
				RECT* _t193;
				intOrPtr _t204;
				intOrPtr* _t234;
				void* _t237;

				_t231 = __edx;
				_push(0x48);
				E00131A82(0x149a51, __ebx, __edi, __esi);
				_t114 =  *(_t237 + 8);
				_t193 =  *(_t237 + 0x14);
				_t234 = __ecx;
				 *((intOrPtr*)(_t237 - 0x24)) =  *((intOrPtr*)(_t237 + 0x20));
				 *((intOrPtr*)(_t237 - 0x28)) =  *((intOrPtr*)(_t237 + 0x24));
				 *(_t237 - 0x54) = _t114;
				 *((intOrPtr*)(_t237 - 0x4c)) = 0;
				 *((intOrPtr*)(_t237 - 0x50)) = 0x15ad2c;
				 *(_t237 - 4) = 0;
				 *(_t237 - 0x34) = 0;
				 *((intOrPtr*)(_t237 - 0x38)) = 0x15ad2c;
				 *(_t237 - 0x3c) = 0;
				 *((intOrPtr*)(_t237 - 0x40)) = 0x15ad2c;
				 *(_t237 - 4) = 2;
				E000467CA(_t193, _t237 - 0x38, __edx, __ecx, CreateRectRgnIndirect(_t114));
				CopyRect(_t237 - 0x20,  *(_t237 - 0x54));
				InflateRect(_t237 - 0x20,  ~( *(_t237 + 0xc)),  ~( *(_t237 + 0x10)));
				IntersectRect(_t237 - 0x20, _t237 - 0x20,  *(_t237 - 0x54));
				E000467CA(_t193, _t237 - 0x40, _t231, _t234, CreateRectRgnIndirect(_t237 - 0x20));
				E000467CA(_t193, _t237 - 0x50, _t231, _t234, CreateRectRgn(0, 0, 0, 0));
				E00054154(_t237 - 0x50, _t237 - 0x38, _t237 - 0x40, 3);
				_t239 =  *((intOrPtr*)(_t237 - 0x24));
				if( *((intOrPtr*)(_t237 - 0x24)) == 0) {
					 *((intOrPtr*)(_t237 - 0x24)) = E00054183(_t193, _t234, 0x15ad2c, _t239);
				}
				_t204 =  *((intOrPtr*)(_t237 - 0x24));
				if((0 | _t204 != 0x00000000) == 0) {
					E000455E0(_t204);
				}
				if( *((intOrPtr*)(_t237 - 0x28)) == 0) {
					 *((intOrPtr*)(_t237 - 0x28)) = _t204;
				}
				 *((intOrPtr*)(_t237 - 0x2c)) = 0;
				 *((intOrPtr*)(_t237 - 0x30)) = 0x15ad2c;
				 *((intOrPtr*)(_t237 - 0x44)) = 0;
				 *((intOrPtr*)(_t237 - 0x48)) = 0x15ad2c;
				 *(_t237 - 4) = 4;
				if(_t193 != 0) {
					E000467CA(_t193, _t237 - 0x30, 0, _t234, CreateRectRgn(0, 0, 0, 0));
					SetRectRgn( *(_t237 - 0x34),  *_t193, _t193->top, _t193->right, _t193->bottom);
					CopyRect(_t237 - 0x20, _t193);
					InflateRect(_t237 - 0x20,  ~( *(_t237 + 0x18)),  ~( *(_t237 + 0x1c)));
					IntersectRect(_t237 - 0x20, _t237 - 0x20, _t193);
					SetRectRgn( *(_t237 - 0x3c),  *(_t237 - 0x20),  *(_t237 - 0x1c),  *(_t237 - 0x18),  *(_t237 - 0x14));
					E00054154(_t237 - 0x30, _t237 - 0x38, _t237 - 0x40, 3);
					if( *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x24)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x28)) + 4))) {
						E000467CA(_t193, _t237 - 0x48, 0, _t234, CreateRectRgn(0, 0, 0, 0));
						E00054154(_t237 - 0x48, _t237 - 0x30, _t237 - 0x50, 3);
					}
				}
				if( *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x24)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x28)) + 4)) && _t193 != 0) {
					E000462A0(_t234, _t237 - 0x30);
					 *((intOrPtr*)( *_t234 + 0x50))(_t237 - 0x20);
					_t160 = E000468DD(_t234,  *((intOrPtr*)(_t237 - 0x28)));
					PatBlt( *(_t234 + 4),  *(_t237 - 0x20),  *(_t237 - 0x1c),  *(_t237 - 0x18) -  *(_t237 - 0x20),  *(_t237 - 0x14) -  *(_t237 - 0x1c), 0x5a0049);
					E000468DD(_t234, _t160);
				}
				_t140 = _t237 - 0x48;
				if( *((intOrPtr*)(_t237 - 0x44)) == 0) {
					_t140 = _t237 - 0x50;
				}
				E000462A0(_t234, _t140);
				 *((intOrPtr*)( *_t234 + 0x50))(_t237 - 0x20);
				_t144 = E000468DD(_t234,  *((intOrPtr*)(_t237 - 0x24)));
				_t194 = _t144;
				PatBlt( *(_t234 + 4),  *(_t237 - 0x20),  *(_t237 - 0x1c),  *(_t237 - 0x18) -  *(_t237 - 0x20),  *(_t237 - 0x14) -  *(_t237 - 0x1c), 0x5a0049);
				if(_t144 != 0) {
					E000468DD(_t234, _t194);
				}
				E000462A0(_t234, 0);
				 *(_t237 - 4) = 3;
				 *((intOrPtr*)(_t237 - 0x48)) = 0x15ad2c;
				E00031420(_t237 - 0x48, 0);
				 *(_t237 - 4) = 2;
				 *((intOrPtr*)(_t237 - 0x30)) = 0x15ad2c;
				E00031420(_t237 - 0x30, 0);
				 *(_t237 - 4) = 1;
				 *((intOrPtr*)(_t237 - 0x40)) = 0x15ad2c;
				E00031420(_t237 - 0x40, 0);
				 *(_t237 - 4) = 0;
				 *((intOrPtr*)(_t237 - 0x38)) = 0x15ad2c;
				E00031420(_t237 - 0x38, 0);
				 *(_t237 - 4) =  *(_t237 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t237 - 0x50)) = 0x15ad2c;
				E00031420(_t237 - 0x50, 0);
				return E00131B05(_t194, _t234, 0x15ad2c);
			}

0x00054321
0x00054321
0x00054328
0x0005432d
0x00054330
0x00054333
0x00054338
0x0005433e
0x00054348
0x0005434b
0x0005434e
0x00054351
0x00054354
0x00054357
0x0005435a
0x0005435d
0x00054361
0x0005436f
0x0005437b
0x00054391
0x0005439f
0x000543b3
0x000543c8
0x000543da
0x000543df
0x000543e3
0x000543ea
0x000543ea
0x000543ed
0x000543fb
0x000543fd
0x000543fd
0x00054405
0x00054407
0x00054407
0x0005440a
0x0005440d
0x00054410
0x00054413
0x00054416
0x0005441c
0x00054430
0x00054443
0x0005444e
0x00054464
0x00054470
0x00054485
0x00054498
0x000544a9
0x000544bb
0x000544cd
0x000544cd
0x000544a9
0x000544de
0x000544ea
0x000544f7
0x000544ff
0x00054522
0x0005452b
0x0005452b
0x00054534
0x00054537
0x00054539
0x00054539
0x0005453f
0x0005454c
0x00054554
0x0005455f
0x00054577
0x0005457f
0x00054584
0x00054584
0x0005458d
0x00054595
0x00054599
0x0005459c
0x000545a4
0x000545a8
0x000545ab
0x000545b3
0x000545b7
0x000545ba
0x000545c2
0x000545c6
0x000545c9
0x000545ce
0x000545d5
0x000545d8
0x000545e2

APIs

__EH_prolog3_GS.LIBCMT ref: 00054328
CreateRectRgnIndirect.GDI32(?), ref: 00054365
CopyRect.USER32(?,?), ref: 0005437B
InflateRect.USER32 ref: 00054391
IntersectRect.USER32(?,?,?), ref: 0005439F
CreateRectRgnIndirect.GDI32(?), ref: 000543A9
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 000543BE

Part of subcall function 00054154: CombineRgn.GDI32(?,?,?,?), ref: 00054179

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00054426
SetRectRgn.GDI32(?,0000000A,?,?,?), ref: 00054443
CopyRect.USER32(?,0000000A), ref: 0005444E
InflateRect.USER32 ref: 00054464
IntersectRect.USER32(?,?,0000000A), ref: 00054470
SetRectRgn.GDI32(?,?,?,?,0000000A), ref: 00054485
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 000544B1

Part of subcall function 00054183: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 000541CC
Part of subcall function 00054183: CreatePatternBrush.GDI32(00000000), ref: 000541D9
Part of subcall function 00054183: DeleteObject.GDI32(00000000), ref: 000541E5

Part of subcall function 000468DD: SelectObject.GDI32(?,00000000), ref: 00046903
Part of subcall function 000468DD: SelectObject.GDI32(?,?), ref: 00046919

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00054522
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00054577

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3_Pattern
String ID:
API String ID: 3107162742-0
Opcode ID: a71736a15dcb7d62932dac35d23e228b30213e7634900d8acc816509990f05f9
Instruction ID: ddca562963dfb5329ad627dae8895c0a2e46fdf430485ffb470fbf1b3f7bd330
Opcode Fuzzy Hash: a71736a15dcb7d62932dac35d23e228b30213e7634900d8acc816509990f05f9
Instruction Fuzzy Hash: 33A10FB1900218EFCF05EFE4D985DEEBBB9BF08305F144029F506A6291DB359A85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0004C0C3 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 126
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0004C0C3(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v210;
				char _v212;
				int _v316;
				intOrPtr _v320;
				char _v324;
				intOrPtr _v328;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				struct HINSTANCE__* _t50;
				signed int _t51;
				signed short _t55;
				signed int _t56;
				void* _t73;
				intOrPtr _t74;
				signed int _t78;
				signed int _t80;
				void* _t87;
				signed int _t90;
				void* _t91;
				struct HINSTANCE__* _t92;
				short* _t93;
				signed int _t95;
				signed int _t96;
				void* _t97;
				signed int _t99;
				signed int _t101;
				void* _t102;
				void* _t104;

				_t87 = __edx;
				_t99 = _t101;
				_t102 = _t101 - 0x144;
				_t46 =  *0x1a0454; // 0x960af5fb
				_v8 = _t46 ^ _t99;
				_v328 = _a4;
				_push(L"KERNEL32.DLL");
				_v320 = _a8;
				_t95 = 0;
				_t50 = E0003E893(__ecx, 0, __eflags);
				if(_t50 != 0) {
					_t50 = GetProcAddress(_t50, "GetThreadPreferredUILanguages");
					_t92 = _t50;
					if(_t92 != 0) {
						_v212 = 0;
						_v324 = 0;
						E00131B30( &_v210, 0, 0xc8);
						_t104 = _t102 + 0xc;
						_v316 = 0x65;
						_t50 = _t92->i(0x34,  &_v324,  &_v212,  &_v316);
						if(_t50 != 0) {
							_t93 =  &_v212;
							if(_v212 != 0) {
								while(_t95 < 0x14) {
									_t74 = E001342C4(_t93, 0, 0x10);
									_t104 = _t104 + 0xc;
									_t111 = _t74;
									if(_t74 != 0 &&  *((intOrPtr*)(E00131F1F(_t111))) != 0x22) {
										 *((intOrPtr*)(_t99 + _t95 * 4 - 0x134)) = _t74;
										_t95 = _t95 + 1;
									}
									_t50 = E0013161A(_t93);
									_t93 = _t93 + 2 + _t50 * 2;
									if( *_t93 != 0) {
										continue;
									}
									goto L10;
								}
							}
						}
					}
				}
				L10:
				__imp__GetUserDefaultUILanguage();
				_t51 = _t50 & 0x0000ffff;
				_t78 = _t51 & 0x000003ff;
				_v316 = _t78;
				 *((intOrPtr*)(_t99 + _t95 * 4 - 0x134)) = ConvertDefaultLocale(_t51 & 0x0000fc00 | _t78);
				_t55 = ConvertDefaultLocale(_v316);
				 *(_t99 + _t95 * 4 - 0x130) = _t55;
				__imp__GetSystemDefaultUILanguage();
				_t56 = _t55 & 0x0000ffff;
				_t80 = _t56 & 0x000003ff;
				_v316 = _t80;
				 *((intOrPtr*)(_t99 + _t95 * 4 - 0x12c)) = ConvertDefaultLocale(_t56 & 0x0000fc00 | _t80);
				 *((intOrPtr*)(_t99 + _t95 * 4 - 0x128)) = ConvertDefaultLocale(_v316);
				_t96 = _t95 + 4;
				if( *0x1a3920 == 0) {
					 *((intOrPtr*)(_t99 + _t96 * 4 - 0x134)) = 0x800;
					_t96 = _t96 + 1;
				}
				_t90 = 0;
				if(_t96 <= 0) {
					L15:
				} else {
					while(E0004BB41(0xfc00, _v328, _t87, _v320,  *((intOrPtr*)(_t99 + _t90 * 4 - 0x134))) == 0) {
						_t90 = _t90 + 1;
						if(_t90 < _t96) {
							continue;
						} else {
							goto L15;
						}
						goto L16;
					}
				}
				L16:
				_pop(_t91);
				_pop(_t97);
				_pop(_t73);
				return E00130836(0, _t73, _v8 ^ _t99, _t87, _t91, _t97);
			}

0x0004c0c3
0x0004c0c6
0x0004c0c8
0x0004c0ce
0x0004c0d5
0x0004c0dd
0x0004c0e7
0x0004c0ec
0x0004c0f2
0x0004c0f4
0x0004c0fc
0x0004c108
0x0004c10e
0x0004c112
0x0004c11f
0x0004c12e
0x0004c134
0x0004c139
0x0004c153
0x0004c15d
0x0004c161
0x0004c163
0x0004c170
0x0004c172
0x0004c181
0x0004c183
0x0004c186
0x0004c188
0x0004c194
0x0004c19b
0x0004c19b
0x0004c19d
0x0004c1a2
0x0004c1ab
0x00000000
0x00000000
0x00000000
0x0004c1ab
0x0004c172
0x0004c170
0x0004c161
0x0004c112
0x0004c1ad
0x0004c1ad
0x0004c1b9
0x0004c1be
0x0004c1ce
0x0004c1dc
0x0004c1e3
0x0004c1e5
0x0004c1ec
0x0004c1f2
0x0004c1f7
0x0004c202
0x0004c210
0x0004c219
0x0004c220
0x0004c22a
0x0004c22c
0x0004c237
0x0004c237
0x0004c238
0x0004c23c
0x0004c261
0x00000000
0x0004c23e
0x0004c25c
0x0004c25f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0004c25f
0x0004c23e
0x0004c263
0x0004c266
0x0004c267
0x0004c26a
0x0004c271

APIs

Part of subcall function 0003E893: ActivateActCtx.KERNEL32(?,00044351), ref: 0003E8B3

GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 0004C108
_memset.LIBCMT ref: 0004C134
_wcstoul.LIBCMT ref: 0004C17C
_wcslen.LIBCMT ref: 0004C19D

Part of subcall function 00131F1F: __getptd_noexit.LIBCMT ref: 00131F1F

GetUserDefaultUILanguage.KERNEL32 ref: 0004C1AD
ConvertDefaultLocale.KERNEL32(?), ref: 0004C1D4
ConvertDefaultLocale.KERNEL32(?), ref: 0004C1E3
GetSystemDefaultUILanguage.KERNEL32 ref: 0004C1EC
ConvertDefaultLocale.KERNEL32(?), ref: 0004C208
ConvertDefaultLocale.KERNEL32(?), ref: 0004C217

Strings

e, xrefs: 0004C153
GetThreadPreferredUILanguages, xrefs: 0004C102
KERNEL32.DLL, xrefs: 0004C0E7

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Default$ConvertLocale$Language$ActivateAddressProcSystemUser__getptd_noexit_memset_wcslen_wcstoul
String ID: GetThreadPreferredUILanguages$KERNEL32.DLL$e
API String ID: 2962385649-2285706205
Opcode ID: a16d3867b4bfca8d671414369ca6515933f00cfa85cefec0e1c2acbb3f96d4ea
Instruction ID: 6c522487e38ecebf237a46f78423bb8d4c13475423eab7fdc54d04c3820052bb
Opcode Fuzzy Hash: a16d3867b4bfca8d671414369ca6515933f00cfa85cefec0e1c2acbb3f96d4ea
Instruction Fuzzy Hash: 2841A7B1902228ABDBA1AFA4DC41BED77E4AF49710F0104B9E809E7151DB749E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0006102D Relevance: 22.7, APIs: 15, Instructions: 232
timeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0006102D(intOrPtr* __ecx, int __edx, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				int _v60;
				intOrPtr _v64;
				intOrPtr* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t114;
				signed int _t121;
				intOrPtr _t126;
				int _t144;
				intOrPtr _t169;
				void* _t176;
				void* _t178;
				intOrPtr _t182;
				intOrPtr* _t183;
				intOrPtr _t194;
				RECT* _t200;
				RECT* _t201;
				void* _t202;
				int _t210;
				void* _t211;
				signed int _t214;
				intOrPtr _t215;

				_t196 = __edx;
				_t114 =  *0x1a0454; // 0x960af5fb
				_v8 = _t114 ^ _t214;
				_t183 = __ecx;
				_v68 =  *((intOrPtr*)( *__ecx + 0x1c0))();
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetClientRect( *(__ecx + 0x20),  &_v24);
				_t215 =  *0x1a3f04; // 0x0
				if(_t215 == 0) {
					_t182 =  *((intOrPtr*)(_t183 + 0xfc0));
					_v24.right = _v24.right - _t182;
					_v24.bottom = _v24.bottom - _t182;
				}
				_t121 =  *((intOrPtr*)( *_t183 + 0x204))();
				_v60 = _t121;
				InflateRect( &_v24,  ~_t121,  ~_t121);
				_t126 =  *((intOrPtr*)(_t183 + 0xed4));
				if(_t126 == 0) {
					_v24.left = _v24.left +  *((intOrPtr*)(_t183 + 0xecc));
				} else {
					_t176 = _t126 - 1;
					if(_t176 == 0) {
						_v24.right = _v24.right -  *((intOrPtr*)(_t183 + 0xecc));
					} else {
						_t178 = _t176 - 1;
						if(_t178 == 0) {
							_v24.top = _v24.top +  *((intOrPtr*)(_t183 + 0xecc));
						} else {
							if(_t178 == 1) {
								_v24.bottom = _v24.bottom -  *((intOrPtr*)(_t183 + 0xecc));
							}
						}
					}
				}
				_v24.top = _v24.top +  *((intOrPtr*)(_t183 + 0xfec)) -  *((intOrPtr*)(_t183 + 0xfe4));
				if( *((intOrPtr*)(_t183 + 0x1088)) == 0) {
					_v24.bottom = _v24.bottom +  *((intOrPtr*)(_t183 + 0x10a4)) -  *((intOrPtr*)(_t183 + 0x10ac));
				} else {
					_v24.top = _v24.top +  *((intOrPtr*)(_t183 + 0x10ac)) -  *((intOrPtr*)(_t183 + 0x10a4));
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				SetRectEmpty(_t183 + 0xef8);
				SetRectEmpty(_t183 + 0xf08);
				_t210 = 0;
				_v64 = 0x14;
				if( *((intOrPtr*)(_t183 + 0xef0)) == 0) {
					if( *((intOrPtr*)(_t183 + 0xee8)) == 0) {
						_v64 = 0x1c;
						KillTimer( *(_t183 + 0x20), 2);
						 *((intOrPtr*)(_t183 + 0xf18)) = 0;
					}
				} else {
					if( *((intOrPtr*)(_t183 + 0xef4)) == 0) {
						if( *((intOrPtr*)( *_t183 + 0x1dc))() != 0) {
							_t196 = _v60;
							_t194 =  *((intOrPtr*)(_t183 + 0xf1c));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							 *((intOrPtr*)(_t183 + 0xefc)) =  *((intOrPtr*)(_t183 + 0xefc)) + _t196;
							_v24.top = _v24.top + _t194 + _t196;
							 *((intOrPtr*)(_t183 + 0xf04)) =  *((intOrPtr*)(_t183 + 0xefc)) + _t194;
							_t210 = 0;
						}
						if( *((intOrPtr*)( *_t183 + 0x1e0))() != 0) {
							_t169 =  *((intOrPtr*)(_t183 + 0xf1c));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							 *((intOrPtr*)(_t183 + 0xf0c)) =  *((intOrPtr*)(_t183 + 0xf14)) - _t169;
							_v24.bottom = _v24.bottom - _t169 + _v60;
							_t210 = 0;
						}
					} else {
						_v24.right = _v24.right - GetSystemMetrics(2);
					}
				}
				if(_a4 != _t210 || EqualRect( &_v56, _t183 + 0xef8) == 0 || EqualRect( &_v40, _t183 + 0xf08) == 0) {
					_t196 =  *_v68;
					 *((intOrPtr*)( *_v68 + 0x234))(_t210, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, _v64, _t210);
					 *((intOrPtr*)(_t183 + 0xec4)) = _v24.bottom - _v24.top;
				} else {
					 *((intOrPtr*)( *_v68 + 0x208))();
				}
				_t200 = _t183 + 0xef8;
				_v60 = _t210;
				_t144 = EqualRect( &_v56, _t200);
				_t211 = InvalidateRect;
				if(_t144 == 0) {
					InvalidateRect( *(_t183 + 0x20),  &_v56, 1);
					InvalidateRect( *(_t183 + 0x20), _t200, 1);
					_v60 = 1;
				}
				_t201 = _t183 + 0xf08;
				if(EqualRect( &_v40, _t201) == 0) {
					InvalidateRect( *(_t183 + 0x20),  &_v40, 1);
					InvalidateRect( *(_t183 + 0x20), _t201, 1);
					_v60 = 1;
				}
				_pop(_t202);
				if(_v60 != 0) {
					UpdateWindow( *(_t183 + 0x20));
				}
				return E00130836(_v60, _t183, _v8 ^ _t214, _t196, _t202, _t211);
			}

0x0006102d
0x00061035
0x0006103c
0x00061040
0x0006104b
0x00061057
0x0006105a
0x0006105d
0x00061060
0x00061063
0x00061069
0x0006106f
0x00061071
0x00061077
0x0006107a
0x0006107a
0x00061081
0x00061087
0x00061092
0x0006109e
0x000610a0
0x000610d2
0x000610a2
0x000610a2
0x000610a3
0x000610c7
0x000610a5
0x000610a5
0x000610a6
0x000610bc
0x000610a8
0x000610a9
0x000610b1
0x000610b1
0x000610a9
0x000610a6
0x000610a3
0x000610e1
0x000610ea
0x00061109
0x000610ec
0x000610f8
0x000610f8
0x00061118
0x00061119
0x0006111a
0x0006111b
0x00061125
0x00061126
0x00061127
0x00061128
0x00061130
0x00061139
0x0006113b
0x0006113d
0x0006114a
0x000611e6
0x000611ed
0x000611f4
0x000611fa
0x000611fa
0x00061150
0x00061156
0x00061174
0x00061176
0x00061179
0x00061188
0x00061189
0x0006118a
0x0006118b
0x0006118c
0x0006119c
0x0006119f
0x000611a5
0x000611a5
0x000611b3
0x000611b5
0x000611c4
0x000611c5
0x000611c6
0x000611c7
0x000611d3
0x000611d9
0x000611dc
0x000611dc
0x00061158
0x00061160
0x00061160
0x00061156
0x00061203
0x00061243
0x00061258
0x00061264
0x0006122d
0x00061232
0x00061232
0x0006126a
0x00061275
0x00061278
0x0006127e
0x00061286
0x00061291
0x00061299
0x0006129b
0x0006129b
0x000612a2
0x000612b5
0x000612c0
0x000612c8
0x000612ca
0x000612ca
0x000612d5
0x000612d6
0x000612db
0x000612db
0x000612f1

APIs

GetClientRect.USER32 ref: 00061063
InflateRect.USER32 ref: 00061092
SetRectEmpty.USER32 ref: 00061130
SetRectEmpty.USER32 ref: 00061139
GetSystemMetrics.USER32 ref: 0006115A
KillTimer.USER32 ref: 000611F4
EqualRect.USER32 ref: 00061216
EqualRect.USER32 ref: 00061227
EqualRect.USER32 ref: 00061278
InvalidateRect.USER32(?,?,00000001), ref: 00061291
InvalidateRect.USER32(?,?,00000001), ref: 00061299
EqualRect.USER32 ref: 000612AD
InvalidateRect.USER32(?,?,00000001), ref: 000612C0
InvalidateRect.USER32(?,?,00000001), ref: 000612C8
UpdateWindow.USER32 ref: 000612DB

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
String ID:
API String ID: 2140115980-0
Opcode ID: d147daf8fa249fc29284f85e712d79e6f5223909dfa89b412316d133acab8551
Instruction ID: f7653325349903fb15f47c6e3b95ff53eadb3c55eaa2604720ab6d0102fe9d57
Opcode Fuzzy Hash: d147daf8fa249fc29284f85e712d79e6f5223909dfa89b412316d133acab8551
Instruction Fuzzy Hash: 4391E57190021ADFDF11CFA4D984AEE7BB6BF08301F1845B5EC05EB255DBB1A981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0005348A Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E0005348A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t41;
				void* _t44;
				intOrPtr _t57;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t88;
				intOrPtr _t90;
				intOrPtr _t92;
				intOrPtr _t94;
				intOrPtr _t96;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t104;
				void* _t105;
				void* _t109;

				_t105 = __edx;
				_push(4);
				E00131A19(0x1499b0, __ebx, __edi, __esi);
				_t108 = 0;
				if( *((intOrPtr*)(_t109 + 8)) == 0) {
					_t41 = 0;
					__eflags = 0;
				} else {
					E00036620(__ebx,  *((intOrPtr*)(_t109 + 8)));
					 *((intOrPtr*)(_t109 - 4)) = 0;
					_t44 = E0003BF90(_t109 + 8, L"MFCButton");
					_t112 = _t44;
					if(_t44 != 0) {
						__eflags = E0003BF90(_t109 + 8, L"MFCColorButton");
						if(__eflags != 0) {
							__eflags = E0003BF90(_t109 + 8, L"MFCEditBrowse");
							if(__eflags != 0) {
								__eflags = E0003BF90(_t109 + 8, L"MFCFontComboBox");
								if(__eflags != 0) {
									__eflags = E0003BF90(_t109 + 8, L"MFCLink");
									if(__eflags != 0) {
										__eflags = E0003BF90(_t109 + 8, L"MFCMaskedEdit");
										if(__eflags != 0) {
											__eflags = E0003BF90(_t109 + 8, L"MFCMenuButton");
											if(__eflags != 0) {
												__eflags = E0003BF90(_t109 + 8, L"MFCPropertyGrid");
												if(__eflags != 0) {
													__eflags = E0003BF90(_t109 + 8, L"MFCShellList");
													if(__eflags != 0) {
														__eflags = E0003BF90(_t109 + 8, L"MFCShellTree");
														if(__eflags != 0) {
															__eflags = E0003BF90(_t109 + 8, L"MFCVSListBox");
															if(__eflags == 0) {
																_t84 = E0003C37C(__eflags, 0x1d0);
																 *((intOrPtr*)(_t109 - 0x10)) = _t84;
																 *((char*)(_t109 - 4)) = 0xb;
																__eflags = _t84;
																if(__eflags == 0) {
																	goto L34;
																} else {
																	_t57 = E0008837C(__ebx, _t84, _t105, __edi, 0, __eflags);
																}
																goto L35;
															}
														} else {
															_t86 = E0003C37C(__eflags, 0x84);
															 *((intOrPtr*)(_t109 - 0x10)) = _t86;
															 *((char*)(_t109 - 4)) = 0xa;
															__eflags = _t86;
															if(__eflags == 0) {
																goto L34;
															} else {
																_t57 = E00088CB7(_t86, __eflags);
															}
															goto L35;
														}
													} else {
														_t88 = E0003C37C(__eflags, 0x154);
														 *((intOrPtr*)(_t109 - 0x10)) = _t88;
														 *((char*)(_t109 - 4)) = 9;
														__eflags = _t88;
														if(__eflags == 0) {
															goto L34;
														} else {
															_t57 = E000854EB(_t88, __eflags);
														}
														goto L35;
													}
												} else {
													_t90 = E0003C37C(__eflags, 0x3c8);
													 *((intOrPtr*)(_t109 - 0x10)) = _t90;
													 *((char*)(_t109 - 4)) = 8;
													__eflags = _t90;
													if(__eflags == 0) {
														goto L34;
													} else {
														_t57 = E0008E723(__ebx, _t90, _t105, __edi, 0, __eflags);
													}
													goto L35;
												}
											} else {
												_t92 = E0003C37C(__eflags, 0x770);
												 *((intOrPtr*)(_t109 - 0x10)) = _t92;
												 *((char*)(_t109 - 4)) = 7;
												__eflags = _t92;
												if(__eflags == 0) {
													goto L34;
												} else {
													_t57 = E0008EABC(_t92, __eflags);
												}
												goto L35;
											}
										} else {
											_t94 = E0003C37C(__eflags, 0xa0);
											 *((intOrPtr*)(_t109 - 0x10)) = _t94;
											 *((char*)(_t109 - 4)) = 6;
											__eflags = _t94;
											if(__eflags == 0) {
												goto L34;
											} else {
												_t57 = E0008F234(_t94, __eflags);
											}
											goto L35;
										}
									} else {
										_t96 = E0003C37C(__eflags, 0x768);
										 *((intOrPtr*)(_t109 - 0x10)) = _t96;
										 *((char*)(_t109 - 4)) = 5;
										__eflags = _t96;
										if(__eflags == 0) {
											goto L34;
										} else {
											_t57 = E000912A7(__ebx, _t96, _t105, __edi, 0, __eflags, __fp0);
										}
										goto L35;
									}
								} else {
									_t98 = E0003C37C(__eflags, 0x80);
									 *((intOrPtr*)(_t109 - 0x10)) = _t98;
									 *((char*)(_t109 - 4)) = 4;
									__eflags = _t98;
									if(__eflags == 0) {
										goto L34;
									} else {
										_t57 = E00091962(__ebx, _t98, _t105, __edi, 0, __eflags);
									}
									goto L35;
								}
							} else {
								_t100 = E0003C37C(__eflags, 0xb8);
								 *((intOrPtr*)(_t109 - 0x10)) = _t100;
								 *((char*)(_t109 - 4)) = 3;
								__eflags = _t100;
								if(__eflags == 0) {
									goto L34;
								} else {
									_t57 = E000928E6(__ebx, _t100, _t105, __edi, 0, __eflags);
								}
								goto L35;
							}
						} else {
							_t102 = E0003C37C(__eflags, 0x7ac);
							 *((intOrPtr*)(_t109 - 0x10)) = _t102;
							 *((char*)(_t109 - 4)) = 2;
							__eflags = _t102;
							if(__eflags == 0) {
								goto L34;
							} else {
								_t57 = E00093754(__ebx, _t102, _t105, __eflags, __fp0);
							}
							goto L35;
						}
					} else {
						_t104 = E0003C37C(_t112, 0x750);
						 *((intOrPtr*)(_t109 - 0x10)) = _t104;
						 *((char*)(_t109 - 4)) = 1;
						_t113 = _t104;
						if(_t104 == 0) {
							L34:
							_t57 = 0;
							__eflags = 0;
						} else {
							_t57 = E000942D7(__ebx, _t104, _t105, __edi, 0, _t113, __fp0);
						}
						L35:
						_t108 = _t57;
					}
					E00031190( *((intOrPtr*)(_t109 + 8)) + 0xfffffff0, _t105);
					_t41 = _t108;
				}
				return E00131AF1(_t41);
			}

0x0005348a
0x0005348a
0x00053491
0x00053496
0x0005349b
0x0005370a
0x0005370a
0x000534a1
0x000534a7
0x000534b4
0x000534b7
0x000534bc
0x000534be
0x000534f3
0x000534f5
0x0005352a
0x0005352c
0x00053561
0x00053563
0x00053598
0x0005359a
0x000535cf
0x000535d1
0x00053606
0x00053608
0x0005363d
0x0005363f
0x00053674
0x00053676
0x000536a4
0x000536a6
0x000536d4
0x000536d6
0x000536e3
0x000536e5
0x000536e8
0x000536ec
0x000536ee
0x00000000
0x000536f0
0x000536f0
0x000536f0
0x00000000
0x000536ee
0x000536a8
0x000536b3
0x000536b5
0x000536b8
0x000536bc
0x000536be
0x00000000
0x000536c0
0x000536c0
0x000536c0
0x00000000
0x000536be
0x00053678
0x00053683
0x00053685
0x00053688
0x0005368c
0x0005368e
0x00000000
0x00053690
0x00053690
0x00053690
0x00000000
0x0005368e
0x00053641
0x0005364c
0x0005364e
0x00053651
0x00053655
0x00053657
0x00000000
0x0005365d
0x0005365d
0x0005365d
0x00000000
0x00053657
0x0005360a
0x00053615
0x00053617
0x0005361a
0x0005361e
0x00053620
0x00000000
0x00053626
0x00053626
0x00053626
0x00000000
0x00053620
0x000535d3
0x000535de
0x000535e0
0x000535e3
0x000535e7
0x000535e9
0x00000000
0x000535ef
0x000535ef
0x000535ef
0x00000000
0x000535e9
0x0005359c
0x000535a7
0x000535a9
0x000535ac
0x000535b0
0x000535b2
0x00000000
0x000535b8
0x000535b8
0x000535b8
0x00000000
0x000535b2
0x00053565
0x00053570
0x00053572
0x00053575
0x00053579
0x0005357b
0x00000000
0x00053581
0x00053581
0x00053581
0x00000000
0x0005357b
0x0005352e
0x00053539
0x0005353b
0x0005353e
0x00053542
0x00053544
0x00000000
0x0005354a
0x0005354a
0x0005354a
0x00000000
0x00053544
0x000534f7
0x00053502
0x00053504
0x00053507
0x0005350b
0x0005350d
0x00000000
0x00053513
0x00053513
0x00053513
0x00000000
0x0005350d
0x000534c0
0x000534cb
0x000534cd
0x000534d0
0x000534d4
0x000534d6
0x000536f7
0x000536f7
0x000536f7
0x000534dc
0x000534dc
0x000534dc
0x000536f9
0x000536f9
0x000536f9
0x00053701
0x00053706
0x00053706
0x00053711

APIs

__EH_prolog3.LIBCMT ref: 00053491

Part of subcall function 0003C37C: _malloc.LIBCMT ref: 0003C39A

Part of subcall function 000942D7: __EH_prolog3.LIBCMT ref: 000942DE

Strings

MFCFontComboBox, xrefs: 00053554
MFCShellList, xrefs: 00053667
MFCMaskedEdit, xrefs: 000535C2
MFCMenuButton, xrefs: 000535F9
MFCButton, xrefs: 000534AC
MFCLink, xrefs: 0005358B
MFCPropertyGrid, xrefs: 00053630
MFCEditBrowse, xrefs: 0005351D
MFCVSListBox, xrefs: 000536C7
MFCColorButton, xrefs: 000534E6
MFCShellTree, xrefs: 00053697

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 1683881009-2110171958
Opcode ID: c9fbcb9d56c1c57a44cb7675992cb1c077b223869cc079b54c68a48463751da1
Instruction ID: b7aa69784d53bb40952d57446ef3e9c1a9ced7ae7ea67535a8d8c83e244c21e0
Opcode Fuzzy Hash: c9fbcb9d56c1c57a44cb7675992cb1c077b223869cc079b54c68a48463751da1
Instruction Fuzzy Hash: 7551C530608205BADF59E778A8537FE76D45F18785F10802DFD0AE62D7EFB04B488A96

Uniqueness

Uniqueness Score: -1.00%

Function 00098012 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00098012(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t98;
				signed int _t100;
				int _t105;
				void* _t113;
				int _t123;
				void* _t130;
				int _t135;
				int _t136;
				void*** _t143;
				signed int _t144;
				signed int _t146;
				int _t147;
				void* _t150;
				void* _t153;

				_t134 = __ebx;
				_push(0xa8);
				E00131A82(0x14cb8d, __ebx, __edi, __esi);
				_t149 =  *(_t153 + 8);
				_t98 =  *_t149;
				_t146 =  *(_t153 + 0xc);
				 *(_t153 - 0x84) = _t146;
				if(_t98 != 0) {
					_t134 = GetObjectW;
					if(GetObjectW(_t98, 0x18, _t153 - 0xb4) != 0) {
						_t100 =  *(_t153 - 0xb0);
						 *(_t153 - 0x7c) = _t100;
						asm("cdq");
						_t144 = _t100 % _t146;
						 *(_t153 - 0x80) =  *(_t153 - 0xac);
						 *(_t153 - 0x68) = _t100 / _t146;
						if( *((short*)(_t153 - 0xa2)) != 0x20) {
							E00045EC1(_t153 - 0x98);
							_t146 = 0;
							 *(_t153 - 4) = 0;
							E000464F6(GetObjectW, _t153 - 0x98, _t144, 0, CreateCompatibleDC(0));
							_t150 =  *_t149;
							if(_t150 == 0) {
								 *(_t153 - 0x74) = 0;
							} else {
								 *(_t153 - 0x74) = SelectObject( *(_t153 - 0x94), _t150);
							}
							if( *(_t153 - 0x74) != _t146) {
								_t105 =  *(_t153 - 0x68);
								if(_t105 <= _t146) {
									L35:
									SelectObject( *(_t153 - 0x94),  *(_t153 - 0x74));
									_t149 = 1;
									L25:
									 *(_t153 - 4) =  *(_t153 - 4) | 0xffffffff;
									E00046577(_t153 - 0x98);
									L2:
									return E00131B05(_t134, _t146, _t149);
								}
								_t146 = SetPixel;
								_t135 = 0;
								 *(_t153 - 0x78) = 0;
								 *(_t153 - 0x7c) = _t105;
								do {
									 *(_t153 - 0x68) =  *(_t153 - 0x68) & 0x00000000;
									if( *(_t153 - 0x80) <= 0) {
										goto L34;
									}
									asm("cdq");
									 *(_t153 - 0x70) =  *(_t153 - 0x84) - _t144;
									 *(_t153 - 0x70) =  *(_t153 - 0x70) >> 1;
									do {
										 *(_t153 - 0x6c) = _t135;
										_t136 = _t135 +  *(_t153 - 0x84) - 1;
										_t113 =  *(_t153 - 0x70);
										if(_t113 <= 0) {
											goto L33;
										}
										 *(_t153 - 0x88) = _t113;
										do {
											 *(_t153 - 0x9c) = GetPixel( *(_t153 - 0x94),  *(_t153 - 0x6c),  *(_t153 - 0x68));
											SetPixel( *(_t153 - 0x94),  *(_t153 - 0x6c),  *(_t153 - 0x68), GetPixel( *(_t153 - 0x94), _t136,  *(_t153 - 0x68)));
											SetPixel( *(_t153 - 0x94), _t136,  *(_t153 - 0x68),  *(_t153 - 0x9c));
											 *(_t153 - 0x6c) =  *(_t153 - 0x6c) + 1;
											_t136 = _t136 - 1;
											_t83 = _t153 - 0x88;
											 *_t83 =  *(_t153 - 0x88) - 1;
										} while ( *_t83 != 0);
										L33:
										 *(_t153 - 0x68) =  *(_t153 - 0x68) + 1;
										_t135 =  *(_t153 - 0x78);
									} while ( *(_t153 - 0x68) <  *(_t153 - 0x80));
									L34:
									_t135 = _t135 +  *(_t153 - 0x84);
									_t91 = _t153 - 0x7c;
									 *_t91 =  *(_t153 - 0x7c) - 1;
									 *(_t153 - 0x78) = _t135;
								} while ( *_t91 != 0);
								goto L35;
							}
							_t149 = 0;
							goto L25;
						}
						if(GetObjectW( *_t149, 0x54, _t153 - 0x64) == 0 ||  *((short*)(_t153 - 0x52)) != 0x20) {
							goto L4;
						} else {
							_t123 =  *(_t153 - 0x50);
							if(_t123 == 0) {
								goto L4;
							}
							if( *(_t153 - 0x68) <= 0) {
								goto L1;
							}
							 *(_t153 - 0x6c) = _t123;
							_t134 = _t146 << 2;
							do {
								if( *(_t153 - 0x80) <= 0) {
									goto L18;
								}
								_t147 =  *(_t153 - 0x6c);
								asm("cdq");
								 *(_t153 - 0x70) = _t146 - _t144;
								 *(_t153 - 0x70) =  *(_t153 - 0x70) >> 1;
								 *(_t153 - 0x78) =  *(_t153 - 0x80);
								do {
									_t130 =  *(_t153 - 0x70);
									_t144 = _t147;
									_t143 = _t147 + _t134 - 4;
									if(_t130 <= 0) {
										goto L16;
									}
									 *(_t153 - 0x74) = _t130;
									do {
										_t149 =  *_t144;
										 *_t144 =  *_t143;
										 *_t143 =  *_t144;
										_t144 = _t144 + 4;
										_t143 = _t143 - 4;
										_t33 = _t153 - 0x74;
										 *_t33 =  *(_t153 - 0x74) - 1;
									} while ( *_t33 != 0);
									L16:
									_t147 = _t147 + ( *(_t153 - 0x7c) << 2);
									_t36 = _t153 - 0x78;
									 *_t36 =  *(_t153 - 0x78) - 1;
								} while ( *_t36 != 0);
								_t146 =  *(_t153 - 0x84);
								L18:
								 *(_t153 - 0x6c) =  *(_t153 - 0x6c) + _t134;
								_t41 = _t153 - 0x68;
								 *_t41 =  *(_t153 - 0x68) - 1;
							} while ( *_t41 != 0);
							goto L1;
						}
					}
					L4:
					goto L2;
				}
				L1:
				goto L2;
			}

0x00098012
0x00098012
0x0009801c
0x00098021
0x00098024
0x00098026
0x00098029
0x00098031
0x0009803e
0x00098052
0x00098058
0x0009805e
0x00098061
0x00098062
0x00098072
0x00098075
0x00098078
0x00098111
0x00098116
0x00098119
0x00098129
0x0009812e
0x00098132
0x00098146
0x00098134
0x00098141
0x00098141
0x0009814c
0x00098166
0x0009816b
0x00098229
0x00098232
0x0009823a
0x00098150
0x00098150
0x0009815a
0x00098036
0x0009803b
0x0009803b
0x00098177
0x0009817d
0x0009817f
0x00098182
0x00098185
0x00098185
0x0009818d
0x00000000
0x00000000
0x00098199
0x0009819c
0x0009819f
0x000981a2
0x000981a8
0x000981ab
0x000981af
0x000981b4
0x00000000
0x00000000
0x000981b6
0x000981bc
0x000981cd
0x000981e9
0x000981fb
0x000981fd
0x00098200
0x00098201
0x00098201
0x00098201
0x00098209
0x00098209
0x0009820f
0x00098212
0x00098217
0x00098217
0x0009821d
0x0009821d
0x00098220
0x00098220
0x00000000
0x00098185
0x0009814e
0x00000000
0x0009814e
0x0009808a
0x00000000
0x00098093
0x00098093
0x00098098
0x00000000
0x00000000
0x0009809e
0x00000000
0x00000000
0x000980a0
0x000980a8
0x000980ae
0x000980b2
0x00000000
0x00000000
0x000980b6
0x000980b9
0x000980bc
0x000980c2
0x000980c5
0x000980c8
0x000980c8
0x000980cb
0x000980cd
0x000980d3
0x00000000
0x00000000
0x000980d5
0x000980d8
0x000980da
0x000980dc
0x000980de
0x000980e0
0x000980e3
0x000980e6
0x000980e6
0x000980e6
0x000980eb
0x000980f1
0x000980f3
0x000980f3
0x000980f3
0x000980f8
0x000980fe
0x000980fe
0x00098101
0x00098101
0x00098101
0x00000000
0x00098106
0x0009808a
0x00098054
0x00000000
0x00098054
0x00098033
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 0009801C
GetObjectW.GDI32(00000000,00000018,?), ref: 0009804E
GetObjectW.GDI32(?,00000054,?), ref: 00098086
CreateCompatibleDC.GDI32(00000000), ref: 0009811C
SelectObject.GDI32(?,?), ref: 0009813B
GetPixel.GDI32(?,?,00000000), ref: 000981C8
GetPixel.GDI32(?,?,00000000), ref: 000981DA
SetPixel.GDI32(?,?,00000000,00000000), ref: 000981E9
SetPixel.GDI32(?,?,00000000,?), ref: 000981FB
SelectObject.GDI32(?,?), ref: 00098232

Strings

, xrefs: 00098064
, xrefs: 0009808C

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
String ID: $
API String ID: 1266819874-227171996
Opcode ID: e7a3f2b53b4fe7ae18d1ff5c492195b75264f5d3998d80b9f758e973f8425683
Instruction ID: 2543e98645c5aba49d28c0b2d7b47720282962813715f89317a459bbdab17552
Opcode Fuzzy Hash: e7a3f2b53b4fe7ae18d1ff5c492195b75264f5d3998d80b9f758e973f8425683
Instruction Fuzzy Hash: 03711670D00218CFDF60DFA9CC85AADBBB5FF59354F208169E508AB252EB319985EF50

Uniqueness

Uniqueness Score: -1.00%

Function 0006646A Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 397
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0006646A(signed int* __ecx, RECT* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t155;
				signed int _t158;
				signed int _t163;
				signed int _t166;
				intOrPtr _t178;
				signed int _t181;
				signed int _t191;
				void* _t193;
				signed int _t198;
				signed int _t202;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t226;
				int _t228;
				signed char _t229;
				signed int _t230;
				signed int* _t232;
				signed int _t235;
				signed int* _t248;
				signed int _t257;
				signed int _t260;
				intOrPtr _t283;

				_t155 =  *0x1a0454; // 0x960af5fb
				_v8 = _t155 ^ _t260;
				_t232 = __ecx;
				_t157 =  *((intOrPtr*)(__ecx + 0xb7c));
				_t257 = 0;
				_v64 = 0;
				if( *((intOrPtr*)(__ecx + 0xb7c)) >= 0) {
					_t158 = E00084CDB(__ecx + 0xbc8, _t157);
					_v48 = _t158;
					__eflags = _t158;
					if(_t158 != 0) {
						_t257 =  *(_t158 + 8);
					}
				} else {
					_v48 = 0;
				}
				_t256 = _a4;
				_v60 = _v60 & 0x00000000;
				_v56 = _t257;
				_v52 = _t257;
				_v44 = _t232[0x2df];
				if(_t256 == 9) {
					_t229 = GetKeyState(0x10);
					_t230 = 0;
					_t20 = (_t230 & 0xffffff00 | (_t229 & 0x00000080) == 0x00000000) + 0x26; // 0x26
					_t256 = (_t230 & 0xffffff00 | (_t229 & 0x00000080) == 0x00000000) + _t20;
					_a4 = _t256;
				}
				_t255 = _v48;
				_t161 = 1;
				_t235 = _t255;
				if(_t256 == 0xd) {
					_v64 = 1;
					_t257 = E0004EA25(0x19ddfc, _t257);
					__eflags = _t257;
					if(_t257 == 0) {
						goto L103;
					}
					_t166 =  *((intOrPtr*)( *_t257 + 0xec))();
					__eflags = _t166;
					if(_t166 != 0) {
						L89:
						SendMessageW( *(E00041441(_t232) + 0x20), 0x362, 0xe001, 0);
						 *((intOrPtr*)( *_t232 + 0x3e4))(_t257);
						goto L90;
					}
					_t191 =  *((intOrPtr*)( *_t257 + 0xc8))(0);
					__eflags = _t191;
					if(_t191 != 0) {
						goto L103;
					}
					goto L89;
				} else {
					if(_t256 <= 0x20) {
						L13:
						if( *0x1a3f04 != 0 || (0x00008000 & GetAsyncKeyState(0x11)) != 0) {
							L103:
							_t163 = _v64;
							goto L104;
						} else {
							_t193 = E000792A2(_t232, 0x8000, _t255, _t256, _t257, _t256);
							_t274 = _t193;
							if(_t193 == 0) {
								L82:
								__eflags =  *0x19e4d8;
								if( *0x19e4d8 == 0) {
									goto L103;
								}
								__eflags = _t232[0x33c];
								if(__eflags != 0) {
									goto L103;
								}
								_v56 = _v56 & 0x00000000;
								__eflags = E00087D8E( &(_t232[0x34f]), __eflags, _t256,  &_v56);
								if(__eflags == 0) {
									goto L103;
								}
								_push(0);
								_push(_v56);
								_t248 = _t232;
								L79:
								E00065805(_t248, _t255, __eflags);
								L22:
								_t163 = 1;
								L104:
								return E00130836(_t163, _t232, _v8 ^ _t260, _t255, _t256, _t257);
							}
							_t198 = E0007932D(_t255, _t256);
							_t256 = _t198;
							_v52 = _t198;
							if(E0007A01A( &(_t232[0x32b]), _t274,  &_v52,  &_v48) == 0) {
								goto L82;
							}
							_t256 = _v48;
							_t202 = _t232[0x2f3];
							_v52 = _t256;
							_t255 = 0;
							while(_t202 != 0) {
								_t235 = _t202;
								__eflags = _t202;
								if(_t202 == 0) {
									L38:
									_t161 = E000455E0(_t235);
									L39:
									_t255 = 0;
									__eflags = 0;
									_v48 = 0;
									L40:
									__eflags = _t232[0x342];
									if(_t232[0x342] == 0) {
										L43:
										_v64 = _t161;
										_t203 = _t232[0x2f5];
										__eflags = _t203;
										if(_t203 == 0) {
											goto L103;
										}
										__eflags = _t255;
										if(_t255 == 0) {
											L46:
											_t257 = _t232[0x2f4];
											_v44 = _t203 - 1;
											L48:
											__eflags = _t257 - _t255;
											if(_t257 == _t255) {
												goto L103;
											} else {
												goto L49;
											}
											while(1) {
												L49:
												_v60 = _t257;
												_t205 = _t257;
												__eflags = _t257;
												if(_t257 == 0) {
													goto L38;
												}
												_t256 =  *((intOrPtr*)(_t205 + 8));
												__eflags =  *(_t256 + 0x24) & 0x00000001;
												_t257 =  *(_t257 + 4);
												if(( *(_t256 + 0x24) & 0x00000001) != 0) {
													L53:
													_v44 = _v44 - 1;
													__eflags = _t257;
													if(_t257 != 0) {
														L56:
														__eflags = _t257 - _v48;
														if(_t257 != _v48) {
															continue;
														}
														L57:
														_t206 = _v60;
														__eflags = _t206;
														if(_t206 == 0) {
															goto L103;
														}
														_v52 =  *((intOrPtr*)(_t206 + 8));
														_v60 = 1;
														L90:
														if(_v52 != _v56) {
															if(_v60 != 0 && _t232[0x344] == 0) {
																 *((intOrPtr*)( *_t232 + 0x258))(_v44);
															}
															_t283 =  *0x1a3f04; // 0x0
															if(_t283 != 0) {
																_t232[0x2e0] = _v44;
															}
															_t232[0x2df] = _v44;
															_v24.left = 0;
															_v24.top = 0;
															_v24.right = 0;
															_v24.bottom = 0;
															GetClientRect(_t232[8],  &_v24);
															_t257 = _v52 + 0x54;
															_t256 =  &_v40;
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															if(_v40.top >= _v24.top && _v40.bottom <= _v24.bottom) {
																_t181 = _v56;
																_t257 = InvalidateRect;
																if(_t181 != 0) {
																	InvalidateRect(_t232[8], _t181 + 0x54, 1);
																}
																InvalidateRect(_t232[8],  &_v40, 1);
																UpdateWindow(_t232[8]);
															}
															_t178 =  *((intOrPtr*)(_v52 + 0x20));
															if(_t178 != 0xffffffff) {
																_t255 =  *_t232;
																 *((intOrPtr*)( *_t232 + 0x414))(_t178);
															}
														}
														goto L103;
													}
													__eflags = _t232[0x342] - _t257;
													if(_t232[0x342] != _t257) {
														goto L22;
													}
													_t257 = _t232[0x2f4];
													_t209 = _t232[0x2f5] - 1;
													__eflags = _t209;
													_v44 = _t209;
													goto L56;
												}
												_t211 = IsRectEmpty(_t256 + 0x54);
												__eflags = _t211;
												if(_t211 != 0) {
													goto L53;
												}
												__eflags =  *((intOrPtr*)(_t256 + 0x20)) - 0xfffffffe;
												if( *((intOrPtr*)(_t256 + 0x20)) != 0xfffffffe) {
													goto L57;
												}
												goto L53;
											}
											goto L38;
										}
										_t257 =  *(_t255 + 4);
										__eflags = _t257;
										if(_t257 != 0) {
											_t64 =  &_v44;
											 *_t64 = _v44 - 1;
											__eflags =  *_t64;
											goto L48;
										}
										goto L46;
									}
									__eflags = _t235 - _t232[0x2f3];
									if(_t235 != _t232[0x2f3]) {
										goto L43;
									}
									__eflags = _t256 - 0x23;
									if(_t256 != 0x23) {
										goto L22;
									}
									goto L43;
								}
								_t235 =  *(_t235 + 8);
								_t202 =  *_t202;
								__eflags = _t235;
								if(_t235 == 0) {
									goto L38;
								}
								__eflags = _t235 - _t256;
								if(_t235 == _t256) {
									_v44 = _t255;
									L73:
									_t257 = E0004EA25(0x19ddfc, _t256);
									if(_t257 == 0) {
										goto L90;
									}
									_push(0);
									if( *((intOrPtr*)( *_t257 + 0xc8))() == 0) {
										__eflags =  *(_t256 + 0x24) & 0x00040000;
										_t248 = _t232;
										if(__eflags == 0) {
											_t216 =  *((intOrPtr*)( *_t232 + 0x3e4))(_t257);
											_v64 = _t216;
											__eflags = _t216;
											if(_t216 == 0) {
												goto L90;
											}
											goto L22;
										}
										_push(_t256);
										_push(0);
										goto L79;
									}
									_t257 =  *(_t257 + 0x8c);
									if(_t257 != 0) {
										SendMessageW( *(_t257 + 0x20), 0x100, 0x24, 0);
									}
									goto L90;
								}
								_t255 = _t255 + 1;
								__eflags = _t255;
							}
							goto L73;
						}
					}
					if(_t256 <= 0x22) {
						__eflags = _t232[0x342];
						if(_t232[0x342] == 0) {
							goto L103;
						}
						_t218 = _t232[0x343];
						__eflags = _t218;
						if(_t218 <= 0) {
							goto L103;
						}
						_t257 = _t232[0x2df];
						_t256 = 0;
						_t232[0x344] = 1;
						__eflags = _t218;
						if(_t218 <= 0) {
							L64:
							_t219 = _t232[0x2df];
							_t232[0x344] = _t232[0x344] & 0x00000000;
							__eflags = _t257 - _t219;
							if(_t257 != _t219) {
								_t255 =  *_t232;
								 *((intOrPtr*)( *_t232 + 0x258))(_t219);
							}
							goto L22;
						}
						__eflags = _a4 - 0x21;
						_t91 = _a4 != 0x21;
						__eflags = _t91;
						_v56 = (0 | _t91) + (0 | _t91) + 0x26;
						do {
							 *((intOrPtr*)( *_t232 + 0x3fc))(_v56);
							_t256 = _t256 + 1;
							__eflags = _t256 - _t232[0x343];
						} while (_t256 < _t232[0x343]);
						goto L64;
					}
					if(_t256 == 0x23) {
						goto L39;
					}
					if(_t256 == 0x24) {
						_t255 = 0;
						__eflags = 0;
						_v48 = 0;
						L19:
						__eflags = _t232[0x342];
						if(_t232[0x342] == 0) {
							L23:
							__eflags = _t232[0x2f5];
							_v64 = _t161;
							if(_t232[0x2f5] == 0) {
								goto L103;
							}
							__eflags = _t255;
							if(_t255 == 0) {
								L26:
								_t257 = _t232[0x2f3];
								_v44 = _v44 & 0x00000000;
								L28:
								__eflags = _t257 - _t255;
								if(_t257 == _t255) {
									goto L103;
								} else {
									goto L29;
								}
								while(1) {
									L29:
									_v60 = _t257;
									_t226 = _t257;
									__eflags = _t257;
									if(_t257 == 0) {
										goto L38;
									}
									_t256 =  *((intOrPtr*)(_t226 + 8));
									__eflags =  *(_t256 + 0x24) & 0x00000001;
									_t257 =  *_t257;
									if(( *(_t256 + 0x24) & 0x00000001) != 0) {
										L33:
										_v44 = _v44 + 1;
										__eflags = _t257;
										if(_t257 != 0) {
											L36:
											__eflags = _t257 - _v48;
											if(_t257 != _v48) {
												continue;
											}
											goto L57;
										}
										__eflags = _t232[0x342] - _t257;
										if(_t232[0x342] != _t257) {
											goto L22;
										}
										_t257 = _t232[0x2f3];
										_t53 =  &_v44;
										 *_t53 = _v44 & 0x00000000;
										__eflags =  *_t53;
										goto L36;
									}
									_t228 = IsRectEmpty(_t256 + 0x54);
									__eflags = _t228;
									if(_t228 != 0) {
										goto L33;
									}
									__eflags =  *((intOrPtr*)(_t256 + 0x20)) - 0xfffffffe;
									if( *((intOrPtr*)(_t256 + 0x20)) != 0xfffffffe) {
										goto L57;
									}
									goto L33;
								}
								goto L38;
							}
							_t257 =  *_t255;
							__eflags = _t257;
							if(_t257 != 0) {
								_t40 =  &_v44;
								 *_t40 = _v44 + 1;
								__eflags =  *_t40;
								goto L28;
							}
							goto L26;
						}
						__eflags = _t235 - _t232[0x2f4];
						if(_t235 != _t232[0x2f4]) {
							goto L23;
						}
						__eflags = _t256 - 0x24;
						if(_t256 == 0x24) {
							goto L23;
						}
						goto L22;
					}
					if(_t256 == 0x26) {
						goto L40;
					}
					if(_t256 == 0x28) {
						goto L19;
					}
					goto L13;
				}
			}

0x00066472
0x00066479
0x0006647e
0x00066480
0x00066486
0x00066489
0x0006648e
0x0006649c
0x000664a1
0x000664a4
0x000664a6
0x000664a8
0x000664a8
0x00066490
0x00066490
0x00066490
0x000664ab
0x000664b4
0x000664b8
0x000664bb
0x000664be
0x000664c4
0x000664c8
0x000664d2
0x000664d6
0x000664d6
0x000664da
0x000664da
0x000664dd
0x000664e2
0x000664e3
0x000664e8
0x0006684d
0x00066855
0x00066859
0x0006685b
0x00000000
0x00000000
0x00066865
0x0006686b
0x0006686d
0x00066883
0x00066899
0x000668a4
0x00000000
0x000668a4
0x00066875
0x0006687b
0x0006687d
0x00000000
0x00000000
0x00000000
0x000664ee
0x000664f1
0x00066518
0x0006651f
0x00066966
0x00066966
0x00000000
0x0006653b
0x0006653c
0x00066541
0x00066543
0x00066808
0x00066808
0x0006680f
0x00000000
0x00000000
0x00066815
0x0006681c
0x00000000
0x00000000
0x00066822
0x00066836
0x00066838
0x00000000
0x00000000
0x0006683e
0x00066840
0x00066843
0x000667e5
0x000667e5
0x0006659d
0x0006659f
0x00066969
0x00066977
0x00066977
0x0006654a
0x0006654f
0x0006655f
0x00066569
0x00000000
0x00000000
0x0006656f
0x00066572
0x00066578
0x0006657b
0x00066782
0x00066766
0x00066768
0x0006676a
0x00066625
0x00066625
0x0006662a
0x0006662a
0x0006662a
0x0006662c
0x0006662f
0x0006662f
0x00066636
0x00066649
0x00066649
0x0006664c
0x00066652
0x00066654
0x00000000
0x00000000
0x0006665a
0x0006665c
0x00066665
0x00066665
0x0006666c
0x00066674
0x00066674
0x00066676
0x00000000
0x00000000
0x00000000
0x00000000
0x0006667c
0x0006667c
0x0006667c
0x0006667f
0x00066681
0x00066683
0x00000000
0x00000000
0x00066685
0x00066688
0x0006668c
0x0006668f
0x000666a5
0x000666a5
0x000666a8
0x000666aa
0x000666c8
0x000666c8
0x000666cb
0x00000000
0x00000000
0x000666cd
0x000666cd
0x000666d0
0x000666d2
0x00000000
0x00000000
0x000666db
0x000666de
0x000668aa
0x000668b0
0x000668bb
0x000668cc
0x000668cc
0x000668d2
0x000668d8
0x000668dd
0x000668dd
0x000668e6
0x000668ee
0x000668f1
0x000668f4
0x000668f7
0x00066901
0x0006690a
0x0006690d
0x00066910
0x00066911
0x00066912
0x00066913
0x0006691a
0x00066924
0x00066927
0x0006692f
0x0006693a
0x0006693a
0x00066945
0x0006694a
0x0006694a
0x00066953
0x00066959
0x0006695b
0x00066960
0x00066960
0x00066959
0x00000000
0x000668b0
0x000666ac
0x000666b2
0x00000000
0x00000000
0x000666be
0x000666c4
0x000666c4
0x000666c5
0x00000000
0x000666c5
0x00066695
0x0006669b
0x0006669d
0x00000000
0x00000000
0x0006669f
0x000666a3
0x00000000
0x00000000
0x00000000
0x000666a3
0x00000000
0x0006667c
0x0006665e
0x00066661
0x00066663
0x00066671
0x00066671
0x00066671
0x00000000
0x00066671
0x00000000
0x00066663
0x00066638
0x0006663e
0x00000000
0x00000000
0x00066640
0x00066643
0x00000000
0x00000000
0x00000000
0x00066643
0x00066770
0x00066773
0x00066775
0x00066777
0x00000000
0x00000000
0x0006677d
0x0006677f
0x00066788
0x0006678b
0x00066796
0x0006679c
0x00000000
0x00000000
0x000667a4
0x000667b0
0x000667d7
0x000667de
0x000667e0
0x000667f2
0x000667f8
0x000667fb
0x000667fd
0x00000000
0x00000000
0x00000000
0x00066803
0x000667e2
0x000667e3
0x00000000
0x000667e3
0x000667b2
0x000667ba
0x000667cc
0x000667cc
0x00000000
0x000667ba
0x00066781
0x00066781
0x00066781
0x00000000
0x00066786
0x0006651f
0x000664f6
0x000666ea
0x000666f1
0x00000000
0x00000000
0x000666f7
0x000666fd
0x000666ff
0x00000000
0x00000000
0x00066705
0x0006670b
0x0006670d
0x00066717
0x00066719
0x00066741
0x00066741
0x00066747
0x0006674e
0x00066750
0x00066756
0x0006675b
0x0006675b
0x00000000
0x00066750
0x0006671d
0x00066721
0x00066721
0x00066728
0x0006672b
0x00066732
0x00066738
0x00066739
0x00066739
0x00000000
0x0006672b
0x000664ff
0x00000000
0x00000000
0x00066508
0x00066582
0x00066582
0x00066584
0x00066587
0x00066587
0x0006658e
0x000665a5
0x000665a5
0x000665ac
0x000665af
0x00000000
0x00000000
0x000665b5
0x000665b7
0x000665bf
0x000665bf
0x000665c5
0x000665ce
0x000665ce
0x000665d0
0x00000000
0x00000000
0x00000000
0x00000000
0x000665d6
0x000665d6
0x000665d6
0x000665d9
0x000665db
0x000665dd
0x00000000
0x00000000
0x000665df
0x000665e2
0x000665e6
0x000665e8
0x00066602
0x00066602
0x00066605
0x00066607
0x0006661b
0x0006661b
0x0006661e
0x00000000
0x00000000
0x00000000
0x00066620
0x00066609
0x0006660f
0x00000000
0x00000000
0x00066611
0x00066617
0x00066617
0x00066617
0x00000000
0x00066617
0x000665ee
0x000665f4
0x000665f6
0x00000000
0x00000000
0x000665f8
0x000665fc
0x00000000
0x00000000
0x00000000
0x000665fc
0x00000000
0x000665d6
0x000665b9
0x000665bb
0x000665bd
0x000665cb
0x000665cb
0x000665cb
0x00000000
0x000665cb
0x00000000
0x000665bd
0x00066590
0x00066596
0x00000000
0x00000000
0x00066598
0x0006659b
0x00000000
0x00000000
0x00000000
0x0006659b
0x0006650d
0x00000000
0x00000000
0x00066516
0x00000000
0x00000000
0x00000000
0x00066516

APIs

GetKeyState.USER32(00000010), ref: 000664C8
GetAsyncKeyState.USER32 ref: 00066527
IsRectEmpty.USER32 ref: 000665EE
IsRectEmpty.USER32 ref: 00066695
SendMessageW.USER32(?,00000100,00000024,00000000), ref: 000667CC
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 00066899
GetClientRect.USER32 ref: 00066901
InvalidateRect.USER32(?,?,00000001), ref: 0006693A
InvalidateRect.USER32(?,?,00000001), ref: 00066945
UpdateWindow.USER32 ref: 0006694A

Strings

!, xrefs: 0006671D

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$EmptyInvalidateMessageSendState$AsyncClientUpdateWindow
String ID: !
API String ID: 348497913-2657877971
Opcode ID: d5e9c550e4c74e0417c276c344feadcbeea9f3e7bce28b1337ae0f4cf57e30af
Instruction ID: cc0e05dae659041b166df4769c454bf3fa3bbb3ef4cbf28ae82ae53222ebc324
Opcode Fuzzy Hash: d5e9c550e4c74e0417c276c344feadcbeea9f3e7bce28b1337ae0f4cf57e30af
Instruction Fuzzy Hash: 48E17F31A006149FDF60DF64D984BADB7F6BF48714F18427AEC05AB295DB32AD80CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0004F43C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E0004F43C(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				void* _t5;
				struct HINSTANCE__* _t6;
				void* _t7;
				_Unknown_base(*)()* _t8;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t11;
				void* _t24;
				void* _t26;
				intOrPtr _t28;

				_t26 = __ecx;
				_t28 =  *0x1a397c; // 0x0
				if(_t28 == 0) {
					if( *((intOrPtr*)(__ecx + 0x218)) != 0) {
						L5:
						 *((intOrPtr*)(_t26 + 0x218)) = 1;
						_t6 = E0004EF88(1, _t24, L"D2D1.dll");
						 *0x1a3964 = _t6;
						if(_t6 == 0) {
							L9:
							_t7 = 0;
							L14:
							return _t7;
						}
						_t8 = GetProcAddress(_t6, "D2D1CreateFactory");
						if(_t8 == 0) {
							L10:
							 *0x1a3978 = GetProcAddress( *0x1a3964, "D2D1MakeRotateMatrix");
							_t10 = E0004EF88(1, _t24, L"DWrite.dll");
							 *0x1a3968 = _t10;
							if(_t10 != 0) {
								_t11 = GetProcAddress(_t10, "DWriteCreateFactory");
								if(_t11 != 0) {
									 *_t11(_a8, 0x15baf0, 0x1a3970);
								}
							}
							__imp__CoCreateInstance(0x180710, 0, 1, 0x180900, 0x1a3974);
							 *0x1a397c = 1;
							_t7 = 1;
							goto L14;
						}
						_push(0x1a396c);
						_push(0);
						_push(0x15bb44);
						_push(_a4);
						if( *_t8() >= 0) {
							goto L10;
						}
						 *0x1a396c = 0;
						goto L9;
					}
					__imp__CoInitialize(0);
					if(_t5 >= 0) {
						goto L5;
					}
					return 0;
				}
				return 1;
			}

0x0004f445
0x0004f447
0x0004f44d
0x0004f45d
0x0004f471
0x0004f47a
0x0004f480
0x0004f486
0x0004f48d
0x0004f4bb
0x0004f4bb
0x0004f51f
0x00000000
0x0004f51f
0x0004f49b
0x0004f49f
0x0004f4bf
0x0004f4d1
0x0004f4d6
0x0004f4dc
0x0004f4e3
0x0004f4eb
0x0004f4ef
0x0004f4fe
0x0004f4fe
0x0004f4ef
0x0004f511
0x0004f517
0x0004f51d
0x00000000
0x0004f51d
0x0004f4a1
0x0004f4a6
0x0004f4a7
0x0004f4ac
0x0004f4b3
0x00000000
0x00000000
0x0004f4b5
0x00000000
0x0004f4b5
0x0004f460
0x0004f468
0x00000000
0x00000000
0x00000000
0x0004f46a
0x00000000

APIs

CoInitialize.OLE32(00000000), ref: 0004F460

Strings

D2D1.dll, xrefs: 0004F475
D2D1MakeRotateMatrix, xrefs: 0004F4BF
DWriteCreateFactory, xrefs: 0004F4E5
D2D1CreateFactory, xrefs: 0004F495
DWrite.dll, xrefs: 0004F4CC

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Initialize
String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
API String ID: 2538663250-1403614551
Opcode ID: c2ec2cd00643aaf5a6389fc6fed8ea6e5010da62881640343a3343d443ccd702
Instruction ID: 6ee53f5ef7a03bfdc202fa7c9b81bdfaf95614404f0392287f3870cba9ae7e1d
Opcode Fuzzy Hash: c2ec2cd00643aaf5a6389fc6fed8ea6e5010da62881640343a3343d443ccd702
Instruction Fuzzy Hash: D7113AB1645709BEC7116F75AC85D37BA98F7C5B693200535F421E6090EBF0D680CE58

Uniqueness

Uniqueness Score: -1.00%

Function 000D81FD Relevance: 15.3, APIs: 10, Instructions: 269
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E000D81FD(void* __ecx, void* __edx, struct tagPOINT _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr* _a28, signed int _a32, RECT* _a36) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				long _v44;
				long _v48;
				long _v52;
				long _v56;
				RECT* _v60;
				signed int _v64;
				long _v68;
				long _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t137;
				intOrPtr _t140;
				intOrPtr _t141;
				void* _t142;
				long _t149;
				long _t162;
				long _t167;
				intOrPtr _t172;
				void* _t175;
				void* _t176;
				void* _t177;
				long _t181;
				long _t191;
				RECT* _t197;
				intOrPtr* _t207;
				void* _t208;
				void* _t233;
				long _t234;
				intOrPtr* _t235;
				signed int _t236;
				void* _t248;

				_t233 = __edx;
				_t208 = __ecx;
				_t137 =  *0x1a0454; // 0x960af5fb
				_v8 = _t137 ^ _t236;
				_v64 = _v64 | 0xffffffff;
				_t207 = _a28;
				_t235 = _a12;
				_v60 = _a36;
				_t140 = _a20;
				_t234 = 0;
				_v68 = 0;
				if(_t140 != 0) {
					L3:
					_t141 =  *((intOrPtr*)(_t140 + 0x1b8));
					if(_t141 != _t234 &&  *((intOrPtr*)(_t141 + 8)) != _t234 &&  *((intOrPtr*)(_t141 + 4)) != _t234) {
						_v68 = 1;
						_v64 =  *((intOrPtr*)(_t141 + 0x100));
					}
					L7:
					_v40.left = _t234;
					_v40.top = _t234;
					_v40.right = _t234;
					_v40.bottom = _t234;
					if(_t235 == _t234) {
						if(_v60 == _t234) {
							L35:
							_t142 = 0;
							L36:
							return E00130836(_t142, _t207, _v8 ^ _t236, _t233, _t234, _t235);
						}
						CopyRect( &_v40, _v60);
						L11:
						_v60 = _t234;
						_v72 = _t234;
						_t235 = E0004EA25(0x19ec6c, _t235);
						if(_t235 != _t234) {
							_t197 =  *((intOrPtr*)( *_t235 + 0x1a0))();
							_v60 = _t197;
							_v56 = _t234;
							_v52 = _t234;
							_v48 = _t234;
							_v44 = _t234;
							_v24.left = _t234;
							_v24.top = _t234;
							_v24.right = _t234;
							_v24.bottom = _t234;
							 *((intOrPtr*)( *_t235 + 0x32c))( &_v56,  &_v24);
							_v72 = _v24.bottom - _v24.top;
						}
						if(_a24 == _t234) {
							if(_v68 == _t234) {
								_t235 = _a16;
								_push(_a8);
								_t234 = PtInRect;
								_v24.left = _v40.left - _t235;
								_t149 = _v40.top;
								_v24.top = _t149 - _t235;
								_v24.bottom = _t149 + _v60 + _t235;
								_v24.right = _v40.right + _t235;
								if(PtInRect( &_v24, _a4.x) == 0) {
									L41:
									_push(_a8);
									_v24.right = _v40.left + _t235;
									_v24.bottom = _v40.bottom + _t235;
									if(PtInRect( &_v24, _a4.x) == 0) {
										L43:
										_push(_a8);
										_v24.left = _v40.left - _t235;
										_t162 = _v40.bottom;
										_v24.top = _t162 - _v72 - _t235;
										_v24.bottom = _t162 + _t235;
										_v24.right = _v40.right + _t235;
										if(PtInRect( &_v24, _a4.x) == 0) {
											L45:
											_t167 = _v40.right - _t235;
											goto L33;
										}
										_t172 = 0x8000;
										if((_a32 & 0x00008000) != 0) {
											goto L27;
										}
										goto L45;
									}
									_t172 = 0x1000;
									if((_a32 & 0x00001000) != 0) {
										goto L27;
									}
									goto L43;
								}
								_t172 = 0x2000;
								if((_a32 & 0x00002000) != 0) {
									goto L27;
								}
								goto L41;
							}
							_t175 = _v64 - 4;
							goto L16;
						} else {
							if(_v68 == _t234) {
								_t235 = _a16;
								_push(_a8);
								_t234 = PtInRect;
								_v24.left = _v40.left - _t235;
								_t181 = _v40.top;
								_v24.top = _t181 - _t235;
								_v24.bottom = _t181;
								_v24.right = _v40.right + _t235;
								if(PtInRect( &_v24, _a4.x) == 0) {
									L28:
									_push(_a8);
									_v24.right = _v40.left;
									_v24.bottom = _v40.bottom + _t235;
									if(PtInRect( &_v24, _a4.x) == 0) {
										L30:
										_push(_a8);
										_v24.left = _v40.left - _t235;
										_t191 = _v40.bottom;
										_v24.top = _t191;
										_v24.bottom = _t191 + _t235;
										_v24.right = _v40.right + _t235;
										if(PtInRect( &_v24, _a4.x) == 0) {
											L32:
											_t167 = _v40.right;
											L33:
											_push(_a8);
											_v24.left = _t167;
											_v24.top = _v40.top - _t235;
											if(PtInRect( &_v24, _a4) == 0) {
												goto L35;
											}
											_t172 = 0x4000;
											if((_a32 & 0x00004000) != 0) {
												L27:
												 *_t207 = _t172;
												L24:
												_t142 = 1;
												goto L36;
											}
											goto L35;
										}
										_t172 = 0x8000;
										if((_a32 & 0x00008000) != 0) {
											goto L27;
										}
										goto L32;
									}
									_t172 = 0x1000;
									if((_a32 & 0x00001000) != 0) {
										goto L27;
									}
									goto L30;
								}
								_t172 = 0x2000;
								if((_a32 & 0x00002000) == 0) {
									goto L28;
								}
								goto L27;
							}
							_t175 = _v64 - _t234;
							_t248 = _t175;
							L16:
							if(_t248 == 0) {
								 *_t207 = 0x1000;
								goto L24;
							}
							_t176 = _t175 - 1;
							if(_t176 == 0) {
								 *_t207 = 0x4000;
								goto L24;
							}
							_t177 = _t176 - 1;
							if(_t177 == 0) {
								 *_t207 = 0x2000;
								goto L24;
							}
							if(_t177 != 1) {
								goto L35;
							}
							 *_t207 = 0x8000;
							goto L24;
						}
					}
					GetWindowRect( *(_t235 + 0x20),  &_v40);
					goto L11;
				}
				if(_t235 == 0) {
					goto L7;
				}
				_t140 = E000D7EDC(0x19ea58, _t233, E0003F82E(_t207, _t208, _t233, GetParent( *(_t235 + 0x20))));
				if(_t140 == 0) {
					goto L7;
				}
				goto L3;
			}

0x000d81fd
0x000d81fd
0x000d8205
0x000d820c
0x000d8212
0x000d8217
0x000d821b
0x000d821f
0x000d8222
0x000d8225
0x000d8227
0x000d822c
0x000d8250
0x000d8250
0x000d8258
0x000d826a
0x000d8271
0x000d8271
0x000d8274
0x000d8274
0x000d8277
0x000d827a
0x000d827d
0x000d8282
0x000d8296
0x000d8417
0x000d8417
0x000d8419
0x000d8427
0x000d8427
0x000d82a3
0x000d82a9
0x000d82af
0x000d82b2
0x000d82ba
0x000d82c0
0x000d82c6
0x000d82d3
0x000d82db
0x000d82de
0x000d82e1
0x000d82e4
0x000d82e7
0x000d82ea
0x000d82ed
0x000d82f0
0x000d82f3
0x000d82ff
0x000d82ff
0x000d8305
0x000d842d
0x000d843a
0x000d8440
0x000d8443
0x000d844e
0x000d8451
0x000d845d
0x000d8463
0x000d846c
0x000d8473
0x000d8483
0x000d8486
0x000d848e
0x000d8496
0x000d84a1
0x000d84b1
0x000d84b4
0x000d84bc
0x000d84bf
0x000d84cb
0x000d84d1
0x000d84da
0x000d84e1
0x000d84f1
0x000d84f4
0x00000000
0x000d84f4
0x000d84e3
0x000d84eb
0x00000000
0x00000000
0x00000000
0x000d84eb
0x000d84a3
0x000d84ab
0x00000000
0x00000000
0x00000000
0x000d84ab
0x000d8475
0x000d847d
0x00000000
0x00000000
0x00000000
0x000d847d
0x000d8432
0x00000000
0x000d830b
0x000d830e
0x000d834a
0x000d8350
0x000d8353
0x000d835e
0x000d8361
0x000d8368
0x000d836e
0x000d8377
0x000d837e
0x000d838e
0x000d8391
0x000d8394
0x000d839f
0x000d83aa
0x000d83b6
0x000d83b9
0x000d83c4
0x000d83c7
0x000d83ca
0x000d83cf
0x000d83d8
0x000d83df
0x000d83eb
0x000d83eb
0x000d83ee
0x000d83ee
0x000d83f1
0x000d83fc
0x000d8407
0x00000000
0x00000000
0x000d8409
0x000d8411
0x000d838a
0x000d838a
0x000d8342
0x000d8344
0x00000000
0x000d8344
0x00000000
0x000d8411
0x000d83e1
0x000d83e9
0x00000000
0x00000000
0x00000000
0x000d83e9
0x000d83ac
0x000d83b4
0x00000000
0x00000000
0x00000000
0x000d83b4
0x000d8380
0x000d8388
0x00000000
0x00000000
0x00000000
0x000d8388
0x000d8313
0x000d8313
0x000d8315
0x000d8315
0x000d833c
0x00000000
0x000d833c
0x000d8317
0x000d8318
0x000d8334
0x00000000
0x000d8334
0x000d831a
0x000d831b
0x000d832c
0x00000000
0x000d832c
0x000d831e
0x00000000
0x00000000
0x000d8324
0x00000000
0x000d8324
0x000d8305
0x000d828b
0x00000000
0x000d828b
0x000d8230
0x00000000
0x00000000
0x000d8247
0x000d824e
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 000D8235
GetWindowRect.USER32(?,?), ref: 000D828B
CopyRect.USER32(?,?), ref: 000D82A3
PtInRect.USER32(?,0019D608,?), ref: 000D837A
PtInRect.USER32(?,0019D608,?), ref: 000D83A6
PtInRect.USER32(?,0019D608,?), ref: 000D83DB
PtInRect.USER32(?,0019D608,?), ref: 000D8403
PtInRect.USER32(?,0019D608,?), ref: 000D846F
PtInRect.USER32(?,0019D608,?), ref: 000D849D
PtInRect.USER32(?,0019D608,?), ref: 000D84DD

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$CopyParentWindow
String ID:
API String ID: 642869531-0
Opcode ID: 9d4601607fd3a81da8d11a7e3885dea9715dac0e2a268228de9eca50c45e4eca
Instruction ID: 4dd21caca9f410521228911403e50f78e570f0f35f29517d7970e74067034369
Opcode Fuzzy Hash: 9d4601607fd3a81da8d11a7e3885dea9715dac0e2a268228de9eca50c45e4eca
Instruction Fuzzy Hash: E2B1C271D0021A9BCF51CFA9C984AEEBBF4BF48740F14816AE919E7354EB359A41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 000472C1 Relevance: 15.2, APIs: 10, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000472C1(intOrPtr __ecx, void* __edx, struct HWND__** _a4) {
				intOrPtr _v8;
				struct tagPOINT _v16;
				void* __ebx;
				struct HWND__* _t36;
				void* _t39;
				int _t40;
				void* _t42;
				intOrPtr _t52;
				intOrPtr _t54;
				intOrPtr _t56;
				void* _t57;
				intOrPtr _t58;
				intOrPtr _t60;
				intOrPtr _t63;
				void* _t67;
				void* _t68;
				struct HWND__** _t83;
				void* _t84;

				_t77 = __edx;
				_t83 = _a4;
				_t36 = _t83[1];
				_v8 = __ecx;
				_t84 = _t36 - 0x105;
				if(_t84 > 0) {
					if(_t36 == 0x200) {
						_v16.x = _t83[3];
						_v16.y = _t83[3];
						_t39 = E0003F82E(_t67, 0x105, __edx,  *_t83);
						if(_t39 != 0) {
							ClientToScreen( *(_t39 + 0x20),  &_v16);
						}
						_t40 = E00047230(_v16.x, _v16.y);
						L22:
						if(_t40 != 0) {
							L16:
							_t42 = 1;
							L24:
							return _t42;
						}
						L23:
						_t42 = 0;
						goto L24;
					}
					if(_t36 == 0x201) {
						L36:
						_v16.x = _t83[3];
						_push(_t67);
						_v16.y = _t83[3];
						_t68 = E0003F82E(_t67, 0x105, _t77,  *_t83);
						if(_t68 != 0 && IsWindow( *_t83) != 0) {
							ClientToScreen( *(_t68 + 0x20),  &_v16);
						}
						if(E00047052(_v8, _t77, _v16.x, _v16.y) == 0) {
							if(IsWindow( *_t83) != 0) {
								goto L23;
							}
						}
						goto L16;
					}
					if(_t36 <= 0x203) {
						goto L23;
					}
					if(_t36 <= 0x205) {
						goto L36;
					}
					if(_t36 <= 0x206) {
						goto L23;
					}
					if(_t36 <= 0x208) {
						goto L36;
					}
					if(_t36 == 0x20a) {
						_t52 =  *0x1a48bc; // 0x0
						if(_t52 != 0 && IsWindow( *(_t52 + 0x20)) != 0) {
							_t54 =  *0x1a48bc; // 0x0
							if( *((intOrPtr*)(_t54 + 0xef0)) != 0) {
								SendMessageW( *(_t54 + 0x20), 0x20a, _t83[2], _t83[3]);
							}
						}
					}
					goto L23;
				}
				if(_t84 == 0) {
					_t56 =  *0x1a48bc; // 0x0
					if(_t56 == 0) {
						goto L23;
					}
					_t40 = IsWindow( *(_t56 + 0x20));
					goto L22;
				}
				if(_t36 > 0xa8) {
					_t57 = _t36 - 0x100;
					if(_t57 == 0) {
						_t58 =  *0x1a48bc; // 0x0
						if(_t58 == 0 || IsWindow( *(_t58 + 0x20)) == 0) {
							goto L23;
						} else {
							_push(0);
							_push(_t83[2]);
							_push(0x100);
							L15:
							_t60 =  *0x1a48bc; // 0x0
							SendMessageW( *(_t60 + 0x20), ??, ??, ??);
							goto L16;
						}
					}
					if(_t57 != 4) {
						goto L23;
					}
					L11:
					_t63 =  *0x1a48bc; // 0x0
					if(_t63 == 0 || IsWindow( *(_t63 + 0x20)) == 0 || _t83[2] != 0x12) {
						goto L23;
					} else {
						_push(0);
						_push(0);
						_push(0x10);
						goto L15;
					}
				}
				if(_t36 >= 0xa7) {
					L8:
					_t40 = E00047052(_v8, _t77, _t83[3], _t83[3]);
					goto L22;
				}
				if(_t36 == 0x7b) {
					goto L11;
				}
				if(_t36 <= 0xa0 || _t36 > 0xa2 && _t36 + 0xffffff5c > 1) {
					goto L23;
				} else {
					goto L8;
				}
			}

0x000472c1
0x000472ca
0x000472cd
0x000472d0
0x000472d9
0x000472db
0x000473b2
0x0004747f
0x00047486
0x00047489
0x00047490
0x00047499
0x00047499
0x000474a8
0x000473a1
0x000473a3
0x0004736c
0x0004736e
0x000473a7
0x000473aa
0x000473aa
0x000473a5
0x000473a5
0x00000000
0x000473a5
0x000473bd
0x0004741a
0x0004741e
0x00047425
0x00047428
0x00047436
0x0004743a
0x0004744b
0x0004744b
0x00047462
0x0004746e
0x00000000
0x00000000
0x00047474
0x00000000
0x00047462
0x000473c4
0x00000000
0x00000000
0x000473cb
0x00000000
0x00000000
0x000473d2
0x00000000
0x00000000
0x000473d9
0x00000000
0x00000000
0x000473e2
0x000473e4
0x000473eb
0x000473fa
0x00047406
0x00047412
0x00047412
0x00047406
0x000473eb
0x00000000
0x000473e2
0x000472e1
0x0004738f
0x00047396
0x00000000
0x00000000
0x0004739b
0x00000000
0x0004739b
0x000472ec
0x00047333
0x00047335
0x00047371
0x00047378
0x00000000
0x00047387
0x00047387
0x00047389
0x0004738c
0x0004735e
0x0004735e
0x00047366
0x00000000
0x00047366
0x00047378
0x0004733a
0x00000000
0x00000000
0x0004733c
0x0004733c
0x00047343
0x00000000
0x00047358
0x00047358
0x0004735a
0x0004735c
0x00000000
0x0004735c
0x00047343
0x000472f3
0x0004731a
0x00047327
0x00000000
0x00047327
0x000472f8
0x00000000
0x00000000
0x000472ff
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsWindow.USER32(?), ref: 00047348
SendMessageW.USER32(?,00000100,?,00000000), ref: 00047366
IsWindow.USER32(?), ref: 0004737D
IsWindow.USER32(?), ref: 0004739B
IsWindow.USER32(?), ref: 000473F0
SendMessageW.USER32(?,0000020A,?,?), ref: 00047412
IsWindow.USER32(?), ref: 0004743E
ClientToScreen.USER32(?,?), ref: 0004744B
IsWindow.USER32(?), ref: 0004746A
ClientToScreen.USER32(?,?), ref: 00047499

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Window$ClientMessageScreenSend
String ID:
API String ID: 526472501-0
Opcode ID: fc0dd425265282f83539a973657f539535c2ecf96bd6b748f1b5deb55786d827
Instruction ID: 55e059be7eb3c6fa2455870da87ac31b1c3002fb71648178a54169390fcfe893
Opcode Fuzzy Hash: fc0dd425265282f83539a973657f539535c2ecf96bd6b748f1b5deb55786d827
Instruction Fuzzy Hash: 8551B2B1608201EFEB709F64DC49A2E7BF5FB48702F104539E899E61A1E735DE80EB04

Uniqueness

Uniqueness Score: -1.00%

Function 00045255 Relevance: 13.7, APIs: 9, Instructions: 233
filecomstringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00045255(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				void* _t69;
				void* _t74;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t87;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t95;
				void* _t100;
				void* _t103;
				void* _t104;
				WCHAR* _t105;
				void* _t108;
				void* _t111;
				void* _t114;
				void* _t117;
				void* _t118;
				void* _t119;
				struct HMETAFILE__* _t121;
				void _t128;
				signed int _t147;
				void* _t153;
				void* _t161;

				_push(0x5c);
				E00131A82(0x148aa2, __ebx, __edi, __esi);
				_t157 =  *(_t161 + 0xc);
				_t147 =  *(_t161 + 8) & 0x0000ffff;
				_t153 =  *(_t161 + 0x10);
				if( *_t157 != 0) {
					L10:
					_t68 =  *_t153 - 1;
					if(_t68 == 0) {
						_t69 = E00044EBE(_t128,  *(_t157 + 4),  *(_t153 + 4));
						__eflags = _t69;
						if(_t69 == 0) {
							goto L19;
						} else {
							 *(_t157 + 4) = _t69;
							goto L37;
						}
					} else {
						_t74 = _t68 - 1;
						if(_t74 == 0) {
							E00036620(0,  *(_t153 + 4));
							 *((intOrPtr*)(_t161 - 4)) = 0;
							E00036620(0,  *(_t157 + 4));
							asm("sbb esi, esi");
							asm("sbb edi, edi");
							_t157 = CopyFileW(_t153,  ~( *(_t157 + 4)) &  *(_t161 - 0x5c), 0);
							E00031190( *(_t161 - 0x5c) + 0xfffffff0, _t147);
							E00031190( *((intOrPtr*)(_t161 - 0x60)) + 0xfffffff0, _t147);
						} else {
							_t82 = _t74;
							if(_t82 == 0) {
								_t83 =  *(_t153 + 4);
								_t84 =  *((intOrPtr*)( *_t83 + 0x30))(_t83, _t161 - 0x58, 1);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L19;
								} else {
									_t85 =  *(_t157 + 4);
									 *((intOrPtr*)(_t161 - 0x64)) = 0;
									 *((intOrPtr*)( *_t85 + 0x14))(_t85, 0, 0, 0, 0);
									_t87 =  *(_t153 + 4);
									 *((intOrPtr*)( *_t87 + 0x14))(_t87, 0, 0, 0, 0);
									_t89 =  *(_t153 + 4);
									_t90 =  *((intOrPtr*)( *_t89 + 0x1c))(_t89,  *(_t157 + 4),  *((intOrPtr*)(_t161 - 0x50)),  *((intOrPtr*)(_t161 - 0x4c)), 0, 0);
									__eflags = _t90;
									if(_t90 != 0) {
										goto L19;
									} else {
										_t91 =  *(_t157 + 4);
										_t157 = 0;
										 *((intOrPtr*)( *_t91 + 0x14))(_t91, 0, 0, 0, 0);
										_t153 =  *(_t153 + 4);
										 *((intOrPtr*)( *_t153 + 0x14))(_t153, 0, 0, 0, 0);
										goto L37;
									}
								}
							} else {
								_t95 = _t82 - 4;
								if(_t95 == 0) {
									_t153 =  *(_t153 + 4);
									 *((intOrPtr*)( *_t153 + 0x1c))(_t153, 0, 0, 0,  *(_t157 + 4));
									asm("sbb eax, eax");
								} else {
									_t100 = _t95 - 8;
									if(_t100 == 0) {
										L16:
										if( *(_t157 + 4) != 0) {
											goto L19;
										} else {
											__imp__OleDuplicateData( *(_t153 + 4), _t147, 0);
											 *(_t157 + 4) = _t100;
										}
									} else {
										_t100 = _t100 - 0x30;
										if(_t100 != 0) {
											goto L19;
										} else {
											goto L16;
										}
									}
								}
							}
						}
					}
				} else {
					_t128 =  *_t153;
					_t103 = _t128 - 1;
					if(_t103 == 0) {
						L8:
						 *_t157 = _t128;
						goto L9;
					} else {
						_t104 = _t103 - 1;
						if(_t104 == 0) {
							 *_t157 = 2;
							_t105 =  *(_t153 + 4);
							__eflags = _t105;
							if(__eflags == 0) {
								_t105 = E000455E0(_t128);
							}
							 *((intOrPtr*)(_t161 - 0x60)) = lstrlenW(_t105);
							_t108 = E00044DDE(_t128, __eflags, _t106 + 1, 2);
							 *(_t157 + 4) = _t108;
							__eflags = _t108;
							if(_t108 == 0) {
								goto L19;
							} else {
								_push( *((intOrPtr*)(_t161 - 0x60)) +  *((intOrPtr*)(_t161 - 0x60)) + 2);
								E00033E80(_t108,  *((intOrPtr*)(_t161 - 0x60)) +  *((intOrPtr*)(_t161 - 0x60)) + 2,  *(_t153 + 4));
								goto L37;
							}
						} else {
							_t111 = _t104;
							if(_t111 == 0) {
								_t153 =  *(_t153 + 4);
								 *(_t157 + 4) = _t153;
								 *((intOrPtr*)( *_t153 + 4))(_t153);
								 *_t157 = 4;
								goto L37;
							} else {
								_t114 = _t111 - 4;
								if(_t114 == 0) {
									_t153 =  *(_t153 + 4);
									 *(_t157 + 4) = _t153;
									 *((intOrPtr*)( *_t153 + 4))(_t153);
									 *_t157 = 8;
									goto L37;
								} else {
									_t117 = _t114 - 8;
									if(_t117 == 0) {
										 *_t157 = 0x10;
										L9:
										 *(_t157 + 4) = 0;
										goto L10;
									} else {
										_t118 = _t117 - 0x10;
										if(_t118 == 0) {
											_t119 = E00044EBE(_t128, 0,  *(_t153 + 4));
											 *(_t161 - 0x5c) = _t119;
											__eflags = _t119;
											if(_t119 != 0) {
												_t153 = GlobalLock(_t119);
												_t121 = CopyMetaFileW( *(_t153 + 0xc), 0);
												 *(_t153 + 0xc) = _t121;
												__eflags = _t121;
												if(_t121 != 0) {
													_t153 =  *(_t161 - 0x5c);
													GlobalUnlock(_t153);
													 *(_t157 + 4) = _t153;
													 *_t157 = 0x20;
													L37:
													__eflags = 1;
												} else {
													GlobalUnlock( *(_t161 - 0x5c));
													GlobalFree( *(_t161 - 0x5c));
													goto L19;
												}
											} else {
												goto L19;
											}
										} else {
											if(_t118 == 0x20) {
												goto L8;
											}
										}
									}
								}
							}
						}
					}
				}
				return E00131B05(0, _t153, _t157);
			}

0x00045255
0x0004525c
0x00045261
0x00045264
0x00045268
0x0004526f
0x000452a8
0x000452aa
0x000452ab
0x000454bd
0x000454c2
0x000454c4
0x00000000
0x000454ca
0x000454ca
0x00000000
0x000454ca
0x000452b1
0x000452b1
0x000452b2
0x0004546b
0x00045476
0x00045479
0x00045486
0x0004548d
0x000454a1
0x000454a3
0x000454ae
0x000452b8
0x000452b9
0x000452ba
0x000453ef
0x000453fb
0x000453fe
0x00045400
0x00000000
0x00045406
0x00045406
0x00045412
0x00045415
0x00045418
0x00045424
0x00045427
0x00045438
0x0004543b
0x0004543d
0x00000000
0x00045443
0x00045443
0x0004544d
0x00045451
0x00045454
0x00045460
0x00000000
0x00045460
0x0004543d
0x000452c0
0x000452c0
0x000452c3
0x000453d9
0x000453e2
0x000453e7
0x000452c9
0x000452c9
0x000452cc
0x000452d3
0x000452d6
0x00000000
0x000452d8
0x000452dd
0x000452ea
0x000452ed
0x000452ce
0x000452ce
0x000452d1
0x00000000
0x00000000
0x00000000
0x00000000
0x000452d1
0x000452cc
0x000452c3
0x000452ba
0x000452b2
0x00045271
0x00045271
0x00045275
0x00045276
0x000452a3
0x000452a3
0x00000000
0x00045278
0x00045278
0x00045279
0x0004538a
0x00045390
0x00045393
0x00045395
0x00045397
0x00045397
0x000453a3
0x000453aa
0x000453b1
0x000453b4
0x000453b6
0x00000000
0x000453bc
0x000453c3
0x000453c9
0x00000000
0x000453ce
0x0004527f
0x00045280
0x00045281
0x00045373
0x00045376
0x0004537c
0x0004537f
0x00000000
0x00045287
0x00045287
0x0004528a
0x0004535c
0x0004535f
0x00045365
0x00045368
0x00000000
0x00045290
0x00045290
0x00045293
0x00045351
0x000452a5
0x000452a5
0x00000000
0x00045299
0x00045299
0x0004529c
0x000452f8
0x000452fd
0x00045300
0x00045302
0x00045312
0x00045318
0x0004531e
0x00045321
0x00045323
0x00045339
0x0004533d
0x00045343
0x00045346
0x000454cd
0x000454cf
0x00045325
0x00045328
0x00045331
0x00000000
0x00045331
0x00000000
0x00000000
0x00000000
0x0004529e
0x000452a1
0x00000000
0x00000000
0x000452a1
0x0004529c
0x00045293
0x0004528a
0x00045281
0x00045279
0x00045276
0x000454d5

APIs

__EH_prolog3_GS.LIBCMT ref: 0004525C
OleDuplicateData.OLE32(?,?,00000000), ref: 000452DD
GlobalLock.KERNEL32 ref: 0004530C
CopyMetaFileW.GDI32(?,00000000), ref: 00045318
GlobalUnlock.KERNEL32(?), ref: 00045328
GlobalFree.KERNEL32(?), ref: 00045331
GlobalUnlock.KERNEL32(?), ref: 0004533D
lstrlenW.KERNEL32(?,0000005C,0010FBF2,?,?,?), ref: 0004539D
CopyFileW.KERNEL32 ref: 00045495

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3_LockMetalstrlen
String ID:
API String ID: 3489744035-0
Opcode ID: fb6b4f7f277d21dd23b46ce17af63d948e0570f3e19b300d30b5498d4af1e7b8
Instruction ID: feb4796fc250bc11c4be39a6f5500533ffc6a8ef8efec64ae88393182a1e08ef
Opcode Fuzzy Hash: fb6b4f7f277d21dd23b46ce17af63d948e0570f3e19b300d30b5498d4af1e7b8
Instruction Fuzzy Hash: 5881ADF1900A05AFDB209FA0CD8896ABBF9FF44746B108529F456CB652D770ED40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00047052 Relevance: 13.7, APIs: 9, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00047052(intOrPtr __ecx, void* __edx, long _a4, intOrPtr _a8) {
				intOrPtr _v8;
				struct tagPOINT _v16;
				intOrPtr _v20;
				long _v24;
				void* __ebx;
				void* __edi;
				intOrPtr _t37;
				void* _t42;
				intOrPtr _t43;
				intOrPtr _t48;
				int _t50;
				intOrPtr _t51;
				int _t54;
				int _t55;
				int _t72;
				int _t76;
				intOrPtr _t77;
				int _t79;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr* _t83;
				intOrPtr* _t92;
				void* _t93;
				void* _t94;
				intOrPtr _t95;
				intOrPtr _t97;
				int _t98;
				int _t99;
				void* _t100;

				_t93 = __edx;
				_t79 = 0;
				_t97 = __ecx;
				_v8 = __ecx;
				_t100 =  *0x1a3f04 - _t79; // 0x0
				if(_t100 != 0) {
					L22:
					__eflags = 0;
					return 0;
				}
				_t37 =  *0x1a48bc; // 0x0
				if(_t37 == 0 || IsWindow( *(_t37 + 0x20)) == 0) {
					goto L22;
				} else {
					_t81 =  *0x1a48bc; // 0x0
					_v16.x = _a4;
					_v16.y = _a8;
					_t42 = E000612F4(_t81, _t93, _t94,  &_v16);
					if(_t42 != 4) {
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							L27:
							_t43 =  *0x1a48bc; // 0x0
							SendMessageW( *(_t43 + 0x20), 0x10, _t79, _t79);
							_t82 =  *((intOrPtr*)(_t97 + 4));
							L28:
							E00043652(_t79, _t82, _t93);
							L10:
							return 1;
						}
						__eflags = _t42 - 2;
						if(_t42 != 2) {
							goto L22;
						}
						goto L27;
					}
					_t48 =  *0x1a48bc; // 0x0
					_t95 =  *((intOrPtr*)(_t48 + 0x148));
					if(_t95 == 0) {
						L18:
						_t83 =  *0x1a48bc; // 0x0
						_t50 =  *((intOrPtr*)( *_t83 + 0x1c4))();
						__eflags = _t50;
						if(_t50 == 0) {
							_t51 =  *0x1a48bc; // 0x0
							SendMessageW( *(_t51 + 0x20), 0x10, _t50, _t50);
							_t54 = E0003F82E(_t79, _t83, _t93, GetFocus());
							__eflags = _t54;
							if(_t54 != 0) {
								_t55 = E0004EA07(_t54, 0x19ced8);
								__eflags = _t55;
								if(_t55 != 0) {
									E00043652(_t79,  *((intOrPtr*)(_v8 + 4)), _t93);
								}
							}
						}
						goto L22;
					}
					_t79 =  *(_t95 + 0x6c);
					if(_t79 == 0) {
						goto L18;
					}
					_t98 = E0004EA25(0x19d08c, _t79);
					_v16.x = _a4;
					_v16.y = _a8;
					ScreenToClient( *(_t79 + 0x20),  &_v16);
					_push(_v16.y);
					_t96 = _t95 + 0x54;
					if(PtInRect(_t95 + 0x54, _v16) == 0) {
						__eflags = _t98;
						if(_t98 == 0) {
							goto L18;
						}
						 *((intOrPtr*)( *_t98 + 0x43c))();
						_t99 = E0004EA25(0x19cffc, E0003F82E(_t79, _t98, _t93, GetParent( *(_t98 + 0x20))));
						__eflags = _t99;
						if(_t99 == 0) {
							goto L18;
						}
						_v24 = _a4;
						_v20 = _a8;
						_t72 = E000612F4(_t99, _t93, _t96,  &_v24);
						__eflags = _t72;
						if(__eflags == 0) {
							goto L22;
						}
						if(__eflags <= 0) {
							goto L18;
						}
						__eflags = _t72 - 2;
						if(_t72 <= 2) {
							SendMessageW( *(_t99 + 0x20), 0x10, 0, 0);
							_t82 =  *((intOrPtr*)(_v8 + 4));
							goto L28;
						}
						__eflags = _t72 - 3;
						if(_t72 == 3) {
							goto L22;
						}
						__eflags = _t72 - 5;
						if(_t72 == 5) {
							goto L22;
						}
						goto L18;
					}
					if(_t98 == 0) {
						_t92 =  *0x1a48bc; // 0x0
						_t76 =  *((intOrPtr*)( *_t92 + 0x1c4))();
						if(_t76 == 0) {
							_t77 =  *0x1a48bc; // 0x0
							SendMessageW( *(_t77 + 0x20), 0x10, _t76, _t76);
						}
					}
					goto L10;
				}
			}

0x00047052
0x0004705c
0x0004705e
0x00047061
0x00047064
0x0004706a
0x000471e7
0x000471e7
0x00000000
0x000471e7
0x00047070
0x00047077
0x00000000
0x0004708e
0x00047091
0x00047097
0x0004709d
0x000470a4
0x000470ac
0x00047207
0x0004720a
0x00047211
0x00047211
0x0004721d
0x00047223
0x00047226
0x00047226
0x00047134
0x00000000
0x00047136
0x0004720c
0x0004720f
0x00000000
0x00000000
0x00000000
0x0004720f
0x000470b2
0x000470b7
0x000470bf
0x00047198
0x00047198
0x000471a0
0x000471a6
0x000471a8
0x000471ac
0x000471b6
0x000471c3
0x000471c8
0x000471ca
0x000471d3
0x000471d8
0x000471da
0x000471e2
0x000471e2
0x000471da
0x000471ca
0x00000000
0x000471a8
0x000470c5
0x000470ca
0x00000000
0x00000000
0x000470db
0x000470e0
0x000470e8
0x000470f2
0x000470f8
0x000470fb
0x0004710a
0x0004713c
0x0004713e
0x00000000
0x00000000
0x00047144
0x00047164
0x00047168
0x0004716a
0x00000000
0x00000000
0x0004716f
0x00047175
0x0004717e
0x00047183
0x00047185
0x00000000
0x00000000
0x00047187
0x00000000
0x00000000
0x00047189
0x0004718c
0x000471f9
0x00047202
0x00000000
0x00047202
0x0004718e
0x00047191
0x00000000
0x00000000
0x00047193
0x00047196
0x00000000
0x00000000
0x00000000
0x00047196
0x0004710e
0x00047110
0x00047118
0x00047120
0x00047124
0x0004712e
0x0004712e
0x00047120
0x00000000
0x0004710e

APIs

IsWindow.USER32(?), ref: 00047080

Part of subcall function 000612F4: GetClientRect.USER32 ref: 00061325
Part of subcall function 000612F4: PtInRect.USER32(?,?,?), ref: 0006133F

ScreenToClient.USER32(?,?), ref: 000470F2
PtInRect.USER32(?,?,?), ref: 00047102
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0004712E
GetParent.USER32(?), ref: 0004714D
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 000471B6
GetFocus.USER32 ref: 000471BC
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 000471F9
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0004721D

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: MessageSend$Rect$Client$FocusParentScreenWindow
String ID:
API String ID: 4216724418-0
Opcode ID: b0986d1ae29b420d9a9e9dadeecda5ee716d7c8459b03299005f6dbf91d14e02
Instruction ID: c95eb3f22da60a2bee365c1e37c5a8701e0e4591745444795e44a648c6d6123e
Opcode Fuzzy Hash: b0986d1ae29b420d9a9e9dadeecda5ee716d7c8459b03299005f6dbf91d14e02
Instruction Fuzzy Hash: C2515BB5A04245AFEB609FA8EC85EAD77F9EB09300B104479F909EB671DB70ED40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 000582C3 Relevance: 13.6, APIs: 9, Instructions: 129
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000582C3(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				void* __ebp;
				void* _t34;
				intOrPtr* _t36;
				intOrPtr _t43;
				intOrPtr _t53;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t59;
				intOrPtr _t60;
				intOrPtr _t62;
				void* _t63;
				intOrPtr _t64;
				void* _t66;
				signed int _t70;

				_t55 = _a4;
				_t64 = _a8;
				_v8 = __ecx;
				asm("sbb esi, esi");
				_t70 =  ~( ~( *(__ecx + 0x90) & 0x0000a000));
				_t34 =  *((intOrPtr*)( *_t55 + 0x68))(_t64, _t63, _t66, _t54, __ecx);
				if(_t34 != 0) {
					L24:
					_t36 =  *((intOrPtr*)(_v8 + 0xbcc));
					_t62 = 0;
					while(_t36 != 0) {
						_t59 = _t36;
						if(_t36 == 0) {
							E000455E0(_t59);
							L31:
							if(_t62 != 0) {
								if(( *(_t62 + 0x24) & 0x00000001) != 0) {
									CheckMenuItem( *(_t64 + 4), 0x4215, 8);
								}
							} else {
								EnableMenuItem( *(_t64 + 4), 0x4215, 1);
							}
							L35:
							return 1;
						}
						_t60 =  *((intOrPtr*)(_t59 + 8));
						_t36 =  *_t36;
						if(_t60 == _t55) {
							goto L31;
						}
						_t62 = _t60;
					}
					goto L35;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) == _t34) {
					L6:
					EnableMenuItem( *(_t64 + 4), 0x420f, 1);
					goto L7;
				} else {
					if( *((intOrPtr*)(_t55 + 4)) == _t34) {
						_t53 =  *((intOrPtr*)(_t55 + 0x34));
					} else {
						_t53 =  *((intOrPtr*)(_t55 + 0x38));
					}
					if(_t53 >= 0) {
						L7:
						_t43 =  *((intOrPtr*)(_t55 + 0x20));
						if(_t43 == 0xffffffff || _t43 == 0) {
							EnableMenuItem( *(_t64 + 4), 0x420e, 1);
						}
						if( *(_t55 + 8) != 0 ||  *((intOrPtr*)(_t55 + 0x18)) != 0 && _t70 != 0) {
							_push(8);
							if( *((intOrPtr*)(_t55 + 0xc)) == 0) {
								_push(0x4213);
							} else {
								_push(0x4214);
							}
						} else {
							_push(8);
							_push(0x4212);
						}
						CheckMenuItem( *(_t64 + 4), ??, ??);
						if( *((intOrPtr*)(_t55 + 0x18)) != 0 && _t70 != 0) {
							EnableMenuItem( *(_t64 + 4), 0x4212, 1);
						}
						_push(_t55);
						if( *((intOrPtr*)( *_v8 + 0x408))() != 0) {
							EnableMenuItem( *(_t64 + 4), 0x4212, 1);
							EnableMenuItem( *(_t64 + 4), 0x4213, 1);
							EnableMenuItem( *(_t64 + 4), 0x4214, 1);
							 *(_t55 + 8) = 1;
						}
						goto L24;
					}
					goto L6;
				}
			}

0x000582ca
0x000582dd
0x000582e2
0x000582e5
0x000582ea
0x000582ec
0x000582f1
0x000583d5
0x000583d8
0x000583de
0x000583f3
0x000583e2
0x000583e6
0x000583f9
0x000583fe
0x00058400
0x00058414
0x00058420
0x00058420
0x00058402
0x0005840c
0x0005840c
0x00058426
0x0005842d
0x0005842d
0x000583e8
0x000583eb
0x000583ef
0x00000000
0x00000000
0x000583f1
0x000583f1
0x00000000
0x000583f7
0x000582fa
0x0005830d
0x00058317
0x00000000
0x000582fc
0x000582ff
0x00058306
0x00058301
0x00058301
0x00058301
0x0005830b
0x0005831d
0x0005831d
0x00058323
0x00058333
0x00058333
0x0005833e
0x00058352
0x00058357
0x00058360
0x00058359
0x00058359
0x00058359
0x00058349
0x00058349
0x0005834b
0x0005834b
0x00058368
0x00058372
0x00058388
0x00058388
0x00058397
0x000583a0
0x000583ac
0x000583b8
0x000583c4
0x000583c6
0x000583c6
0x00000000
0x000583a0
0x00000000
0x0005830b

APIs

EnableMenuItem.USER32 ref: 00058317
EnableMenuItem.USER32 ref: 00058333
CheckMenuItem.USER32 ref: 00058368
EnableMenuItem.USER32 ref: 00058388
EnableMenuItem.USER32 ref: 000583AC
EnableMenuItem.USER32 ref: 000583B8
EnableMenuItem.USER32 ref: 000583C4
EnableMenuItem.USER32 ref: 0005840C
CheckMenuItem.USER32 ref: 00058420

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 3c29a8f1478a5216eb02252f72918c60b7a08bcd85f1beeca17a3c7ea02f98e8
Instruction ID: 6e0dcb56a9637d4abb9ea457a94faf7b508120f00f7b1d31ef9c79631dadee24
Opcode Fuzzy Hash: 3c29a8f1478a5216eb02252f72918c60b7a08bcd85f1beeca17a3c7ea02f98e8
Instruction Fuzzy Hash: D0419070744602EBEB608F14CC86B6A77A5BB10B12F14C165BE09BF1E1EBB1DD84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0009F454 Relevance: 12.1, APIs: 8, Instructions: 149
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0009F454(intOrPtr* __ecx, void* __edx, int _a4, struct tagPOINT _a8, signed short _a12) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				int _t52;
				void* _t63;
				intOrPtr _t66;
				struct HWND__* _t77;
				intOrPtr* _t80;
				void* _t98;
				int _t99;
				RECT* _t100;
				signed int _t102;
				void* _t103;

				_t98 = __edx;
				_t45 =  *0x1a0454; // 0x960af5fb
				_v8 = _t45 ^ _t102;
				_t80 = __ecx;
				_push(0);
				_t99 =  *((intOrPtr*)( *__ecx + 0x224))();
				if( *((char*)(__ecx + 0x160)) == 0) {
					__eflags = _t99;
					if(_t99 == 0) {
						L23:
						_t82 =  *(_t80 + 0xb0);
						 *((char*)(_t80 + 0x162)) = 0;
						__eflags =  *(_t80 + 0xb0);
						if(__eflags != 0) {
							_push(0);
							E000AC876(_t80, _t82, _t98, _t99, _t100, 0);
						}
						_t49 = E0003F788(_t80, _t80, _t99, __eflags);
						L26:
						return E00130836(_t49, _t80, _v8 ^ _t102, _t98, _t99, _t100);
					}
					__eflags =  *((char*)(__ecx + 0x162));
					if( *((char*)(__ecx + 0x162)) != 0) {
						goto L23;
					}
					_t52 = IsWindowVisible( *(_t99 + 0x20));
					__eflags = _t52;
					if(_t52 == 0) {
						goto L23;
					}
					MapWindowPoints( *(_t80 + 0x20),  *(_t99 + 0x20),  &_a8, 1);
					_t49 = SendMessageW( *(_t99 + 0x20), 0x202, _a4, (_a12 & 0x0000ffff) << 0x00000010 | _a8.x & 0x0000ffff);
					goto L26;
				}
				ReleaseCapture();
				 *((char*)(_t80 + 0x160)) = 0;
				if(_a4 == 0xffff) {
					L6:
					 *((intOrPtr*)( *_t80 + 0x30c))(0);
					_t63 = E000D7EDC(0x19ea58, _t98, E0003F82E(_t80, _t80, _t98, GetParent( *(_t80 + 0x20))));
					if(_t63 != 0) {
						_t75 =  *((intOrPtr*)(_t63 + 0x1b8));
						if( *((intOrPtr*)(_t63 + 0x1b8)) != 0) {
							E000DE1AE(_t75);
						}
					}
					if(( *((intOrPtr*)( *_t80 + 0x1b4))() & 0x00000002) == 0) {
						goto L23;
					} else {
						_t66 =  *((intOrPtr*)(_t80 + 0x1ac));
						if(_t66 != 0 ||  *((intOrPtr*)(_t80 + 0x1b0)) >= _t66) {
							_t99 =  &_v24;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							if(_t66 != 0 && ( *((intOrPtr*)( *_t80 + 0x1b4))() & 0x00000002) != 0) {
								E00100185(_t80 + 0x17c, _t98, 1);
							}
							_v28 = _v28 & 0x00000000;
							 *((intOrPtr*)( *_t80 + 0x31c))();
							_t100 =  *((intOrPtr*)( *_t80 + 0x2b0))( &_v28);
							if(_v28 == 0 && IsRectEmpty( &_v24) == 0 && _t100 != _t80) {
								_t99 = _t103 - 0x10;
								_t100 =  &_v24;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t49 =  *((intOrPtr*)( *_t80 + 0x1f8))(5, 1);
							}
							goto L26;
						} else {
							goto L23;
						}
					}
				}
				_t77 =  *(_t80 + 0x174);
				if(_t77 != 0 && IsWindow(_t77) != 0) {
					DestroyWindow( *(_t80 + 0x174));
				}
				 *(_t80 + 0x174) =  *(_t80 + 0x174) & 0x00000000;
				goto L6;
			}

0x0009f454
0x0009f45c
0x0009f463
0x0009f469
0x0009f46d
0x0009f47c
0x0009f47e
0x0009f5af
0x0009f5b1
0x0009f5fd
0x0009f5fd
0x0009f603
0x0009f60a
0x0009f60c
0x0009f60e
0x0009f612
0x0009f612
0x0009f619
0x0009f61e
0x0009f62c
0x0009f62c
0x0009f5b3
0x0009f5ba
0x00000000
0x00000000
0x0009f5bf
0x0009f5c5
0x0009f5c7
0x00000000
0x00000000
0x0009f5d6
0x0009f5f5
0x00000000
0x0009f5f5
0x0009f484
0x0009f491
0x0009f498
0x0009f4c2
0x0009f4c8
0x0009f4e3
0x0009f4ea
0x0009f4ec
0x0009f4f4
0x0009f4f8
0x0009f4f8
0x0009f4f4
0x0009f509
0x00000000
0x0009f50f
0x0009f50f
0x0009f517
0x0009f52b
0x0009f52e
0x0009f52f
0x0009f530
0x0009f531
0x0009f534
0x0009f54c
0x0009f54c
0x0009f553
0x0009f559
0x0009f571
0x0009f573
0x0009f59c
0x0009f59e
0x0009f5a1
0x0009f5a2
0x0009f5a3
0x0009f5a6
0x0009f5a7
0x0009f5a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0009f517
0x0009f509
0x0009f49a
0x0009f4a2
0x0009f4b5
0x0009f4b5
0x0009f4bb
0x00000000

APIs

ReleaseCapture.USER32 ref: 0009F484
IsWindow.USER32(?), ref: 0009F4A5
DestroyWindow.USER32 ref: 0009F4B5
GetParent.USER32(?), ref: 0009F4D1
IsRectEmpty.USER32 ref: 0009F57D
IsWindowVisible.USER32(?), ref: 0009F5BF
MapWindowPoints.USER32 ref: 0009F5D6
SendMessageW.USER32(?,00000202,?,?), ref: 0009F5F5

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
String ID:
API String ID: 3509494761-0
Opcode ID: 45d2cdb73c3379879658b8847b356b94743e30e9bbb6dd56c959c67e9713545f
Instruction ID: ca621243ba14f45244ed6ad89d0919a34f80a22ce7b0f66501f2e296b6e1334e
Opcode Fuzzy Hash: 45d2cdb73c3379879658b8847b356b94743e30e9bbb6dd56c959c67e9713545f
Instruction Fuzzy Hash: 3D5167312046069BEF119F68D899BBA3BF5AF49301F0900B8F90ADF1A6DB70D944DB60

Uniqueness

Uniqueness Score: -1.00%

Function 000651E9 Relevance: 12.1, APIs: 8, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E000651E9(void* __ebx, struct HWND__* __ecx, void* __edx, void* __eflags, struct tagPOINT _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				void* __edi;
				void* __esi;
				signed int _t27;
				intOrPtr* _t33;
				intOrPtr* _t43;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t58;
				void* _t64;
				intOrPtr* _t65;
				struct HWND__* _t66;
				signed int _t67;

				_t64 = __edx;
				_t55 = __ecx;
				_t52 = __ebx;
				_t27 =  *0x1a0454; // 0x960af5fb
				_v8 = _t27 ^ _t67;
				_t66 = __ecx;
				ScreenToClient( *(__ecx + 0x20),  &_a4);
				_t65 = 0;
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				_t33 = E0004EA25(0x19cffc, E0003F82E(__ebx, _t55, _t64, GetParent( *(_t66 + 0x20))));
				if(_t33 != 0) {
					_push(__ebx);
					_t53 = _t33;
					_t58 = _t33;
					while(1) {
						_t65 = E0005ED49(_t53, _t58, _t64);
						if(_t65 == 0) {
							break;
						}
						_t54 =  *((intOrPtr*)( *_t65 + 0x1c0))();
						GetClientRect( *(_t54 + 0x20),  &_v24);
						MapWindowPoints( *(_t54 + 0x20),  *(_t66 + 0x20),  &_v24, 2);
						_push(_a8);
						if(PtInRect( &_v24, _a4.x) != 0) {
							_t43 = _t54;
						} else {
							_t53 = _t65;
							_t58 = _t65;
							continue;
						}
						L11:
						_pop(_t52);
						goto L12;
					}
					_t65 = E0005ED9A(_t53);
					if(_t65 == 0) {
						L10:
						_t43 = 0;
					} else {
						GetClientRect( *(_t65 + 0x20),  &_v24);
						MapWindowPoints( *(_t65 + 0x20), _t66,  &_v24, 2);
						_push(_a8);
						if(PtInRect( &_v24, _a4) == 0) {
							goto L10;
						} else {
							_t43 = _t65;
						}
					}
					goto L11;
				} else {
					_t43 = 0;
				}
				L12:
				return E00130836(_t43, _t52, _v8 ^ _t67, _t64, _t65, _t66);
			}

0x000651e9
0x000651e9
0x000651e9
0x000651f1
0x000651f8
0x00065200
0x00065206
0x0006520f
0x00065211
0x00065214
0x00065217
0x0006521a
0x0006522f
0x00065238
0x00065241
0x00065242
0x00065244
0x0006528c
0x00065291
0x00065295
0x00000000
0x00000000
0x00065252
0x0006525b
0x0006526e
0x00065274
0x00065286
0x000652dc
0x00065288
0x00065288
0x0006528a
0x00000000
0x0006528a
0x000652e2
0x000652e2
0x00000000
0x000652e2
0x0006529e
0x000652a2
0x000652e0
0x000652e0
0x000652a4
0x000652ab
0x000652be
0x000652c4
0x000652d6
0x00000000
0x000652d8
0x000652d8
0x000652d8
0x000652d6
0x00000000
0x0006523a
0x0006523a
0x0006523a
0x000652e3
0x000652f0

APIs

ScreenToClient.USER32(?,?), ref: 00065206
GetParent.USER32(?), ref: 0006521D
GetClientRect.USER32 ref: 000652AB
MapWindowPoints.USER32 ref: 000652BE
PtInRect.USER32(?,?,?), ref: 000652CE

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ClientRect$ParentPointsScreenWindow
String ID:
API String ID: 1402249346-0
Opcode ID: 77b408a4db3108924b23693adcd7d44360e0f06609bda2848537f93af8f2eea5
Instruction ID: 45b684a2a77d8f5466f4ad61a537c6e729042cbd847ca6982137b0df598a26cf
Opcode Fuzzy Hash: 77b408a4db3108924b23693adcd7d44360e0f06609bda2848537f93af8f2eea5
Instruction Fuzzy Hash: AA313A72600606AFDB11DFA5EC598AEBBFAFF48301B104529F946DB661EB70DA00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0007932D Relevance: 12.1, APIs: 8, Instructions: 75
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0007932D(void* __edx, int _a4) {
				signed int _v8;
				char _v264;
				short _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t17;
				struct HKL__* _t25;
				signed int _t32;
				void* _t40;
				void* _t41;
				void* _t45;
				int _t47;
				void* _t48;
				void* _t51;
				signed int _t55;

				_t45 = __edx;
				_t53 = _t55;
				_t17 =  *0x1a0454; // 0x960af5fb
				_v8 = _t17 ^ _t55;
				_t47 = _a4;
				if(_t47 - 0x60 > 9 || (0x00008000 & GetAsyncKeyState(0x12)) != 0) {
					if( *0x1a3f24 != 0) {
						goto L8;
					} else {
						if(_t47 - 0x41 <= 0x19 || (0x00008000 & GetAsyncKeyState(0x12)) != 0) {
							_t32 = _t47;
						} else {
							_t32 = E001367E6(_t47);
						}
					}
				} else {
					L8:
					E00131B30( &_v268, 0, 4);
					if(GetKeyboardState( &_v264) == 0) {
						E000455E0(_t41);
					}
					_t25 = GetKeyboardLayout( *(E000495BD() + 0x30));
					ToUnicodeEx(_t47, MapVirtualKeyW(_t47, 0),  &_v264,  &_v268, 2, 1, _t25);
					CharUpperW( &_v268);
					_t32 = _v268 & 0x0000ffff;
				}
				_pop(_t48);
				_pop(_t51);
				_pop(_t40);
				return E00130836(_t32, _t40, _v8 ^ _t53, _t45, _t48, _t51);
			}

0x0007932d
0x00079330
0x00079338
0x0007933f
0x0007934b
0x00079359
0x0007936b
0x00000000
0x0007936d
0x00079373
0x0007937e
0x00079382
0x00079383
0x00079388
0x00079373
0x0007938b
0x0007938b
0x00079396
0x000793ad
0x000793af
0x000793af
0x000793bc
0x000793e0
0x000793ed
0x000793f3
0x000793f3
0x000793fd
0x000793fe
0x00079401
0x00079408

APIs

GetAsyncKeyState.USER32 ref: 0007935D
GetAsyncKeyState.USER32 ref: 00079377
_memset.LIBCMT ref: 00079396
GetKeyboardState.USER32(?), ref: 000793A5
GetKeyboardLayout.USER32 ref: 000793BC
MapVirtualKeyW.USER32(?,00000000), ref: 000793D8
ToUnicodeEx.USER32 ref: 000793E0
CharUpperW.USER32 ref: 000793ED

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual_memset
String ID:
API String ID: 3224171628-0
Opcode ID: 314961ec224517184e94e5bfbc73a0ac54c0241566d0e93f5a5ade4e7ae79f27
Instruction ID: 9cba29b06193d2b984b7299d41df6ed776b985b3cfbb5832d9382063d627cef9
Opcode Fuzzy Hash: 314961ec224517184e94e5bfbc73a0ac54c0241566d0e93f5a5ade4e7ae79f27
Instruction Fuzzy Hash: 3A21F371D04209EBEB20AB60DC86FED73BCFB54741F404061FA45D60D1EB74AAC48B64

Uniqueness

Uniqueness Score: -1.00%

Function 0004C016 Relevance: 12.1, APIs: 8, Instructions: 66
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0004C016(void* __ecx, short* _a4) {
				void* _v8;
				void* _t17;
				void* _t23;
				void* _t37;

				_push(__ecx);
				_t37 = __ecx;
				_t17 =  *(__ecx + 0x78);
				if(_t17 != 0) {
					_t17 = lstrcmpW(GlobalLock(_t17) + ( *(_t18 + 2) & 0x0000ffff) * 2, _a4);
					if(_t17 == 0) {
						_t17 = OpenPrinterW(_a4,  &_v8, 0);
						if(_t17 != 0) {
							_t21 =  *(_t37 + 0x74);
							if( *(_t37 + 0x74) != 0) {
								E00051DDC(_t21);
							}
							_t23 = GlobalAlloc(0x42, DocumentPropertiesW(0, _v8, _a4, 0, 0, 0));
							 *(_t37 + 0x74) = _t23;
							if(DocumentPropertiesW(0, _v8, _a4, GlobalLock(_t23), 0, 2) != 1) {
								E00051DDC( *(_t37 + 0x74));
								 *(_t37 + 0x74) = 0;
							}
							_t17 = ClosePrinter(_v8);
						}
					}
				}
				return _t17;
			}

0x0004c01b
0x0004c01d
0x0004c01f
0x0004c027
0x0004c042
0x0004c04a
0x0004c054
0x0004c05b
0x0004c05d
0x0004c062
0x0004c065
0x0004c065
0x0004c07c
0x0004c083
0x0004c09b
0x0004c0a0
0x0004c0a5
0x0004c0a5
0x0004c0ab
0x0004c0ab
0x0004c05b
0x0004c0b0
0x0004c0b4

APIs

GlobalLock.KERNEL32 ref: 0004C035
lstrcmpW.KERNEL32(00000000,?,?,?,?,?,?,000418BD,?), ref: 0004C042
OpenPrinterW.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,000418BD,?), ref: 0004C054
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,000418BD,?), ref: 0004C074
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0004C07C
GlobalLock.KERNEL32 ref: 0004C086
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,000418BD,?), ref: 0004C093
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,000418BD,?), ref: 0004C0AB

Part of subcall function 00051DDC: GlobalFlags.KERNEL32(?), ref: 00051DEB
Part of subcall function 00051DDC: GlobalUnlock.KERNEL32(?,?,?,?,0004C69A,?,00000414,0003802B), ref: 00051DFC
Part of subcall function 00051DDC: GlobalFree.KERNEL32(?), ref: 00051E06

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 87a8bba638937090984b8ac1417c5fbae9f4491d449ccf082839c4b0a8c8a06d
Instruction ID: dbac6ca61e5376bff20181cd6feead5e179cbf0eeb042d861853a47a6d04ff12
Opcode Fuzzy Hash: 87a8bba638937090984b8ac1417c5fbae9f4491d449ccf082839c4b0a8c8a06d
Instruction Fuzzy Hash: 3F114CB1500604FEDB62ABA6DC4ADAF7AFDEB85B41B00042AFA05D6031DB31DD51E764

Uniqueness

Uniqueness Score: -1.00%

Function 000CA4B1 Relevance: 10.7, APIs: 7, Instructions: 242
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E000CA4B1(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, signed long long __fp0) {
				void* _t97;
				struct HDC__* _t100;
				signed int _t102;
				signed int _t105;
				signed int _t106;
				void* _t110;
				struct HDC__* _t114;
				unsigned int _t116;
				signed int _t118;
				signed int _t121;
				void* _t127;
				void* _t128;
				unsigned int _t129;
				signed int _t131;
				signed char _t138;
				signed char _t147;
				signed char _t152;
				signed char _t158;
				int _t166;
				unsigned int _t181;
				signed int _t192;
				signed int _t193;
				int _t197;
				intOrPtr _t201;
				void* _t203;
				signed long long* _t204;
				signed long long _t210;

				_t210 = __fp0;
				_t193 = __edx;
				_push(0x54);
				E00131A19(0x14ee4b, __ebx, __edi, __esi);
				_t197 =  *((intOrPtr*)(_t203 + 0x14)) -  *(_t203 + 0xc);
				_t201 = __ecx;
				 *((intOrPtr*)(_t203 - 0x40)) = __ecx;
				 *(_t203 - 0x50) = _t197;
				if(_t197 <= 0) {
					L38:
					_t97 = 1;
				} else {
					_t166 =  *((intOrPtr*)(_t203 + 0x10)) -  *(_t203 + 8);
					 *(_t203 - 0x1c) = _t166;
					if(_t166 <= 0) {
						goto L38;
					} else {
						if( *0x1a3b44 > 8) {
							E00045EC1(_t203 - 0x34);
							_t100 =  *(__ecx + 4);
							 *(_t203 - 4) =  *(_t203 - 4) & 0x00000000;
							__eflags = _t100;
							if(_t100 != 0) {
								_t100 =  *(_t100 + 4);
							}
							_t102 = E000464F6(_t166, _t203 - 0x34, _t193, _t197, CreateCompatibleDC(_t100));
							__eflags = _t102;
							if(_t102 != 0) {
								 *(_t203 - 0x14) =  *(_t203 - 0x14) & 0x00000000;
								 *((intOrPtr*)(_t203 - 0x18)) = 0x159fa0;
								 *(_t203 - 4) = 1;
								_t105 = E000467CA(_t166, _t203 - 0x18, _t193, _t197, CreateCompatibleBitmap( *( *(_t201 + 4) + 4), _t166, _t197));
								__eflags = _t105;
								if(_t105 != 0) {
									_t106 = E00046881( *(_t203 - 0x30),  *(_t203 - 0x14));
									__eflags = _t106;
									_t173 = 0 | __eflags != 0x00000000;
									 *(_t203 - 0x4c) = _t106;
									if(__eflags == 0) {
										E000455E0(_t173);
									}
									 *(_t203 - 0x3c) = _t166;
									 *(_t203 - 0x38) = _t197;
									_t110 = E000C9034(_t203 - 0x3c, _t203 - 0x10);
									 *(_t203 - 0x38) = _t110;
									__eflags = _t110;
									if(_t110 == 0) {
										goto L9;
									} else {
										__eflags =  *(_t203 - 0x10);
										if( *(_t203 - 0x10) == 0) {
											goto L9;
										} else {
											SelectObject( *(_t203 - 0x30), _t110);
											_t114 =  *(_t201 + 4);
											__eflags = _t114;
											if(_t114 != 0) {
												_t114 =  *(_t114 + 4);
											}
											BitBlt( *(_t203 - 0x30), 0, 0, _t166, _t197, _t114,  *(_t203 + 8),  *(_t203 + 0xc), 0xcc0020);
											_t116 =  *(_t203 + 0x1c);
											__eflags = _t116 - 0xffffffff;
											if(_t116 != 0xffffffff) {
												_t193 = (_t116 & 0x000000ff) << 8;
												_t192 = (_t116 >> 0x00000008 & 0x000000ff | _t193) << 0x00000008 | _t116 >> 0x00000010 & 0x000000ff;
												__eflags = _t192;
												 *(_t203 + 0x1c) = _t192;
											}
											__eflags =  *(_t203 + 0x20) - 0xffffffff;
											if( *(_t203 + 0x20) == 0xffffffff) {
												_t158 =  *0x1a39b4; // 0xffffff
												 *(_t203 + 0x20) = _t158;
											}
											_t118 = _t197 *  *(_t203 - 0x1c);
											__eflags = _t118;
											if(_t118 > 0) {
												 *(_t203 - 0x24) = _t118;
												do {
													_t127 =  *( *(_t203 - 0x10));
													__eflags = _t127 -  *(_t203 + 0x1c);
													if(_t127 !=  *(_t203 + 0x1c)) {
														_t128 = E000C9611(_t127, _t203 - 0x60, _t203 - 0x48, _t203 - 0x58);
														asm("fldz");
														_t204 = _t204 - 0x18;
														_t204[2] = _t210;
														_t204[1] =  *(_t203 - 0x58);
														_t210 =  *(_t203 - 0x60);
														 *_t204 = _t210;
														_t129 = E000C93E5(_t128);
														__eflags =  *((intOrPtr*)(_t203 + 0x18)) - 0xffffffff;
														_t181 = _t129;
														if( *((intOrPtr*)(_t203 + 0x18)) != 0xffffffff) {
															asm("fild dword [ebp+0x18]");
															_t204 = _t204 - 0x18;
															_t210 = _t210 *  *0x164450;
															asm("fst qword [esp+0x10]");
															asm("fst qword [esp+0x8]");
															 *_t204 = _t210;
															_push(_t181);
															_t131 = E000C91C4(_t181) | 0xff000000;
															__eflags = _t131;
														} else {
															asm("cdq");
															_t138 = (( *(_t203 + 0x20) >> 0x00000010 & 0x000000ff) - (_t181 & 0x000000ff) - _t193 >> 1) + (_t181 & 0x000000ff);
															 *(_t203 - 0x44) = 0xff;
															__eflags = _t138 - 0xff;
															if(_t138 <= 0xff) {
																 *(_t203 - 0x44) = _t138;
															}
															asm("cdq");
															_t147 = (( *(_t203 + 0x20) >> 0x00000008 & 0x000000ff) - (_t181 >> 0x00000008 & 0x000000ff) - _t193 >> 1) + (_t181 >> 0x00000008 & 0x000000ff);
															 *(_t203 - 0x20) = 0xff;
															__eflags = _t147 - 0xff;
															if(_t147 <= 0xff) {
																 *(_t203 - 0x20) = _t147;
															}
															asm("cdq");
															_t152 = (( *(_t203 + 0x20) & 0x000000ff) - (_t181 >> 0x00000010 & 0x000000ff) - _t193 >> 1) + (_t181 >> 0x00000010 & 0x000000ff);
															__eflags = _t152 - 0xff;
															if(_t152 > 0xff) {
																_t152 = 0xff;
															}
															_t197 =  *(_t203 - 0x50);
															_t131 = ((_t152 & 0x000000ff | 0xffffff00) << 0x00000008 |  *(_t203 - 0x20) & 0x000000ff) << 0x00000008 |  *(_t203 - 0x44) & 0x000000ff;
														}
														 *( *(_t203 - 0x10)) = _t131;
													}
													 *(_t203 - 0x10) =  *(_t203 - 0x10) + 4;
													_t75 = _t203 - 0x24;
													 *_t75 =  *(_t203 - 0x24) - 1;
													__eflags =  *_t75;
												} while ( *_t75 != 0);
												_t201 =  *((intOrPtr*)(_t203 - 0x40));
											}
											BitBlt( *( *(_t201 + 4) + 4),  *(_t203 + 8),  *(_t203 + 0xc),  *(_t203 - 0x1c), _t197,  *(_t203 - 0x30), 0, 0, 0xcc0020);
											_t121 =  *(_t203 - 0x4c);
											__eflags = _t121;
											if(_t121 != 0) {
												_t121 =  *(_t121 + 4);
											}
											E00046881( *(_t203 - 0x30), _t121);
											DeleteObject( *(_t203 - 0x38));
											 *(_t203 - 4) = 0;
											 *((intOrPtr*)(_t203 - 0x18)) = 0x159fa0;
											E00031420(_t203 - 0x18, _t193);
											_t91 = _t203 - 4;
											 *_t91 =  *(_t203 - 4) | 0xffffffff;
											__eflags =  *_t91;
											E00046577(_t203 - 0x34);
											goto L38;
										}
									}
								} else {
									L9:
									 *(_t203 - 4) = 0;
									 *((intOrPtr*)(_t203 - 0x18)) = 0x159fa0;
									E00031420(_t203 - 0x18, _t193);
									goto L7;
								}
							} else {
								L7:
								 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
								E00046577(_t203 - 0x34);
								_t97 = 0;
							}
						} else {
							E0009755D( *(__ecx + 4), _t203 + 8);
							goto L38;
						}
					}
				}
				return E00131AF1(_t97);
			}

0x000ca4b1
0x000ca4b1
0x000ca4b1
0x000ca4b8
0x000ca4c0
0x000ca4c3
0x000ca4c5
0x000ca4c8
0x000ca4cd
0x000ca783
0x000ca785
0x000ca4d3
0x000ca4d6
0x000ca4d9
0x000ca4de
0x00000000
0x000ca4e4
0x000ca4eb
0x000ca501
0x000ca506
0x000ca509
0x000ca50d
0x000ca50f
0x000ca511
0x000ca511
0x000ca51f
0x000ca524
0x000ca526
0x000ca53b
0x000ca53f
0x000ca54e
0x000ca55c
0x000ca561
0x000ca563
0x000ca580
0x000ca587
0x000ca589
0x000ca58c
0x000ca593
0x000ca595
0x000ca595
0x000ca5a2
0x000ca5a5
0x000ca5a8
0x000ca5ad
0x000ca5b0
0x000ca5b2
0x00000000
0x000ca5b4
0x000ca5b4
0x000ca5b8
0x00000000
0x000ca5ba
0x000ca5be
0x000ca5c4
0x000ca5c7
0x000ca5c9
0x000ca5cb
0x000ca5cb
0x000ca5e9
0x000ca5eb
0x000ca5ee
0x000ca5f1
0x000ca5fe
0x000ca60c
0x000ca60c
0x000ca60e
0x000ca60e
0x000ca611
0x000ca615
0x000ca617
0x000ca61c
0x000ca61c
0x000ca621
0x000ca625
0x000ca627
0x000ca62d
0x000ca635
0x000ca638
0x000ca63a
0x000ca63d
0x000ca650
0x000ca655
0x000ca657
0x000ca65a
0x000ca661
0x000ca665
0x000ca668
0x000ca66b
0x000ca670
0x000ca674
0x000ca676
0x000ca6f3
0x000ca6f6
0x000ca6f9
0x000ca6ff
0x000ca703
0x000ca707
0x000ca70a
0x000ca710
0x000ca710
0x000ca678
0x000ca686
0x000ca68b
0x000ca68d
0x000ca690
0x000ca692
0x000ca694
0x000ca694
0x000ca6aa
0x000ca6af
0x000ca6b1
0x000ca6b4
0x000ca6b6
0x000ca6b8
0x000ca6b8
0x000ca6c7
0x000ca6cc
0x000ca6ce
0x000ca6d0
0x000ca6d2
0x000ca6d2
0x000ca6d8
0x000ca6ef
0x000ca6ef
0x000ca718
0x000ca718
0x000ca71a
0x000ca71e
0x000ca71e
0x000ca71e
0x000ca71e
0x000ca727
0x000ca727
0x000ca746
0x000ca748
0x000ca74b
0x000ca74d
0x000ca74f
0x000ca74f
0x000ca756
0x000ca75e
0x000ca767
0x000ca76b
0x000ca772
0x000ca777
0x000ca777
0x000ca777
0x000ca77e
0x00000000
0x000ca77e
0x000ca5b8
0x000ca565
0x000ca565
0x000ca568
0x000ca56c
0x000ca573
0x00000000
0x000ca573
0x000ca528
0x000ca528
0x000ca528
0x000ca52f
0x000ca534
0x000ca534
0x000ca4ed
0x000ca4f4
0x00000000
0x000ca4f4
0x000ca4eb
0x000ca4de
0x000ca78b

APIs

__EH_prolog3.LIBCMT ref: 000CA4B8
CreateCompatibleDC.GDI32(?), ref: 000CA515

Part of subcall function 0009755D: FillRect.USER32 ref: 00097571

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CompatibleCreateFillH_prolog3Rect
String ID:
API String ID: 2215992850-0
Opcode ID: 583e500eff850420a652474ef5415d99443903094f7dafcbd1d229b77f8e7df6
Instruction ID: 39d840ce485d19cd150648a2c9a8f3b308f4c3476a0bba052cd60dac8749d4d1
Opcode Fuzzy Hash: 583e500eff850420a652474ef5415d99443903094f7dafcbd1d229b77f8e7df6
Instruction Fuzzy Hash: 69919871A0060ADBCB14DFA8CD8AAEEBBF5FF49305F044229F461E6291DB34D905DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0007032A Relevance: 10.7, APIs: 7, Instructions: 176
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0007032A(int __ebx, int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HMENU__* _t84;
				int _t86;
				int _t89;
				int _t92;
				void* _t93;
				int _t96;
				int _t131;
				intOrPtr _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t139;
				void* _t158;
				void* _t162;

				_t137 = __eflags;
				_t129 = __edx;
				_t111 = __ebx;
				_push(0x1f4);
				E00131A82(0x14ade7, __ebx, __edi, __esi);
				_t133 =  *((intOrPtr*)(_t136 + 8));
				_t131 = __ecx;
				_push(__ecx);
				_push(_t133);
				_t113 = __ecx + 0x33c;
				 *(_t136 - 0x1e8) = __ecx;
				 *((intOrPtr*)(_t136 - 0x1ec)) = _t133;
				if(E000AB88C(__ebx, __ecx + 0x33c, __edx, __ecx, _t133, _t137, _t162) == 0) {
					L35:
					return E00131B05(_t111, _t131, _t133);
				}
				_t111 = 0;
				_t139 =  *0x1a3f04 - _t111; // 0x0
				if(_t139 != 0 ||  *((intOrPtr*)(_t131 + 0x118)) == 0) {
					L30:
					if(_t133 == _t111 ||  *((intOrPtr*)(_t133 + 0xebc)) == _t111) {
						_t131 =  *(_t136 - 0x1e8);
						goto L34;
					} else {
						goto L35;
					}
				} else {
					if(_t133 == 0) {
						L34:
						 *((intOrPtr*)( *_t131 + 0x1dc))(_t133);
						goto L35;
					}
					_t84 =  *(_t133 + 0xea8);
					 *(_t136 - 0x1f0) = _t84;
					if(_t84 == 0) {
						goto L30;
					} else {
						_t131 = GetMenuItemCount;
						_t134 = 0;
						 *(_t136 - 0x1f4) = GetMenuItemCount(_t84);
						 *(_t136 - 0x1e4) = 0;
						while(1) {
							_t86 =  *(_t136 - 0x1e4);
							if(_t86 >=  *(_t136 - 0x1f4)) {
								break;
							}
							GetMenuItemID( *(_t136 - 0x1f0), _t86);
							_t113 = 0xf;
							asm("sbb esi, esi");
							_t134 = _t134 + 1;
							 *(_t136 - 0x1e4) = 1 +  *(_t136 - 0x1e4);
							if(_t134 == _t111) {
								continue;
							}
							break;
						}
						_t147 = _t134 - _t111;
						if(_t134 == _t111) {
							L29:
							_t133 =  *((intOrPtr*)(_t136 - 0x1ec));
							goto L30;
						}
						_t135 = E00050E3E(_t111, _t113, _t129, _t131, _t134, _t147,  *((intOrPtr*)( *(_t136 - 0x1e8) + 0x118)));
						if(_t135 == _t111) {
							goto L29;
						}
						_t89 = GetMenuItemCount( *(_t135 + 4));
						 *(_t136 - 0x1fc) = _t89;
						 *(_t136 - 0x1f0) = 1;
						 *(_t136 - 0x1f4) = _t111;
						 *(_t136 - 0x1e4) = _t111;
						if(_t89 <= _t111) {
							L23:
							_t91 =  *((intOrPtr*)( *(_t136 - 0x1e8) + 0x11c));
							if( *((intOrPtr*)( *(_t136 - 0x1e8) + 0x11c)) != _t111 && ( *(_t136 - 0x1f4) != _t111 ||  *((intOrPtr*)( *(_t136 - 0x1e8) + 0x12c)) != _t111)) {
								_t158 =  *0x19cec8 - _t111; // 0x0
								if(_t158 != 0) {
									E0005A93A(_t91);
								}
								_t92 =  *(_t136 - 0x1e8);
								_push(_t111);
								_push( *((intOrPtr*)(_t92 + 0x114)));
								_push(0xffffffff);
								_push(_t111);
								_push( *((intOrPtr*)(_t92 + 0x11c)));
								_t93 = E000A3EAA(_t111, _t136 - 0x1e0, _t131, _t135, _t158);
								_push(0xffffffff);
								_push(_t93);
								 *(_t136 - 4) = 2;
								E0005EDD2();
								 *(_t136 - 4) =  *(_t136 - 4) | 0xffffffff;
								E000A2BFD(_t111, _t136 - 0x1e0, _t129, _t131, _t135,  *(_t136 - 4));
							}
							goto L29;
						}
						_t131 = 0x400;
						do {
							_t96 = GetMenuItemID( *(_t135 + 4),  *(_t136 - 0x1e4));
							 *(_t136 - 0x200) = _t96;
							if(_t96 >= 0xff00 && _t96 != 0xffffffff) {
								if( *((intOrPtr*)( *(_t136 - 0x1e8) + 0x11c)) == _t111 || _t96 != 0xff09) {
									__eflags =  *(_t136 - 0x1f0) - _t111;
									if( *(_t136 - 0x1f0) != _t111) {
										_push(0xffffffff);
										E0005EDEA();
										 *(_t136 - 0x1f0) = _t111;
										SendMessageW( *( *(_t136 - 0x1e8) + 0x110), 0x234, _t111, _t111);
									}
									E00031110(_t136 - 0x1f8, E00045761());
									 *(_t136 - 4) = _t111;
									E00050F12(_t111, _t135,  *(_t136 - 0x1e4), _t136 - 0x1f8, _t131);
									_push(_t111);
									_push( *((intOrPtr*)(_t136 - 0x1f8)));
									_push(0xffffffff);
									_push(_t111);
									_push( *(_t136 - 0x200));
									E000A3EAA(_t111, _t136 - 0xf8, _t131, _t135, __eflags);
									 *(_t136 - 4) = 1;
									__eflags = GetMenuState( *(_t135 + 4),  *(_t136 - 0x1e4), _t131) & 0x00000008;
									if(__eflags != 0) {
										_t45 = _t136 - 0xd4;
										 *_t45 =  *(_t136 - 0xd4) | 0x00010000;
										__eflags =  *_t45;
									}
									_push(0xffffffff);
									_push(_t136 - 0xf8);
									E0005EDD2();
									 *(_t136 - 4) = _t111;
									E000A2BFD(_t111, _t136 - 0xf8, _t129, _t131, _t135, __eflags);
									 *(_t136 - 4) =  *(_t136 - 4) | 0xffffffff;
									__eflags =  *((intOrPtr*)(_t136 - 0x1f8)) + 0xfffffff0;
									E00031190( *((intOrPtr*)(_t136 - 0x1f8)) + 0xfffffff0, _t129);
								} else {
									 *(_t136 - 0x1f4) = 1;
								}
							}
							 *(_t136 - 0x1e4) = 1 +  *(_t136 - 0x1e4);
						} while ( *(_t136 - 0x1e4) <  *(_t136 - 0x1fc));
						goto L23;
					}
				}
			}

0x0007032a
0x0007032a
0x0007032a
0x0007032a
0x00070334
0x00070339
0x0007033c
0x0007033e
0x0007033f
0x00070340
0x00070346
0x0007034c
0x00070359
0x00070604
0x00070609
0x00070609
0x0007035f
0x00070361
0x00070367
0x000705e2
0x000705e4
0x000705f3
0x00000000
0x000705ee
0x00000000
0x000705f0
0x00070379
0x0007037b
0x000705f9
0x000705fe
0x00000000
0x000705fe
0x00070381
0x00070387
0x0007038f
0x00000000
0x00070395
0x00070395
0x0007039c
0x000703a0
0x000703a6
0x000703ac
0x000703ac
0x000703b8
0x00000000
0x00000000
0x000703c1
0x000703ce
0x000703d1
0x000703d3
0x000703d4
0x000703dc
0x00000000
0x00000000
0x00000000
0x000703dc
0x000703de
0x000703e0
0x000705dc
0x000705dc
0x00000000
0x000705dc
0x000703f7
0x000703fb
0x00000000
0x00000000
0x00070404
0x00070406
0x0007040c
0x00070416
0x0007041c
0x00070424
0x00070562
0x00070568
0x00070570
0x00070588
0x0007058e
0x00070591
0x00070591
0x00070596
0x000705a2
0x000705a3
0x000705a4
0x000705a6
0x000705a7
0x000705b3
0x000705be
0x000705c0
0x000705c1
0x000705c8
0x000705cd
0x000705d7
0x000705d7
0x00000000
0x00070570
0x0007042a
0x0007042f
0x00070438
0x0007043e
0x00070449
0x00070464
0x0007047c
0x00070482
0x0007048a
0x0007048c
0x000704a4
0x000704aa
0x000704aa
0x000704bc
0x000704d1
0x000704d4
0x000704d9
0x000704da
0x000704e6
0x000704e8
0x000704e9
0x000704ef
0x000704fb
0x00070508
0x0007050a
0x0007050c
0x0007050c
0x0007050c
0x0007050c
0x0007051c
0x00070524
0x00070525
0x00070530
0x00070533
0x0007053e
0x00070542
0x00070545
0x0007046d
0x0007046d
0x0007046d
0x00070464
0x0007054a
0x00070556
0x00000000
0x0007042f
0x0007038f

APIs

__EH_prolog3_GS.LIBCMT ref: 00070334

Part of subcall function 000AB88C: __EH_prolog3.LIBCMT ref: 000AB893

GetMenuItemCount.USER32(?), ref: 0007039E
GetMenuItemID.USER32(?,?), ref: 000703C1
GetMenuItemCount.USER32(?), ref: 00070404
GetMenuItemID.USER32(?,?), ref: 00070438
SendMessageW.USER32(?,00000234,00000000,00000000), ref: 000704AA
GetMenuState.USER32(?,?,00000400), ref: 00070502

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Menu$Item$Count$H_prolog3H_prolog3_MessageSendState
String ID:
API String ID: 999183886-0
Opcode ID: f917f83cc0c4b6461d87a0b1be5d88cd72c6f6edf62e1060718e1ecc9e07eb85
Instruction ID: 21a1ec13fe83fff8c84951e2557a748698b30132741285761143bf221f5b3907
Opcode Fuzzy Hash: f917f83cc0c4b6461d87a0b1be5d88cd72c6f6edf62e1060718e1ecc9e07eb85
Instruction Fuzzy Hash: 57715871D0026ADBCF649F54CD85AEEB7B5AB05314F1482EAE92DA7292CB345F81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0005712B Relevance: 10.6, APIs: 7, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0005712B(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t43;
				intOrPtr _t45;
				void* _t46;
				intOrPtr _t50;
				signed int _t54;
				intOrPtr _t60;
				intOrPtr* _t74;
				intOrPtr _t88;
				signed int _t92;

				_t85 = __edx;
				_t43 =  *0x1a0454; // 0x960af5fb
				_v8 = _t43 ^ _t92;
				_t45 = _a4;
				_t74 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xb04)) != 0) {
					L13:
					_t46 = 0;
					__eflags = 0;
					L14:
					return E00130836(_t46, _t74, _v8 ^ _t92, _t85, _t86, _t90);
				}
				_t94 =  *((intOrPtr*)(__ecx + 0xb44));
				if( *((intOrPtr*)(__ecx + 0xb44)) != 0) {
					goto L13;
				}
				_push(_t45);
				_t90 = E0009D631(__ecx, __ecx, __edx, _t86, _t90, _t94);
				if(_t90 == 0) {
					goto L13;
				}
				_t50 =  *((intOrPtr*)(_t90->left + 0x10))(_t74);
				_t86 = _t50;
				 *((intOrPtr*)(_t90->left + 4))(1);
				if(_t50 == 0) {
					goto L13;
				}
				_t54 = _a8 & 0x00000008;
				_v28 = _t54;
				 *(_t74 + 0xb2c) = _t54;
				if( *((intOrPtr*)(_t74 + 0xc98)) == 0) {
					_t83 =  *(_t74 + 0xb80);
					 *(_t74 + 0xb80) =  *(_t74 + 0xb80) | 0xffffffff;
					if( *(_t74 + 0xb80) != 0xffffffff) {
						E00056CF9(_t74, __edx, _t83);
						UpdateWindow( *(_t74 + 0x20));
					}
				}
				_t85 =  *_t74;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t88 =  *((intOrPtr*)( *_t74 + 0x3dc))(_a12, _a16, _t74 + 0xc58);
				_t90 = _t74 + 0xc58;
				_v32 = _t88;
				if(EqualRect( &_v24, _t74 + 0xc58) == 0) {
					 *((intOrPtr*)(_t74 + 0xb8c)) = _t88;
					InflateRect( &_v24, 2, 2);
					InvalidateRect( *(_t74 + 0x20),  &_v24, 1);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					InflateRect( &_v24, 2, 2);
					InvalidateRect( *(_t74 + 0x20), _t74 + 0xc58, 1);
					UpdateWindow( *(_t74 + 0x20));
				}
				_t86 =  *((intOrPtr*)(_t74 + 0xb7c));
				_t60 =  *((intOrPtr*)( *_t74 + 0x390))(_a12, _a16);
				 *((intOrPtr*)(_t74 + 0xb7c)) = _t60;
				if( *((intOrPtr*)(_t74 + 0xb7c)) != _t60) {
					_t85 =  *_t74;
					 *((intOrPtr*)( *_t74 + 0x3b0))(_t60);
				}
				_t46 = 0;
				if(_v32 != 0xffffffff) {
					_t46 = (0 | _v28 == 0x00000000) + 1;
				}
				goto L14;
			}

0x0005712b
0x00057133
0x0005713a
0x0005713d
0x00057141
0x0005714c
0x0005728e
0x0005728e
0x0005728e
0x00057290
0x0005729e
0x0005729e
0x00057152
0x00057159
0x00000000
0x00000000
0x0005715f
0x00057165
0x00057169
0x00000000
0x00000000
0x00057174
0x00057177
0x0005717f
0x00057184
0x00000000
0x00000000
0x0005718d
0x00057197
0x0005719a
0x000571a0
0x000571a2
0x000571a8
0x000571b2
0x000571b7
0x000571bf
0x000571bf
0x000571b2
0x000571c5
0x000571d2
0x000571d3
0x000571d8
0x000571de
0x000571e5
0x000571e7
0x000571f2
0x000571fd
0x00057207
0x0005720d
0x0005721c
0x00057225
0x00057226
0x00057229
0x00057230
0x00057231
0x00057243
0x0005724c
0x0005724c
0x0005725a
0x00057262
0x00057268
0x00057270
0x00057272
0x00057277
0x00057277
0x0005727d
0x00057283
0x0005728b
0x0005728b
0x00000000

APIs

Part of subcall function 0009D631: __EH_prolog3_catch.LIBCMT ref: 0009D638

UpdateWindow.USER32 ref: 000571BF
EqualRect.USER32 ref: 000571F5
InflateRect.USER32 ref: 0005720D
InvalidateRect.USER32(?,?,00000001), ref: 0005721C
InflateRect.USER32 ref: 00057231
InvalidateRect.USER32(?,?,00000001), ref: 00057243
UpdateWindow.USER32 ref: 0005724C

Part of subcall function 00056CF9: InvalidateRect.USER32(?,?,00000001), ref: 00056D6E
Part of subcall function 00056CF9: InflateRect.USER32 ref: 00056DB4
Part of subcall function 00056CF9: RedrawWindow.USER32(?,?,00000000,00000401), ref: 00056DC7

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
String ID:
API String ID: 1041772997-0
Opcode ID: f33d0a73a945001605383ad8d7dd98a8dbf457a58dc207d2cdade2123e25011d
Instruction ID: b573f86a156a2c403fb1006df79d33b702b3027121814d3f1c0361209877dc2d
Opcode Fuzzy Hash: f33d0a73a945001605383ad8d7dd98a8dbf457a58dc207d2cdade2123e25011d
Instruction Fuzzy Hash: 44418971600205DFCB11CF68D889BAA7BA9FF48312F140279FD09DF296DB319945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0007A276 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0007A276(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t47;
				long _t48;
				void* _t108;
				void* _t115;
				void* _t116;

				_t108 = __edx;
				_t81 = __ebx;
				_push(0x80);
				E00131A4C(0x14b56d, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t116 - 0x1c)) = __ecx;
				_t47 = E00055658( *((intOrPtr*)(_t116 + 0xc)));
				_t118 = _t47;
				if(_t47 == 0) {
					L6:
					_t48 = 0;
					__eflags = 0;
				} else {
					 *(_t116 - 0x20) = 0;
					 *((intOrPtr*)(_t116 - 0x24)) = __ecx + 4;
					if(E0007A01A(__ecx + 4, _t118, _t116 + 8, _t116 - 0x20) != 0) {
						CloseHandle( *(_t116 - 0x20));
					}
					E00031110(_t116 - 0x18, E00045761());
					 *((intOrPtr*)(_t116 - 4)) = 0;
					GetTempPathW(0x104, E000312F0(_t116 - 0x18, 0x104));
					E000361B0(_t81, _t116 - 0x18, 0, 0xffffffff);
					E00031110(_t116 - 0x14, E00045761());
					 *((char*)(_t116 - 4)) = 1;
					GetTempFileNameW( *(_t116 - 0x18), "AFX", 0, E000312F0(_t116 - 0x14, 0x104));
					E000361B0(1, _t116 - 0x14, 0, 0xffffffff);
					_t115 = CreateFileW( *(_t116 - 0x14), 0xc0000000, 0, 0, 2, 0x4000100, 0);
					 *(_t116 - 0x20) = _t115;
					_t120 = _t115 - 0xffffffff;
					if(_t115 == 0xffffffff) {
						E00031190( &(( *(_t116 - 0x14))[0xfffffffffffffff8]), _t108);
						__eflags =  &(( *(_t116 - 0x18))[0xfffffffffffffff8]);
						E00031190( &(( *(_t116 - 0x18))[0xfffffffffffffff8]), _t108);
						goto L6;
					} else {
						 *((char*)(_t116 - 4)) = 2;
						E0004A54C(_t116 - 0x44, _t120, _t115);
						 *((char*)(_t116 - 4)) = 3;
						E0004D953(1, _t116 - 0x8c, _t108, 0, _t115, _t120);
						_t109 = _t116 - 0x8c;
						 *((intOrPtr*)( *((intOrPtr*)(_t116 - 0x1c)) + 0x20)) = 1;
						 *((char*)(_t116 - 4)) = 4;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t116 + 0xc)))) + 8))(_t116 - 0x8c, _t116 - 0x44, 0, 0x1000, 0);
						E0004D288(_t116 - 0x8c);
						 *((intOrPtr*)( *((intOrPtr*)(_t116 - 0x1c)) + 0x20)) = 0;
						 *((char*)(_t116 - 4)) = 3;
						E0004D911(1, _t116 - 0x8c, _t116 - 0x8c, 0, _t115, _t120);
						 *((char*)(_t116 - 4)) = 2;
						E0004A691(1, _t116 - 0x44, _t116 - 0x8c, 0, _t115, _t120);
						 *((intOrPtr*)(_t116 - 4)) = 1;
						 *(E0007A171( *((intOrPtr*)(_t116 - 0x24)), _t109, _t120, _t116 + 8)) = _t115;
						E00031190( &(( *(_t116 - 0x14))[0xfffffffffffffff8]), _t109);
						E00031190( &(( *(_t116 - 0x18))[0xfffffffffffffff8]), _t109);
						_t48 = 1;
					}
				}
				return E00131AF1(_t48);
			}

0x0007a276
0x0007a276
0x0007a276
0x0007a280
0x0007a287
0x0007a28d
0x0007a292
0x0007a294
0x0007a418
0x0007a418
0x0007a418
0x0007a29a
0x0007a2a7
0x0007a2aa
0x0007a2b4
0x0007a2b9
0x0007a2b9
0x0007a2c8
0x0007a2d6
0x0007a2e0
0x0007a2eb
0x0007a2f9
0x0007a305
0x0007a317
0x0007a322
0x0007a33f
0x0007a341
0x0007a344
0x0007a347
0x0007a408
0x0007a410
0x0007a413
0x00000000
0x0007a34d
0x0007a351
0x0007a355
0x0007a36b
0x0007a36f
0x0007a37a
0x0007a380
0x0007a386
0x0007a38a
0x0007a393
0x0007a3a1
0x0007a3a4
0x0007a3a8
0x0007a3b0
0x0007a3b4
0x0007a3c0
0x0007a3ce
0x0007a3d0
0x0007a3db
0x0007a3e0
0x0007a3e0
0x0007a347
0x0007a41f

APIs

__EH_prolog3_catch.LIBCMT ref: 0007A280
CloseHandle.KERNEL32(000CC8D0), ref: 0007A2B9
GetTempPathW.KERNEL32(00000104,00000000), ref: 0007A2E0
GetTempFileNameW.KERNEL32(000000FF,AFX,00000000,00000000,00000104,00000000,000000FF,?,00000000), ref: 0007A317
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000), ref: 0007A339

Strings

AFX, xrefs: 0007A30F

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: FileTemp$CloseCreateH_prolog3_catchHandleNamePath
String ID: AFX
API String ID: 1737446630-1300893600
Opcode ID: ec825a8d8682f00a6aab652cf74a086286f5ebe82ab3263bb06743e2da72a843
Instruction ID: 971dc119a7b5bcda635d140a94e4a295cc8b270396d3492b67def92d68feb120
Opcode Fuzzy Hash: ec825a8d8682f00a6aab652cf74a086286f5ebe82ab3263bb06743e2da72a843
Instruction Fuzzy Hash: 1F418B70900109EFCB01EBA4CD56EEEBBB8AF59310F108269F915B72E2DB305A45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0003F2C7 Relevance: 10.6, APIs: 7, Instructions: 117
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0003F2C7(intOrPtr* __ecx, void* __edx, signed int _a4) {
				int _v8;
				int _v12;
				int _v16;
				struct tagMSG* _v20;
				struct HWND__* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t48;
				struct tagMSG* _t49;
				signed int _t51;
				void* _t54;
				void* _t56;
				int _t59;
				long _t62;
				signed int _t66;
				void* _t69;
				intOrPtr* _t71;
				void* _t73;
				intOrPtr* _t75;

				_t73 = __edx;
				_t70 = __ecx;
				_t75 = __ecx;
				_v16 = 1;
				_v12 = 0;
				if((_a4 & 0x00000004) == 0) {
					L2:
					_v8 = 0;
					L3:
					_t48 = GetParent( *(_t75 + 0x20));
					 *(_t75 + 0x58) =  *(_t75 + 0x58) | 0x00000018;
					_v24 = _t48;
					_t49 = E000495C6(_t77);
					_t69 = UpdateWindow;
					_v20 = _t49;
					while(1) {
						_t78 = _v16;
						if(_v16 == 0) {
							goto L15;
						}
						while(1) {
							L15:
							_t51 = E00049B57(_t70, _t73, 0, _t75, _t78);
							if(_t51 == 0) {
								break;
							}
							if(_v8 != 0) {
								_t59 = _v20->message;
								if(_t59 == 0x118 || _t59 == 0x104) {
									E00043582(_t75, 1);
									UpdateWindow( *(_t75 + 0x20));
									_v8 = 0;
								}
							}
							_t71 = _t75;
							_t54 =  *((intOrPtr*)( *_t75 + 0x88))();
							_t83 = _t54;
							if(_t54 == 0) {
								_t45 = _t75 + 0x58;
								 *_t45 =  *(_t75 + 0x58) & 0xffffffe7;
								__eflags =  *_t45;
								return  *((intOrPtr*)(_t75 + 0x60));
							} else {
								_push(_v20);
								_t56 = E000499C0(_t69, _t71, 0, _t75, _t83);
								_pop(_t70);
								if(_t56 != 0) {
									_v16 = 1;
									_v12 = 0;
								}
								if(PeekMessageW(_v20, 0, 0, 0, 0) == 0) {
									while(1) {
										_t78 = _v16;
										if(_v16 == 0) {
											goto L15;
										}
										goto L4;
									}
								}
								continue;
							}
						}
						_push(0);
						E0004BE0C();
						return _t51 | 0xffffffff;
						L4:
						__eflags = PeekMessageW(_v20, 0, 0, 0, 0);
						if(__eflags != 0) {
							goto L15;
						} else {
							__eflags = _v8;
							if(_v8 != 0) {
								_t70 = _t75;
								E00043582(_t75, 1);
								UpdateWindow( *(_t75 + 0x20));
								_v8 = 0;
							}
							__eflags = _a4 & 0x00000001;
							if((_a4 & 0x00000001) == 0) {
								__eflags = _v24;
								if(_v24 != 0) {
									__eflags = _v12;
									if(_v12 == 0) {
										SendMessageW(_v24, 0x121, 0,  *(_t75 + 0x20));
									}
								}
							}
							__eflags = _a4 & 0x00000002;
							if(__eflags != 0) {
								L13:
								_v16 = 0;
								continue;
							} else {
								_t62 = SendMessageW( *(_t75 + 0x20), 0x36a, 0, _v12);
								_v12 = _v12 + 1;
								__eflags = _t62;
								if(__eflags != 0) {
									continue;
								}
								goto L13;
							}
						}
					}
				}
				_t66 = E0004342B(__ecx);
				_v8 = 1;
				_t77 = _t66 & 0x10000000;
				if((_t66 & 0x10000000) == 0) {
					goto L3;
				}
				goto L2;
			}

0x0003f2c7
0x0003f2c7
0x0003f2db
0x0003f2dd
0x0003f2e0
0x0003f2e3
0x0003f2f4
0x0003f2f4
0x0003f2f7
0x0003f2fa
0x0003f300
0x0003f304
0x0003f307
0x0003f30c
0x0003f312
0x0003f382
0x0003f382
0x0003f385
0x00000000
0x00000000
0x0003f387
0x0003f387
0x0003f387
0x0003f38e
0x00000000
0x00000000
0x0003f393
0x0003f398
0x0003f3a0
0x0003f3ad
0x0003f3b5
0x0003f3b7
0x0003f3b7
0x0003f3a0
0x0003f3bc
0x0003f3be
0x0003f3c4
0x0003f3c6
0x0003f3fd
0x0003f3fd
0x0003f3fd
0x00000000
0x0003f3c8
0x0003f3c8
0x0003f3cb
0x0003f3d0
0x0003f3d3
0x0003f3d5
0x0003f3dc
0x0003f3dc
0x0003f3ee
0x0003f382
0x0003f382
0x0003f385
0x00000000
0x00000000
0x00000000
0x0003f385
0x0003f382
0x00000000
0x0003f3ee
0x0003f3c6
0x0003f3f2
0x0003f3f3
0x00000000
0x0003f317
0x0003f324
0x0003f326
0x00000000
0x0003f328
0x0003f328
0x0003f32b
0x0003f32f
0x0003f331
0x0003f339
0x0003f33b
0x0003f33b
0x0003f33e
0x0003f342
0x0003f344
0x0003f347
0x0003f349
0x0003f34c
0x0003f35a
0x0003f35a
0x0003f34c
0x0003f347
0x0003f360
0x0003f364
0x0003f37f
0x0003f37f
0x00000000
0x0003f366
0x0003f372
0x0003f378
0x0003f37b
0x0003f37d
0x00000000
0x00000000
0x00000000
0x0003f37d
0x0003f364
0x0003f326
0x0003f382
0x0003f2e5
0x0003f2ea
0x0003f2ed
0x0003f2f2
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 0003F2FA
PeekMessageW.USER32(00000024,00000000,00000000,00000000,00000000), ref: 0003F31E
UpdateWindow.USER32 ref: 0003F339
SendMessageW.USER32(?,00000121,00000000,?), ref: 0003F35A
SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 0003F372
UpdateWindow.USER32 ref: 0003F3B5
PeekMessageW.USER32(00000024,00000000,00000000,00000000,00000000), ref: 0003F3E6

Part of subcall function 0004342B: GetWindowLongW.USER32(?,000000F0), ref: 00043436

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: c14eb4bcc2744c14343c4aea5c7d71a233983b814aa176c7ca05cb253e8afb6b
Instruction ID: ed8d20e8f25dcab0372e2abad0251b47bb58b4cd657c551622bb852eb6fb7acb
Opcode Fuzzy Hash: c14eb4bcc2744c14343c4aea5c7d71a233983b814aa176c7ca05cb253e8afb6b
Instruction Fuzzy Hash: F7416D70D0074AEBDB229F66DC49AAFBBF9FF84745F204179E441A61A1D7718B40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000A13F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E000A13F9(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t58;
				signed int _t59;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				void* _t72;
				intOrPtr* _t76;
				void* _t91;
				intOrPtr _t96;
				signed int _t97;
				void* _t99;

				_t91 = __edx;
				_push(0x24);
				E00131A82(0x14d21d, __ebx, __edi, __esi);
				_t96 =  *((intOrPtr*)(_t99 + 0xc));
				_t93 =  *(_t99 + 0x14);
				 *(_t99 - 0x28) =  *(_t99 + 0x18);
				_t76 = __ecx;
				 *((intOrPtr*)(_t99 - 0x30)) =  *((intOrPtr*)(_t99 + 0x24));
				E00031110(_t99 - 0x24, E00045761());
				 *(_t99 - 4) =  *(_t99 - 4) & 0x00000000;
				_t101 = _t96;
				if(_t96 != 0) {
					E00036590(_t93, _t96);
				} else {
					_push(L"Afx:ControlBar");
					_push(_t99 - 0x2c);
					_t72 = E0004F828(__ecx, 0x1a3998, _t93, _t96, _t101);
					 *(_t99 - 4) = 1;
					E00034260(_t99 - 0x24, _t72);
					 *(_t99 - 4) = 0;
					E00031190( *((intOrPtr*)(_t99 - 0x2c)) + 0xfffffff0, _t91);
				}
				 *((intOrPtr*)(_t76 + 0x170)) =  *((intOrPtr*)(_t99 + 0x1c));
				_t97 = 0;
				if(L000A7735(_t76, _t91,  *((intOrPtr*)(_t99 + 8)),  *((intOrPtr*)(_t99 - 0x24)), 0,  *(_t99 + 0x10) | 0x06000000, _t93,  *(_t99 - 0x28),  *((intOrPtr*)(_t99 + 0x1c)),  *((intOrPtr*)(_t99 + 0x20)),  *((intOrPtr*)(_t99 - 0x30))) != 0) {
					CopyRect(_t99 - 0x20, _t93);
					E0004636C( *(_t99 - 0x28), _t99 - 0x20);
					_t58 = IsRectEmpty(_t76 + 0x248);
					__eflags = _t58;
					if(_t58 != 0) {
						_t97 = _t99 - 0x20;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t93 = _t76 + 0x208;
					_t59 = IsRectEmpty(_t76 + 0x208);
					__eflags = _t59;
					if(_t59 != 0) {
						_t97 = _t99 - 0x20;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t61 = IsRectEmpty(_t99 - 0x20);
					__eflags = _t61;
					if(_t61 == 0) {
						_t93 = _t76 + 0x1d8;
						_t97 = _t99 - 0x20;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t62 =  *(_t99 - 0x28);
					__eflags = _t62;
					if(_t62 == 0) {
						_t63 = 0;
						__eflags = 0;
					} else {
						_t63 =  *((intOrPtr*)(_t62 + 0x20));
					}
					 *((intOrPtr*)(_t76 + 0x54)) = _t63;
					E000A0102(_t76, _t91);
					_t66 =  *((intOrPtr*)( *_t76 + 0x1c8))();
					__eflags =  *(_t76 + 0x94) & _t66;
					if(( *(_t76 + 0x94) & _t66) != 0) {
						E000FFD3C(_t76, _t76 + 0x17c, _t91, _t93, _t97, _t76);
					}
					_t97 = 1;
					goto L4;
				} else {
					L4:
					E00031190( *((intOrPtr*)(_t99 - 0x24)) + 0xfffffff0, _t91);
					return E00131B05(_t76, _t93, _t97);
				}
			}

0x000a13f9
0x000a13f9
0x000a1400
0x000a1408
0x000a140b
0x000a140e
0x000a1414
0x000a1416
0x000a1422
0x000a1427
0x000a142b
0x000a142d
0x000a1464
0x000a142f
0x000a142f
0x000a1437
0x000a143d
0x000a1446
0x000a144a
0x000a1455
0x000a1459
0x000a1459
0x000a1472
0x000a1486
0x000a1498
0x000a14b4
0x000a14c1
0x000a14cd
0x000a14d3
0x000a14d5
0x000a14d7
0x000a14da
0x000a14db
0x000a14dc
0x000a14dd
0x000a14dd
0x000a14de
0x000a14e5
0x000a14eb
0x000a14ed
0x000a14ef
0x000a14f2
0x000a14f3
0x000a14f4
0x000a14f5
0x000a14f5
0x000a14fa
0x000a1500
0x000a1502
0x000a1504
0x000a150a
0x000a150d
0x000a150e
0x000a150f
0x000a1510
0x000a1510
0x000a1511
0x000a1514
0x000a1516
0x000a151d
0x000a151d
0x000a1518
0x000a1518
0x000a1518
0x000a1521
0x000a1524
0x000a152d
0x000a1533
0x000a1539
0x000a1542
0x000a1542
0x000a1549
0x00000000
0x000a149a
0x000a149a
0x000a14a0
0x000a14ac
0x000a14ac

APIs

__EH_prolog3_GS.LIBCMT ref: 000A1400

Part of subcall function 0004F828: __EH_prolog3.LIBCMT ref: 0004F82F
Part of subcall function 0004F828: LoadCursorW.USER32 ref: 0004F85B
Part of subcall function 0004F828: GetClassInfoW.USER32 ref: 0004F89F

CopyRect.USER32(?,?), ref: 000A14B4

Part of subcall function 0004636C: ClientToScreen.USER32(?,00061336), ref: 0004637D
Part of subcall function 0004636C: ClientToScreen.USER32(?,0006133E), ref: 0004638A

IsRectEmpty.USER32 ref: 000A14CD
IsRectEmpty.USER32 ref: 000A14E5
IsRectEmpty.USER32 ref: 000A14FA

Strings

Afx:ControlBar, xrefs: 000A142F

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$Empty$ClientScreen$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
String ID: Afx:ControlBar
API String ID: 2202805320-4244778371
Opcode ID: c53390c8e08d982f9320370cded9f9fa5ac75be9be6469f82cf15db111a767cb
Instruction ID: 015d0559127ea58feb30e9d6dd6692f822d907d1228b4a4b0a3ce158cdc0cf12
Opcode Fuzzy Hash: c53390c8e08d982f9320370cded9f9fa5ac75be9be6469f82cf15db111a767cb
Instruction Fuzzy Hash: A5412971A00618EBCF12DFA4CC85AEE77FAAF4A310F044168FD05BB252DB75A905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0005E3AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0005E3AD(intOrPtr* __ecx, void* __edx, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v20;
				char _v56;
				struct tagPOINT _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t27;
				intOrPtr _t29;
				void* _t30;
				intOrPtr _t32;
				intOrPtr _t43;
				int _t59;
				void* _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;
				signed int _t65;

				_t62 = __edx;
				_t27 =  *0x1a0454; // 0x960af5fb
				_v8 = _t27 ^ _t65;
				_t63 = _a8;
				_t64 = __ecx;
				if(( *0x1a4880 & 0x00000001) == 0) {
					 *0x1a4880 =  *0x1a4880 | 0x00000001;
					E00031110(0x1a487c, E00045761());
					E001311CA( *0x1a4880, 0x156137);
				}
				_t29 =  *((intOrPtr*)(_t64 + 0xc94));
				if(_t29 == 0 ||  *((intOrPtr*)(_t29 + 0x20)) == 0) {
					L12:
					_t30 = 0;
					__eflags = 0;
				} else {
					if(_t29 != 0) {
						_t32 =  *((intOrPtr*)(_t29 + 0x20));
					} else {
						_t32 = 0;
					}
					if( *_t63 != _t32) {
						goto L12;
					} else {
						_v64.x = 0;
						_v64.y = 0;
						GetCursorPos( &_v64);
						ScreenToClient( *(_t64 + 0x20),  &_v64);
						E00131B30( &_v56, 0, 0x30);
						_push( &_v56);
						_push(_v64.y);
						_push(_v64.x);
						_v56 = 0x2c;
						if( *((intOrPtr*)( *_t64 + 0x74))() < 0 || _v20 == 0 || _v20 == 0xffffffff) {
							goto L12;
						} else {
							E00036590(_t63, _v20);
							E00130CB2(_v20);
							_t43 =  *0x1a487c; // 0x0
							 *((intOrPtr*)(_t63 + 0xc)) = _t43;
							_t59 =  *0x1a3ab0; // 0x0
							SendMessageW( *( *((intOrPtr*)(_t64 + 0xc94)) + 0x20), 0x30, _t59, 0);
							_t30 = 1;
						}
					}
				}
				return E00130836(_t30, 0x1a487c, _v8 ^ _t65, _t62, _t63, _t64);
			}

0x0005e3ad
0x0005e3b5
0x0005e3bc
0x0005e3c9
0x0005e3cc
0x0005e3d3
0x0005e3d5
0x0005e3e4
0x0005e3ee
0x0005e3f3
0x0005e3f4
0x0005e3fe
0x0005e4af
0x0005e4af
0x0005e4af
0x0005e40d
0x0005e40f
0x0005e415
0x0005e411
0x0005e411
0x0005e411
0x0005e41a
0x00000000
0x0005e420
0x0005e424
0x0005e427
0x0005e42a
0x0005e437
0x0005e445
0x0005e452
0x0005e453
0x0005e458
0x0005e45b
0x0005e467
0x00000000
0x0005e475
0x0005e47a
0x0005e482
0x0005e487
0x0005e48d
0x0005e490
0x0005e4a4
0x0005e4ac
0x0005e4ac
0x0005e467
0x0005e41a
0x0005e4bf

APIs

GetCursorPos.USER32(?), ref: 0005E42A
ScreenToClient.USER32(?,?), ref: 0005E437
_memset.LIBCMT ref: 0005E445
_free.LIBCMT ref: 0005E482
SendMessageW.USER32(?,00000030,00000000,00000000), ref: 0005E4A4

Strings

,, xrefs: 0005E45B

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ClientCursorMessageScreenSend_free_memset
String ID: ,
API String ID: 628317799-3772416878
Opcode ID: ee50f3a78216b78f9657007a302698195cfec913d04cf3798d855c3597d9a5d3
Instruction ID: a735e7ca1801f8b27e140ce7a461ff1bf905bffef5ecc2f79ee2dbdd36b8c4d1
Opcode Fuzzy Hash: ee50f3a78216b78f9657007a302698195cfec913d04cf3798d855c3597d9a5d3
Instruction Fuzzy Hash: FD318F31A00254EFDB18DBA4EC85B9EBBF9BF48361F10053DF955D62A1DB70AA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00082233 Relevance: 10.6, APIs: 7, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00082233(intOrPtr _a4) {
				intOrPtr* _v8;
				void* __ecx;
				void* __ebp;
				int _t22;
				intOrPtr* _t23;
				intOrPtr* _t27;
				intOrPtr* _t28;
				intOrPtr* _t36;
				intOrPtr _t37;
				intOrPtr* _t40;
				intOrPtr* _t43;
				intOrPtr _t44;

				_push(_t36);
				_t40 = _t36;
				_t37 = _a4;
				_v8 = _t40;
				if(_t37 == 0) {
					L4:
					 *((intOrPtr*)(_t40 + 8)) = _t37;
					if(_t37 == 0) {
						_t22 = LockWindowUpdate(0);
					} else {
						_t22 = LockWindowUpdate( *( *((intOrPtr*)(_t40 + 0xe4)) + 0x20));
					}
					_t43 =  *((intOrPtr*)(_t40 + 0xcc));
					if(_t43 == 0) {
						L14:
						_t40 =  *((intOrPtr*)(_t40 + 0x24));
					} else {
						while(1) {
							_t27 = _t43;
							if(_t43 == 0) {
								break;
							}
							_t43 =  *_t43;
							_t28 = E0004EA25(0x19d608,  *((intOrPtr*)(_t27 + 8)));
							_pop(_t37);
							_t40 = _t28;
							ValidateRect( *(_t40 + 0x20), 0);
							UpdateWindow( *(_t40 + 0x20));
							if(_a4 == 0) {
								_t22 = LockWindowUpdate(0);
							} else {
								_t22 = LockWindowUpdate( *(_t40 + 0x20));
							}
							if(_t43 != 0) {
								continue;
							} else {
								_t40 = _v8;
								goto L14;
							}
							goto L21;
						}
						L15:
						E000455E0(_t37);
						L16:
						_t23 = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t44 =  *((intOrPtr*)(_t23 + 8));
						_t40 =  *_t40;
						ValidateRect( *(_t44 + 0x20), 0);
						UpdateWindow( *(_t44 + 0x20));
						if(_a4 == 0) {
							_t22 = LockWindowUpdate(0);
						} else {
							_t22 = LockWindowUpdate( *(_t44 + 0x20));
						}
					}
					L21:
					if(_t40 != 0) {
						goto L16;
					}
				} else {
					_t22 =  *(_t40 + 0x1b8);
					if(_t22 == 0 ||  *((intOrPtr*)(_t22 + 8)) == 0 ||  *((intOrPtr*)(_t22 + 4)) == 0) {
						goto L4;
					}
				}
				return _t22;
			}

0x00082238
0x0008223b
0x0008223d
0x00082242
0x00082247
0x00082261
0x00082261
0x00082266
0x00082274
0x00082268
0x00082274
0x00082274
0x0008227b
0x00082289
0x000822ce
0x000822ce
0x0008228b
0x0008228b
0x0008228b
0x0008228f
0x00000000
0x00000000
0x00082294
0x0008229b
0x000822a1
0x000822a2
0x000822a9
0x000822ae
0x000822b8
0x000822c1
0x000822ba
0x000822c1
0x000822c1
0x000822c9
0x00000000
0x000822cb
0x000822cb
0x00000000
0x000822cb
0x00000000
0x000822c9
0x000822d3
0x000822d3
0x000822d8
0x000822d8
0x000822dc
0x00000000
0x00000000
0x000822de
0x000822e1
0x000822e8
0x000822ed
0x000822f7
0x00082300
0x000822f9
0x00082300
0x00082300
0x00082300
0x00082306
0x00082308
0x00000000
0x00000000
0x00082249
0x00082249
0x00082251
0x00000000
0x00000000
0x00082251
0x0008230e

APIs

LockWindowUpdate.USER32(00000000), ref: 00082274
ValidateRect.USER32(?,00000000), ref: 000822A9
UpdateWindow.USER32 ref: 000822AE
LockWindowUpdate.USER32(00000000), ref: 000822C1
ValidateRect.USER32(?,00000000), ref: 000822E8
UpdateWindow.USER32 ref: 000822ED
LockWindowUpdate.USER32(00000000), ref: 00082300

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: UpdateWindow$Lock$RectValidate
String ID:
API String ID: 797752328-0
Opcode ID: 4ee894cf36bb4b22c177739e7f13f0d89e160ec98472f070641ec4729dce849c
Instruction ID: 77759d23663207a5ad3ec5b597f010b665ad01e1326b29bee65fe2b01dd9049d
Opcode Fuzzy Hash: 4ee894cf36bb4b22c177739e7f13f0d89e160ec98472f070641ec4729dce849c
Instruction Fuzzy Hash: 4C21AD32608605FFCB65AF94D885B69B7F1FF44751F294128E9896B6A0D730AC90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000BF215 Relevance: 10.6, APIs: 7, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E000BF215(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t36;
				intOrPtr _t39;
				void* _t40;
				int _t44;
				RECT* _t48;
				struct tagRECT* _t58;
				intOrPtr* _t61;
				signed int _t62;
				void* _t63;
				void* _t64;

				_t64 = __eflags;
				_push(0x54);
				E00131A82(0x14e487, __ebx, __edi, __esi);
				_t48 =  *(_t63 + 0xc);
				_t61 =  *((intOrPtr*)(_t63 + 0x10));
				 *((intOrPtr*)(_t63 - 0x60)) = __ecx;
				E000BF163(_t48, _t63 - 0x50, __edi, _t61, _t64);
				 *(_t63 - 4) = 0;
				if(_t61 == 0) {
					_t61 = _t63 - 0x50;
				}
				 *((intOrPtr*)(_t61 + 0x34)) = 0;
				if(_t48 == 0) {
					 *(_t63 - 0x58) = 0;
					 *(_t63 - 0x54) = 0;
					GetCursorPos(_t63 - 0x58);
					_t58 = _t61 + 0x24;
					SetRect(_t58,  *(_t63 - 0x58),  *(_t63 - 0x54),  *(_t63 - 0x58),  *(_t63 - 0x54));
				} else {
					_t58 = _t61 + 0x24;
					CopyRect(_t58, _t48);
				}
				if(E0006A96E(_t58) == 0) {
					_t36 = IsRectEmpty(_t58);
					__eflags = _t36;
					if(_t36 != 0) {
						_t44 =  *0x1a5a44; // 0x2
						InflateRect(_t58, _t44, _t44);
					}
				} else {
					 *((intOrPtr*)(_t61 + 0x34)) = 1;
				}
				_t59 =  *_t61;
				_push(E0003C4D8());
				if( *((intOrPtr*)( *_t61 + 0x58))() != 0) {
					_t39 = E00052135( *((intOrPtr*)(_t63 - 0x60)), 0x180a40);
					_t59 = _t39;
					_t40 = E00052135(_t61, 0x180a00);
					 *(_t63 - 0x5c) =  *(_t63 - 0x5c) & 0x00000000;
					__imp__DoDragDrop(_t39, _t40,  *((intOrPtr*)(_t63 + 8)), _t63 - 0x5c);
					_t62 =  *(_t63 - 0x5c);
				} else {
					_t62 = 0;
				}
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				E00043B12(_t63 - 0x50);
				return E00131B05(_t48, _t59, _t62);
			}

0x000bf215
0x000bf215
0x000bf21c
0x000bf221
0x000bf224
0x000bf227
0x000bf22d
0x000bf234
0x000bf239
0x000bf23b
0x000bf23b
0x000bf23e
0x000bf243
0x000bf252
0x000bf255
0x000bf25c
0x000bf265
0x000bf272
0x000bf245
0x000bf246
0x000bf24a
0x000bf24a
0x000bf281
0x000bf28d
0x000bf293
0x000bf295
0x000bf297
0x000bf29f
0x000bf29f
0x000bf283
0x000bf283
0x000bf283
0x000bf2a5
0x000bf2ac
0x000bf2b4
0x000bf2d6
0x000bf2e2
0x000bf2e4
0x000bf2e9
0x000bf2f6
0x000bf2fc
0x000bf2b6
0x000bf2b6
0x000bf2b6
0x000bf2b8
0x000bf2bf
0x000bf2cb

APIs

__EH_prolog3_GS.LIBCMT ref: 000BF21C

Part of subcall function 000BF163: __EH_prolog3.LIBCMT ref: 000BF16A
Part of subcall function 000BF163: GetProfileIntW.KERNEL32 ref: 000BF1C2
Part of subcall function 000BF163: GetProfileIntW.KERNEL32 ref: 000BF1D4

CopyRect.USER32(?,?), ref: 000BF24A
GetCursorPos.USER32(?), ref: 000BF25C
SetRect.USER32 ref: 000BF272
IsRectEmpty.USER32 ref: 000BF28D
InflateRect.USER32 ref: 000BF29F
DoDragDrop.OLE32(00000000,00000000,?,00000000), ref: 000BF2F6

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
String ID:
API String ID: 1837043813-0
Opcode ID: 9b000bf2f6f146a0d000acc625fe5f6d6a3c9c7b9bbbcb4235a40d5205c228a6
Instruction ID: 50e18536ff091f702598f374541d66bd18a5dee258ef7473a67213165d2ceea4
Opcode Fuzzy Hash: 9b000bf2f6f146a0d000acc625fe5f6d6a3c9c7b9bbbcb4235a40d5205c228a6
Instruction Fuzzy Hash: 6F216D76900205EBDB01EFE0CC899FEBBB5BF58701F004428E902AB691DB34A945DF50

Uniqueness

Uniqueness Score: -1.00%

Function 000614D3 Relevance: 10.6, APIs: 7, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E000614D3(void* __ecx, long _a4) {
				struct tagPOINT _v12;
				void* __ebx;
				void* _t26;
				void* _t28;
				RECT* _t45;
				void* _t54;

				_push(__ecx);
				_push(__ecx);
				_t54 = __ecx;
				_t26 = __ecx + 0xff0;
				if(_t26 != 0 &&  *((intOrPtr*)(_t26 + 0x20)) != 0) {
					SendMessageW( *(__ecx + 0x1010), 0x407, 0, _a4);
				}
				if( *((intOrPtr*)(_a4 + 4)) != 0x200) {
					L9:
					_t28 = E000B5461(_t54, _a4);
				} else {
					_t45 = _t54 + 0xef8;
					if(IsRectEmpty(_t45) == 0 || IsRectEmpty(_t54 + 0xf08) == 0) {
						_v12.x = _v12.x & 0x00000000;
						_v12.y = _v12.y & 0x00000000;
						GetCursorPos( &_v12);
						ScreenToClient( *(_t54 + 0x20),  &_v12);
						_push(_v12.y);
						if(PtInRect(_t45, _v12.x) != 0) {
							L8:
							E000604D0(_t45, _t54,  *((intOrPtr*)(_a4 + 8)), _v12.x, _v12.y);
							_t28 = 1;
						} else {
							_push(_v12.y);
							if(PtInRect(_t54 + 0xf08, _v12) == 0) {
								goto L9;
							} else {
								goto L8;
							}
						}
					} else {
						goto L9;
					}
				}
				return _t28;
			}

0x000614d8
0x000614d9
0x000614dc
0x000614de
0x000614e7
0x000614ff
0x000614ff
0x0006150f
0x0006158e
0x00061593
0x00061511
0x00061517
0x00061522
0x00061531
0x00061535
0x0006153d
0x0006154a
0x00061550
0x00061561
0x00061576
0x00061584
0x0006158b
0x00061563
0x00061563
0x00061574
0x00000000
0x00000000
0x00000000
0x00000000
0x00061574
0x00000000
0x00000000
0x00000000
0x00061522
0x0006159c

APIs

SendMessageW.USER32(00000000,00000407,00000000,?), ref: 000614FF
IsRectEmpty.USER32 ref: 0006151E
IsRectEmpty.USER32 ref: 0006152B
GetCursorPos.USER32(00000000), ref: 0006153D
ScreenToClient.USER32(?,00000000), ref: 0006154A
PtInRect.USER32(?,00000000,00000000), ref: 0006155D
PtInRect.USER32(?,00000000,00000000), ref: 00061570

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$Empty$ClientCursorMessageScreenSend
String ID:
API String ID: 703117857-0
Opcode ID: bb74e16c796e2bd0baa7e88dc33899f3774587115b2034f4eafc78739b83d545
Instruction ID: 176694dd9bf6c0cef3a5f2a597491dacba46ea1a0355f89fa2bcf7789f071c69
Opcode Fuzzy Hash: bb74e16c796e2bd0baa7e88dc33899f3774587115b2034f4eafc78739b83d545
Instruction Fuzzy Hash: A521807250060AFFDF209BA0DC44FEEBBFAEF48386F044464E546960A0D731EA81DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0009917C Relevance: 9.5, APIs: 6, Instructions: 472
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0009917C(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed char _t299;
				signed int _t300;
				signed int _t303;
				signed int _t304;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				signed int _t312;
				signed char _t315;
				intOrPtr _t329;
				signed int _t350;
				signed int _t353;
				signed char _t354;
				void* _t355;
				intOrPtr* _t360;
				signed int* _t362;
				signed long long* _t363;
				signed char* _t367;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed long long* _t374;
				void* _t378;
				signed int _t381;
				signed int _t386;
				signed int _t402;
				signed int _t413;
				signed int _t415;
				signed int* _t418;
				signed int _t419;
				signed int _t423;
				intOrPtr* _t425;
				signed long long* _t428;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				void* _t440;
				void* _t445;
				void* _t446;
				signed long long _t450;
				signed long long _t451;
				signed long long _t458;
				signed long long _t460;

				_t431 = __edx;
				_push(0x104);
				_t299 = E00131A19(0x14cc42, __ebx, __edi, __esi);
				_t440 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x88)) != 0) {
					__eflags =  *((intOrPtr*)(__ecx + 8)) - 0x18;
					if( *((intOrPtr*)(__ecx + 8)) < 0x18) {
						goto L1;
					}
					_t450 = st0;
					asm("fldz");
					asm("fucompp");
					asm("fnstsw ax");
					__eflags = _t299 & 0x00000044;
					if((_t299 & 0x00000044) != 0) {
						_t451 = st0;
						asm("fld1");
						asm("fucompp");
						asm("fnstsw ax");
						__eflags = _t299 & 0x00000044;
						if((_t299 & 0x00000044) != 0) {
							 *(_t445 - 0x20) =  *(__ecx + 0x54);
							asm("fild dword [ebp-0x20]");
							asm("fxch st0, st1");
							_t303 = E00135A90( *(__ecx + 0x54),  *0x15bdf8 + st0);
							_t371 =  *(_t440 + 0x50);
							 *(_t445 - 0x24) = _t371;
							asm("fild dword [ebp-0x24]");
							 *(_t445 - 0x14) = _t303;
							asm("fmulp st2, st0");
							asm("faddp st1, st0");
							_t304 = E00135A90(_t303,  *0x15bdf8 + st0);
							_t381 =  *(_t440 + 0x54);
							 *(_t445 - 0x6c) = _t304;
							__eflags = _t304 - _t371;
							if(_t304 != _t371) {
								L11:
								__eflags = _t371;
								if(_t371 <= 0) {
									L7:
									_t300 = 1;
									__eflags = 1;
									L8:
									return E00131AF1(_t300);
								}
								__eflags =  *(_t445 - 0x20);
								if( *(_t445 - 0x20) <= 0) {
									goto L7;
								}
								__eflags =  *(_t445 - 0x6c);
								if( *(_t445 - 0x6c) <= 0) {
									goto L7;
								}
								__eflags =  *(_t445 - 0x14);
								if( *(_t445 - 0x14) <= 0) {
									goto L7;
								}
								_t372 =  *(_t440 + 4);
								 *(_t445 - 0x10) = _t372;
								__eflags = _t372;
								if(_t372 == 0) {
									goto L7;
								}
								_t307 = GetObjectW( *(_t440 + 0x88), 0x18, _t445 - 0xdc);
								__eflags = _t307;
								if(_t307 == 0) {
									goto L1;
								}
								_t308 = E00135F20(_t431,  *(_t445 - 0xd4));
								_t456 =  *(_t440 + 0xb0) *  *(_t445 + 8);
								__eflags =  *(_t445 - 0xd4);
								 *(_t440 + 0xb0) =  *(_t440 + 0xb0) *  *(_t445 + 8);
								 *(_t445 - 0x70) = 0;
								 *(_t445 - 0x5c) = 0;
								 *(_t445 - 0x58) = 0;
								 *(_t445 - 0x24) = 0 |  *(_t445 - 0xd4) < 0x00000000;
								 *(_t445 - 0x74) =  *(_t440 + 0x50);
								__eflags = _t372 - 1;
								if(__eflags == 0) {
									_t430 =  *(_t440 + 0x54);
									__eflags = _t308 - _t430;
									if(__eflags > 0) {
										asm("cdq");
										_t38 = _t308 % _t430;
										__eflags = _t38;
										_t369 = _t308 / _t430;
										_t431 = _t38;
										 *(_t445 - 0x74) = 0;
										 *(_t445 - 0x70) = _t430;
										 *(_t445 - 0x10) = _t369;
										_t372 = _t369;
									}
								}
								_t309 = E000C9A19(_t372, _t431, _t440, 0, __eflags,  *(_t440 + 0x88),  *(_t440 + 0xa4));
								 *(_t445 - 0x60) = _t309;
								__eflags = _t309;
								if(_t309 == 0) {
									goto L1;
								} else {
									_t310 =  *(_t445 - 0x6c);
									_t386 =  *(_t445 - 0x14);
									 *(_t445 - 0x38) = _t310;
									 *(_t445 - 0x34) = _t386;
									__eflags =  *(_t445 - 0x74);
									if( *(_t445 - 0x74) <= 0) {
										_t312 = _t386 * _t372;
										__eflags = _t312;
										 *(_t445 - 0x34) = _t312;
										 *(_t445 - 0x58) = _t386;
									} else {
										 *(_t445 - 0x38) = _t372 * _t310;
										 *(_t445 - 0x5c) = _t310;
									}
									__eflags =  *(_t445 - 0x24);
									if( *(_t445 - 0x24) != 0) {
										 *(_t445 - 0x34) =  ~( *(_t445 - 0x34));
									}
									 *(_t445 - 0x20) = E000C9034(_t445 - 0x38, 0);
									_t315 = E00135F20(_t431,  *(_t445 - 0x34));
									 *(_t445 - 0x34) = _t315;
									__eflags =  *(_t445 - 0x20);
									if( *(_t445 - 0x20) != 0) {
										asm("fld1");
										asm("fcomp qword [ebp+0x8]");
										 *(_t445 + 0xc) = 5;
										asm("fnstsw ax");
										__eflags = _t315 & 0x00000041;
										if((_t315 & 0x00000041) != 0) {
											 *(_t445 + 0xc) = 6;
										}
										 *((intOrPtr*)(_t445 - 0xc4)) = 0;
										 *((intOrPtr*)(_t445 - 0xb8)) = 0;
										 *((intOrPtr*)(_t445 - 0xb4)) = 0;
										 *((intOrPtr*)(_t445 - 0xb0)) = 0;
										 *((intOrPtr*)(_t445 - 0xac)) = 0;
										 *((intOrPtr*)(_t445 - 0xa8)) = 0;
										 *(_t445 - 0xa4) = 0;
										 *((intOrPtr*)(_t445 - 0x9c)) = 0;
										 *((intOrPtr*)(_t445 - 0xc0)) = 0;
										 *((intOrPtr*)(_t445 - 0xbc)) = 0;
										 *((intOrPtr*)(_t445 - 4)) = 0;
										 *((intOrPtr*)(_t445 - 0x1c)) = 0;
										 *((intOrPtr*)(_t445 - 0x18)) = 0;
										E00098C37(_t445 - 0xc4, _t431,  *(_t445 - 0x60), _t445 - 0x1c);
										 *((intOrPtr*)(_t445 - 0x108)) = 0;
										 *((intOrPtr*)(_t445 - 0xfc)) = 0;
										 *((intOrPtr*)(_t445 - 0xf8)) = 0;
										 *((intOrPtr*)(_t445 - 0xf4)) = 0;
										 *((intOrPtr*)(_t445 - 0xf0)) = 0;
										 *((intOrPtr*)(_t445 - 0xec)) = 0;
										 *(_t445 - 0xe8) = 0;
										 *((intOrPtr*)(_t445 - 0xe0)) = 0;
										 *(_t445 - 0x104) = 0;
										 *((intOrPtr*)(_t445 - 0x100)) = 0;
										 *((intOrPtr*)(_t445 - 0x1c)) = 0;
										 *((intOrPtr*)(_t445 - 0x18)) = 0;
										E00098C37(_t445 - 0x108, _t431,  *(_t445 - 0x20), _t445 - 0x1c);
										_t373 =  *(_t445 - 0xa0) & 0x000000ff;
										 *((intOrPtr*)(_t445 - 0xd0)) = 0x1643d4;
										 *((intOrPtr*)(_t445 - 0xcc)) = 0;
										 *(_t445 - 0xc8) = 0;
										 *((char*)(_t445 - 4)) = 2;
										E00097175(_t445 - 0xd0, _t456,  *(_t440 + 0x50),  *(_t445 - 0x6c), 0,  *(_t440 + 0x50),  *(_t445 + 0xc));
										 *((intOrPtr*)(_t445 - 0x88)) = 0x1643d4;
										 *((intOrPtr*)(_t445 - 0x84)) = 0;
										 *(_t445 - 0x80) = 0;
										 *((char*)(_t445 - 4)) = 3;
										E00097175(_t445 - 0x88, _t456,  *(_t440 + 0x54),  *(_t445 - 0x14), 0,  *(_t440 + 0x54),  *(_t445 + 0xc));
										_t432 = 8;
										 *(_t445 - 0x2c) = E0003C37C(__eflags,  ~(0 | __eflags > 0x00000000) | _t373 * _t432);
										_t434 = 8;
										_t435 = _t373 * _t434 >> 0x20;
										_t329 = E0003C37C(__eflags,  ~(0 | __eflags > 0x00000000) | _t373 * _t434);
										_t402 =  *(_t445 - 0x10);
										 *((intOrPtr*)(_t445 - 0x28)) = _t329;
										 *((intOrPtr*)(_t445 - 0x1c)) = 0;
										 *((intOrPtr*)(_t445 - 0x18)) = 0;
										__eflags = _t402;
										if(_t402 <= 0) {
											L71:
											_push( *(_t445 - 0x2c));
											E0003C3AB();
											_push( *((intOrPtr*)(_t445 - 0x28)));
											E0003C3AB();
											DeleteObject( *(_t445 - 0x60));
											__eflags = E0005463C(_t440 + 0x58, 0, 0);
											if(__eflags != 0) {
												 *(_t440 + 0x58) =  *(_t440 + 0x50);
												 *(_t440 + 0x5c) =  *(_t440 + 0x54);
											}
											 *(_t440 + 0x50) =  *(_t445 - 0x6c);
											 *(_t440 + 0x54) =  *(_t445 - 0x14);
											 *(_t440 + 0xa4) =  *(_t440 + 0xa4) | 0xffffffff;
											 *(_t440 + 0xa8) =  *(_t440 + 0xa4);
											 *(_t440 + 0x88) =  *(_t445 - 0x20);
											 *((intOrPtr*)(_t440 + 8)) = 0x20;
											E0009790E(_t373, _t440, _t435, _t440, 0, __eflags, _t456, 0);
											E0009790E(_t373, _t440, _t435, _t440, 0, __eflags, _t456, 1);
											__eflags =  *(_t440 + 0x88);
											 *((char*)(_t445 - 4)) = 2;
											 *((intOrPtr*)(_t445 - 0x88)) = 0x1643d4;
											E00096B05(_t445 - 0x88);
											 *((char*)(_t445 - 4)) = 1;
											 *((intOrPtr*)(_t445 - 0xd0)) = 0x1643d4;
											E00096B05(_t445 - 0xd0);
											_t300 = 0 |  *(_t440 + 0x88) != 0x00000000;
											goto L8;
										} else {
											_t435 =  *(_t445 - 0x104);
											 *(_t445 - 0x78) = _t373 << 3;
											_t350 =  *(_t445 - 0xe8) *  *(_t445 - 0x58);
											_t373 = _t373 *  *(_t445 - 0x5c);
											__eflags = _t373;
											 *((intOrPtr*)(_t445 - 0x48)) = 0;
											 *(_t445 - 0x8c) = _t350;
											 *(_t445 - 0x58) = _t373;
											 *(_t445 - 0x4c) =  *(_t445 - 0x104);
											 *(_t445 - 0x24) = _t402;
											do {
												 *(_t445 - 0x10) = 0;
												__eflags =  *(_t445 - 0x14);
												if( *(_t445 - 0x14) <= 0) {
													goto L70;
												}
												_t413 =  *(_t445 - 0x4c) +  *((intOrPtr*)(_t445 - 0x48));
												__eflags = _t413;
												 *(_t445 - 0x3c) = _t413;
												do {
													 *(_t445 - 0x54) =  *(_t445 - 0x3c);
													_t415 =  *(_t445 - 0x6c);
													__eflags = _t415;
													if(_t415 <= 0) {
														goto L69;
													}
													 *(_t445 - 0x30) =  *(_t445 - 0xc8);
													 *(_t445 - 0x7c) = _t415;
													do {
														_t374 =  *(_t445 - 0x2c);
														E00131B30(_t374, 0,  *(_t445 - 0x78));
														_t353 =  *(_t445 - 0x10);
														_t435 =  *(_t445 - 0x80);
														_t418 = _t435 + _t353 * 8;
														_t446 = _t446 + 0xc;
														 *((intOrPtr*)(_t445 - 0x64)) = 0;
														 *(_t445 - 0x94) = _t418;
														__eflags =  *_t418;
														if( *_t418 <= 0) {
															L48:
															_t419 =  *(_t445 - 0xa0) & 0x000000ff;
															__eflags = _t419 - 4;
															if(_t419 == 4) {
																asm("fcomp qword [ebx]");
																asm("fnstsw ax");
																__eflags = _t353 & 0x00000041;
																if((_t353 & 0x00000041) != 0) {
																	_t458 = _t374[3];
																} else {
																	_t458 =  *_t374;
																}
																 *_t374 = _t458;
																asm("fcomp qword [ebx+0x8]");
																asm("fnstsw ax");
																__eflags = _t353 & 0x00000041;
																if((_t353 & 0x00000041) != 0) {
																	_t460 = _t374[3];
																} else {
																	_t460 = _t374[1];
																}
																_t374[1] = _t460;
																asm("fcomp qword [ebx+0x10]");
																asm("fnstsw ax");
																__eflags = _t353 & 0x00000041;
																if((_t353 & 0x00000041) != 0) {
																	_t456 = _t374[3];
																} else {
																	_t456 = _t374[2];
																}
																_t374[2] = _t456;
															}
															 *(_t445 + 0xc) = 0;
															__eflags = _t419;
															if(_t419 > 0) {
																asm("fldz");
																do {
																	_t354 =  *(_t445 + 0xc);
																	_t456 = _t374[_t354];
																	asm("fcom st0, st1");
																	asm("fnstsw ax");
																	__eflags = _t354 & 0x00000005;
																	if((_t354 & 0x00000005) != 0) {
																		asm("fcom st0, st2");
																		asm("fnstsw ax");
																		__eflags = _t354 & 0x00000041;
																		if((_t354 & 0x00000041) == 0) {
																			st0 = _t456;
																			_t456 = st1;
																		}
																	} else {
																		st0 = _t456;
																		_t456 = st0;
																	}
																	_t355 = E00135AC6();
																	 *(_t445 - 0x54) =  *(_t445 - 0x54) + 1;
																	 *(_t445 + 0xc) =  *(_t445 + 0xc) + 1;
																	 *( *(_t445 - 0x54)) = _t355;
																	__eflags =  *(_t445 + 0xc) - ( *(_t445 - 0xa0) & 0x000000ff);
																} while ( *(_t445 + 0xc) < ( *(_t445 - 0xa0) & 0x000000ff));
																st1 = _t456;
																st0 = _t456;
															}
															goto L67;
														}
														 *((intOrPtr*)(_t445 - 0x98)) = _t435 + 4 + _t353 * 8;
														 *((intOrPtr*)(_t445 - 0x50)) = 0;
														do {
															_t360 =  *((intOrPtr*)( *((intOrPtr*)(_t445 - 0x98)))) +  *((intOrPtr*)(_t445 - 0x50));
															_t456 =  *(_t360 + 4);
															 *(_t445 - 0x110) =  *(_t360 + 4);
															_t378 = ( *_t360 +  *((intOrPtr*)(_t445 - 0x18))) *  *(_t445 - 0xa4) +  *((intOrPtr*)(_t445 - 0xc0));
															E00131B30( *((intOrPtr*)(_t445 - 0x28)), 0,  *(_t445 - 0x78));
															_t362 =  *(_t445 - 0x30);
															_t446 = _t446 + 0xc;
															 *((intOrPtr*)(_t445 - 0x40)) = 0;
															__eflags =  *_t362;
															if( *_t362 <= 0) {
																L43:
																_t435 =  *(_t445 - 0xa0) & 0x000000ff;
																__eflags = _t435;
																if(_t435 <= 0) {
																	goto L46;
																}
																_t363 =  *(_t445 - 0x2c);
																_t423 =  *((intOrPtr*)(_t445 - 0x28)) - _t363;
																__eflags = _t423;
																do {
																	_t456 =  *(_t363 + _t423) *  *(_t445 - 0x110) +  *_t363;
																	 *_t363 =  *(_t363 + _t423) *  *(_t445 - 0x110) +  *_t363;
																	_t363 =  &(_t363[1]);
																	_t435 = _t435 - 1;
																	__eflags = _t435;
																} while (_t435 != 0);
																goto L46;
															}
															 *((intOrPtr*)(_t445 - 0x44)) = 0;
															do {
																_t425 = _t362[1] +  *((intOrPtr*)(_t445 - 0x44));
																_t436 =  *(_t445 - 0xa0) & 0x000000ff;
																_t456 =  *(_t425 + 4);
																 *(_t445 + 0xc) = 0;
																_t367 = ( *_t425 +  *((intOrPtr*)(_t445 - 0x1c))) * _t436 + _t378;
																__eflags = _t436;
																if(_t436 <= 0) {
																	goto L42;
																} else {
																	goto L41;
																}
																do {
																	L41:
																	_t428 =  *((intOrPtr*)(_t445 - 0x28)) +  *(_t445 + 0xc) * 8;
																	 *(_t445 - 0x90) =  *_t367 & 0x000000ff;
																	_t367 =  &(_t367[1]);
																	 *(_t445 + 0xc) =  *(_t445 + 0xc) + 1;
																	asm("fild dword [ebp-0x90]");
																	_t456 = _t456 * st1 +  *_t428;
																	 *_t428 = _t456;
																	__eflags =  *(_t445 + 0xc) - ( *(_t445 - 0xa0) & 0x000000ff);
																} while ( *(_t445 + 0xc) < ( *(_t445 - 0xa0) & 0x000000ff));
																L42:
																 *((intOrPtr*)(_t445 - 0x40)) =  *((intOrPtr*)(_t445 - 0x40)) + 1;
																st0 = _t456;
																_t362 =  *(_t445 - 0x30);
																 *((intOrPtr*)(_t445 - 0x44)) =  *((intOrPtr*)(_t445 - 0x44)) + 0xc;
																__eflags =  *((intOrPtr*)(_t445 - 0x40)) -  *_t362;
															} while ( *((intOrPtr*)(_t445 - 0x40)) <  *_t362);
															goto L43;
															L46:
															 *((intOrPtr*)(_t445 - 0x64)) =  *((intOrPtr*)(_t445 - 0x64)) + 1;
															_t353 =  *(_t445 - 0x94);
															 *((intOrPtr*)(_t445 - 0x50)) =  *((intOrPtr*)(_t445 - 0x50)) + 0xc;
															__eflags =  *((intOrPtr*)(_t445 - 0x64)) -  *_t353;
														} while ( *((intOrPtr*)(_t445 - 0x64)) <  *_t353);
														_t374 =  *(_t445 - 0x2c);
														goto L48;
														L67:
														 *(_t445 - 0x30) =  &(( *(_t445 - 0x30))[2]);
														_t247 = _t445 - 0x7c;
														 *_t247 =  *(_t445 - 0x7c) - 1;
														__eflags =  *_t247;
													} while ( *_t247 != 0);
													_t350 =  *(_t445 - 0x8c);
													_t373 =  *(_t445 - 0x58);
													L69:
													 *(_t445 - 0x10) =  *(_t445 - 0x10) + 1;
													 *(_t445 - 0x3c) =  *(_t445 - 0x3c) +  *(_t445 - 0xe8);
													__eflags =  *(_t445 - 0x10) -  *(_t445 - 0x14);
												} while ( *(_t445 - 0x10) <  *(_t445 - 0x14));
												L70:
												 *((intOrPtr*)(_t445 - 0x1c)) =  *((intOrPtr*)(_t445 - 0x1c)) +  *(_t445 - 0x74);
												 *((intOrPtr*)(_t445 - 0x18)) =  *((intOrPtr*)(_t445 - 0x18)) +  *(_t445 - 0x70);
												 *((intOrPtr*)(_t445 - 0x48)) =  *((intOrPtr*)(_t445 - 0x48)) + _t373;
												 *(_t445 - 0x4c) =  *(_t445 - 0x4c) + _t350;
												_t268 = _t445 - 0x24;
												 *_t268 =  *(_t445 - 0x24) - 1;
												__eflags =  *_t268;
											} while ( *_t268 != 0);
											goto L71;
										}
									} else {
										DeleteObject( *(_t445 - 0x60));
										goto L1;
									}
								}
							}
							__eflags =  *(_t445 - 0x14) - _t381;
							if( *(_t445 - 0x14) == _t381) {
								goto L7;
							}
							goto L11;
						}
						st0 = _t451;
						goto L7;
					} else {
						st0 = _t450;
						goto L1;
					}
				}
				L1:
				_t300 = 0;
				goto L8;
			}

0x0009917c
0x0009917c
0x00099186
0x0009918b
0x00099195
0x0009919b
0x0009919f
0x00000000
0x00000000
0x000991a4
0x000991a6
0x000991a8
0x000991aa
0x000991ac
0x000991af
0x000991b5
0x000991b7
0x000991b9
0x000991bb
0x000991bd
0x000991c0
0x000991d2
0x000991d5
0x000991e2
0x000991e4
0x000991e9
0x000991ec
0x000991ef
0x000991f2
0x000991f5
0x000991f7
0x000991f9
0x000991fe
0x00099201
0x00099204
0x00099206
0x0009920d
0x0009920d
0x0009920f
0x000991c4
0x000991c6
0x000991c6
0x000991c7
0x000991cc
0x000991cc
0x00099211
0x00099214
0x00000000
0x00000000
0x00099216
0x00099219
0x00000000
0x00000000
0x0009921b
0x0009921e
0x00000000
0x00000000
0x00099220
0x00099223
0x00099226
0x00099228
0x00000000
0x00000000
0x00099239
0x0009923f
0x00099241
0x00000000
0x00000000
0x0009924d
0x00099258
0x0009925e
0x00099264
0x0009926a
0x00099270
0x00099273
0x00099276
0x0009927c
0x0009927f
0x00099282
0x00099284
0x00099287
0x00099289
0x0009928b
0x0009928c
0x0009928c
0x0009928c
0x0009928c
0x0009928e
0x00099291
0x00099294
0x00099297
0x00099297
0x00099289
0x000992a5
0x000992aa
0x000992ad
0x000992af
0x00000000
0x000992b5
0x000992b5
0x000992b8
0x000992bb
0x000992be
0x000992c1
0x000992c4
0x000992d3
0x000992d3
0x000992d6
0x000992d9
0x000992c6
0x000992c9
0x000992cc
0x000992cc
0x000992dc
0x000992df
0x000992e1
0x000992e1
0x000992f1
0x000992f4
0x000992fa
0x000992fd
0x00099300
0x00099310
0x00099312
0x00099315
0x0009931c
0x0009931e
0x00099321
0x00099323
0x00099323
0x0009932a
0x00099330
0x00099336
0x0009933c
0x00099342
0x00099348
0x0009934e
0x00099354
0x0009935a
0x00099360
0x00099373
0x00099376
0x00099379
0x0009937c
0x00099381
0x00099387
0x0009938d
0x00099393
0x00099399
0x0009939f
0x000993a5
0x000993ab
0x000993b1
0x000993b7
0x000993ca
0x000993cd
0x000993d0
0x000993d5
0x000993dc
0x000993e6
0x000993ec
0x00099404
0x00099408
0x0009940d
0x00099417
0x0009941d
0x00099432
0x00099436
0x0009943f
0x00099451
0x0009945a
0x0009945b
0x00099465
0x0009946c
0x0009946f
0x00099472
0x00099475
0x00099478
0x0009947a
0x000996e7
0x000996e7
0x000996ea
0x000996ef
0x000996f2
0x000996fc
0x0009970e
0x00099710
0x00099715
0x0009971b
0x0009971b
0x00099721
0x00099727
0x00099730
0x00099737
0x00099743
0x00099749
0x00099750
0x00099759
0x00099760
0x00099774
0x00099778
0x00099780
0x0009978b
0x0009978f
0x00099795
0x0009979a
0x00000000
0x00099480
0x00099480
0x0009948b
0x00099494
0x00099498
0x00099498
0x0009949c
0x0009949f
0x000994a5
0x000994a8
0x000994ab
0x000994ae
0x000994ae
0x000994b1
0x000994b4
0x00000000
0x00000000
0x000994bd
0x000994bd
0x000994c0
0x000994c3
0x000994c6
0x000994c9
0x000994cc
0x000994ce
0x00000000
0x00000000
0x000994da
0x000994dd
0x000994e0
0x000994e3
0x000994e8
0x000994ed
0x000994f0
0x000994f3
0x000994f6
0x000994f9
0x000994fc
0x00099502
0x00099504
0x000995fc
0x000995fc
0x00099603
0x00099606
0x0009960b
0x0009960d
0x0009960f
0x00099612
0x00099618
0x00099614
0x00099614
0x00099614
0x0009961b
0x00099620
0x00099623
0x00099625
0x00099628
0x0009962f
0x0009962a
0x0009962a
0x0009962a
0x00099632
0x00099638
0x0009963b
0x0009963d
0x00099640
0x00099647
0x00099642
0x00099642
0x00099642
0x0009964a
0x0009964a
0x0009964d
0x00099650
0x00099652
0x0009965a
0x0009965c
0x0009965c
0x0009965f
0x00099662
0x00099664
0x00099666
0x00099669
0x00099671
0x00099673
0x00099675
0x00099678
0x0009967a
0x0009967c
0x0009967c
0x0009966b
0x0009966b
0x0009966d
0x0009966d
0x0009967e
0x00099686
0x00099689
0x0009968c
0x00099695
0x00099695
0x0009969a
0x0009969c
0x0009969c
0x00000000
0x00099652
0x0009950e
0x00099514
0x00099517
0x0009951f
0x00099527
0x0009952d
0x0009953e
0x00099544
0x00099549
0x0009954c
0x0009954f
0x00099552
0x00099554
0x000995bb
0x000995bb
0x000995c2
0x000995c4
0x00000000
0x00000000
0x000995c6
0x000995cc
0x000995cc
0x000995ce
0x000995d7
0x000995d9
0x000995db
0x000995de
0x000995de
0x000995de
0x00000000
0x000995ce
0x00099556
0x00099559
0x0009955c
0x0009955f
0x00099568
0x0009956e
0x00099574
0x00099576
0x00099578
0x00000000
0x00000000
0x00000000
0x00000000
0x0009957a
0x0009957a
0x00099580
0x00099586
0x0009958c
0x0009958d
0x00099590
0x00099598
0x0009959a
0x000995a3
0x000995a3
0x000995a8
0x000995a8
0x000995ab
0x000995ad
0x000995b3
0x000995b7
0x000995b7
0x00000000
0x000995e1
0x000995e1
0x000995e4
0x000995ed
0x000995f1
0x000995f1
0x000995f9
0x00000000
0x0009969e
0x0009969e
0x000996a2
0x000996a2
0x000996a2
0x000996a2
0x000996ab
0x000996b1
0x000996b4
0x000996ba
0x000996bd
0x000996c3
0x000996c3
0x000996cc
0x000996cf
0x000996d5
0x000996d8
0x000996db
0x000996de
0x000996de
0x000996de
0x000996de
0x00000000
0x000994ae
0x00099302
0x00099305
0x00000000
0x00099305
0x00099300
0x000992af
0x00099208
0x0009920b
0x00000000
0x00000000
0x00000000
0x0009920b
0x000991c2
0x00000000
0x000991b1
0x000991b1
0x00000000
0x000991b1
0x000991af
0x00099197
0x00099197
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00099186
GetObjectW.GDI32(?,00000018,?), ref: 00099239
DeleteObject.GDI32(?), ref: 00099305
_memset.LIBCMT ref: 000994E8
_memset.LIBCMT ref: 00099544
DeleteObject.GDI32(?), ref: 000996FC

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Object$Delete_memset$H_prolog3
String ID:
API String ID: 1235337548-0
Opcode ID: 0e4512c42fbefcdbf91bb90f986b34899ffb6e32a5dd1e696ae8b4cc5f3f9cbb
Instruction ID: 84c10643e9a872faece5f5c82949f44156d4f963b128e369ff9f115151087b97
Opcode Fuzzy Hash: 0e4512c42fbefcdbf91bb90f986b34899ffb6e32a5dd1e696ae8b4cc5f3f9cbb
Instruction Fuzzy Hash: 092227B0D00229DFCF25DFA8D985AEDBBB4FF09700F10809AE459AB251DB305A95DF90

Uniqueness

Uniqueness Score: -1.00%

Function 000623BA Relevance: 9.2, APIs: 6, Instructions: 246
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E000623BA(intOrPtr* __ecx, intOrPtr __edx, void* __fp0) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t53;
				intOrPtr _t58;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;
				intOrPtr _t72;
				intOrPtr* _t74;
				void* _t83;
				void* _t97;
				void* _t105;
				intOrPtr* _t107;
				intOrPtr* _t122;
				int _t146;
				intOrPtr* _t153;
				signed int _t154;
				intOrPtr _t167;
				intOrPtr _t173;
				void* _t178;
				intOrPtr _t179;
				intOrPtr _t181;

				_t151 = __edx;
				_t53 =  *0x1a0454; // 0x960af5fb
				_v8 = _t53 ^ _t154;
				_t153 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10b0)) != 0) {
					E000C22D9( *0x1a5c64);
					_t146 = E00041441(__ecx);
					_v32.y = _t146;
					if(_t146 != 0 && E0004EA07(_t146, 0x19d608) != 0) {
						_t110 = E0004EA25(0x19d608, _v32.y);
						_t105 = E0007A789(_t104, 0x19);
						_t158 = _t105;
						if(_t105 != 0) {
							 *((intOrPtr*)(_t105 + 4)) = 0;
							E0007EE0A(_t110, _t110, __edx, 0, _t153, _t158, __fp0);
						}
					}
				}
				_t107 =  *((intOrPtr*)( *_t153 + 0x1c0))();
				_t57 =  *((intOrPtr*)(_t107 + 0xc98));
				if( *((intOrPtr*)(_t107 + 0xc98)) != 0 &&  *((intOrPtr*)(_t107 + 0xb2c)) == 0) {
					_v32.y =  *_t107;
					 *((intOrPtr*)(_v32.y + 0x34c))(E00054E38(_t107, _t57));
					 *((intOrPtr*)(_t107 + 0xc98)) = 0;
				}
				_t58 =  *((intOrPtr*)(_t153 + 0x10bc));
				if(_t58 == 0) {
					L19:
					if( *((intOrPtr*)(_t153 + 0x148)) == 0) {
						E000C22C8(0);
					} else {
						 *((intOrPtr*)( *_t153 + 0x1d8))();
						 *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x148)) + 0x8c)) = 0;
						 *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x148)) + 0x9c)) = 0;
						_t83 = E0005ED49(_t107, _t153, _t151);
						if(_t83 != 0 &&  *((intOrPtr*)(_t153 + 0x120)) != 0) {
							_t173 =  *0x1a3f04; // 0x0
							if(_t173 == 0) {
								SendMessageW( *(_t83 + 0x20), 0x10, 0, 0);
								 *((intOrPtr*)(_t153 + 0x148)) = 0;
							}
						}
					}
					_t113 =  *((intOrPtr*)(_t153 + 0x144));
					_t174 =  *((intOrPtr*)(_t153 + 0x144));
					if( *((intOrPtr*)(_t153 + 0x144)) != 0) {
						E000CCB07(_t113, _t153);
					}
					E0005EF64(_t153, _t174, 0);
					_t61 =  *0x1a564c; // 0x0
					if(_t61 == 0) {
						_t61 = E00040DD3(_t153);
					}
					_t108 = _t61;
					_t62 = E0004EA25(0x15e958, _t108);
					if(_t62 == 0) {
						_t63 = E0004EA25(0x15ef7c, _t108);
						__eflags = _t63;
						if(__eflags == 0) {
							_t64 = E0004EA25(0x15e5ac, _t108);
							__eflags = _t64;
							if(__eflags != 0) {
								L35:
								_t151 =  *_t64;
								 *((intOrPtr*)( *_t64 + 0x1ec))(_t153);
								goto L36;
							}
							_t64 = E0004EA25(0x15e1f8, _t108);
							__eflags = _t64;
							if(__eflags == 0) {
								goto L36;
							}
							goto L35;
						}
						_t151 =  *_t63;
						 *((intOrPtr*)( *_t63 + 0x1d0))(_t153);
						goto L36;
					} else {
						_t151 =  *_t62;
						 *((intOrPtr*)( *_t62 + 0x1e4))(_t153);
						L36:
						if( *((intOrPtr*)(_t153 + 0xeb0)) != 0) {
							_t178 =  *0x1a48bc - _t153; // 0x0
							if(_t178 == 0) {
								 *0x1a48bc = 0;
							}
						}
						_t179 =  *0x1a3f04; // 0x0
						if(_t179 == 0 && _t108 != 0) {
							_t181 =  *0x1a48bc; // 0x0
							if(_t181 == 0) {
								_t126 = _t153;
								if(E0005ED9A(_t153) != 0) {
									_t72 = E0003F82E(_t108, _t126, _t151, GetFocus());
									_t108 = _t72;
									if(E0005ED9A(_t153) != _t72) {
										_t74 = E0005ED9A(_t153);
										_t151 =  *_t74;
										 *((intOrPtr*)( *_t74 + 0x360))();
									}
								}
							}
						}
						_t122 =  *((intOrPtr*)(_t153 + 0xfd4));
						if(_t122 != 0) {
							_t185 =  *((intOrPtr*)(_t122 + 0x20));
							if( *((intOrPtr*)(_t122 + 0x20)) != 0) {
								 *((intOrPtr*)( *_t122 + 0x60))();
							}
						}
						return E00130836(E000B78E7(_t108, _t153, _t151, 0, _t185), _t108, _v8 ^ _t154, _t151, 0, _t153);
					}
				}
				 *((intOrPtr*)(_t58 + 0x40)) = 0;
				_t107 = E0005ED49(_t107, _t153, _t151);
				if(_t107 == 0) {
					goto L19;
				}
				if( *((intOrPtr*)( *_t107 + 0x200))() != 0) {
					_t97 = E0004EA25(0x1695c0, _t107);
					if(_t97 != 0 &&  *((intOrPtr*)(_t97 + 0x1f00)) == 0) {
						 *((intOrPtr*)(_t153 + 0x120)) = 0;
					}
				}
				if( *((intOrPtr*)(_t153 + 0x120)) == 0) {
					goto L19;
				}
				_t167 =  *0x1a3f04; // 0x0
				if(_t167 != 0) {
					goto L19;
				}
				_v32.x = 0;
				_v32.y = 0;
				GetCursorPos( &_v32);
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetWindowRect( *(_t107 + 0x20),  &_v24);
				if( *((intOrPtr*)( *_t107 + 0x1d0))() != 0) {
					L18:
					SendMessageW( *(_t107 + 0x20), 0x10, 0, 0);
					 *((intOrPtr*)(_t153 + 0x10bc)) = 0;
					goto L19;
				}
				_push(_v32.y);
				if(PtInRect( &_v24, _v32) != 0) {
					goto L19;
				}
				goto L18;
			}

0x000623ba
0x000623c2
0x000623c9
0x000623cf
0x000623d9
0x000623e1
0x000623ed
0x000623ef
0x000623f4
0x00062410
0x00062416
0x0006241b
0x0006241d
0x00062421
0x00062424
0x00062424
0x0006241d
0x000623f4
0x00062433
0x00062435
0x0006243d
0x00062449
0x0006245a
0x00062460
0x00062460
0x00062466
0x0006246e
0x00062523
0x00062529
0x0006257e
0x0006252b
0x0006252f
0x0006253b
0x00062549
0x0006254f
0x00062556
0x00062560
0x00062566
0x0006256f
0x00062575
0x00062575
0x00062566
0x00062556
0x00062583
0x00062589
0x0006258b
0x0006258e
0x0006258e
0x00062596
0x0006259b
0x000625a2
0x000625a6
0x000625a6
0x000625ab
0x000625b3
0x000625bc
0x000625d1
0x000625d8
0x000625da
0x000625ef
0x000625f6
0x000625f8
0x0006260b
0x0006260b
0x00062610
0x00000000
0x00062610
0x00062600
0x00062607
0x00062609
0x00000000
0x00000000
0x00000000
0x00062609
0x000625dc
0x000625e1
0x00000000
0x000625be
0x000625be
0x000625c3
0x00062616
0x0006261c
0x0006261e
0x00062624
0x00062626
0x00062626
0x00062624
0x0006262c
0x00062632
0x00062638
0x0006263e
0x00062640
0x00062649
0x00062652
0x00062659
0x00062662
0x00062666
0x0006266b
0x0006266f
0x0006266f
0x00062662
0x00062649
0x0006263e
0x00062675
0x0006267d
0x0006267f
0x00062682
0x00062686
0x00062686
0x00062682
0x0006269e
0x0006269e
0x000625bc
0x00062476
0x0006247e
0x00062482
0x00000000
0x00000000
0x00062494
0x0006249c
0x000624a5
0x000624af
0x000624af
0x000624a5
0x000624bb
0x00000000
0x00000000
0x000624bd
0x000624c3
0x00000000
0x00000000
0x000624c9
0x000624cc
0x000624cf
0x000624dc
0x000624df
0x000624e2
0x000624e5
0x000624e8
0x000624fa
0x00062510
0x00062517
0x0006251d
0x00000000
0x0006251d
0x000624fc
0x0006250e
0x00000000
0x00000000
0x00000000

APIs

GetCursorPos.USER32(?), ref: 000624CF
GetWindowRect.USER32(?,?), ref: 000624E8
PtInRect.USER32(?,?,?), ref: 00062506
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00062517
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0006256F

Part of subcall function 00041441: GetParent.USER32(?), ref: 0004144B

GetFocus.USER32 ref: 0006264B

Part of subcall function 0007EE0A: __EH_prolog3_GS.LIBCMT ref: 0007EE14
Part of subcall function 0007EE0A: GetWindowRect.USER32(?,?), ref: 0007EEAD
Part of subcall function 0007EE0A: SetRect.USER32 ref: 0007EECF
Part of subcall function 0007EE0A: CreateCompatibleDC.GDI32(?), ref: 0007EEDB
Part of subcall function 0007EE0A: CreateCompatibleBitmap.GDI32(?,00000019,0019D608), ref: 0007EF05
Part of subcall function 0007EE0A: GetWindowRect.USER32(?,?), ref: 0007EF67
Part of subcall function 0007EE0A: GetClientRect.USER32 ref: 0007EF70

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
String ID:
API String ID: 2914356772-0
Opcode ID: 7fc381aff9e31a590f6781fd552e834a166063bac14f228098a3ca2c34a2ccb5
Instruction ID: de85d9270752a2aacfd3d66d945986246dc0372df0246edf2b9eefe2029cb055
Opcode Fuzzy Hash: 7fc381aff9e31a590f6781fd552e834a166063bac14f228098a3ca2c34a2ccb5
Instruction Fuzzy Hash: 0781B070A00A00DFCB26AF64D8959FEB7F6FF88701B24456EF4069B252DB74AD81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 000572A1 Relevance: 9.2, APIs: 6, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E000572A1(intOrPtr* __ecx, void* __edx, signed int _a4, intOrPtr _a8, char _a12, intOrPtr _a16) {
				signed int _v8;
				void* __ebx;
				signed int _t45;
				signed int _t46;
				signed int _t53;
				void* _t55;
				signed int _t60;
				signed int _t64;
				signed int _t73;
				signed int _t83;
				void* _t86;
				void* _t87;
				signed int _t88;
				void* _t91;
				signed int _t108;
				signed int _t113;
				intOrPtr* _t117;
				signed int _t119;

				_t111 = __edx;
				_push(__ecx);
				_t117 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xb44)) == 0) {
					_t45 =  *(__ecx + 0xb8c);
					_v8 = _t45;
					__eflags = _t45;
					if(_t45 < 0) {
						goto L1;
					}
					_t113 =  *(__ecx + 0xc98);
					 *(__ecx + 0xc98) =  *(__ecx + 0xc98) & 0x00000000;
					 *((intOrPtr*)( *__ecx + 0x3d0))();
					_push(_a16);
					_push(_a12);
					__eflags =  *((intOrPtr*)( *__ecx + 0x390))();
					if(__eflags < 0) {
						L6:
						_t46 =  *((intOrPtr*)( *_t117 + 0x3f8))(_a4, _t87);
						_t88 = _t46;
						_a4 = _t88;
						__eflags = _t88;
						if(_t88 == 0) {
							L30:
							L31:
							L32:
							return _t46;
						}
						_t53 =  *((intOrPtr*)( *_t88 + 0x78))(_t117);
						__eflags = _t53;
						if(_t53 != 0) {
							 *(_t88 + 0x1c) =  *(_t88 + 0x1c) & 0x00000000;
							__eflags = _t113;
							if(_t113 == 0) {
								L18:
								_t55 =  *((intOrPtr*)( *_t117 + 0x340))(_t88, _v8);
								__eflags = _t55 - 0xffffffff;
								if(_t55 != 0xffffffff) {
									 *((intOrPtr*)( *_t117 + 0x208))();
									_t98 = E0003F82E(_t88, _t117, _t111, GetParent( *(_t117 + 0x20)));
									_t60 = E0004EA07(_t59, 0x1660b8);
									__eflags = _t60;
									if(_t60 != 0) {
										_t73 = E0004EA25(0x19ced8, E0003F82E(_t88, _t98, _t111, GetParent( *(E0003F82E(_t88, _t98, _t111, GetParent( *(_t117 + 0x20))) + 0x20))));
										_pop(_t98);
										__eflags = _t73;
										if(_t73 != 0) {
											_t111 =  *_t73;
											_t98 = _t73;
											 *((intOrPtr*)( *_t73 + 0x20c))();
										}
									}
									__eflags =  *0x1a3f08;
									if( *0x1a3f08 != 0) {
										_t98 = _t88;
										 *((intOrPtr*)( *_t88 + 0x80))();
									}
									 *(_t117 + 0xb80) =  *(_t117 + 0xb80) | 0xffffffff;
									RedrawWindow( *(_t117 + 0x20), 0, 0, 0x505);
									_t64 = E0004EA25(0x19cffc, E0003F82E(RedrawWindow, _t98, _t111, GetParent( *(_t117 + 0x20))));
									__eflags = _t64;
									if(_t64 != 0) {
										RedrawWindow( *(_t64 + 0x20), 0, 0, 0x505);
									}
									L29:
									_t46 = 1;
									__eflags = 1;
									goto L30;
								}
								_t119 = 0;
								L21:
								 *((intOrPtr*)( *_t88 + 4))(1);
								_t46 = _t119;
								goto L30;
							}
							__eflags = _a8 - 1;
							if(_a8 == 1) {
								goto L18;
							}
							_t91 = E00054E38(_t117, _t113);
							__eflags = _v8 - _t91;
							if(_v8 == _t91) {
								L20:
								 *((intOrPtr*)( *_t117 + 0x410))(_t113, _t117 + 0xc80,  &_a12);
								_t88 = _a4;
								_t119 = 1;
								__eflags = 1;
								goto L21;
							}
							_t20 = _t91 + 1; // 0x1
							__eflags = _v8 - _t20;
							if(_v8 == _t20) {
								goto L20;
							}
							 *((intOrPtr*)( *_t117 + 0x34c))(_t91);
							_t108 = _v8;
							__eflags = _t108 - _t91;
							if(_t108 > _t91) {
								_t108 = _t108 - 1;
								__eflags = _t108;
							}
							_t83 =  *(_t117 + 0xbd4);
							__eflags = _t108 - _t83;
							if(_t108 < _t83) {
								_t83 = _t108;
							}
							_t88 = _a4;
							_v8 = _t83;
							goto L18;
						}
						 *((intOrPtr*)( *_t88 + 4))(1);
						goto L29;
					}
					_t86 = E00054F8E(__ecx, __eflags, _t50);
					__eflags = _t113 - _t86;
					if(_t113 != _t86) {
						goto L6;
					} else {
						_t46 = 0;
						goto L31;
					}
				}
				L1:
				_t46 = 0;
				goto L32;
			}

0x000572a1
0x000572a6
0x000572a8
0x000572b1
0x000572ba
0x000572c0
0x000572c3
0x000572c5
0x00000000
0x00000000
0x000572ca
0x000572d0
0x000572d7
0x000572dd
0x000572e2
0x000572ed
0x000572ef
0x00057304
0x0005730c
0x00057312
0x00057314
0x00057317
0x00057319
0x0005747d
0x0005747e
0x0005747f
0x00057481
0x00057481
0x00057324
0x00057327
0x00057329
0x00057339
0x0005733d
0x0005733f
0x00057383
0x0005738b
0x00057391
0x00057394
0x000573ca
0x000573e6
0x000573e8
0x000573ed
0x000573ef
0x0005740d
0x00057413
0x00057414
0x00057416
0x00057418
0x0005741a
0x0005741c
0x0005741c
0x00057416
0x00057422
0x00057429
0x0005742d
0x0005742f
0x0005742f
0x0005743b
0x0005744e
0x00057461
0x00057468
0x0005746a
0x00057478
0x00057478
0x0005747a
0x0005747c
0x0005747c
0x00000000
0x0005747c
0x00057396
0x000573b6
0x000573bc
0x000573bf
0x00000000
0x000573bf
0x00057341
0x00057345
0x00000000
0x00000000
0x0005734f
0x00057351
0x00057354
0x0005739a
0x000573aa
0x000573b0
0x000573b5
0x000573b5
0x00000000
0x000573b5
0x00057356
0x00057359
0x0005735c
0x00000000
0x00000000
0x00057363
0x00057369
0x0005736c
0x0005736e
0x00057370
0x00057370
0x00057370
0x00057371
0x00057377
0x00057379
0x0005737b
0x0005737b
0x0005737d
0x00057380
0x00000000
0x00057380
0x00057331
0x00000000
0x00057331
0x000572f4
0x000572f9
0x000572fb
0x00000000
0x000572fd
0x000572fd
0x00000000
0x000572fd
0x000572fb
0x000572b3
0x000572b3
0x00000000

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d24693df875ddd6e5a02b85d7668b689246e27a41cc6974209276049098d2e
Instruction ID: f4e36c7f83494e6d9e7b694e1576198ba20c02d02438ccee1e8acd94a65cfcfd
Opcode Fuzzy Hash: 11d24693df875ddd6e5a02b85d7668b689246e27a41cc6974209276049098d2e
Instruction Fuzzy Hash: 7F518F71204601AFDB299F64D848BAE77E9FF48311F104578FD4A9B2A2DB70ED44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0005F1ED Relevance: 9.1, APIs: 6, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0005F1ED(void* __ecx, void* __edx, void* __edi) {
				signed int _v8;
				struct tagRECT _v24;
				void* __ebx;
				void* __esi;
				signed int _t30;
				int _t35;
				int _t39;
				int _t58;
				void* _t59;
				void* _t64;
				void* _t65;
				void* _t67;
				signed int _t68;

				_t65 = __edi;
				_t64 = __edx;
				_t30 =  *0x1a0454; // 0x960af5fb
				_v8 = _t30 ^ _t68;
				_t67 = __ecx;
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetWindowRect( *( *((intOrPtr*)(__ecx + 0x120)) + 0x20),  &_v24);
				_t35 =  *(_t67 + 0x124);
				_t58 = _t35;
				if( *((intOrPtr*)(_t67 + 0x290)) != 0) {
					_t58 =  ~_t58;
				}
				OffsetRect( &_v24, _t58, _t35);
				SendMessageW( *(_t67 + 0x20), 0xb, 0, 0);
				_t39 = IsWindowVisible( *(_t67 + 0x20));
				_t59 = _t67;
				if(_t39 != 0) {
					E00043614(_t59, 0, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x14);
				} else {
					E00043582(_t59, 4);
					E00043614( *((intOrPtr*)(_t67 + 0x120)), 0x1a3428, E00043614(_t67, 0x1a3428, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x10) | 0xffffffff, E00043614(_t67, 0x1a3428, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x10) | 0xffffffff, E00043614(_t67, 0x1a3428, _v24.left, _v24.top, _v24.right - _v24.left, _v24.bottom - _v24.top, 0x10) | 0xffffffff, _t54, 0x53);
					_t65 = _t65;
				}
				SendMessageW( *(_t67 + 0x20), 0xb, 1, 0);
				return E00130836(RedrawWindow( *(_t67 + 0x20), 0, 0, 0x105), 0, _v8 ^ _t68, _t64, _t65, _t67);
			}

0x0005f1ed
0x0005f1ed
0x0005f1f5
0x0005f1fc
0x0005f206
0x0005f20f
0x0005f212
0x0005f215
0x0005f218
0x0005f21e
0x0005f224
0x0005f22a
0x0005f232
0x0005f234
0x0005f234
0x0005f23c
0x0005f249
0x0005f252
0x0005f258
0x0005f25c
0x0005f2b8
0x0005f25e
0x0005f261
0x0005f299
0x0005f29e
0x0005f29e
0x0005f2c5
0x0005f2e8

APIs

GetWindowRect.USER32(?,?), ref: 0005F21E
OffsetRect.USER32 ref: 0005F23C
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 0005F249
IsWindowVisible.USER32(?), ref: 0005F252
SendMessageW.USER32(00000014,0000000B,00000001,00000000), ref: 0005F2C5
RedrawWindow.USER32(00000105,00000000,00000000,00000105), ref: 0005F2D5

Part of subcall function 00043614: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,0003F2B6), ref: 0004363C

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Window$MessageRectSend$OffsetRedrawVisible
String ID:
API String ID: 2707749077-0
Opcode ID: 3ac87f0bc7c532d91f5def71d3aa876cfd45d36d7a600094e9a781d62be912d2
Instruction ID: 929cc85e51f375ab63834a44ff365fd887c1db2ca39d2872c598cc9c8ccfd03d
Opcode Fuzzy Hash: 3ac87f0bc7c532d91f5def71d3aa876cfd45d36d7a600094e9a781d62be912d2
Instruction Fuzzy Hash: A0312DB2A00209BFDB11DFA8DD85EBFBBF9FB08301F100528B556A6291D770AD00CB20

Uniqueness

Uniqueness Score: -1.00%

Function 000604D0 Relevance: 9.1, APIs: 6, Instructions: 79
timeCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E000604D0(void* __ebx, intOrPtr* __ecx, struct tagPOINT _a8, intOrPtr _a12) {
				void* __edi;
				int _t27;
				int _t28;
				int _t34;
				RECT* _t40;
				intOrPtr* _t48;

				_t48 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xfd8)) == 0) {
					_t27 = E0003F788(__ebx, __ecx, 0, __eflags);
					__eflags =  *(_t48 + 0xef0);
					if( *(_t48 + 0xef0) != 0) {
						__eflags =  *(_t48 + 0xf18);
						if( *(_t48 + 0xf18) == 0) {
							_push(__ebx);
							_push(_a12);
							_t40 = _t48 + 0xef8;
							_t28 = PtInRect(_t40, _a8.x);
							__eflags = _t28;
							if(_t28 == 0) {
								L8:
								_push(_a12);
								_t40 = _t48 + 0xf08;
								_t27 = PtInRect(_t40, _a8.x);
								__eflags = _t27;
								if(_t27 == 0) {
									L12:
									_t23 = _t48 + 0xf18;
									 *_t23 =  *(_t48 + 0xf18) & 0x00000000;
									__eflags =  *_t23;
								} else {
									_t27 =  *((intOrPtr*)( *_t48 + 0x1e0))();
									__eflags = _t27;
									if(_t27 == 0) {
										goto L12;
									} else {
										__eflags = 1;
										 *(_t48 + 0xf18) = 1;
										_push(1);
										goto L11;
									}
								}
							} else {
								_t34 =  *((intOrPtr*)( *_t48 + 0x1dc))();
								__eflags = _t34;
								if(_t34 == 0) {
									goto L8;
								} else {
									 *(_t48 + 0xf18) =  *(_t48 + 0xf18) | 0xffffffff;
									_push(1);
									L11:
									_t27 = InvalidateRect( *(_t48 + 0x20), _t40, ??);
								}
							}
							__eflags =  *(_t48 + 0xf18);
							if( *(_t48 + 0xf18) != 0) {
								return SetTimer( *(_t48 + 0x20), 2, 0x50, 0);
							}
						}
					}
				} else {
					_push(_a12);
					_t27 = PtInRect(__ecx + 0xfe0, _a8.x);
					if(_t27 == 0) {
						ReleaseCapture();
						 *((intOrPtr*)(_t48 + 0xfd8)) = 0;
						return  *((intOrPtr*)( *_t48 + 0x1f0))(_a8, _a12);
					}
				}
				return _t27;
			}

0x000604d7
0x000604e1
0x0006051f
0x00060524
0x0006052a
0x00060530
0x00060536
0x00060542
0x00060543
0x00060546
0x00060550
0x00060552
0x00060554
0x0006056f
0x0006056f
0x00060572
0x0006057c
0x0006057e
0x00060580
0x000605a6
0x000605a6
0x000605a6
0x000605a6
0x00060582
0x00060586
0x0006058c
0x0006058e
0x00000000
0x00060590
0x00060592
0x00060593
0x00060599
0x00000000
0x00060599
0x0006058e
0x00060556
0x0006055a
0x00060560
0x00060562
0x00000000
0x00060564
0x00060564
0x0006056b
0x0006059a
0x0006059e
0x0006059e
0x00060562
0x000605ad
0x000605b5
0x00000000
0x000605c0
0x000605b5
0x00060536
0x000604e3
0x000604e3
0x000604f0
0x000604f8
0x000604fe
0x0006050e
0x00000000
0x00060514
0x000604f8
0x000605c9

APIs

PtInRect.USER32(?,?,?), ref: 000604F0
ReleaseCapture.USER32 ref: 000604FE
PtInRect.USER32(?,?,?), ref: 00060550
InvalidateRect.USER32(?,?,00000001), ref: 0006059E
SetTimer.USER32(?,00000002,00000050,00000000), ref: 000605C0

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$CaptureInvalidateReleaseTimer
String ID:
API String ID: 2903485716-0
Opcode ID: abf0cf686f354f5cfe8182ff1e94ce84b70004f65bd91066ac7d05f97e7089df
Instruction ID: 8652d029c41e276ec259ac674afa22fdcfb505a3a0a28337b381b8621db43a8d
Opcode Fuzzy Hash: abf0cf686f354f5cfe8182ff1e94ce84b70004f65bd91066ac7d05f97e7089df
Instruction Fuzzy Hash: B4218C31284B06EBDB719F20DC48BBB77EAFB44391F140829E5AA865A0DB319941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0003B240 Relevance: 9.1, APIs: 6, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E0003B240(void* __ebx, void* __edx, void* __edi) {
				signed int _v8;
				intOrPtr _v24;
				signed int _v72;
				intOrPtr _v292;
				intOrPtr _v296;
				char _v300;
				struct _OSVERSIONINFOEXW _v364;
				void* __esi;
				signed int _t9;
				void* _t13;
				void* _t14;
				void* _t15;
				longlong _t16;
				int _t18;
				void* _t24;
				void* _t26;
				intOrPtr* _t27;
				void* _t28;
				signed int _t29;

				_t24 = __edx;
				_t31 = (_t29 & 0xfffffff8) - 0x12c;
				_t9 =  *0x1a0454; // 0x960af5fb
				_v8 = _t9 ^ (_t29 & 0xfffffff8) - 0x0000012c;
				E00131B30( &_v300, 0, 0x11c);
				_t27 = __imp__VerSetConditionMask;
				_v300 = 0x11c;
				_v296 = 6;
				_v292 = 0;
				_v24 = 0;
				_t13 =  *_t27(0, 0, 2, 3, _t26);
				_t14 =  *_t27(_t13, _t24, 1, 3);
				_t15 =  *_t27(_t14, _t24, 0x20, 3);
				_t16 =  *_t27(_t15, _t24, 0x10, 3);
				_t18 = VerifyVersionInfoW( &_v364, 0x33, _t16);
				_t28 = _t24;
				return E00130836(_t18, __ebx, _v72 ^ _t31 + 0x0000000c, _t24, __edi, _t28);
			}

0x0003b240
0x0003b246
0x0003b24c
0x0003b253
0x0003b267
0x0003b26c
0x0003b27d
0x0003b285
0x0003b28d
0x0003b295
0x0003b29c
0x0003b2a4
0x0003b2ac
0x0003b2b4
0x0003b2bf
0x0003b2cc
0x0003b2d7

APIs

_memset.LIBCMT ref: 0003B267
VerSetConditionMask.KERNEL32 ref: 0003B29C
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 0003B2A4
VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 0003B2AC
VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 0003B2B4
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 0003B2BF

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 76888a359d6ac49c15dd0e4d9012e16b12463e89a632c844a19e9fc946da23fd
Instruction ID: c68feeec2573b1539c5f0b85524878b86afec7db59d47066d8c447a608d04652
Opcode Fuzzy Hash: 76888a359d6ac49c15dd0e4d9012e16b12463e89a632c844a19e9fc946da23fd
Instruction Fuzzy Hash: F90188B0A443047AF6309B30EC1BFAB7FACDB88B14F00491DB6445B1C1D6B5AA14CAD6

Uniqueness

Uniqueness Score: -1.00%

Function 00052072 Relevance: 9.1, APIs: 6, Instructions: 52
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00052072(struct HWND__* _a4) {
				struct HWND__* _t3;
				struct HWND__* _t6;
				struct HWND__* _t8;
				struct HWND__* _t10;

				_t3 = GetFocus();
				_t10 = _t3;
				if(_t10 != 0) {
					_t8 = _a4;
					if(_t10 == _t8) {
						L10:
						return _t3;
					}
					if(E00051E65(_t10, 3) != 0) {
						L5:
						if(_t8 == 0 || (GetWindowLongW(_t8, 0xfffffff0) & 0x40000000) == 0) {
							L8:
							_t3 = SendMessageW(_t10, 0x14f, 0, 0);
							goto L9;
						} else {
							_t6 = GetParent(_t8);
							_t3 = GetDesktopWindow();
							if(_t6 == _t3) {
								L9:
								goto L10;
							}
							goto L8;
						}
					}
					_t3 = GetParent(_t10);
					_t10 = _t3;
					if(_t10 == _t8) {
						goto L9;
					}
					_t3 = E00051E65(_t10, 2);
					if(_t3 == 0) {
						goto L9;
					}
					goto L5;
				}
				return _t3;
			}

0x00052078
0x0005207e
0x00052082
0x00052085
0x0005208a
0x000520e8
0x00000000
0x000520e8
0x0005209d
0x000520b4
0x000520b6
0x000520d7
0x000520e1
0x00000000
0x000520c8
0x000520c9
0x000520cd
0x000520d5
0x000520e7
0x00000000
0x000520e7
0x00000000
0x000520d5
0x000520b6
0x000520a0
0x000520a2
0x000520a6
0x00000000
0x00000000
0x000520ab
0x000520b2
0x00000000
0x00000000
0x00000000
0x000520b2
0x000520eb

APIs

GetFocus.USER32 ref: 00052078
GetParent.USER32(00000000), ref: 000520A0

Part of subcall function 00051E65: GetWindowLongW.USER32(?,000000F0), ref: 00051E86
Part of subcall function 00051E65: GetClassNameW.USER32(?,?,0000000A), ref: 00051E9B
Part of subcall function 00051E65: CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF,?,0003E4A6,?,?), ref: 00051EB5

GetWindowLongW.USER32(?,000000F0), ref: 000520BB
GetParent.USER32(?), ref: 000520C9
GetDesktopWindow.USER32 ref: 000520CD
SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 000520E1

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
String ID:
API String ID: 1233893325-0
Opcode ID: 4588198172d1d12bd9db16c7a502c7357e1e1d6d4623f491267f4add2306ae9d
Instruction ID: 14ca84cbc5922536fde08b104ca71492b86926845362b9b2f01751ac5c6aec92
Opcode Fuzzy Hash: 4588198172d1d12bd9db16c7a502c7357e1e1d6d4623f491267f4add2306ae9d
Instruction Fuzzy Hash: 6301D13220130167E7712769BCCAF7F26DD8F86B63F0A5425FE00A65E28F208CC5C160

Uniqueness

Uniqueness Score: -1.00%

Function 00044029 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00044029(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E0003D521(__ecx, __eflags, _t26) == 0) {
					_t10 = E00040DD3(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E0003E4F0(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongW( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E00051ED2(_t21, _t25, _t26, __eflags,  *_t26, L"Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageW( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x88);
					if( *(_t10 + 0x88) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x00044029
0x00044029
0x00044030
0x00044034
0x0004403d
0x00044049
0x0004404e
0x00044050
0x0004405f
0x0004405f
0x00044066
0x000440c4
0x00000000
0x000440c7
0x00044068
0x0004406b
0x0004406e
0x00044075
0x0004407f
0x00044081
0x00000000
0x00000000
0x0004408a
0x0004408f
0x00044091
0x00000000
0x00000000
0x00044098
0x0004409e
0x000440a0
0x000440ad
0x000440b9
0x00000000
0x000440b9
0x000440a3
0x000440a9
0x000440ab
0x00000000
0x00000000
0x00000000
0x000440ab
0x00044070
0x00044073
0x00000000
0x00000000
0x00000000
0x00044073
0x00044052
0x00044059
0x00000000
0x00000000
0x00000000
0x0004405b
0x0004403f
0x00000000

Strings

Edit, xrefs: 00044083

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: edee277b93c61a55aab078a20923bb0d3ea9fc15616813a9a3946b7651b56398
Instruction ID: 3f23b711223d1b98205dd3c716b536d34ab2e934a4525a18b95bdda7c46a13da
Opcode Fuzzy Hash: edee277b93c61a55aab078a20923bb0d3ea9fc15616813a9a3946b7651b56398
Instruction Fuzzy Hash: 59118EB0204201FAEB751A25EC4ABAAB6E9AF44755F144635FB01E70E2CF71DC60C618

Uniqueness

Uniqueness Score: -1.00%

Function 000682F9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000682F9(void** __ecx, short* _a4) {
				intOrPtr* _t6;
				struct HINSTANCE__* _t9;

				_t14 = __ecx;
				_t13 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					if( *0x1a4958 == 0) {
						_t9 = GetModuleHandleW(L"Advapi32.dll");
						if(_t9 != 0) {
							 *0x1a4954 = GetProcAddress(_t9, "RegDeleteKeyExW");
						}
						 *0x1a4958 = 1;
					}
					_t6 =  *0x1a4954; // 0x0
					if(_t6 == 0) {
						return RegDeleteKeyW( *_t14, _a4);
					} else {
						return  *_t6( *_t14, _a4, _t14[1], 0);
					}
				}
				return E0004E3B6(_t13,  *((intOrPtr*)(__ecx)), _a4);
			}

0x000682ff
0x00068301
0x00068306
0x0006831b
0x00068322
0x0006832a
0x00068338
0x00068338
0x0006833d
0x0006833d
0x00068344
0x0006834b
0x00000000
0x0006834d
0x00000000
0x00068357
0x0006834b
0x00000000

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00068322
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00068332

Part of subcall function 0004E3B6: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0004E3CA
Part of subcall function 0004E3B6: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0004E3DA

Strings

RegDeleteKeyExW, xrefs: 0006832C
Advapi32.dll, xrefs: 0006831D

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: 381e675ed1c162fd4cce9162048a7a218e2e357b745aed28cd42e53b5c8c6390
Instruction ID: 51f7906f7a00753bca568d426e3783d85d258dd1d0e101276e1b6429aff308a1
Opcode Fuzzy Hash: 381e675ed1c162fd4cce9162048a7a218e2e357b745aed28cd42e53b5c8c6390
Instruction Fuzzy Hash: D7F0D131104340FFDB714F65EC04B563FE6AB48B85F244428F955956A0CB7296A4D752

Uniqueness

Uniqueness Score: -1.00%

Function 000612F4 Relevance: 7.6, APIs: 5, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000612F4(RECT* __ecx, void* __edx, void* __edi, struct tagPOINT* _a4) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				RECT* _v60;
				void* __ebx;
				void* __esi;
				signed int _t41;
				intOrPtr _t51;
				intOrPtr _t56;
				void* _t58;
				void* _t65;
				void* _t68;
				struct tagPOINT* _t74;
				void* _t84;
				RECT* _t88;
				RECT* _t90;
				signed int _t91;

				_t85 = __edi;
				_t84 = __edx;
				_t41 =  *0x1a0454; // 0x960af5fb
				_v8 = _t41 ^ _t91;
				_t74 = _a4;
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				_t88 = __ecx;
				_v60 = __ecx;
				GetClientRect( *(__ecx + 0x20),  &_v24);
				E0004636C(_t88,  &_v24);
				_push(_t74->y);
				if(PtInRect( &_v24, _t74->x) != 0) {
					_push(__edi);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t90 = _v60;
					_t51 =  *((intOrPtr*)(_t90 + 0xed4));
					if(_t51 == 0) {
						_v40.right =  *((intOrPtr*)(_t90 + 0xecc)) + _v24.left;
					} else {
						_t65 = _t51 - 1;
						if(_t65 == 0) {
							_v40.left = _v24.right -  *((intOrPtr*)(_t90 + 0xecc));
						} else {
							_t68 = _t65 - 1;
							if(_t68 == 0) {
								_v40.bottom =  *((intOrPtr*)(_t90 + 0xecc)) + _v24.top;
							} else {
								if(_t68 == 1) {
									_v40.top = _v24.bottom -  *((intOrPtr*)(_t90 + 0xecc));
								}
							}
						}
					}
					_push(_t74->y);
					if(PtInRect( &_v40, _t74->x) == 0) {
						_t56 =  *((intOrPtr*)(_t90 + 0xfc0));
						if(_t74->x <= _v24.right - _t56) {
							if(_t74->y <= _v24.bottom - _t56) {
								if(IsRectEmpty(_t90) != 0) {
									L20:
									_t58 = 0;
									goto L21;
								}
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E0004636C(_v60,  &_v56);
								_push(_t74->y);
								if(PtInRect( &_v56,  *_t74) == 0) {
									goto L20;
								}
								_push(5);
								goto L19;
							}
							_push(2);
							goto L19;
						}
						_t58 = 1;
						goto L21;
					} else {
						_push(3);
						L19:
						_pop(_t58);
						L21:
						_pop(_t85);
						goto L22;
					}
				} else {
					_t58 = 4;
					L22:
					return E00130836(_t58, _t74, _v8 ^ _t91, _t84, _t85, _t90);
				}
			}

0x000612f4
0x000612f4
0x000612fc
0x00061303
0x00061309
0x0006130d
0x00061310
0x00061313
0x00061316
0x0006131c
0x00061322
0x00061325
0x00061331
0x00061336
0x00061347
0x00061351
0x00061358
0x00061359
0x0006135a
0x0006135b
0x0006135c
0x00061365
0x00061368
0x000613a6
0x0006136a
0x0006136a
0x0006136b
0x00061398
0x0006136d
0x0006136d
0x0006136e
0x0006138a
0x00061370
0x00061371
0x0006137c
0x0006137c
0x00061371
0x0006136e
0x0006136b
0x000613a9
0x000613ba
0x000613c0
0x000613cd
0x000613dc
0x000613f1
0x0006141e
0x0006141e
0x00000000
0x0006141e
0x000613f9
0x000613fa
0x000613fb
0x00061400
0x00061401
0x00061406
0x00061417
0x00000000
0x00000000
0x00061419
0x00000000
0x00061419
0x000613de
0x00000000
0x000613de
0x000613d1
0x00000000
0x000613bc
0x000613bc
0x0006141b
0x0006141b
0x00061420
0x00061420
0x00000000
0x00061420
0x00061349
0x0006134b
0x00061421
0x0006142e
0x0006142e

APIs

GetClientRect.USER32 ref: 00061325

Part of subcall function 0004636C: ClientToScreen.USER32(?,00061336), ref: 0004637D
Part of subcall function 0004636C: ClientToScreen.USER32(?,0006133E), ref: 0004638A

PtInRect.USER32(?,?,?), ref: 0006133F
PtInRect.USER32(?,?,?), ref: 000613B2

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: e92a3adab54368160938207f5b79983d2b5dac1bc9bb297def83a350ee224174
Instruction ID: b9276e219d4b98a5a164c48754a78d172a4887761b94735723c867c31cd15b4f
Opcode Fuzzy Hash: e92a3adab54368160938207f5b79983d2b5dac1bc9bb297def83a350ee224174
Instruction Fuzzy Hash: 99410B71A0061AEFCF11DFA4D985AEEBBFAFF48301F144869E406FB640D671AA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000C5210 Relevance: 7.6, APIs: 5, Instructions: 111
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E000C5210(void* __ecx, void* __edx, void* __eflags, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				void* _t49;
				signed int _t54;
				signed int _t57;
				signed int _t60;
				signed int _t64;
				int _t71;
				void* _t80;
				void* _t81;
				void* _t82;
				int _t84;
				signed int _t85;
				void* _t86;

				_t86 = __eflags;
				_t80 = __edx;
				_t40 =  *0x1a0454; // 0x960af5fb
				_v8 = _t40 ^ _t85;
				_t81 = __ecx;
				_v28 = E0004342B(__ecx);
				_v24.left = 0;
				_v24.top = 0;
				_v24.right = 0;
				_v24.bottom = 0;
				GetWindowRect( *(__ecx + 0x20),  &_v24);
				_t71 = GetSystemMetrics(0x21);
				_t84 = GetSystemMetrics(0x20);
				_t82 = E0003F788(_t71, _t81, _t81, _t86);
				if((_v28 & 0x00001000) == 0) {
					L5:
					__eflags = _t82 - 0xa;
					if(_t82 < 0xa) {
						L7:
						__eflags = _t82 - 4;
						if(_t82 != 4) {
							goto L16;
						} else {
							goto L8;
						}
					} else {
						__eflags = _t82 - 0x11;
						if(_t82 <= 0x11) {
							L8:
							__eflags = _v28 & 0x00000800;
							if((_v28 & 0x00000800) == 0) {
								_t71 =  ~_t71;
								InflateRect( &_v24, _t84, _t71);
								__eflags = _v28 & 0x00000200;
								if((_v28 & 0x00000200) == 0) {
									L16:
									_t49 = _t82;
								} else {
									_t54 = _t82 - 4;
									__eflags = _t54;
									if(_t54 == 0) {
										L21:
										__eflags = _a8 - _v24.bottom;
										_t49 = 0xb + (0 | _a8 - _v24.bottom > 0x00000000) * 4;
									} else {
										_t57 = _t54 - 9;
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags = _a8 - _v24.top;
											_t49 = (0 | _a8 - _v24.top < 0x00000000) + (0 | _a8 - _v24.top < 0x00000000) + 0xa;
										} else {
											_t60 = _t57 - 1;
											__eflags = _t60;
											if(_t60 == 0) {
												__eflags = _a8 - _v24.top;
												_t49 = (0 | _a8 - _v24.top < 0x00000000) + 0xb;
											} else {
												_t64 = _t60;
												__eflags = _t64;
												if(_t64 == 0) {
													__eflags = _a8 - _v24.bottom;
													_t49 = ((0 | _a8 - _v24.bottom <= 0x00000000) - 0x00000001 & 0x00000005) + 0xa;
												} else {
													__eflags = _t64 == 1;
													if(_t64 == 1) {
														goto L21;
													} else {
														goto L16;
													}
												}
											}
										}
									}
								}
							} else {
								_t49 = 2;
							}
						} else {
							goto L7;
						}
					}
				} else {
					if(_t82 == 3) {
						_t82 = 2;
					}
					if(GetKeyState(2) >= 0) {
						goto L5;
					} else {
						_t49 = 0;
					}
				}
				return E00130836(_t49, _t71, _v8 ^ _t85, _t80, _t82, _t84);
			}

0x000c5210
0x000c5210
0x000c5218
0x000c521f
0x000c5225
0x000c522c
0x000c5231
0x000c5234
0x000c5237
0x000c523a
0x000c5244
0x000c5256
0x000c525c
0x000c526a
0x000c526c
0x000c5287
0x000c5287
0x000c528a
0x000c5291
0x000c5291
0x000c5294
0x00000000
0x00000000
0x00000000
0x00000000
0x000c528c
0x000c528c
0x000c528f
0x000c5296
0x000c5296
0x000c529d
0x000c52a4
0x000c52ae
0x000c52b4
0x000c52bb
0x000c52d3
0x000c52d3
0x000c52bd
0x000c52bf
0x000c52bf
0x000c52c2
0x000c531b
0x000c5320
0x000c5326
0x000c52c4
0x000c52c4
0x000c52c4
0x000c52c7
0x000c530f
0x000c5315
0x000c52c9
0x000c52c9
0x000c52c9
0x000c52ca
0x000c52ff
0x000c5305
0x000c52cc
0x000c52cd
0x000c52cd
0x000c52ce
0x000c52eb
0x000c52f5
0x000c52d0
0x000c52d0
0x000c52d1
0x00000000
0x00000000
0x00000000
0x00000000
0x000c52d1
0x000c52ce
0x000c52ca
0x000c52c7
0x000c52c2
0x000c529f
0x000c52a1
0x000c52a1
0x00000000
0x00000000
0x00000000
0x000c528f
0x000c526e
0x000c5271
0x000c5275
0x000c5275
0x000c5281
0x00000000
0x000c5283
0x000c5283
0x000c5283
0x000c5281
0x000c52e3

APIs

Part of subcall function 0004342B: GetWindowLongW.USER32(?,000000F0), ref: 00043436

GetWindowRect.USER32(?,0005F14E), ref: 000C5244
GetSystemMetrics.USER32 ref: 000C5252
GetSystemMetrics.USER32 ref: 000C5258
GetKeyState.USER32(00000002), ref: 000C5278
InflateRect.USER32 ref: 000C52AE

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: 4a89e48ec767a7c1c75ae8d794555c3275df4a2429b175c0ea4c9e52a0c27239
Instruction ID: a5abcd22a637db3cf3175bc4cb24bacc4c1f2c8a5c9fd504b0fc744d6e0f7f7d
Opcode Fuzzy Hash: 4a89e48ec767a7c1c75ae8d794555c3275df4a2429b175c0ea4c9e52a0c27239
Instruction Fuzzy Hash: D1319235B006199BDB20DFB8DC8AFEE77F4EB4A392F14441DD002DB191DA74AA80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0005E28C Relevance: 7.6, APIs: 5, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0005E28C(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t17;
				int _t20;
				intOrPtr* _t28;
				intOrPtr* _t31;
				void* _t36;
				int _t37;
				void* _t39;
				intOrPtr _t45;

				_t36 = __edi;
				_t35 = __edx;
				_t28 = __ecx;
				E0005DCF1(__ecx, __ecx, __edx, __edi, _t39, __eflags);
				E000A7BED(__ecx, __eflags, _a4, _a8, _a12);
				_t45 =  *0x1a3f04; // 0x0
				if(_t45 != 0) {
					_t46 =  *((intOrPtr*)(__ecx + 0xb04));
					if( *((intOrPtr*)(__ecx + 0xb04)) == 0) {
						E00056DE5(__ecx, __ecx, __edx, __edi, _t46);
					}
				}
				if( *((intOrPtr*)(_t28 + 0xb68)) == 0) {
					 *((intOrPtr*)( *_t28 + 0x3e0))();
				}
				_t31 = _t28;
				_t17 =  *((intOrPtr*)( *_t28 + 0x16c))();
				if(_t17 == 0) {
					L11:
					return _t17;
				} else {
					_t17 = E0004EA25(0x1688dc, E0004F25D(_t28, _t35, _t28));
					_t49 = _t17;
					if(_t17 == 0) {
						goto L11;
					}
					_push(_t36);
					_t20 = E00050E3E(_t28, _t31, _t35, _t36, 0, _t49, GetSystemMenu( *(_t17 + 0x20), 0));
					_t37 = _t20;
					if(_t37 != 0) {
						DeleteMenu( *(_t37 + 4), 0xf120, 0);
						DeleteMenu( *(_t37 + 4), 0xf020, 0);
						DeleteMenu( *(_t37 + 4), 0xf030, 0);
						_t20 =  *((intOrPtr*)( *_t28 + 0x1c4))();
						if(_t20 == 0) {
							_t20 = EnableMenuItem( *(_t37 + 4), 0xf060, 1);
						}
					}
					return _t20;
				}
			}

0x0005e28c
0x0005e28c
0x0005e293
0x0005e295
0x0005e2a5
0x0005e2ac
0x0005e2b2
0x0005e2b4
0x0005e2ba
0x0005e2be
0x0005e2be
0x0005e2ba
0x0005e2c9
0x0005e2cf
0x0005e2cf
0x0005e2d7
0x0005e2d9
0x0005e2e1
0x0005e35d
0x0005e35d
0x0005e2e3
0x0005e2ef
0x0005e2f7
0x0005e2f9
0x00000000
0x00000000
0x0005e2fb
0x0005e307
0x0005e30c
0x0005e310
0x0005e321
0x0005e32d
0x0005e339
0x0005e33f
0x0005e347
0x0005e353
0x0005e353
0x0005e347
0x00000000
0x0005e359

APIs

Part of subcall function 0005DCF1: __EH_prolog3_GS.LIBCMT ref: 0005DCF8
Part of subcall function 0005DCF1: GetWindowRect.USER32(?,?), ref: 0005DD39
Part of subcall function 0005DCF1: CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 0005DD63
Part of subcall function 0005DCF1: SetWindowRgn.USER32(?,?,00000000), ref: 0005DD79

GetSystemMenu.USER32 ref: 0005E300
DeleteMenu.USER32 ref: 0005E321
DeleteMenu.USER32 ref: 0005E32D
DeleteMenu.USER32 ref: 0005E339
EnableMenuItem.USER32 ref: 0005E353

Part of subcall function 00056DE5: SetRectEmpty.USER32 ref: 00056E18
Part of subcall function 00056DE5: ReleaseCapture.USER32 ref: 00056E1E
Part of subcall function 00056DE5: SetCapture.USER32(?), ref: 00056E2D
Part of subcall function 00056DE5: GetCapture.USER32 ref: 00056E6F
Part of subcall function 00056DE5: ReleaseCapture.USER32 ref: 00056E7F
Part of subcall function 00056DE5: SetCapture.USER32(?), ref: 00056E8E
Part of subcall function 00056DE5: RedrawWindow.USER32(?,?,?,00000505), ref: 00056EF9

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CaptureMenu$DeleteRectWindow$Release$CreateEmptyEnableH_prolog3_ItemRedrawRoundSystem
String ID:
API String ID: 2818640433-0
Opcode ID: 0c49534dcace172c422d0a1ef5a1176e6301efabb2169e1f0eaa2b4d7fa9fea4
Instruction ID: 1ac886d895ae0a2b5631ead9087d0136602616d577e8479de63d596e4564c97d
Opcode Fuzzy Hash: 0c49534dcace172c422d0a1ef5a1176e6301efabb2169e1f0eaa2b4d7fa9fea4
Instruction Fuzzy Hash: FB21E471700211BFDB252F60CC8AFAE7BA9FF44752F040476FA099B2A2CB719D54DA90

Uniqueness

Uniqueness Score: -1.00%

Function 0013354B Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0013354B(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x1a7b24, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x1a7e5c - _t7;
								if(__eflags == 0) {
									_t9 = E00131F1F(__eflags);
									 *_t9 = E00131EDD(GetLastError());
									goto L17;
								} else {
									__eflags = E0013A6E4(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E00131F1F(__eflags);
										 *_t12 = E00131EDD(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E0013A6E4(_t6, _t30);
						 *((intOrPtr*)(E00131F1F(__eflags))) = 0xc;
						goto L12;
					} else {
						E00130CB2(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00131013(__edx, __edi, __esi, _a8);
				}
			}

0x00133554
0x00133561
0x00133562
0x00133565
0x00133567
0x00133576
0x001335a9
0x001335a9
0x001335ac
0x00000000
0x00000000
0x00133579
0x0013357b
0x0013357d
0x0013357d
0x0013357d
0x0013358a
0x00133590
0x00133592
0x00133594
0x001335f4
0x001335f4
0x00133596
0x00133596
0x0013359c
0x001335de
0x001335f2
0x00000000
0x0013359e
0x001335a5
0x001335a7
0x001335c6
0x001335da
0x001335c0
0x001335c0
0x001335c0
0x00000000
0x00000000
0x00000000
0x001335a7
0x0013359c
0x00000000
0x001335c2
0x001335af
0x001335ba
0x00000000
0x00133569
0x0013356c
0x00133572
0x00133572
0x001335c3
0x001335c5
0x00133556
0x00133560
0x00133560

APIs

_malloc.LIBCMT ref: 00133559

Part of subcall function 00131013: __FF_MSGBANNER.LIBCMT ref: 0013102C
Part of subcall function 00131013: __NMSG_WRITE.LIBCMT ref: 00131033
Part of subcall function 00131013: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0013A71D,?,00000001,?,?,0013EDB7,00000018,00197030,0000000C,0013EE47), ref: 00131058

_free.LIBCMT ref: 0013356C

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 9dc96774195edd748bf9a318cb56a2c537ec172af9d9369199abdaf050603c6c
Instruction ID: 6ddd93b73d73f11c0c1bd1b713c2440bce5d4ebc89e422830710800f1d6f7b72
Opcode Fuzzy Hash: 9dc96774195edd748bf9a318cb56a2c537ec172af9d9369199abdaf050603c6c
Instruction Fuzzy Hash: 7F110632808615BBCF223B74AC05A5A3B95AF613B0F254525F8698B5A1DF34CF809798

Uniqueness

Uniqueness Score: -1.00%

Function 000BF533 Relevance: 7.6, APIs: 5, Instructions: 53
threadCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E000BF533(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t18;
				void* _t20;
				void* _t24;
				intOrPtr _t28;
				void* _t33;

				_push(0);
				_t10 = E00131A19(0x14e4ba, __ebx, __edi, __esi);
				_t28 =  *0x19cff8; // 0x1
				if(_t28 != 0) {
					if( *0x19e408 != 0xfffffffe) {
						_t10 =  *(_t24 + 8);
						 *0x19e408 = _t10;
						__eflags = _t10 - 0xffffffff;
						if(_t10 == 0xffffffff) {
							 *0x1a5a84 = 0;
						}
					} else {
						if( *(_t24 + 8) != 0xffffffff) {
							_t31 =  *0x1a5aa8 & 0x00000001;
							if(( *0x1a5aa8 & 0x00000001) == 0) {
								 *0x1a5aa8 =  *0x1a5aa8 | 0x00000001;
								 *(_t24 - 4) = 0;
								E000362B0(__ebx, __edi, _t31);
								E001311CA(_t31, 0x1563d3);
								 *(_t24 - 4) =  *(_t24 - 4) | 0xffffffff;
								_pop(_t18);
							}
							EnterCriticalSection(0x1a5a90);
							_t33 =  *0x1a5a84; // 0x0
							if(_t33 != 0) {
								E000455E0(_t18);
							}
							_t10 = E00137028(_t20, 0xbf4db, 0, 0);
							 *0x1a5a84 = _t10;
							if(_t10 <= 0 || _t10 == 0xffffffff) {
								 *0x1a5a84 = 0;
							} else {
								SetThreadPriority(_t10, 0xffffffff);
								_t10 =  *(_t24 + 8);
								 *0x19e408 =  *(_t24 + 8);
							}
							LeaveCriticalSection(0x1a5a90);
						}
					}
				}
				return E00131AF1(_t10);
			}

0x000bf533
0x000bf53a
0x000bf541
0x000bf547
0x000bf554
0x000bf5e8
0x000bf5eb
0x000bf5f0
0x000bf5f3
0x000bf5f5
0x000bf5f5
0x000bf55a
0x000bf55e
0x000bf564
0x000bf56b
0x000bf56d
0x000bf579
0x000bf57c
0x000bf586
0x000bf58b
0x000bf58f
0x000bf58f
0x000bf596
0x000bf59c
0x000bf5a2
0x000bf5a4
0x000bf5a4
0x000bf5b0
0x000bf5b8
0x000bf5bf
0x000bf5d9
0x000bf5c6
0x000bf5c9
0x000bf5cf
0x000bf5d2
0x000bf5d2
0x000bf5e0
0x000bf5e0
0x000bf55e
0x000bf554
0x000bf600

APIs

__EH_prolog3.LIBCMT ref: 000BF53A
EnterCriticalSection.KERNEL32(001A5A90,00000000,0005AB65,00000001), ref: 000BF596
__beginthread.LIBCMT ref: 000BF5B0
SetThreadPriority.KERNEL32(00000000,000000FF), ref: 000BF5C9
LeaveCriticalSection.KERNEL32(001A5A90), ref: 000BF5E0

Part of subcall function 000362B0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,00000000,960AF5FB,?,?,?,00153B58,000000FF), ref: 000362F3
Part of subcall function 000362B0: GetLastError.KERNEL32(?,?,?,00153B58,000000FF), ref: 000362FD

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CriticalSection$CountEnterErrorH_prolog3InitializeLastLeavePrioritySpinThread__beginthread
String ID:
API String ID: 4077887634-0
Opcode ID: 850d054b98df035c4e822a6dadf92cb9e95409c6947528cc5fa4e8f903394cbf
Instruction ID: 37e7699c7791cd796a08070627bbb3daa82ed62e145922935cf2a7e19b2a65c7
Opcode Fuzzy Hash: 850d054b98df035c4e822a6dadf92cb9e95409c6947528cc5fa4e8f903394cbf
Instruction Fuzzy Hash: 8C11C17050AF12FFC7319F34AD894A93BA5A716335B200335F5669B9E1C73049C29791

Uniqueness

Uniqueness Score: -1.00%

Function 000792A2 Relevance: 7.5, APIs: 5, Instructions: 44
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E000792A2(intOrPtr __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, int _a4) {
				signed int _v8;
				char _v264;
				short _v268;
				void* __ebp;
				signed int _t12;
				struct HKL__* _t19;
				intOrPtr _t27;
				void* _t28;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				signed int _t39;

				_t35 = __esi;
				_t34 = __edi;
				_t33 = __edx;
				_t28 = __ecx;
				_t27 = __ebx;
				_t37 = _t39;
				_t12 =  *0x1a0454; // 0x960af5fb
				_v8 = _t12 ^ _t39;
				if(GetKeyboardState( &_v264) == 0) {
					E000455E0(_t28);
				}
				E00131B30( &_v268, 0, 4);
				_t19 = GetKeyboardLayout( *(E000495BD() + 0x30));
				return E00130836(0 | ToUnicodeEx(_a4, MapVirtualKeyW(_a4, 0),  &_v264,  &_v268, 2, 0, _t19) > 0x00000000, _t27, _v8 ^ _t37, _t33, _t34, _t35);
			}

0x000792a2
0x000792a2
0x000792a2
0x000792a2
0x000792a2
0x000792a5
0x000792ad
0x000792b4
0x000792c6
0x000792c8
0x000792c8
0x000792d8
0x000792e8
0x0007932a

APIs

GetKeyboardState.USER32(?), ref: 000792BE
_memset.LIBCMT ref: 000792D8
GetKeyboardLayout.USER32 ref: 000792E8
MapVirtualKeyW.USER32(?,00000000), ref: 00079306
ToUnicodeEx.USER32 ref: 00079310

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Keyboard$Exception@8LayoutStateThrowUnicodeVirtual_memset
String ID:
API String ID: 505339058-0
Opcode ID: 9b45da5b27a19c3f022508642cb159fe7dded2d59484ba8006623a7be122a1f8
Instruction ID: 9d7445ac8cddb163ab5d92bf0eab1cea763e7e78406b6a9eaf278f99ef09cad0
Opcode Fuzzy Hash: 9b45da5b27a19c3f022508642cb159fe7dded2d59484ba8006623a7be122a1f8
Instruction Fuzzy Hash: 8E01A2B1A00208BBEB10AB70EC47FDE77BCAF18341F404061B645DA0E1EB70AA84CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0013B1E1 Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 66%

			E0013B1E1(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x196df8);
				E00131BC0(__ebx, __edi, __esi);
				_t28 = E00137F08(__ebx, __edx, _t31);
				_t12 =  *0x1a0b90; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E0013EE2C(_t20, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E0013B194(_t29,  *0x1a0dd8);
					 *(_t30 - 4) = 0xfffffffe;
					E0013B24E();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00137F08(_t20, __edx, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E001340CA(_t25, _t34);
				}
				return E00131C05(_t29);
			}

0x0013b1e1
0x0013b1e1
0x0013b1e1
0x0013b1e1
0x0013b1e1
0x0013b1e3
0x0013b1e8
0x0013b1f2
0x0013b1f4
0x0013b1fc
0x0013b220
0x0013b222
0x0013b228
0x0013b232
0x0013b23d
0x0013b240
0x0013b247
0x0013b1fe
0x0013b1fe
0x0013b202
0x00000000
0x0013b204
0x0013b209
0x0013b209
0x0013b202
0x0013b20c
0x0013b20e
0x0013b210
0x0013b212
0x0013b217
0x0013b21f

APIs

__getptd.LIBCMT ref: 0013B1ED

Part of subcall function 00137F08: __getptd_noexit.LIBCMT ref: 00137F0B
Part of subcall function 00137F08: __amsg_exit.LIBCMT ref: 00137F18

__getptd.LIBCMT ref: 0013B204
__amsg_exit.LIBCMT ref: 0013B212
__lock.LIBCMT ref: 0013B222
__updatetlocinfoEx_nolock.LIBCMT ref: 0013B236

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 1790d6df973feaed9f51711e0bd1ac75361bf165c900e02dac684906579b878f
Instruction ID: 6ddf200e92f6248b5719f3d6cd36ead8956dad00f86e81039551eff6bf5e908e
Opcode Fuzzy Hash: 1790d6df973feaed9f51711e0bd1ac75361bf165c900e02dac684906579b878f
Instruction Fuzzy Hash: EAF0B4329487149BDB26BBB4984375F37E0AF11720F110209F614BB2D2DB246940DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0003B4DE Relevance: 7.5, APIs: 5, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0003B4DE(void* __ebx, void* __edi, void* __esi) {
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t13;
				void* _t14;
				void* _t15;

				_t14 = __esi;
				_t13 = __edi;
				if(__ebx != __edi) {
					LocalFree(__ebx);
				}
				if(_t14 != _t13) {
					LocalFree(_t14);
				}
				_t4 =  *(_t15 - 0x4c);
				if(_t4 != _t13) {
					FreeSid(_t4);
				}
				_t5 =  *(_t15 - 0x58);
				if(_t5 != _t13) {
					CloseHandle(_t5);
				}
				_t6 =  *(_t15 - 0x50);
				if(_t6 != _t13) {
					return CloseHandle(_t6);
				}
				return _t6;
			}

0x0003b4de
0x0003b4de
0x0003b4e0
0x0003b4e3
0x0003b4e3
0x0003b4eb
0x0003b4ee
0x0003b4ee
0x0003b4f4
0x0003b4f9
0x0003b4fc
0x0003b4fc
0x0003b502
0x0003b507
0x0003b50a
0x0003b50a
0x0003b510
0x0003b515
0x00000000
0x0003b518
0x0003b51e

APIs

LocalFree.KERNEL32(00000000,0003B4B7), ref: 0003B4E3
LocalFree.KERNEL32(00000000,0003B4B7), ref: 0003B4EE
FreeSid.ADVAPI32(?,0003B4B7), ref: 0003B4FC
CloseHandle.KERNEL32(?), ref: 0003B50A
CloseHandle.KERNEL32(?), ref: 0003B518

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Free$CloseHandleLocal
String ID:
API String ID: 705109652-0
Opcode ID: 076889d73df6dc861fd8b946dafe9195cea256392d218a6fe0ffc297b5dc8a67
Instruction ID: 2deb47ba8763a3625d3347f8a4402b27546610fd6b8e49d4de790b84560faec9
Opcode Fuzzy Hash: 076889d73df6dc861fd8b946dafe9195cea256392d218a6fe0ffc297b5dc8a67
Instruction Fuzzy Hash: 3AE04F30904B04DBCF535BB8AC8D96DBBAEBB4070AF680900F502EB595E736DCC18A10

Uniqueness

Uniqueness Score: -1.00%

Function 0004E3B6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E0004E3B6(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t8;
				intOrPtr* _t12;

				_t12 = __ecx;
				if( *__ecx == 0) {
					if( *((intOrPtr*)(__ecx + 4)) == 0) {
						L6:
						return 1;
					}
					return RegDeleteKeyW();
				}
				_t7 = GetModuleHandleW(L"Advapi32.dll");
				if(_t7 == 0) {
					goto L6;
				}
				_t8 = GetProcAddress(_t7, "RegDeleteKeyTransactedW");
				if(_t8 == 0) {
					goto L6;
				}
				return  *_t8(_a4, _a8, 0, 0,  *_t12, 0);
			}

0x0004e3bd
0x0004e3c3
0x0004e3f6
0x0004e401
0x00000000
0x0004e403
0x0004e3fb
0x0004e3fb
0x0004e3ca
0x0004e3d2
0x00000000
0x00000000
0x0004e3da
0x0004e3e2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0004E3CA
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0004E3DA

Strings

RegDeleteKeyTransactedW, xrefs: 0004E3D4
Advapi32.dll, xrefs: 0004E3C5

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: 701c92d87fac267413152704c523236608eef1533efeb101aa156c1da20cdc40
Instruction ID: 5a822f74a382bc263c3f9780fa2782e2bb2a06856eb65c96a4d7f6cf8245e777
Opcode Fuzzy Hash: 701c92d87fac267413152704c523236608eef1533efeb101aa156c1da20cdc40
Instruction Fuzzy Hash: 64F0A772204254FBC7711F5AEC4CC67BBEAFBC1B633248536F655C5050D7328896D664

Uniqueness

Uniqueness Score: -1.00%

Function 0006535E Relevance: 6.2, APIs: 4, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0006535E(RECT* __ecx, intOrPtr __edx, signed int _a4) {
				int _v8;
				signed int _v12;
				struct tagRECT _v28;
				intOrPtr _v36;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t54;
				signed int _t58;
				intOrPtr _t65;
				intOrPtr _t67;
				signed int _t73;
				intOrPtr* _t74;
				intOrPtr _t77;
				intOrPtr* _t82;
				signed int _t83;
				int _t96;
				signed int _t97;
				RECT* _t100;
				intOrPtr _t101;
				signed int _t104;
				signed int _t105;
				void* _t107;
				void* _t108;

				_t95 = __edx;
				_t79 = __ecx;
				_t96 = 0;
				_t100 = __ecx;
				_t107 =  *0x1a3f04 - _t96; // 0x0
				if(_t107 != 0) {
					L6:
					return _t54;
				} else {
					_t108 =  *0x19e4d8 - _t96; // 0x1
					if(_t108 == 0 ||  *((intOrPtr*)(__ecx + 0xd00)) != 0) {
						goto L6;
					} else {
						_t54 = E0004EA25(0x19cffc, E0003F82E(_t77, _t79, _t95, GetParent( *(__ecx + 0x20))));
						if(_t54 == 0) {
							goto L6;
						} else {
							_t82 = _t54;
							_t54 = E0005EF1A(_t82);
							if(_t54 == 0) {
								goto L6;
							} else {
								_t54 =  *((intOrPtr*)(_t100 + 0xbcc));
								_v8 = 1;
								_v28.left = 0;
								_v28.top = 0;
								_v28.right = 0;
								_v28.bottom = 0;
								if(_t54 != 0) {
									while(1) {
										__eflags = _t54 - _t96;
										if(__eflags == 0) {
											break;
										}
										_t77 =  *((intOrPtr*)(_t54 + 8));
										_t82 =  *_t54;
										_v12 = _t82;
										__eflags = _t77 - _t96;
										if(__eflags != 0) {
											__eflags =  *(_t77 + 0x24) & 0x00000001;
											if(( *(_t77 + 0x24) & 0x00000001) == 0) {
												L13:
												_t100 = 0;
												_t73 = E0005ABF8(_t95,  *((intOrPtr*)(_t77 + 0x20)));
												__eflags = _t73;
												if(_t73 == 0) {
													__eflags = _v8 - _t96;
													if(_v8 == _t96) {
														_t73 =  *(_t77 + 0x58);
														_v28.bottom = _t73;
														_t100 = 1;
														__eflags = 1;
													}
													_v8 = 1;
													__eflags = _t100 - _t96;
													if(__eflags != 0) {
														goto L21;
													}
													goto L22;
												} else {
													__eflags = _v8 - _t96;
													if(_v8 != _t96) {
														_v8 = _t96;
														_t100 = _t77 + 0x54;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t96 = 0;
														__eflags = 0;
													}
													__eflags = _v12 - _t96;
													if(__eflags != 0) {
														goto L7;
													} else {
														_v28.bottom =  *((intOrPtr*)(_t77 + 0x60));
														L21:
														_t74 = E00054709(_t77, _t96, _t100, __eflags);
														_t95 =  *_t74;
														_t105 = _t105 - 0x10;
														_t100 =  &_v28;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t82 = _t74;
														asm("movsd");
														_t73 =  *((intOrPtr*)( *_t74 + 0xa0))(_a4);
														_t96 = 0;
														__eflags = 0;
														goto L22;
													}
												}
											} else {
												__eflags = _t82 - _t96;
												if(_t82 == _t96) {
													goto L13;
												} else {
													_t73 = E0005ABF8(_t95,  *((intOrPtr*)( *((intOrPtr*)(_t82 + 8)) + 0x20)));
													__eflags = _t73;
													if(_t73 != 0) {
														L22:
														__eflags = _v12 - _t96;
														if(_v12 != _t96) {
															L7:
															_t54 = _v12;
															continue;
														} else {
															return _t73;
														}
													} else {
														goto L13;
													}
												}
											}
										}
										break;
									}
									E000455E0(_t82);
									asm("int3");
									_t104 = _t105;
									_t58 =  *0x1a0454; // 0x960af5fb
									_v48 = _t58 ^ _t104;
									_push(_t77);
									_t78 = _v36;
									_push(_t100);
									_push(_t96);
									_t101 = _t82;
									_t60 = E00054F8E(_t82, __eflags, _v36);
									__eflags = _t60;
									if(_t60 == 0) {
										_t60 = E000455E0(_t82);
									}
									_t97 =  *(_t60 + 0x24);
									_t83 = _a4;
									__eflags = _t97 - _t83;
									if(_t97 != _t83) {
										 *(_t60 + 0x24) = _t83;
										_t60 = _t97 & _t83;
										__eflags = _t97 & _t83 & 0x00020000;
										if(__eflags == 0) {
											_t60 = E0004EA25(0x19ddfc, E00054F8E(_t101, __eflags, _t78));
											__eflags = _t60;
											if(_t60 == 0) {
												L31:
												_t97 = _t97 ^ _a4;
												__eflags = _t97 - 2;
												if(_t97 != 2) {
													_t60 = E00056CF9(_t101, _t95, _t78);
												}
											} else {
												__eflags = (_t97 ^ _a4) & 0x00010000;
												if(__eflags == 0) {
													goto L31;
												} else {
													_v28.left = 0;
													_v28.top = 0;
													_v28.right = 0;
													_v28.bottom = 0;
													E000A2ED1(_t60, __eflags,  &_v28);
													_t65 =  *0x1a3e54; // 0x2
													_t67 =  *0x1a3e50; // 0x2
													InflateRect( &_v28, _t67 + _t67, _t65 + _t65);
													InvalidateRect( *(_t101 + 0x20),  &_v28, 1);
													_t60 = UpdateWindow( *(_t101 + 0x20));
												}
											}
										}
									}
									__eflags = _v12 ^ _t104;
									return E00130836(_t60, _t78, _v12 ^ _t104, _t95, _t97, _t101);
								} else {
									goto L6;
								}
							}
						}
					}
				}
			}

0x0006535e
0x0006535e
0x00065369
0x0006536b
0x0006536d
0x00065373
0x000653d1
0x000653d1
0x00065375
0x00065375
0x0006537b
0x00000000
0x00065385
0x0006539a
0x000653a3
0x00000000
0x000653a5
0x000653a5
0x000653a7
0x000653ae
0x00000000
0x000653b0
0x000653b0
0x000653b6
0x000653bd
0x000653c0
0x000653c3
0x000653c6
0x000653cb
0x000653d7
0x000653d7
0x000653d9
0x00000000
0x00000000
0x000653df
0x000653e2
0x000653e4
0x000653e7
0x000653e9
0x000653ef
0x000653f3
0x00065408
0x0006540b
0x0006540d
0x00065412
0x00065414
0x00065437
0x0006543a
0x0006543c
0x00065441
0x00065444
0x00065444
0x00065444
0x00065445
0x0006544c
0x0006544e
0x00000000
0x00000000
0x00000000
0x00065416
0x00065416
0x00065419
0x0006541b
0x0006541e
0x00065424
0x00065425
0x00065426
0x00065427
0x00065428
0x00065428
0x00065428
0x0006542a
0x0006542d
0x00000000
0x0006542f
0x00065432
0x00065450
0x00065450
0x00065455
0x00065457
0x0006545f
0x00065462
0x00065463
0x00065464
0x00065465
0x00065467
0x00065468
0x0006546e
0x0006546e
0x00000000
0x0006546e
0x0006542d
0x000653f5
0x000653f5
0x000653f7
0x00000000
0x000653f9
0x000653ff
0x00065404
0x00065406
0x00065470
0x00065470
0x00065473
0x000653d4
0x000653d4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00065406
0x000653f7
0x000653f3
0x00000000
0x000653e9
0x0006547e
0x00065483
0x00065487
0x0006548c
0x00065493
0x00065496
0x00065497
0x0006549a
0x0006549b
0x0006549d
0x0006549f
0x000654a4
0x000654a6
0x000654a8
0x000654a8
0x000654ad
0x000654b0
0x000654b3
0x000654b5
0x000654bb
0x000654c0
0x000654c2
0x000654c7
0x000654db
0x000654e2
0x000654e4
0x00065540
0x00065540
0x00065543
0x00065546
0x0006554b
0x0006554b
0x000654e6
0x000654eb
0x000654f1
0x00000000
0x000654f3
0x000654f5
0x000654f8
0x000654fb
0x000654fe
0x00065507
0x0006550c
0x00065514
0x00065520
0x0006552f
0x00065538
0x00065538
0x000654f1
0x000654e4
0x000654c7
0x00065555
0x0006555e
0x00000000
0x00000000
0x00000000
0x000653cb
0x000653ae
0x000653a3
0x0006537b

APIs

GetParent.USER32(?), ref: 00065388
InflateRect.USER32 ref: 00065520
InvalidateRect.USER32(?,?,00000001), ref: 0006552F
UpdateWindow.USER32 ref: 00065538

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$InflateInvalidateParentUpdateWindow
String ID:
API String ID: 4005937429-0
Opcode ID: 994f92d957b7357660fc01db401c18e24e311c31390da9bff4173fb033bdecbb
Instruction ID: a8dcbd9f85df5bee0b8b2d068df5d59a989586e64df4f1e5fe79af2f969d15ef
Opcode Fuzzy Hash: 994f92d957b7357660fc01db401c18e24e311c31390da9bff4173fb033bdecbb
Instruction Fuzzy Hash: 0551C371A00A04DFCB15DFA9DC455AEBBF7FF88356F20016AE845AB251EB719E80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0005C4D7 Relevance: 6.2, APIs: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0005C4D7(void* __ebx, signed int* __ecx, signed int _a4, signed int _a8, signed int _a12) {
				signed short* _v8;
				signed int _v12;
				void* _v16;
				signed char _v20;
				intOrPtr _v24;
				intOrPtr _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t69;
				void* _t70;
				signed int _t75;
				signed char _t79;
				signed int _t80;
				signed int _t81;
				signed int _t86;
				signed int _t92;
				signed int* _t94;
				signed int _t95;
				intOrPtr _t98;
				void* _t99;
				signed int _t102;
				signed int _t103;
				signed int _t110;
				signed int _t122;
				signed int* _t124;
				signed int _t125;
				struct HINSTANCE__* _t126;
				void* _t131;

				_t105 = __ecx;
				_t99 = __ebx;
				_t127 = _a4;
				_t124 = __ecx;
				if(_a4 != 0) {
					L2:
					_t126 =  *(E0004B628(_t99, _t124, _t125, _t127) + 0xc);
					_t69 = FindResourceW(_t126, _a4 & 0x0000ffff, 0xf1);
					if(_t69 != 0) {
						_t70 = LoadResource(_t126, _t69);
						_v16 = _t70;
						__eflags = _t70;
						if(_t70 == 0) {
							goto L3;
						}
						_t125 = LockResource(_t70);
						__eflags = _t125;
						if(__eflags == 0) {
							goto L3;
						}
						_t122 = 4;
						_t123 = ( *(_t125 + 6) & 0x0000ffff) * _t122 >> 0x20;
						_t75 = E0003C37C(__eflags,  ~(0 | __eflags > 0x00000000) | ( *(_t125 + 6) & 0x0000ffff) * _t122);
						_pop(_t105);
						_v12 = _t75;
						__eflags = _t75;
						if(__eflags == 0) {
							goto L1;
						} else {
							__eflags = _a12;
							_t110 =  *(_t125 + 4) & 0x0000ffff;
							_push(_t99);
							_t100 =  *(_t125 + 2) & 0x0000ffff;
							_v24 = ( *(_t125 + 2) & 0x0000ffff) + 6;
							_v8 = _t110;
							_v20 = _t110 + 6;
							if(_a12 == 0) {
								_t79 =  *0x1a3f20; // 0x0
							} else {
								_t79 = _t124[0x2ef];
							}
							__eflags = _t79;
							if(_t79 == 0) {
								_t123 =  *0x1a3b7c; // 0x1
								asm("fld1");
								__eflags = _t123;
								if(_t123 == 0) {
								}
								_t131 = st2;
								asm("fucompp");
								asm("fnstsw ax");
								__eflags = _t79 & 0x00000044;
								if((_t79 & 0x00000044) != 0) {
									st1 = _t131;
									st0 = _t131;
								} else {
									__eflags = _t123;
									if(_t123 == 0) {
										st0 = _t131;
									} else {
										st1 = _t131;
									}
									asm("fild dword [ebp-0x14]");
									asm("fxch st0, st1");
									_t98 = E00135A90(_t79,  *0x15bdf8 + st0);
									asm("fild dword [ebp-0x10]");
									_v32 = _t98;
									asm("fmulp st2, st0");
									asm("faddp st1, st0");
									_t79 = E00135A90(_t98,  *0x15bdf8 + st0);
									_v24 = _v32;
									_t110 = _v8;
									_v20 = _t79;
								}
							}
							__eflags = _a12;
							if(_a12 == 0) {
								_t80 = E000546CF(_t79, 0x1a3fe0);
								__eflags = _t80;
								if(_t80 == 0) {
									E00054948(_t123, _v24, _v20, _t100, _v8);
								}
							} else {
								E00054AC4(_t124, _v24, _v20, _t100, _t110, 0);
							}
							_t81 = _a8;
							_t102 = 1;
							__eflags =  *(_t81 + 4);
							if( *(_t81 + 4) == 0) {
								 *(_t81 + 4) = _a4;
							}
							__eflags = _t124[0x329];
							if(_t124[0x329] != 0) {
								L28:
								_a8 = _t124[0x2e4];
								_t103 = 0;
								__eflags = 0 -  *(_t125 + 6);
								if(0 >=  *(_t125 + 6)) {
									L34:
									_t124[0x329] = _a4;
									_t86 =  *((intOrPtr*)( *_t124 + 0x33c))(_v12,  *(_t125 + 6) & 0x0000ffff, 1);
									_t102 = _t86;
									__eflags = _t102;
									if(_t102 == 0) {
										_t63 =  &(_t124[0x329]);
										 *_t63 = _t124[0x329] & _t86;
										__eflags =  *_t63;
									}
									goto L36;
								}
								_t45 = _t125 + 8; // 0x8
								_v8 = _t45;
								do {
									__eflags = _a12;
									_t92 =  *_v8 & 0x0000ffff;
									 *(_v12 + _t103 * 4) = _t92;
									if(_a12 == 0) {
										__eflags = _t92;
										if(__eflags != 0) {
											_t94 = E000EA1D7(0x19ce84, _t123, __eflags, _t92);
											_t53 =  &_a8;
											 *_t53 = _a8 + 1;
											__eflags =  *_t53;
											 *_t94 = _a8;
										}
									}
									_v8 =  &(_v8[1]);
									_t103 = _t103 + 1;
									__eflags = _t103 - ( *(_t125 + 6) & 0x0000ffff);
								} while (_t103 < ( *(_t125 + 6) & 0x0000ffff));
								goto L34;
							} else {
								_t123 =  *_t124;
								_t95 =  *((intOrPtr*)( *_t124 + 0x334))(_t81, _a12);
								__eflags = _t95;
								if(_t95 == 0) {
									L36:
									_push(_v12);
									E0003C3AB();
									FreeResource(_v16);
									return _t102;
								}
								goto L28;
							}
						}
					}
					L3:
					return 0;
				}
				L1:
				E000455E0(_t105);
				goto L2;
			}

0x0005c4d7
0x0005c4d7
0x0005c4df
0x0005c4e5
0x0005c4e7
0x0005c4ee
0x0005c4f3
0x0005c501
0x0005c509
0x0005c514
0x0005c51a
0x0005c51d
0x0005c51f
0x00000000
0x00000000
0x0005c528
0x0005c52a
0x0005c52c
0x00000000
0x00000000
0x0005c536
0x0005c537
0x0005c541
0x0005c546
0x0005c547
0x0005c54a
0x0005c54c
0x00000000
0x0005c54e
0x0005c54e
0x0005c552
0x0005c556
0x0005c557
0x0005c55e
0x0005c564
0x0005c567
0x0005c56a
0x0005c574
0x0005c56c
0x0005c56c
0x0005c56c
0x0005c579
0x0005c57b
0x0005c57d
0x0005c583
0x0005c58b
0x0005c58d
0x0005c58d
0x0005c595
0x0005c597
0x0005c599
0x0005c59b
0x0005c59e
0x0005c5db
0x0005c5dd
0x0005c5a0
0x0005c5a0
0x0005c5a2
0x0005c5a8
0x0005c5a4
0x0005c5a4
0x0005c5a4
0x0005c5aa
0x0005c5b7
0x0005c5b9
0x0005c5be
0x0005c5c1
0x0005c5c4
0x0005c5c6
0x0005c5c8
0x0005c5d0
0x0005c5d3
0x0005c5d6
0x0005c5d6
0x0005c59e
0x0005c5df
0x0005c5e3
0x0005c5fd
0x0005c602
0x0005c604
0x0005c610
0x0005c610
0x0005c5e5
0x0005c5f1
0x0005c5f1
0x0005c615
0x0005c61a
0x0005c61b
0x0005c61f
0x0005c624
0x0005c624
0x0005c627
0x0005c62e
0x0005c642
0x0005c648
0x0005c64d
0x0005c64f
0x0005c653
0x0005c691
0x0005c694
0x0005c6a8
0x0005c6ae
0x0005c6b0
0x0005c6b2
0x0005c6b4
0x0005c6b4
0x0005c6b4
0x0005c6b4
0x00000000
0x0005c6b2
0x0005c655
0x0005c658
0x0005c65b
0x0005c65b
0x0005c662
0x0005c668
0x0005c66b
0x0005c66d
0x0005c66f
0x0005c677
0x0005c67f
0x0005c67f
0x0005c67f
0x0005c682
0x0005c682
0x0005c66f
0x0005c688
0x0005c68c
0x0005c68d
0x0005c68d
0x00000000
0x0005c630
0x0005c633
0x0005c638
0x0005c63e
0x0005c640
0x0005c6ba
0x0005c6ba
0x0005c6bd
0x0005c6c6
0x00000000
0x0005c6ce
0x00000000
0x0005c640
0x0005c62e
0x0005c54c
0x0005c50b
0x00000000
0x0005c50b
0x0005c4e9
0x0005c4e9
0x00000000

APIs

FindResourceW.KERNEL32(?,00000000,000000F1), ref: 0005C501

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

LoadResource.KERNEL32(?,00000000), ref: 0005C514
LockResource.KERNEL32(00000000), ref: 0005C522
FreeResource.KERNEL32(?), ref: 0005C6C6

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Resource$Exception@8FindFreeLoadLockThrow
String ID:
API String ID: 3726238965-0
Opcode ID: bc11f4bd6d571a14873afec6039846a78d7a7baa937678ec7cd92627a22148ae
Instruction ID: 0f2610a8a0817ae4c91a0a108053fcb49caf4514f6eb3c2227a97e598b26f082
Opcode Fuzzy Hash: bc11f4bd6d571a14873afec6039846a78d7a7baa937678ec7cd92627a22148ae
Instruction Fuzzy Hash: BD61C3B4A00706EFEB159FA1C854ABFB7F4FF04346F108129EC5696291EB709E84DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0004E1E4 Relevance: 6.1, APIs: 4, Instructions: 121
registryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0004E1E4(void* __ecx, intOrPtr* _a4, WCHAR* _a8, short* _a12, WCHAR* _a16) {
				int* _v8;
				char _v16;
				signed int _v20;
				short _v8212;
				WCHAR* _v8216;
				char _v8220;
				void* _v8224;
				long _v8228;
				int _v8232;
				int _v8236;
				short* _v8240;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t44;
				signed int _t45;
				WCHAR* _t47;
				void* _t53;
				long _t58;
				intOrPtr* _t71;
				intOrPtr _t72;
				void* _t83;
				WCHAR* _t88;
				short* _t90;
				intOrPtr _t91;
				intOrPtr _t95;
				void* _t97;
				signed int _t98;

				_t73 = __ecx;
				_push(0xffffffff);
				_push(0x14906c);
				_push( *[fs:0x0]);
				E00133C00(0x2020);
				_t44 =  *0x1a0454; // 0x960af5fb
				_t45 = _t44 ^ _t98;
				_v20 = _t45;
				_push(_t45);
				 *[fs:0x0] =  &_v16;
				_t90 = _a12;
				_t88 = _a16;
				_t71 = _a4;
				_t47 = _a8;
				_v8240 = _t90;
				_v8216 = _t88;
				_v8228 = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					if(_t88 == 0) {
						_v8216 = 0x1818c0;
					}
					GetPrivateProfileStringW(_t47, _t90, _v8216,  &_v8212, 0x1000,  *(_t73 + 0x6c));
					_push( &_v8212);
					goto L12;
				} else {
					_t53 = E0004DDE0(__ecx, _t47, 0);
					_v8224 = _t53;
					if(_t53 != 0) {
						E00031110( &_v8220, E00045761());
						_v8 = 0;
						_v8236 = 0;
						_v8232 = 0;
						_t58 = RegQueryValueExW(_v8224, _t90, 0,  &_v8236, 0,  &_v8232);
						_v8228 = _t58;
						if(_t58 == 0) {
							_v8228 = RegQueryValueExW(_v8224, _v8240, 0,  &_v8236, E000312F0( &_v8220, _v8232 >> 1),  &_v8232);
							E000361B0(_t71,  &_v8220, RegQueryValueExW, 0xffffffff);
						}
						RegCloseKey(_v8224);
						if(_v8228 != 0) {
							E00036620(_t71, _v8216);
							_t83 = _v8220 + 0xfffffff0;
						} else {
							_t97 = _v8220 + 0xfffffff0;
							 *_t71 = E000341F0(_t97) + 0x10;
							_t83 = _t97;
						}
						E00031190(_t83, _t88);
					} else {
						_push(_v8216);
						L12:
						E00036620(_t71);
					}
				}
				 *[fs:0x0] = _v16;
				_pop(_t91);
				_pop(_t95);
				_pop(_t72);
				return E00130836(_t71, _t72, _v20 ^ _t98, _t88, _t91, _t95);
			}

0x0004e1e4
0x0004e1e9
0x0004e1eb
0x0004e1f6
0x0004e1fc
0x0004e201
0x0004e206
0x0004e208
0x0004e20e
0x0004e212
0x0004e218
0x0004e21b
0x0004e21e
0x0004e221
0x0004e226
0x0004e22c
0x0004e232
0x0004e23b
0x0004e337
0x0004e339
0x0004e339
0x0004e35a
0x0004e366
0x00000000
0x0004e241
0x0004e243
0x0004e248
0x0004e250
0x0004e269
0x0004e28b
0x0004e28e
0x0004e294
0x0004e29a
0x0004e29c
0x0004e2a4
0x0004e2e0
0x0004e2e6
0x0004e2e6
0x0004e2f1
0x0004e2fd
0x0004e325
0x0004e330
0x0004e2ff
0x0004e305
0x0004e312
0x0004e314
0x0004e314
0x0004e316
0x0004e252
0x0004e252
0x0004e367
0x0004e369
0x0004e369
0x0004e250
0x0004e373
0x0004e37b
0x0004e37c
0x0004e37d
0x0004e389

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0004E29A
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0004E2D6
RegCloseKey.ADVAPI32(?), ref: 0004E2F1
GetPrivateProfileStringW.KERNEL32(?,?,?,?,00001000,?), ref: 0004E35A

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: QueryValue$ClosePrivateProfileString
String ID:
API String ID: 1042844925-0
Opcode ID: 597d688eaae173516108f53b5a697de147e500a70a6faf4ca54b70afd92a7bc1
Instruction ID: 705e1adf062b50e20f3a5a55ffee72a7aba88f431b9483e46d2067446ee4b2e5
Opcode Fuzzy Hash: 597d688eaae173516108f53b5a697de147e500a70a6faf4ca54b70afd92a7bc1
Instruction Fuzzy Hash: DD413CB1D00228EBDB369F14CC499DEB7B9FB48310F1045AAE519A3292C7309E95DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001433CF Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E001433CF(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E001311E1( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E0013586F( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00131F1F(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x001433d9
0x001433e0
0x001433f7
0x00000000
0x001433e7
0x001433e9
0x00143403
0x00143408
0x0014340b
0x0014340e
0x00143436
0x0014343d
0x0014343f
0x001434c0
0x001434db
0x001434dd
0x0014341d
0x0014341d
0x00143420
0x00143422
0x00143425
0x00143425
0x00143425
0x00143425
0x00000000
0x0014342b
0x0014349f
0x0014349f
0x001434a4
0x001434aa
0x001434ad
0x001434af
0x001434b2
0x001434b2
0x001434b2
0x001434b2
0x00000000
0x001434b6
0x00143441
0x00143444
0x0014344a
0x0014344d
0x00143474
0x00143477
0x0014347d
0x00000000
0x00000000
0x0014347f
0x00143482
0x00000000
0x00000000
0x00143484
0x00143484
0x0014348a
0x0014348d
0x001433fc
0x001433fc
0x00143496
0x00000000
0x00143496
0x0014344f
0x00143452
0x00000000
0x00000000
0x00143456
0x00143467
0x0014346d
0x0014346f
0x00143472
0x00000000
0x00000000
0x00000000
0x00143472
0x00143410
0x00143413
0x00143415
0x0014341a
0x0014341a
0x00000000
0x001433eb
0x001433eb
0x001433f0
0x001433f4
0x001433f4
0x00000000
0x001433f0
0x001433e9

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00143403
__isleadbyte_l.LIBCMT ref: 00143436
MultiByteToWideChar.KERNEL32(00000080,00000009,0013094E,?,00000000,00000000,?,?,?,?,0013094E,00000000), ref: 00143467
MultiByteToWideChar.KERNEL32(00000080,00000009,0013094E,00000001,00000000,00000000,?,?,?,?,0013094E,00000000), ref: 001434D5

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a51922177ef744098556d433def1a2e47551f60b32d61e79613b475a697b5583
Instruction ID: 78567271b08c3df11a25c7e7eec0e6b91e8523699d3cc26cd11c6a9ccb5b5726
Opcode Fuzzy Hash: a51922177ef744098556d433def1a2e47551f60b32d61e79613b475a697b5583
Instruction Fuzzy Hash: 7D31DE31A00285EFDB26DFA8C8959BE7BA5FF01311F1985A9E5B18B1A1D730DE80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0009637C Relevance: 6.1, APIs: 4, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0009637C(intOrPtr __ecx, intOrPtr __edx, intOrPtr __esi, struct tagRECT* _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				signed int _t32;
				long _t51;
				int _t56;
				long _t59;
				struct tagRECT* _t62;
				long _t68;
				long _t72;
				intOrPtr _t73;
				intOrPtr _t74;
				signed int _t77;

				_t75 = __esi;
				_t73 = __edx;
				_t32 =  *0x1a0454; // 0x960af5fb
				_v8 = _t32 ^ _t77;
				_t62 = _a4;
				_t74 = __ecx;
				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))) + 0x19c))() != 0) {
					_push(__esi);
					_v28 = E00043445( *((intOrPtr*)(__ecx + 4))) & 0x00400000;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))) + 0x1bc))();
					asm("sbb esi, esi");
					GetWindowRect( *( *((intOrPtr*)(__ecx + 4)) + 0x20), _t62);
					__eflags = 0;
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetClientRect( *( *((intOrPtr*)(_t74 + 4)) + 0x20),  &_v24);
					E0004636C( *((intOrPtr*)(_t74 + 4)),  &_v24);
					_pop(_t75);
					if(__eflags == 0) {
						_t68 = _t62->bottom;
						_t51 = _v24.top - 1;
						__eflags = _t68 - _t51;
						if(_t68 < _t51) {
							_t51 = _t68;
						}
						_t62->bottom = _t51;
					} else {
						__eflags = _v28;
						if(_v28 == 0) {
							_t72 = _t62->right;
							_t59 = _v24.left - 1;
							__eflags = _t72 - _t59;
							if(_t72 < _t59) {
								_t59 = _t72;
							}
							_t62->right = _t59;
						} else {
							_t62->left = _v24.right - 1;
						}
					}
					__eflags = _a8;
					if(_a8 == 0) {
						_t56 = OffsetRect(_t62,  ~(_t62->left),  ~(_t62->top));
					} else {
						_t56 = E0004632B( *((intOrPtr*)(_t74 + 4)), _t62);
					}
				} else {
					_t56 = SetRectEmpty(_t62);
				}
				return E00130836(_t56, _t62, _v8 ^ _t77, _t73, _t74, _t75);
			}

0x0009637c
0x0009637c
0x00096384
0x0009638b
0x0009638f
0x00096393
0x000963a2
0x000963b3
0x000963c1
0x000963c6
0x000963d3
0x000963dc
0x000963e2
0x000963e4
0x000963e7
0x000963ea
0x000963ed
0x000963fa
0x00096407
0x0009640e
0x0009640f
0x00096434
0x00096437
0x00096438
0x0009643a
0x0009643c
0x0009643c
0x0009643e
0x00096411
0x00096411
0x00096415
0x00096422
0x00096425
0x00096426
0x00096428
0x0009642a
0x0009642a
0x0009642c
0x00096417
0x0009641b
0x0009641b
0x00096415
0x00096441
0x00096445
0x0009645e
0x00096447
0x0009644b
0x0009644b
0x000963a4
0x000963a5
0x000963a5
0x00096471

APIs

SetRectEmpty.USER32 ref: 000963A5
GetWindowRect.USER32(?,?), ref: 000963DC
GetClientRect.USER32 ref: 000963FA

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: 34e2294d005ce1fad2dddb3d43ce64f8588f262e47fbca9d71646d305e262b29
Instruction ID: 5a19984a97cd3da223099b7fb8f513cd647f593eda4cbe7c96aa2b0cc8759cc7
Opcode Fuzzy Hash: 34e2294d005ce1fad2dddb3d43ce64f8588f262e47fbca9d71646d305e262b29
Instruction Fuzzy Hash: A4315CB1604219EFCF40DFA8D995AAEB7F4FF09300B1081A9E40ADB651DB31ED00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00100185 Relevance: 6.1, APIs: 4, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00100185(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				struct tagRECT _v24;
				char _v40;
				RECT* _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t32;
				intOrPtr _t46;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t57;

				_t52 = __edx;
				_t32 =  *0x1a0454; // 0x960af5fb
				_v8 = _t32 ^ _t57;
				_t46 = __ecx;
				_t34 =  *((intOrPtr*)(__ecx + 0x48));
				_t56 = 0;
				if(_t34 != 0) {
					_t50 =  *((intOrPtr*)(_t34 + 0x1b8));
					_v44 = 0;
					if(_t50 != 0 &&  *((intOrPtr*)(_t50 + 8)) != 0 &&  *((intOrPtr*)(_t50 + 4)) != 0) {
						_v44 = 1;
						E000DE3C8(_t50);
					}
					_v24.left = _t56;
					_v24.top = _t56;
					_v24.right = _t56;
					_v24.bottom = _t56;
					SetRectEmpty( &_v24);
					_t56 = _t46 + 0x1c;
					if(IsRectEmpty(_t46 + 0x1c) != 0) {
						_t56 = _t46 + 0xc;
					}
					_push(_t53);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if( *((intOrPtr*)(_t46 + 0x34)) != 0xffffffff) {
						 *((intOrPtr*)(_t46 + 0x2c)) = 1;
					} else {
						_t64 = _v44;
						if(_v44 == 0) {
							_push(4);
							_push( *((intOrPtr*)(_t46 + 0x40)));
							_push(0);
							_push( &_v40);
							_push( &_v24);
							_t50 = _t46;
							_t34 = E000FFE57(_t46, _t46, _t52, 0, _t56, _t64);
						}
					}
					if(_a4 != 0) {
						_t50 = _t46;
						E0010007F(_t46, 0, 0);
						_t56 = SetRectEmpty;
						SetRectEmpty(_t46 + 0x1c);
						SetRectEmpty(_t46 + 0xc);
						_t34 =  *((intOrPtr*)(_t46 + 0x4c));
						 *((intOrPtr*)(_t46 + 0x38)) =  *((intOrPtr*)(_t46 + 0x4c));
						 *((intOrPtr*)(_t46 + 0x4c)) = 0;
					}
					 *((intOrPtr*)(_t46 + 0x30)) = 0;
					if(_t46 == 0) {
						_t34 = E000455E0(_t50);
					}
					if(_v44 == 0) {
						_t34 = E00082233(0);
					}
					_pop(_t53);
				}
				return E00130836(_t34, _t46, _v8 ^ _t57, _t52, _t53, _t56);
			}

0x00100185
0x0010018d
0x00100194
0x00100198
0x0010019a
0x0010019e
0x001001a2
0x001001a8
0x001001ae
0x001001b3
0x001001bf
0x001001c6
0x001001c6
0x001001cf
0x001001d2
0x001001d5
0x001001d8
0x001001db
0x001001e1
0x001001ed
0x001001ef
0x001001ef
0x001001f2
0x001001f6
0x001001f7
0x001001f8
0x001001f9
0x00100200
0x0010021e
0x00100202
0x00100202
0x00100205
0x00100207
0x00100209
0x0010020f
0x00100210
0x00100214
0x00100215
0x00100217
0x00100217
0x00100205
0x00100228
0x0010022b
0x0010022d
0x00100232
0x0010023c
0x00100242
0x00100244
0x00100247
0x0010024a
0x0010024a
0x0010024d
0x00100255
0x00100257
0x00100257
0x0010025f
0x00100264
0x00100264
0x00100269
0x00100269
0x00100277

APIs

SetRectEmpty.USER32 ref: 001001DB
IsRectEmpty.USER32 ref: 001001E5
SetRectEmpty.USER32 ref: 0010023C
SetRectEmpty.USER32 ref: 00100242

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: bf6686ba9c13c3ac4bbe5bcdbea4d5a28d2c824fa875b741cb735540dac6d7eb
Instruction ID: 3db587046654f5892f206136f8a7e6a1c80a4c9a443ea0998ee3b33cb46db640
Opcode Fuzzy Hash: bf6686ba9c13c3ac4bbe5bcdbea4d5a28d2c824fa875b741cb735540dac6d7eb
Instruction Fuzzy Hash: BF318171900618DBCF12DF98C8C4AEEB7B9FF4C710F24406AE901AB186D7B1D985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000474B2 Relevance: 6.1, APIs: 4, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E000474B2(intOrPtr __ebx, int _a4, int _a8, long _a12) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPOINT _v32;
				void* __edi;
				void* __esi;
				signed int _t22;
				void* _t27;
				intOrPtr _t31;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t40;
				intOrPtr _t42;
				intOrPtr _t45;
				void* _t46;
				intOrPtr _t47;
				long _t49;
				signed int _t50;
				intOrPtr _t51;

				_t42 = __ebx;
				_t22 =  *0x1a0454; // 0x960af5fb
				_v8 = _t22 ^ _t50;
				_t49 = _a12;
				_t51 =  *0x1a38c8; // 0x0
				if(_t51 == 0) {
					L9:
					return E00130836(CallNextHookEx( *0x1a38c4, _a4, _a8, _t49), _t42, _v8 ^ _t50, _t47, 0, _t49);
				}
				_t27 = _a8 - 0xa1;
				if(_t27 == 0) {
					L7:
					_v32.x = 0;
					_v32.y = 0;
					GetCursorPos( &_v32);
					_t31 =  *0x1a38c8; // 0x0
					_v24.left = 0;
					_v24.top = 0;
					_v24.right = 0;
					_v24.bottom = 0;
					GetWindowRect( *( *((intOrPtr*)(_t31 + 4)) + 0x20),  &_v24);
					_push(_v32.y);
					if(PtInRect( &_v24, _v32.x) == 0) {
						_t45 =  *0x1a38c8; // 0x0
						E00047052(_t45, _t47, _v32, _v32.y);
					}
					goto L9;
				}
				_t46 = 3;
				_t37 = _t27 - _t46;
				if(_t37 == 0) {
					goto L7;
				}
				_t38 = _t37 - _t46;
				if(_t38 == 0) {
					goto L7;
				}
				_t39 = _t38 - 0x15a;
				if(_t39 == 0) {
					goto L7;
				}
				_t40 = _t39 - _t46;
				if(_t40 == 0 || _t40 == _t46) {
					goto L7;
				} else {
					goto L9;
				}
			}

0x000474b2
0x000474ba
0x000474c1
0x000474c5
0x000474cb
0x000474d1
0x0004754d
0x0004756d
0x0004756d
0x000474d6
0x000474db
0x000474f7
0x000474fb
0x000474fe
0x00047501
0x0004750b
0x00047510
0x00047513
0x00047516
0x00047519
0x00047522
0x00047528
0x0004753a
0x0004753f
0x00047548
0x00047548
0x00000000
0x0004753a
0x000474df
0x000474e0
0x000474e2
0x00000000
0x00000000
0x000474e4
0x000474e6
0x00000000
0x00000000
0x000474e8
0x000474ed
0x00000000
0x00000000
0x000474ef
0x000474f1
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetCursorPos.USER32(?), ref: 00047501
GetWindowRect.USER32(?,?), ref: 00047522
PtInRect.USER32(?,?,?), ref: 00047532
CallNextHookEx.USER32 ref: 0004755A

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$CallCursorHookNextWindow
String ID:
API String ID: 3719484595-0
Opcode ID: 961f1a7ad4ea0b8e5006a8c32080d6e5e4decb1b063d27871714a7fcaa8e815e
Instruction ID: 3ba7c2814f8e1cf23536b38a7c24acf5087afb54b46bcb205f13ba19258e035c
Opcode Fuzzy Hash: 961f1a7ad4ea0b8e5006a8c32080d6e5e4decb1b063d27871714a7fcaa8e815e
Instruction Fuzzy Hash: 91212C7590420AEBCF42DFA9DD099BEBFF8FF99301B404169F514E6560C7789A80CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00117039 Relevance: 6.1, APIs: 4, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00117039(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				void* _t25;
				WCHAR* _t26;
				void* _t32;
				void* _t35;
				struct HRSRC__* _t36;
				void* _t37;
				WCHAR* _t38;
				WCHAR* _t39;

				_t35 = __edx;
				_t33 = __ecx;
				_t39 = _a4;
				_t40 =  *(_t39 + 4) & 0x00000001;
				_t32 = __ecx;
				if(( *(_t39 + 4) & 0x00000001) == 0) {
					_t36 = FindResourceW( *(_t39 + 8),  *(_t39 + 0xc), 5);
					__eflags = _t36;
					if(_t36 == 0) {
						E00045E44(_t33);
					}
					_t37 = LoadResource( *(_t39 + 8), _t36);
					__eflags = _t37;
					if(_t37 == 0) {
						E00045E44(_t33);
					}
					_t38 = LockResource(_t37);
					__eflags = _t38;
					if(__eflags == 0) {
						E00045E44(_t33);
					}
				} else {
					_t38 =  *(_t39 + 0xc);
				}
				_t23 = E0004B628(_t32, _t38, _t39, _t40);
				_t41 =  *((intOrPtr*)(_t23 + 0x3c));
				if( *((intOrPtr*)(_t23 + 0x3c)) != 0) {
					_t38 = E00115E6B(_t32, _t32, _t38);
				}
				_push(_a8);
				_push(_t38);
				_a4 = E00116F53(_t32, _t35, _t38, _t39, _t41);
				_t25 =  *(_t32 + 0x7c);
				if(_t25 != 0) {
					GlobalFree(_t25);
					 *(_t32 + 0x7c) =  *(_t32 + 0x7c) & 0x00000000;
				}
				_t26 = _a4;
				if(_t26 != 0) {
					_t38 = _t26;
					 *(_t32 + 0x7c) = _t26;
				}
				 *(_t39 + 4) =  *(_t39 + 4) | 0x00000001;
				 *(_t39 + 0xc) = _t38;
				return _t26;
			}

0x00117039
0x00117039
0x00117040
0x00117043
0x00117048
0x0011704a
0x0011705f
0x00117061
0x00117063
0x00117065
0x00117065
0x00117074
0x00117076
0x00117078
0x0011707a
0x0011707a
0x00117086
0x00117088
0x0011708a
0x0011708c
0x0011708c
0x0011704c
0x0011704c
0x0011704c
0x00117091
0x00117096
0x0011709a
0x001170a4
0x001170a4
0x001170a6
0x001170a9
0x001170af
0x001170b2
0x001170b7
0x001170ba
0x001170c0
0x001170c0
0x001170c4
0x001170c9
0x001170cb
0x001170cd
0x001170cd
0x001170d0
0x001170d4
0x001170db

APIs

FindResourceW.KERNEL32(?,?,00000005,00000005,?,00000000,?,0011731C,00000005,?), ref: 00117059
LoadResource.KERNEL32(?,00000000,?,00000000,?,0011731C,00000005,?), ref: 0011706E
LockResource.KERNEL32(00000000,?,00000000,?,0011731C,00000005,?), ref: 00117080
GlobalFree.KERNEL32(?), ref: 001170BA

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 43b8343ac516ea7b8ea4676e40c9fe20f17f1ce6b8346adf16457df218eebb2e
Instruction ID: c7890bf6eecc1ea3f8b033d70f6cd65da732fb8a6b37d97674ca174e17903237
Opcode Fuzzy Hash: 43b8343ac516ea7b8ea4676e40c9fe20f17f1ce6b8346adf16457df218eebb2e
Instruction Fuzzy Hash: F31193311047019BCB256F26D845B967BF9AF85365B15803CF8598B692DB30D8818B20

Uniqueness

Uniqueness Score: -1.00%

Function 00044398 Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00044398(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t24;
				void* _t29;
				void* _t31;
				struct HINSTANCE__* _t33;
				signed int _t35;
				signed int _t36;
				void* _t38;
				signed int* _t41;

				_push(__ecx);
				_push(_t29);
				_t38 = __ecx;
				_t43 =  *((intOrPtr*)(__ecx + 0x78));
				_t41 =  *(__ecx + 0x80);
				_v8 =  *((intOrPtr*)(__ecx + 0x7c));
				if( *((intOrPtr*)(__ecx + 0x78)) != 0) {
					_t33 =  *(E0004B628(_t29, __ecx, _t41, _t43) + 0xc);
					_v8 = LoadResource(_t33, FindResourceW(_t33,  *(_t38 + 0x78), 5));
				}
				if(_v8 != 0) {
					_t41 = LockResource(_v8);
				}
				_t31 = 1;
				if(_t41 != 0) {
					_t36 =  *_t41;
					if(_t41[0] != 0xffff) {
						_t24 = _t41[2] & 0x0000ffff;
						_t35 = _t41[3] & 0x0000ffff;
					} else {
						_t36 = _t41[3];
						_t24 = _t41[4] & 0x0000ffff;
						_t35 = _t41[5] & 0x0000ffff;
					}
					if((_t36 & 0x00001801) != 0 || _t24 != 0 || _t35 != 0) {
						_t31 = 0;
					}
				}
				if( *(_t38 + 0x78) != 0) {
					FreeResource(_v8);
				}
				return _t31;
			}

0x0004439d
0x0004439e
0x000443a1
0x000443a3
0x000443aa
0x000443b0
0x000443b3
0x000443ba
0x000443d1
0x000443d1
0x000443d8
0x000443e3
0x000443e3
0x000443e7
0x000443ea
0x000443ec
0x000443f7
0x00044406
0x0004440a
0x000443f9
0x000443f9
0x000443fc
0x00044400
0x00044400
0x00044414
0x00044420
0x00044420
0x00044414
0x00044426
0x0004442b
0x0004442b
0x00044437

APIs

FindResourceW.KERNEL32(?,00000000,00000005), ref: 000443C3
LoadResource.KERNEL32(?,00000000), ref: 000443CB
LockResource.KERNEL32(00000000), ref: 000443DD
FreeResource.KERNEL32(00000000), ref: 0004442B

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: c6fee3ee4df30477219d0556c9c886ed6aa6f3292b563d23dcb70dea3df1ce22
Instruction ID: 757b1c82bda3fe2b7fb82c647f9abd3a3ae230ff71d493d6f75f51e6474c5d5f
Opcode Fuzzy Hash: c6fee3ee4df30477219d0556c9c886ed6aa6f3292b563d23dcb70dea3df1ce22
Instruction Fuzzy Hash: B911BBB4500611EBDB608FA5D888BBAB7F8FF44712F108079E94253990E7B0ED94E760

Uniqueness

Uniqueness Score: -1.00%

Function 0003E464 Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0003E464(intOrPtr __ebx, intOrPtr __edx, struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
				signed int _v8;
				long _v16;
				void _v20;
				void* __edi;
				void* __esi;
				signed int _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				long _t18;
				intOrPtr _t22;
				struct HWND__* _t23;
				intOrPtr _t26;
				void* _t27;
				struct HDC__* _t28;
				signed int _t29;

				_t26 = __edx;
				_t22 = __ebx;
				_t10 =  *0x1a0454; // 0x960af5fb
				_v8 = _t10 ^ _t29;
				_t23 = _a8;
				_t28 = _a4;
				_t27 = _a16;
				if(_t28 == 0 || _t27 == 0) {
					L10:
					_t12 = 0;
				} else {
					_t14 = _a12;
					if(_t14 == 1 || _t14 == 0 || _t14 == 5 || _t14 == 2 && E00051E65(_t23, _t14) == 0) {
						goto L10;
					} else {
						GetObjectW(_t27, 0xc,  &_v20);
						SetBkColor(_t28, _v16);
						_t18 = _a20;
						if(_t18 == 0xffffffff) {
							_t18 = GetSysColor(8);
						}
						SetTextColor(_t28, _t18);
						_t12 = 1;
					}
				}
				return E00130836(_t12, _t22, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x0003e464
0x0003e464
0x0003e46c
0x0003e473
0x0003e476
0x0003e47a
0x0003e47e
0x0003e483
0x0003e4de
0x0003e4de
0x0003e489
0x0003e489
0x0003e48f
0x00000000
0x0003e4aa
0x0003e4b1
0x0003e4bb
0x0003e4c1
0x0003e4c7
0x0003e4cb
0x0003e4cb
0x0003e4d3
0x0003e4db
0x0003e4db
0x0003e48f
0x0003e4ed

APIs

GetObjectW.GDI32(?,0000000C,?), ref: 0003E4B1
SetBkColor.GDI32(?,?), ref: 0003E4BB
GetSysColor.USER32 ref: 0003E4CB
SetTextColor.GDI32(?,?), ref: 0003E4D3

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: 61accfbda037ca251bf22a59c46e2fa4591590deb21373a80113716e44cc8341
Instruction ID: f6f2f8ae6ec91426e4c70f3c51e391f95889f01a1dd530e574a3431db4e244eb
Opcode Fuzzy Hash: 61accfbda037ca251bf22a59c46e2fa4591590deb21373a80113716e44cc8341
Instruction Fuzzy Hash: 8A11CC31A00248ABDB629F68DC46AAF73EDAF8D711F104624FD22D69D1DB30DC01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 000570A6 Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E000570A6(intOrPtr __ecx) {
				signed int _v8;
				struct tagRECT _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t15;
				intOrPtr _t24;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t31;
				signed int _t35;

				_t15 =  *0x1a0454; // 0x960af5fb
				_t16 = _t15 ^ _t35;
				_v8 = _t15 ^ _t35;
				_t24 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xb44)) == 0) {
					 *(__ecx + 0xb8c) =  *(__ecx + 0xb8c) | 0xffffffff;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					InflateRect( &_v24, 2, 2);
					InvalidateRect( *(_t24 + 0x20),  &_v24, 1);
					UpdateWindow( *(_t24 + 0x20));
					_t16 = SetRectEmpty(_t24 + 0xc58);
					 *(_t24 + 0xb8c) =  *(_t24 + 0xb8c) | 0xffffffff;
					_t29 = _t29;
					 *0x1a3fc8 = 1;
					_t31 = _t31;
				}
				return E00130836(_t16, _t24, _v8 ^ _t35, _t28, _t29, _t31);
			}

0x000570ae
0x000570b3
0x000570b5
0x000570b9
0x000570c2
0x000570c4
0x000570d6
0x000570d7
0x000570da
0x000570e1
0x000570e2
0x000570f3
0x000570fc
0x00057109
0x0005710f
0x00057116
0x00057117
0x0005711d
0x0005711d
0x0005712a

APIs

InflateRect.USER32 ref: 000570E2
InvalidateRect.USER32(?,?,00000001), ref: 000570F3
UpdateWindow.USER32 ref: 000570FC
SetRectEmpty.USER32 ref: 00057109

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Rect$EmptyInflateInvalidateUpdateWindow
String ID:
API String ID: 3040190709-0
Opcode ID: 29e34c10dcfafd6bdd1e5d16e3e39df6dfe5cc499ba7d04bff6efcdbd2fe0cea
Instruction ID: 0685fd2ef34a276dc64fafdb308407524665df8766f3bd35a56ef97ce901dddf
Opcode Fuzzy Hash: 29e34c10dcfafd6bdd1e5d16e3e39df6dfe5cc499ba7d04bff6efcdbd2fe0cea
Instruction Fuzzy Hash: 30019671500605DFDB00DF98EC8AAD77BB8FB49325F100265ED159F0E6CB705945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000432BF Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E000432BF(intOrPtr __ecx, void* __edx, void* __fp0, WCHAR* _a4) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t7;
				struct HRSRC__* _t10;
				void* _t13;
				void* _t17;
				void* _t19;
				struct HINSTANCE__* _t21;
				void* _t22;
				void* _t29;

				_t29 = __fp0;
				_t17 = __edx;
				_push(__ecx);
				_push(_t21);
				_t13 = 0;
				_t19 = 0;
				_v8 = __ecx;
				_t24 = _a4;
				if(_a4 == 0) {
					L4:
					_t22 = E00042DBF(_t13, _v8, _t17, _t19, _t21, _t26, _t29, _t19);
					if(_t19 != 0 && _t13 != 0) {
						FreeResource(_t13);
					}
					_t7 = _t22;
				} else {
					_t21 =  *(E0004B628(0, 0, _t21, _t24) + 0xc);
					_t10 = FindResourceW(_t21, _a4, 0xf0);
					if(_t10 == 0) {
						goto L4;
					} else {
						_t7 = LoadResource(_t21, _t10);
						_t13 = _t7;
						_t26 = _t13;
						if(_t13 != 0) {
							_t19 = LockResource(_t13);
							goto L4;
						}
					}
				}
				return _t7;
			}

0x000432bf
0x000432bf
0x000432c4
0x000432c6
0x000432c8
0x000432ca
0x000432cc
0x000432cf
0x000432d2
0x00043306
0x0004330f
0x00043313
0x0004331a
0x0004331a
0x00043320
0x000432d4
0x000432d9
0x000432e5
0x000432ed
0x00000000
0x000432ef
0x000432f1
0x000432f7
0x000432f9
0x000432fb
0x00043304
0x00000000
0x00043304
0x000432fb
0x000432ed
0x00043326

APIs

FindResourceW.KERNEL32(?,?,000000F0,?,?,?,?,?,00044351,?,?,00031AB5,960AF5FB), ref: 000432E5
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,00044351,?,?,00031AB5,960AF5FB), ref: 000432F1
LockResource.KERNEL32(00000000,?,?,?,?,?,00044351,?,?,00031AB5,960AF5FB), ref: 000432FE
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,00044351,?,?,00031AB5,960AF5FB), ref: 0004331A

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: f222f971e94c4843126f8d9912a6960a8fae7d614b3e729579bcbf5bd830d0c8
Instruction ID: 72bb64ad803490ebeb4e746ab22819323d96de3bd55cef1875078766db0c04ec
Opcode Fuzzy Hash: f222f971e94c4843126f8d9912a6960a8fae7d614b3e729579bcbf5bd830d0c8
Instruction Fuzzy Hash: 6AF022B2200301AF97505FE5AC859AFBBACEF847627054078FA01E7641DF70EF008268

Uniqueness

Uniqueness Score: -1.00%

Function 000C61C0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E000C61C0(signed int* __ecx) {
				int _t16;
				signed int* _t22;

				_t22 = __ecx;
				 *__ecx =  *__ecx & 0x00000000;
				E000342D0( &(__ecx[1]));
				SetRectEmpty(_t22 + 8);
				SetRectEmpty(_t22 + 0x18);
				SetRectEmpty(_t22 + 0x28);
				_t16 = SetRectEmpty(_t22 + 0x38);
				 *((intOrPtr*)(_t22 + 0x48)) = 0xff000000;
				 *((intOrPtr*)(_t22 + 0x4c)) = 1;
				return _t16;
			}

0x000c61c3
0x000c61c5
0x000c61cc
0x000c61db
0x000c61e1
0x000c61e7
0x000c61ed
0x000c61f0
0x000c61f7
0x000c61ff

APIs

SetRectEmpty.USER32 ref: 000C61DB
SetRectEmpty.USER32 ref: 000C61E1
SetRectEmpty.USER32 ref: 000C61E7
SetRectEmpty.USER32 ref: 000C61ED

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 78f9c00b6a5f1904665de7fb2d07f2ae42d281a64038f5d391319089668db657
Instruction ID: d60b8552b7b26d7fe3c2ea80c3aa941097506fc84faa62bf3876865ea1462c2e
Opcode Fuzzy Hash: 78f9c00b6a5f1904665de7fb2d07f2ae42d281a64038f5d391319089668db657
Instruction Fuzzy Hash: E9E0EDB7410B199AD730AFAAEC45AC7B3ECAF84310F11091EE582C7924D674F589CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0004C279 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0004C279(intOrPtr __ebx, void* __ecx) {
				signed int _v8;
				char _v28;
				short _v548;
				void* __edi;
				void* __esi;
				signed int _t9;
				long _t12;
				short _t13;
				intOrPtr _t19;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t30;
				signed int _t35;

				_t19 = __ebx;
				_t33 = _t35;
				_t9 =  *0x1a0454; // 0x960af5fb
				_v8 = _t9 ^ _t35;
				_t12 = GetModuleFileNameW( *(__ecx + 0x44),  &_v548, 0x104);
				if(_t12 == 0) {
					L4:
					_t13 = 0;
					__eflags = 0;
				} else {
					_t39 = _t12 - 0x104;
					if(_t12 == 0x104) {
						goto L4;
					} else {
						 *(PathFindExtensionW( &_v548)) = 0;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t13 = E0004C0C3(0, _t25, _t39,  &_v28,  &_v548);
						_t26 = _t26;
					}
				}
				_pop(_t30);
				return E00130836(_t13, _t19, _v8 ^ _t33, _t25, _t26, _t30);
			}

0x0004c279
0x0004c27c
0x0004c284
0x0004c28b
0x0004c2a1
0x0004c2a9
0x0004c2e3
0x0004c2e3
0x0004c2e3
0x0004c2ab
0x0004c2ab
0x0004c2ad
0x00000000
0x0004c2af
0x0004c2bf
0x0004c2ca
0x0004c2cb
0x0004c2cc
0x0004c2d3
0x0004c2d9
0x0004c2db
0x0004c2e0
0x0004c2e0
0x0004c2ad
0x0004c2ea
0x0004c2f1

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 0004C2A1
PathFindExtensionW.SHLWAPI(?), ref: 0004C2B7

Part of subcall function 0004C0C3: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 0004C108
Part of subcall function 0004C0C3: _memset.LIBCMT ref: 0004C134
Part of subcall function 0004C0C3: _wcstoul.LIBCMT ref: 0004C17C
Part of subcall function 0004C0C3: _wcslen.LIBCMT ref: 0004C19D
Part of subcall function 0004C0C3: GetUserDefaultUILanguage.KERNEL32 ref: 0004C1AD
Part of subcall function 0004C0C3: ConvertDefaultLocale.KERNEL32(?), ref: 0004C1D4
Part of subcall function 0004C0C3: ConvertDefaultLocale.KERNEL32(?), ref: 0004C1E3
Part of subcall function 0004C0C3: GetSystemDefaultUILanguage.KERNEL32 ref: 0004C1EC
Part of subcall function 0004C0C3: ConvertDefaultLocale.KERNEL32(?), ref: 0004C208
Part of subcall function 0004C0C3: ConvertDefaultLocale.KERNEL32(?), ref: 0004C217

Strings

%s%s.dll, xrefs: 0004C2C2

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: Default$ConvertLocale$Language$AddressExtensionFileFindModuleNamePathProcSystemUser_memset_wcslen_wcstoul
String ID: %s%s.dll
API String ID: 1415830068-1649984862
Opcode ID: 5f661cfb65b0f381681c0f610ec410035aa785faf1aee34d9cd95ed5d57ff97c
Instruction ID: 26d5df2784bb32d73caf77c6e4a34def3aaad1c0468581a9ee4d6b15206612a5
Opcode Fuzzy Hash: 5f661cfb65b0f381681c0f610ec410035aa785faf1aee34d9cd95ed5d57ff97c
Instruction Fuzzy Hash: CC01A272A14108ABD751DBA8ED45DEF77ECEF4D301F0004B5A409EB051E6B09E448B94

Uniqueness

Uniqueness Score: -1.00%

Function 00052399 Relevance: 5.0, APIs: 4, Instructions: 38
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00052399(signed int _a4) {
				void* __ebp;
				struct _CRITICAL_SECTION* _t4;
				void* _t8;
				signed int _t9;
				intOrPtr* _t12;

				_t9 = _a4;
				if(_t9 >= 0x11) {
					_t4 = E000455E0(_t8);
				}
				if( *0x1a3c44 == 0) {
					_t4 = E00052330();
				}
				_t12 = 0x1a3df8 + _t9 * 4;
				if( *_t12 == 0) {
					EnterCriticalSection(0x1a3de0);
					if( *_t12 == 0) {
						_t4 = 0x1a3c48 + _t9 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t12 =  *_t12 + 1;
					}
					LeaveCriticalSection(0x1a3de0);
				}
				EnterCriticalSection(0x1a3c48 + _t9 * 0x18);
				return _t4;
			}

0x000523a1
0x000523a7
0x000523a9
0x000523a9
0x000523b5
0x000523b7
0x000523b7
0x000523c2
0x000523cc
0x000523d3
0x000523d8
0x000523df
0x000523e5
0x000523eb
0x000523eb
0x000523f2
0x000523f2
0x00052402
0x00052408

APIs

EnterCriticalSection.KERNEL32(001A3DE0,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 000523D3
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 000523E5
LeaveCriticalSection.KERNEL32(001A3DE0,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 000523F2
EnterCriticalSection.KERNEL32(?,?,?,00000002,?,000516FF,00000010,00000008,0004B656,0004B5ED,0003E58B,0004A15B,0004918A,?,00000000,00000004), ref: 00052402

Part of subcall function 000455E0: __CxxThrowException@8.LIBCMT ref: 000455F6

Memory Dump Source

Source File: 00000004.00000002.931971887.0000000000031000.00000020.00000001.01000000.00000004.sdmp, Offset: 00030000, based on PE: true

Associated: 00000004.00000002.931966386.0000000000030000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932161350.0000000000157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932202377.000000000019C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932215919.00000000001AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932225736.00000000001B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932236354.00000000001C5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.932257024.00000000001ED000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30000_ExamShieldSetup.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: e844ffebabf875db86b89104f954438b16486c2e5a056740cf1437d0d3377049
Instruction ID: 700d4d770a9a63b09fdac9cd5dfcd5ed28584a0349cbbcc857ee7d132334de19
Opcode Fuzzy Hash: e844ffebabf875db86b89104f954438b16486c2e5a056740cf1437d0d3377049
Instruction Fuzzy Hash: 50F0F673600204EFCB102B65ED4A71ABA5EEFA3363F511026F46066553DB348BC5C661

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ExamShieldLauncher.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Exam Shield\ExamShieldLauncher.exe

C:\Users\user\AppData\Local\Exam Shield\ExamShieldLauncher.exe:Zone.Identifier

C:\Users\user\AppData\Local\Exam Shield\ExamShieldParams.dat

C:\Users\user\AppData\Local\Exam Shield\ExamShieldSetup.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PFSBE4YK.txt

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
ExamShieldLauncher.exe

Function 00070268 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 559
libraryloaderstringCOMMON

Function 00058050 Relevance: 60.3, APIs: 9, Strings: 24, Instructions: 2556
fileCOMMONCrypto

Function 000552F0 Relevance: 30.3, APIs: 16, Strings: 1, Instructions: 573
networkCOMMON

Function 00064645 Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Function 0006A7E8 Relevance: 12.1, APIs: 8, Instructions: 132
filestringCOMMON

Function 0005F0CF Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 191
windowCOMMON

Function 0005A210 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 259
registryCOMMON

Function 00069F68 Relevance: 21.1, APIs: 14, Instructions: 99
synchronizationthreadinjectionCOMMON

Function 00052EB0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155
COMMON

Function 00054E80 Relevance: 16.8, APIs: 11, Instructions: 254
networkCOMMON

Function 000717D6 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Function 00153D34 Relevance: 12.1, APIs: 8, Instructions: 63
threadCOMMON

Function 00051A80 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 432
COMMON

Function 0006920A Relevance: 10.7, APIs: 7, Instructions: 161
networkstringCOMMON

Function 0005F2C7 Relevance: 10.6, APIs: 7, Instructions: 117
windowCOMMON

Function 0006ADC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 000DF163 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
COMMON

Function 00054B00 Relevance: 9.2, APIs: 6, Instructions: 245
networkCOMMON

Function 00064481 Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Function 00154859 Relevance: 7.6, APIs: 5, Instructions: 71
COMMON

Function 0005B1C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
registryCOMMON

Function 0006CADE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Function 0006EF88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Function 00052CF0 Relevance: 4.6, APIs: 3, Instructions: 126
COMMON

Function 0006BC2B Relevance: 4.6, APIs: 3, Instructions: 70
registryCOMMON

Function 0006A073 Relevance: 4.5, APIs: 3, Instructions: 41
threadCOMMON

Function 00069B57 Relevance: 4.5, APIs: 3, Instructions: 37
windowCOMMON

Function 0006A2A7 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Function 000549A0 Relevance: 4.5, APIs: 3, Instructions: 34
networkCOMMON

Function 00153C6F Relevance: 4.5, APIs: 3, Instructions: 11
threadCOMMONLIBRARYCODE

Function 00052F90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33
COMMON

Function 00068B7D Relevance: 3.1, APIs: 2, Instructions: 136
stringCOMMON